| Alias: | --- |
| Strain: | --- |
| detected when: | --- |
| where: | North Germany |
| Classification: | link virus (directory type), resident |
| Length: | 1. length on storage medium: 2916 byte 2. length in RAM : 2876 byte |
Preconditions | |
| Operating System(s): | AMIGA-DOS |
| Version/Release: | 1.2/33.166, 1.2/33.180, 1.3/34.5 |
| Computer model(s): | AMIGA 500, AMIGA 1000, AMIGA 2000A, AMIGA 2000B |
| Caroname: | Butonic.3_00 |
Attributes | |
| Easy identification: | typical text: --- identification by the following entry (invisible in ASCII editors) in startup-sequence as 1st entry: "$A0,$A0,$A0,$20,$9B,$41"; identification using a disk manager: a file $A0,$A0,$A0 (invisible) exists in root directory, with length=2916 byte; identification by text in memory: "Hi. Jeff's speaking here... (w) by the genious BUTONIC... V3.00/9.2.89 - Gen.0026 Greetings to *Hackmack*,*Atlantic*, & Alex,Frank,Wolfram, Gerlach,Miguel,Klaus,Snoopy-Data!"; this text is displayed as alert message after destruction of a disk structure; identification by transient damage: window titles are changed to following ones: "Ich Brauch jetzt Alk!", "Bitte keinen Wodka!", "Mehr Buszyklen fuer den Prozessor", "Paula meint, Agnus sei zu dick" |
Type of Infection: | self-identification method: virus searches for the following entry in startup-sequence: $A0,$A0,$A0,$A0,$9B,$41 (invisible in ASCII editors); system infection: RAM resident, reset resident |
| Infection Technique: | |
| Infection Trigger: | using unprotected disk-like devices |
| Storage Media affected: | all bootable and disk-like devices |
| Interrupts hooked: | --- |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | permanent damage: destroys directory structure; transient damage: manipulation of window titles; alert message after destroying the structure of a bootable device |
| Damage Trigger: | permanent damage: (to be analysed) transient damage: (to be analysed) |
| Particularities: | DoIO vector and KickTag pointer are misused |
| Similarities: | author of this virus evidently knows BGS virus |
Agents | |
| Countermeasures: | CHECKVECTORS 2.3, VT 1.94 |
| Standard means: | CHECKVECTORS 2.3 or VT 1.94 with deletion of "no name" file entry (see above) with a disk manager and correction of the startup-sequence |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, Germany |
| Classification by: | Alfred Manthey Rojas |
| Documentation by: | Alfred Manthey Rojas |
| Date: | 10-February-1991 |
| Information Source: | --- |
(c) 1996 Virus-Test-Center, University of Hamburg