| Alias: | --- |
| Strain: | BYTE BANDIT Virus |
| detected when: | September 1989 |
| where: | Elmshorn, FRG |
| Classification: | system virus (bootblock), resident |
| Length: | 1. length on storage medium: 1024 byte 2. length in RAM : 1024 byte |
Preconditions | |
| Operating System(s): | AMIGA-DOS |
| Version/Release: | 1.2/33.166, 1.2/33.180 and 1.3/34.20 |
| Computer model(s): | AMIGA 500, AMIGA 1000, AMIGA 2000A, AMIGA 2000B (and only wi |
| Caroname: | ByteBandit.Plus |
Attributes | |
| Easy identification: | typical text: --- |
Type of Infection: | self-identification method: --- system infection: RAM resident, reset resident, bootblock |
| Infection Technique: | |
| Infection Trigger: | reset (CONTROL + Left-AMIGA + Right-AMIGA) operation: any disk access |
| Storage Media affected: | only floppy disks (3.5" and 5.25") |
| Interrupts hooked: | vertical blank interupt |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | permanent damage: overwriting bootblock, maybe killing opened files when the screen and the keyboard are shut off and the user has to restart the computer using CONTROL+LEFT-AMIGA +RIGHT-AMIGA keys; allocates available memory minus 86016 byte transient damage: screen buffer manipulation: screen becomes dark, keyboard seems to mal- function, transient damage may only be inter- rupted by pressing a special key combination: LEFT-ALT+LEFT-AMIGA (on newer AMIGAS the COMMODORE key)+SPACE+RIGHT-AMIGA+RIGHT-ALT (but the virus is still active ) |
| Damage Trigger: | permanent damage: reset operation: any disk access transient damage: only under following condition: 2 resets AND 6 infections AND execution of BYTE BANDIT's own interrupt routine 5208 times (about 7 minutes) |
| Particularities: | uses StartIOVector other resident programs using the system resident list (KickTagPointer,KickMemPointer) are shut down copy counter: 19th word |
| Similarities: | clone of BYTE BANDIT with some new code instead of bootblock text, using undocumented system adresses, manipulates background color, seems to steel 86016 byte of system memory depending from a counter at memory location $0007FC00 |
Agents | |
| Countermeasures: | 'CHECKVECTORS 2.2', 'GUARDIAN 1.2', 'VIRUSX 4.0' |
| Standard means: | 'CHECKVECTORS 2.2' |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Alfred Manthey Rojas |
| Documentation by: | Alfred Manthey Rojas |
| Date: | 5-June-1990 |
| Information Source: | --- |
(c) 1996 Virus-Test-Center, University of Hamburg