ByteParasite.1

Alias:--
Strain:
detected when:
where:
Classification:Bomb (=destructive program)
Length:1. Length on storage medium: 2108 bytes 2. Length in RAM: 866 bytes

Preconditions

Operating System(s):AMIGA-OS
Version/Release:all system releases
Computer model(s):all models without redirected zero page
Caroname:Byteparasite.1

Attributes

Easy identification:Typical text: '...by ByteParasite in 9.90',$A 'from Hacker & Cracker GmbH GERMANY',0

Type of Infection:

Infection Technique:
Infection Trigger:--
Storage Media affected:
Interrupts hooked:
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:Permanent damage: This program creates first a file called "dir" in the actual directory and tries to copy the file "cd" (not "c:cd" !) into it. Then a file called "cd" is created and the contents of "dir" (emptieness ?) will be copied into it. Then the file "s/startup-sequence" (not "s:startup-sequence" !) will be created or it s old contents overwritten by the contents of "cd" (emptieness again ?). Transient damage: The hardware address $BFE001 will be overwritten and another copy of the Dos library will be opened.
Damage Trigger:Permanent damage: Start of program. Transient damage: Head of "current" disk drive is on track 0.
Particularities:This seems to be the first try (as the version number says ;-) ) to write a bomb. The program includes many operations that can fail and nearly half of the program code will never be executed. E.g. the Interrupt hook can fail, if the zero page is mapped to a different place (can be done by 68010 and up).
Similarities:---

Agents

Countermeasures:VirusZ II 1.09, VT 2.67, Virus Workshop 3.6
Standard means:VirusZ II 1.09, VT 2.67, Virus Workshop 3.6

Acknowledgements

Location:Virus Test Center, University Hamburg, Germany
Classification by:Jens Vogler
Documentation by:Jens Vogler
Date:1-July-1994
Information Source:reverse engeneering of original bomb

(c) 1996 Virus-Test-Center, University of Hamburg