SADDAM Virus

Alias:IRAK = Saddam Hussein = Disk-Validator Virus
Strain:Saddam Virus Strain
detected when:March 1991
where:Australia
Classification:System virus (replacing), memory resident
Length:
 1. Length on storage medium: 1848 bytes
 2. Length in RAM: 1936 bytes

Preconditions

Operating System(s):AMIGA-DOS
Version/Release:1.2/all, 1.3/all
Computer model(s):All AMIGA models
Caroname:Saddam.Original

Attributes

Easy identification:---

Type of Infection:

Self-identification method: the virus searches for an encryption byte in the Disk-Validator system program on disk that matches its own.
System infection: the virus replaces the system program Disk-Validator in L:. The directory on disk contains the following system routines/vectors:
System routines:
 - BeginIO(trackdisk.device)
 - Close(trackdisk.device)
 - InitResident(exec.library)
 - OpenWindow(intuition.library)
System vectors:
 - ColdCapture(execbase)
 - CoolCapture(execbase)
 - KickTagptr(resident-struct.)

Infection Technique:
Infection Trigger:The restart-validator process starts the Disk-Validator program when the bitmap on the disk is not valid. This does not work under AmigaOS Version 2.0, which no longer uses a Disk-Validator program (there is no restart-validator process in AmigaOS V2.0).
Storage Media affected:Any floppy disk (every trackdisk.device)
Interrupts hooked:Vertical Blank interrupt, which works as a watchdog that keeps the virus resident in memory.
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:
Permanent damage:
 1. If no Disk-Validator program or no L: directory exists on the disk, both are created (replacing the Disk-Validator program on disk).
 2. The virus destroys a block by writing "IRAK" over the existing data.
 3. The virus marks the bitmap NOT VALID, so the next run of Disk-Validator infects the system.
 4. The virus starts disk-head stepping in all floppy drives and writes to the disk (if writeable), which results in trackdisk errors.
Transient damage: the mouse pointer disappears and an Alert is displayed with the text "SADDAM VIRUS". After a mouse button is pressed, a cold reset follows.
Damage Trigger:
Permanent damage:
 1) insertion of a diskette
 2) reading a data block
 3) accessing the root block
Transient damage: reading the bootblock after a certain time.
Particularities:
 1) No infection occurs when using FastFilingSystems or running AmigaOS Version 2.0.
 2) The virus uses direct Dos.Library jumps and encrypts itself with a pseudo-random number upon infection.
 3) The virus installs a message port called "mycon.write".
Similarities:All numbered SADDAMs (SADDAM 4, SADDAM 5, ...) are just differently decrypted original SADDAMs.

Agents

Countermeasures:VirusZ 3.06, VT 2.54, VirusChecker 6.28
Standard means:VT 2.54

Acknowledgements

Location:Virus Test Center, University Hamburg, FRG
Classification by:Oliver Meng
Documentation by:Oliver Meng, Update by Jens Vogler
Date:31-July-1993
Information Source:---

(c) 1996 Virus-Test-Center, University of Hamburg