OLI Virus

Alias: ---
Strain: ---
detected when: May 1989
where: Utrecht (Netherlands)
Classification: Boot sector virus
Length: 512 Bytes

Preconditions

Operating System(s): Atari TOS
Version/Release: All versions
Computer model(s): All Atari ST
Caroname: OLI

Attributes

Easy identification: If the boot sector is infected, the string "OLI-VIRUS installed ." can be found at the end of the boot sector; in memory, the same string can be found at $7B6.

Type of Infection:

Any boot sector that can be written to.

Infection Technique:
Infection Trigger: Execution of XBIOS disk functions. Execution of boot code.
Storage Media affected: Drive which is set as boot device or accessed by XBIOS.
Interrupts hooked: TRAP #14, TRAP #12 set to old value of TRAP #14. Vertical Blank Interrupt at infection time.
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage: Transient damage: 1. Message on screen: "OLI-VIRUS installed. " 2. The computer slows down until it stops; all CPU time is used by the Vertical Blank Interrupt; the time until it stops depends on how long the computer has been in use (= number of VBIs).
Damage Trigger: Internal counter = 0 (3rd byte in boot code +$414 in RAM).
Particularities: The virus simulates an uninfected boot sector by modifying the read buffer. The disk information is left unchanged, and the virus code is overwritten with $4E = 'N'. The virus is recognised by Sagrotan because of direct programming of the FDC.
Similarities:---

Agents

Countermeasures: Make sure that the virus is not in memory. Search the boot sector for the string mentioned above. Modify the last byte in the boot sector to another value.
Standard means: Clear all bytes in the boot sector beginning at offset 30 decimal.
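
The string search and the offset-30 clearing described above, as an added example that is not part of the VTC entry. It assumes a raw 512-byte boot sector image read while the virus is not in memory, since a resident copy falsifies the read buffer. The function names and the sample sector are constructed for illustration, and the $1234 executable-checksum test is a general TOS convention, not something this entry states.

```python
# Added example: check and clean a 512-byte Atari ST boot sector image.
import struct

SECTOR_SIZE = 512
SIGNATURE = b"OLI-VIRUS installed"  # prefix shared by both spellings quoted in this entry
CLEAR_FROM = 30                      # "offset 30 decimal" from the Standard means field
TOS_EXEC_SUM = 0x1234                # TOS convention (assumption, not stated in this entry)


def _check(sector: bytes) -> None:
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")


def signature_offset(sector: bytes) -> int:
    """Offset of the OLI marker string in the sector, or -1 if absent."""
    _check(sector)
    return sector.find(SIGNATURE)


def is_executable(sector: bytes) -> bool:
    """True if the 256 big-endian words sum to $1234, so TOS would run the boot code."""
    _check(sector)
    return sum(struct.unpack(">256H", sector)) & 0xFFFF == TOS_EXEC_SUM


def clean(sector: bytes) -> bytes:
    """Keep bytes 0..29 untouched and zero everything from offset 30 to the end."""
    _check(sector)
    return sector[:CLEAR_FROM] + bytes(SECTOR_SIZE - CLEAR_FROM)


def make_sample() -> bytes:
    """Constructed test sector: filler bytes, marker near the end, checksum fixed up."""
    body = bytearray(b"\x60\x1c" + bytes(28) + b"\x4e" * 480 + bytes(2))
    marker = b"OLI-VIRUS installed ."
    body[488:488 + len(marker)] = marker
    fix = (TOS_EXEC_SUM - sum(struct.unpack(">256H", bytes(body)))) & 0xFFFF
    body[510:512] = struct.pack(">H", fix)  # last word makes the sector "executable"
    return bytes(body)


if __name__ == "__main__":
    s = make_sample()
    print("signature at", signature_offset(s), "executable:", is_executable(s))
    c = clean(s)
    print("after clean:", signature_offset(c), "executable:", is_executable(c))
```

A sector that carries the marker and still sums to $1234 would be run at boot; after clearing, both checks should come back negative before the sector is written to disk.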

Acknowledgements

Location: Virus Test Center, University of Hamburg, FRG
Classification by:
Documentation by: Ronald Greinke
Date: 5-June-1990
Information Source:

(c) 1996 Virus-Test-Center, University of Hamburg