------------------------
Amiga Virus Encyclopedia
Saddam Virus
------------------------
===== Computer Virus Catalog 1.2: SADDAM file Virus (31-July-1993) =====
Entry...............: SADDAM_file Virus
Alias(es)...........: ---
Virus Strain........: SADDAM Virus Strain
Virus detected when.: ---
where.: ---
Classification......: File (!) variant of SADDAM virus, memory resident
Length of Virus.....: 1.Length on storage medium: 1848 byte
2.Length in RAM : 1936 byte
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/all, 1.3/all
Computer model(s)...: All AMIGA models
--------------------- Attributes ---------------------------------------
Easy Identification.: A req.library is found with 1848 Bytes length.
Type of infection...: Self-identification method: virus searches for an
encryption-byte in req.library on disk that
its with its own.
System infection: virus replaces library called
"req.library" in libs:
Directory on inserted diskettes contain following
system routines/vectors (same as SADDAM virus):
System routines: - BeginIO(trackdisk.device)
- Close(trackdisk.device)
- InitResident(exec.library)
- OpenWindow(intuition.library)
System vectors: - ColdCapture(execbase)
- CoolCapture(execbase)
- KickTagptr(resident-struct.)
Infection Trigger...: 1) Opening req.library by exec function calls
2) OpenLibrary or OldOpenLibrary.
Storage media affected: Any floppy disk (every trackdisk.device)
Interrupts hooked...: Vertikal Blank interrupt works like a watchdog,
which guarantees that virus will stay in memory
(same as SADDAM virus).
Damage..............: Permanent damage:
1. If no req.library program exists on diskette
or no L: directory, both are built,replacing
req.library on disk.
2. Virus destroys a block by writing "LOOM"
over existing data.
3. Virus makes Bitmap NOT VALID, so running
Disk-Validator next time will infect System
(same as SADDAM).
4. Virus starts diskhead stepping in all floppy
drives and writing on disk (if writeable)
which will result in trackdisk errors
(same as SADDAM).
Transient damage: Mouse pointer will disappear,
and an Alert will be displayed with text:
"LOOOOM VIRUS". After pressing mouse
button, cold reset.
Damage Trigger......: Permanent damage:
1) insertion of a diskette
2) reading a Datablock
3) accessing rootblock
Transient damage: reading bootblock after a
certain time.
Particularities.....: 1) Virus uses direct Dos.Library Jumps.
2) Virus enrypts itself upon every infection with
another pseudo random number.
3) Virus installs a message port which is called
"mycon.write".
Similarities........: Similar to SADDAM LOOM Virus but as file infector;
other SADDAM variants are boot infectors.
--------------------- Agents -------------------------------------------
Countermeasures.....: VirusZ 3.06, VT 2.54, VirusChecker 6.28
Countermeasures successful: VirusZ 3.06, VT 2.54, VirusChecker 6.28
Standard means......: VT 2.54
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Jens Vogler
Documentation by....: Jens Vogler
Date................: 31-July-1993
Information Source..: Reverse analysis of virus code
===================== End of SADDAM file Virus =========================
Antivirus...........: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III v1.04B or higher, and also Xvs.library v33.47 or higher
Screenshot of Saddam Virus:
