Terrorists Virus (BGS9 Clone) - Amiga Virus Encyclopedia

VIRUS HELP TEAM




-----------------------------
Amiga Virus Encyclopedia
Terrorists Virus (BGS9 Clone)
-----------------------------


=== Computer Virus Catalog 1.2: TERRORISTS Virus (10-February-1991) ==
Entry...............: TERRORISTS Virus
Alias(es)...........: ---
Virus Strain........: BGS 9 virus strain
Virus detected when.: MAY 1990      (when VTC received virus code)
              where.: North Germany
Classification......: link virus (renaming), resident
Length of Virus.....: 1. length on storage medium: 2608 byte
                      2. length in RAM           : 2608 byte
--------------------- Preconditions ----------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/33.166, 1.2/33.180, 1.3/34.5
Computer model(s)...: AMIGA 500, AMIGA 1000, AMIGA 2000A, AMIGA 2000B
--------------------- Attributes -------------------------------------
Easy Identification.: typical text: "TTV1" at end of virus
                                     (length=2608 byte)
                      identification on disk: a file in ROOT- and/or
                         DEVS-directory is named with following
                         unprintable string:  $A0,$20,$20,$20,$A0,$20,
                         $20,$A0,$20,$A0,$A0; length of first command
                         in startup-sequence seems to be altered to
                         2608 byte (because file is not original anymore)
Type of infection...: self-identification method: virus searches for a
                         file in devs- or root directory named with
                         this unprintable string: $A0,$20,$20,$20,$A0,
                         $20,$20,$A0,$20,$A0,$A0
                      system infection: RAM resident, reset resident
Infection Trigger...: reset (CONTROL+Left-AMIGA+Right-AMIGA)
Storage media affected: bootable floppy disks (3.5" and 5.25"),
                         bootable RAM disks, bootable hard disks
Interrupts hooked...: ---
Damage..............: permanent damage: overwriting bootblock;
                      transient damage: screen buffer manipulation:
                         screen becomes black, a graphic with fol-
                         lowing text is displayed:
                                "a computer virus is a disease
                                 terrorism is a transgression
                                 software piracy is a crime
                                 this is the cure     BGS9
                                 Bundesgrenzschutz Sektion 9
                                 Sonderkommando 'EDV'       "
Damage Trigger......: permanent damage: reset (CONTROL+LEFT-AMIGA
                                               +RIGHT-AMIGA)
                      transient damage: 4 resets (to be run
                         until initial CLI window appears)
Particularities.....: other resident programs using the system
                         resident list (KickTagPointer, KickMem
                         Pointer) are shutdown; name of resident
                         task is "TTV1" (see string in bootblock);
                         when virus doesn't find a DEVS directory,
                         it uses the root; first command in startup-
                         sequence is renamed to a file named with
                         following unprintable string:
                         $A0,$20,$20,$20,$A0,$20,$20,$A0,$20,$A0,$A0
                         (in DEVS- or root directory if available),
                         and virus is written to directory the
                         command comes from using the same name;
                         next time, virus will be called first
                         before original command is executed
Similarities........: 100% clone of the BGS 9 virus, only name of
                         the relocated carrier (DEVS:) is different
                         (see above); problems show when other
                         resident programs such as harddisk devices
                         are installed; same problem (=guru medita-
                         tion when started from startup-sequence)
                         also occurs with BGS 9
--------------------- Agents -----------------------------------------
Countermeasures.....: Names of tested products of Category 1-6:
                      Category 1: .2 Monitoring System Vectors:
                                     CHECKVECTORS 2.3
                                  .3 Monitoring System Areas:
                                     CHECKVECTORS 2.3, GUARDIAN 1.2,
                                     VIRUS-DETEKTOR 1.1
                      Category 2: Alteration Detection: ---
                      Category 3: Eradication: CHECKVECTORS 2.3,
                                  BGS9-PROTECTOR, VIRUS-DETEKTOR 1.1
                      Category 4: Vaccine: BGS9-PROTECTOR
                      Category 5: Hardware Methods: ---
                      Category 6: Cryptographic Methods: ---
Countermeasures successful: CHECKVECTORS 2.3, BGS9-PROTECTOR
Standard means......: CHECKVECTORS 2.3 with deletion of "no name" file
                         entry (see above) using a disk manager and
                         correction of startup-sequence (removal)
                         and creating two files named with the
                         following unprintable string "$A0,$20,$20,
                         $20,$A0,$20,$20,$A0,$20,$A0,$A0" to vaccinate
                         disk (one file has to be placed in ROOT-, the
                         other in DEVS-directory); BGS9-PROTECTOR
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Alfred Manthey Rojas
Documentation by....: Alfred Manthey Rojas
Date................: 10-February-1991
Information Source..: ---
===================== End of Terrorists Virus ========================
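
Added example (not part of the original catalog entry and not a Virus Test Center tool): a Python check that applies the identification data above to a host-side copy of an Amiga volume, separating a disk that carries a 2608-byte "TTV1" file from one that only holds the marker-named file (vaccine or leftover). The function names, the 64-byte tail window and the handling of the marker name as raw Latin-1 or UTF-8 are assumptions.

```python
import os

# Indicators taken from the catalog entry above.
MARKER_NAME = bytes([0xA0, 0x20, 0x20, 0x20, 0xA0, 0x20, 0x20, 0xA0, 0x20, 0xA0, 0xA0])
VIRUS_LENGTH = 2608
VIRUS_TEXT = b"TTV1"
TAIL_WINDOW = 64  # assumption: "at end of virus" means within the last bytes of the file

# Assumption: an extraction tool may keep the raw Latin-1 name or convert it to UTF-8.
MARKER_FORMS = {MARKER_NAME, MARKER_NAME.decode("latin-1").encode("utf-8")}


def marker_locations(volume_root):
    """Return the ROOT/DEVS directories (bytes paths) that hold the marker-named file."""
    root = os.fsencode(volume_root)
    candidates = [root]
    for entry in os.scandir(root):
        # AmigaDOS names are case-insensitive, so accept devs/Devs/DEVS.
        if entry.is_dir() and entry.name.lower() == b"devs":
            candidates.append(entry.path)
    return [d for d in candidates
            if any(e.name in MARKER_FORMS for e in os.scandir(d))]


def virus_sized_files(volume_root):
    """Return files that are exactly 2608 bytes long and carry "TTV1" near the end."""
    hits = []
    for dirpath, _dirs, files in os.walk(os.fsencode(volume_root)):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) != VIRUS_LENGTH:
                continue
            with open(path, "rb") as fh:
                fh.seek(-TAIL_WINDOW, os.SEEK_END)
                if VIRUS_TEXT in fh.read():
                    hits.append(path)
    return hits


def classify(volume_root):
    """Combine both indicators into a verdict for one extracted volume."""
    markers, bodies = marker_locations(volume_root), virus_sized_files(volume_root)
    if bodies:
        return "infected", markers, bodies
    if markers:
        return "marker only (vaccinated or leftover)", markers, bodies
    return "clean", markers, bodies
```

A "marker only" verdict matches both a vaccinated disk and a disinfected disk whose relocated first command was never restored, so the startup-sequence still has to be checked by hand.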


Screenshot of Terrorists Virus:





Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk