BLF Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM



------------------------
Amiga Virus Encyclopedia
BLF Virus
------------------------


============ Computer Virus Catalog 2.0: BLF  (30. X. 1993) =============
Entry...............: BLF
Alias(es)...........: --
Virus Strain........: --
      detected when.: unknown
              where.: unknown
Classification......: system virus (bootblock), resident
Length of Virus.....: 1. length on storage medium: 1024 byte
                      2. length in RAM           : 1034 byte
--------------------- Preconditions -------------------------------------
Operating System(s).: AMIGA-OS
Version/Release.....: 1.2/33.166, 1.2/33.180, 1.3/34.20
Computer model(s)...: AMIGA 500, AMIGA 1000, AMIGA 2000
--------------------- Attributes ----------------------------------------
Easy identification.: at $02CE:
                      ;(dc.l  coded                   ;decoded)
                      dc.l    $4F47B8B3,$F7AEB8A2     ; $98906F64," you"
                      dc.l    $F7BFB6A1,$B2F7B1B8     ; " have fo"
                      dc.l    $A2B9B3F7,$A3BFB2F7     ; "und the "
                      dc.l    $A5B8A2A3,$BEB9B2F7     ; "routine "
                      dc.l    $F6F6F783,$BFBEA4F7     ; "!! This "
                      dc.l    $BEA4F7A3,$BFB2F7B9     ; "is the n"
                      dc.l    $B2A0F7A1,$BEA5A2A4     ; "ew virus"
                      dc.l    $F7B5AEF7,$959B912E     ; " by BLF."
Type of Infection...: RAM resident, reset resident, bootblock infector
Infection Trigger...: Booting from an infected disk, reset afterwards
Storage Media affec.: Only floppy disks
Systemcalls hooked..: --
Stealth.............:
Tunneling/Selfprot..:
Oligo/Polymorphism..:
Encoding Method.....:
Damage..............: Clears ColdCapture, KickTagPtr, KickCheckSum
                      and sprite DMA.
                      Manipulates DoIo, TrackDisk-BeginIo and
                      CoolCapture.
Damage Trigger......: ColdCapture, KickTagPtr, KickCheckSum will be
                      cleared, BeginIo, and CoolCapture will be
                      manipulate every booting, BeginIo and DoIo call.
                      The sprite DMA will be cleared every 10th disk
                      infection.
                      DoIo will be manipulate every booting, reset and
                      BeginIo.
Particularities.....: This virus will crash Amigas with newer OS
                      versions than 1.3. The programmer knows the ROM
                      addresses of BeginIo and DoIo for OS 1.2 and 1.3
                      and uses them to jump directly into the ROM.
                      So if you have a newer OS version the virus jumps
                      for BeginIo calls to the OS 1.2 ROM address and
                      directly to the next GURU.
                      There is an unused decode routine in the virus.
                      When this routine will be used, a coded area in
                      the virus will be decoded and a text is readable.
                      (See at Easy Identification above for the text.)
Similarities........: --
--------------------- Agents --------------------------------------------
Countermeasures.....: Virus Workshop V3.0, VirusChecker V6.33,
                      VT 2.58, VirusZ 3.07
Standard means......: VT 2.58, Virus Workshop V3.0
--------------------- Acknowledgements ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Jens Vogler
Documentation by....: Jens Vogler
Date................: 30. X. 1993
Information Source..: virus disassembly
============================== End of BLF ===============================

Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                      Kickstart all others: VirusZ III with Xvs.library installed
                      
                      
Ascii of BLF virus (Decoded):





Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk