Burn 1 Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM
Amiga Antivirus Website
www.vht-dk.dk
 


     ------------------------
     Amiga Virus Encyclopedia
     Burn 1 Virus 
     ------------------------


     Name         : Burn 1

     Aliases      : No Aliases

     Type         : Link virus

     Size         : 2412 bytes

     Clone        : No Clones

     Symptoms     : No Sypmtoms.

     Discovered   : 16-01-94

     Way to infect: Link infection

     Rating       : Very Dangerous

     Kickstarts   : 1.2/1.3/2.0/3.0

     Damage       : Damages HD!!
     
     Info         : This virus is quite clever. It adds 2 hunks  to the file.
                    The  first hunk will  be linked  before the file and  the
                    other hunk will be added behind the file. The first  hunk
                    creates a process with the data of the last hunk.DOSWRITE
                    will be changed.

                    The linkroutine only knows a very low amount of hunks and
                    is not the state of the art.

                    The installed process has always another name,because the
                    Exec Tasklist will be used to create the Procname.

                    The virus contains a DATESTAMP routine. On 07.2.1994. the
                    virus will start to destroy all DATA and no spredtry will
                    be performed.

                    The memorykill routine  fills up the process with  1037 *
                    "RTS". All routines will be overwritten and no damage can
                    be caused by this process. Other viruskillers try to rem.
                    the process, but it`s much easier  only to deactivate the
                    thing.

                    A formatroutine is in this file. The mainfile is  about
                    3000 bytes  longer than the real VirusZ version and
                    contains at the end of the  file  the  virussode. The
                    DOSlist will be scanned and several sectors will be
                    overwritten  via  EXECs  DOIO and  the blocks will  be
                    filled  up with "BURN"s. The string "BURN" cannot be read
                    as  in  the Bossnuke Virus("DOS3"s).

     Comments     : The  Burn  virus isn`t resident.  The way how the virus
                    infects  is  new.  It  links  2 (!!!)  new hunks to the
                    original  file.  (One  at  the beginnig of the original
                    file and one at the end of the file.)

                    NO!  Vectors  are  used.  The  virus  searches  in the
                    TaskWait-List  a  name  for his own process. After the
                    7.Feb.1994  a  damage  routine  will be executed. This
                    routine  searches  over  DosEnv  devices which will be
                    filled up with the word "BURN".

     Antivirus    : Kickstart 1.2 & 1.3..... : VT-Schutz
                    Kickstart 2.0 and higher : VirusZ III, with the new Xvs.library installed 

     Test by       : Markus Schmall
Virus Help Team
Denmark & Canada
Copyright © All Rights Reserved