CopyLock virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM


     ------------------------
     Amiga Virus Encyclopedia
     CopyLock Virus
     ------------------------
     
     
     Name         : CopyLock

     Aliases      : No Aliases

     Type         : Bootblock
     
     Size         : 2048 bytes

     Clones       : No Clones

     Symptoms     : No Symptoms

     Discovered   : -

     Way to infect: Boot infection

     Rating       : Dangerous

     Kickstarts   : 1.2
                    1.3
                    2.0

     Damage       : Overwrites boot + block 2 & 3

     Removal      : Install boot

     Comments  :    If  you  are booting with a CopyLock-infected disk the
                    virus  copies itself to adderss $7F400 and changes the
                    CoolCapture-Vector to stay resident. On the next reset
                    the  with  patches  the  DoIO()-Vector to infect other
                    disks. 

                    Now Imagine you are inserting an unprotected disk with
                    e.g.  the  X-Copy  boot block. Now, the virus does the
                    following:

                    1) Check for Write-Protection

                    2) Not protected: loads the bootblock form the current
                       disk (X-Copy-Boot) into address $7F800.

                    3) Saves  44  bytes  from  the  original-bb in the own
                       viruscode  and  insert in this place a virus-loader
                       routine.
 
                    4) Then  the  virus  cryptes  itself  with $DFF006 and
                       saves 2048 (!) bytes. (Original+Virus!).

                    Block  2,3  are  now  DAMAGED  !! NO salvage possible.
                    If  you  are  now  booting  with the infected disk the
                    virus-loader  routine  copies the virus from the block
                    2,3  in  $7F400  and  jumpes at $7F400. Then the virus
                    copies  the  modified  original-bb  into  the  address
                    $7F000  inserts  the  original  code  of  the  bb  and
                    executes it.

                    The  whole  virus-bb  is  coded  (See point 4). In the
                    decrypted  virus  you  can read in the top of the boot
                    block:
                    "Copylock Amiga (c) Rob Northern. All rights "
                    "reserved."

                    In the end of the bootblock you can read:
                    "* YEP ROB NORTHERN ON THE BOARD ! MY COPYLOCKS"
                    "ARE FUCK. THE CRACKERS ARE BETTER THAN ME."
                    "THAT`S WHY I`M WRITING VIRUSES !!! (IN THE HOPE"
                    "THAT THEY ARE BETTER AS MY COPYLOCKS!) *"

     Test made by : Safe Hex International
     

     
     
Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk