Debugger Virus - Amiga Virus Encyclopedia



    Debugger (04191994) Virus:
    An infected file becomes 1088 bytes long.
    Changed vectors: DosWrite and DosLoadSeg
    Kickstart: 2.04 and higher
    Other possible name: Fjpg Virus 1.11 (based on the first infected program)

    The virus does not work on Kickstart versions under 2.0, because of the
    patch routines. A new way to infect files:

    186 bytes from the first hunk are copied into a newly created $3f1 hunk
    appended to the file, and a part of the virus is copied to this position
    in the first hunk. The length of the first hunk is not changed, but the
    length entries in the hunk header are changed (probably to irritate
    antivirus programmers and resourcers). This is done with a random value!

    The virus contains a destruction routine! No format but a destructive WRITE
    command!

    VirusWorkshop can remove the virus completely. Please make a backup before
    repairing such a file!

    A normal hunkheader looks like this:

    number of hunks
    number of starthunk
    number of endhunk
    n longwords containing the lengths of the hunks

    $3e9 (hunk_code)
    length for this hunk

    ATTENTION: Some crunchers (e.g. Turbo Imploder) write 2 different lengths
    in the table of hunk lengths and behind the $3e9! I expect problems in
    this special case!

    At the end of an infected file you can read the string "DEBUGGER". The
    whole virus looks like the work of a better coder (in my opinion).
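
    Added example (not part of the original entry and not code from any of
    the antivirus tools named here): a Python check that compares the first
    entry of the header length table with the length behind $3e9 and looks
    for the "DEBUGGER" string at the end of the file, so that a cruncher-style
    length mismatch alone is not reported. Assumptions: the standard AmigaDOS
    load-file layout ($3f3 magic and resident library name list in front of
    the fields listed above), a 64-byte tail window, and the constructed
    sample bytes.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END, HUNK_DEBUG = 0x3F3, 0x3E9, 0x3F2, 0x3F1
SIZE_MASK = 0x3FFFFFFF   # top two bits of a length longword are memory flags
TAIL = 64                # assumption: how close to EOF "DEBUGGER" must appear


def inspect_load_file(data: bytes) -> dict:
    """Compare the header length table with the first hunk and check the tail."""
    def long_at(off: int) -> int:
        if off < 0 or off + 4 > len(data):
            raise ValueError("truncated hunk file")
        return struct.unpack_from(">I", data, off)[0]

    if long_at(0) != HUNK_HEADER:
        raise ValueError("no $3f3 hunk header")
    off = 4
    while (n := long_at(off)) != 0:        # resident library names, usually none
        off += 4 + 4 * n
    # off now points at the terminating zero; the three counters follow it
    count, first, last = (long_at(off + 4 * i) for i in (1, 2, 3))
    if last < first:
        raise ValueError("bad hunk range")
    off += 16
    table = [long_at(off + 4 * i) & SIZE_MASK for i in range(last - first + 1)]
    off += 4 * len(table)
    is_code = long_at(off) & SIZE_MASK == HUNK_CODE
    body_len = long_at(off + 4) & SIZE_MASK
    mismatch = is_code and table[0] != body_len
    marker = b"DEBUGGER" in data[-TAIL:]
    return {"hunks": count, "table_len": table[0], "hunk_len": body_len,
            "length_mismatch": mismatch, "debugger_string": marker,
            "suspect": mismatch and marker}


def _longs(*values: int) -> bytes:
    """Pack big-endian longwords."""
    return struct.pack(f">{len(values)}I", *values)


# Constructed samples: inert byte strings, not real programs.
CLEAN = _longs(HUNK_HEADER, 0, 1, 0, 0, 2, HUNK_CODE, 2, 0x4E714E71, 0x4E754E71, HUNK_END)
# Table entry differs from the $3e9 length, as the cruncher caveat describes.
CRUNCHED = _longs(HUNK_HEADER, 0, 1, 0, 0, 9, HUNK_CODE, 2, 0x4E714E71, 0x4E754E71, HUNK_END)
# Same mismatch plus a trailing $3f1 hunk that ends in the marker string.
MARKED = CRUNCHED + _longs(HUNK_DEBUG, 2) + b"DEBUGGER"
```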

    This virus was sent to me by Jan Bo Andersen of SHI Denmark. The package
    contained the whole documented source and a little text from the author
    of this virus:


        Anarchy Unlimited - Virus Technology Centre - +358-0-PRIVATE

                      Amiga & PC viruses online


    Thank you for downloading Debugger V2 virus package!

    Debugger02.s.asc  - PGP signed asm source of Debugger virus
    EvilJesus.asc     - Public PGP key
    FJPEG111.lha      - Infected fjpeg, version number bumped up to 1.11
    NewAge.s.asc      - PGP signed asm source of NewAge virus

    Upload fjpeg only to systems which do not have networks! Those systems
    will have lowest information level and sysop are mostly dummies who bought
    modem week ago and decided to run bbs because "It's so cool" :)

    With this kind of approach virus will have best chance to reach users who
    want to upload it immediately. There is also a big chance that such users
    will trash their hd's in no time. So nice...

    So no network system as information about infection will spread very fast
    degrading overall chance of successful destruction.

    Sincerely yours, Evil Jesus


    Even more irritating is that PGP keys are in the package, too. I cannot
    understand this. The virus is dated 19.04.1994.

    Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
             Kickstart all others: VirusZ III, and also Xvs.library must be installed

    Test by Markus Schmall                  Detection tested 27-28.04.1994.
                                            (again a night with only 3 hours
                                            of sleep)


Virum Help Team
Denmark & Canada