Eleni Bootblockvirus - Amiga Virus Encyclopedia

VIRUS HELP TEAM

    ------------------------
    Amiga Virus Encyclopedia
    Eleni Bootblockvirus
    ------------------------
    
    
    Eleni Bootblockvirus:
    
    Length: 1024 bytes

    Patched vectors: - Coolcapture (always patched to $7f296)
                     - SumKickData (always patched to $7f32a)
                     - DoIO        (always patched to $7f2da)
                     The original value of the DoIO vector
                     will be stored at $7fa02.

    The original bootblock is stored at sector 1738; the virus
    loads it from there and jumps directly into the original
    bootcode. The virus contains a write routine which writes
    the text "ELENI" (via DoIO). The write routine does not use
    the dos.library, only pure DoIO calls!

    At the start of the virus, the virus code is copied to
    $7f144 (without allocating the memory first). On systems
    with little memory this very often crashes the system. The
    virus uses the address $60000 as a flag for the text write
    routine. The area from $70000 upwards is used by the virus
    without allocating the memory.

    The text "*ELENI*" is visible at the end of the file. In
    the middle of it you can read something about "Version 1.6".

    If the virus has read from sector 1738 several times and a
    (hardware) counter has reached the value 1, it takes over
    control of the drive(s) and manipulates the CIA and the
    drive control register.

    If the counter has reached the value 4, the write routine
    for the "*ELENI*" string is started. The counter is located
    at $dc002d. I don't know what kind of register this is, and
    I could not find out whether it is always initialized with
    the same value. On my AMIGA it contained the byte $f2.

    If a DoIO read access is caught, the infection routine is
    started. If a DoIO write access is caught, the write routine
    is started. In the NewDoIO routine the virus manipulates
    the CIA-A registers (power supply ticks and interrupt
    control).

    Because there is no check routine for Trdevice (the
    trackdisk.device), the virus can (in my opinion) destroy
    the RDB.

    The infection routine reads the original bootblock to
    $70000 and tests it; on success the virus writes the
    original bootblock to sector 1738 and copies itself to
    sector 0. The bootblock at sector 1738 is saved
    unencrypted.
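    To make the described disk layout concrete, here is an added
    example that is not code from the VHT entry or from the virus:
    a small Python scanner and repair tool working on an in-memory
    ADF-style floppy image (1760 sectors of 512 bytes). The sector
    numbers (0 and 1738), the fact that the stashed copy is
    unencrypted and the two strings "*ELENI*" and "Version 1.6"
    come from the entry above. The "DOS" header and the bootblock
    checksum rule (all 256 big-endian longwords added with carry
    wrap-around must give $FFFFFFFF) are the standard Amiga
    bootblock format, which the entry does not spell out. All
    image contents are constructed; the "infected" sector 0 holds
    only the two marker strings, no virus code.

```python
"""Scan an Amiga floppy image for Eleni's bootblock strings and restore the
original bootblock the virus stashes at sector 1738.

Added example, not code from the VHT entry or from the virus. Layout facts
(sector 0 / sector 1738, strings "*ELENI*" and "Version 1.6", stash kept
unencrypted) follow the entry; the "DOS" header and checksum rule are the
standard Amiga bootblock format. All image data below is constructed.
"""
import struct

SECTOR = 512
BOOTBLOCK = 1024                 # bootblock = sectors 0 and 1 ("Length: 1024 bytes")
NUM_SECTORS = 1760               # 880 KB double-density disk, as in an .adf file
STASH_SECTOR = 1738              # where Eleni writes the original bootblock
SIGNATURES = (b"*ELENI*", b"Version 1.6")
CLEAN_MARK = b"constructed clean bootcode"   # stands in for real boot code


def bootblock_sum(bb: bytes) -> int:
    """Amiga bootblock checksum: add the 256 big-endian longwords, and on
    every 32-bit overflow add the carry back in. A valid block sums to
    0xFFFFFFFF."""
    total = 0
    for (lw,) in struct.iter_unpack(">I", bb):
        total += lw
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total


def fix_checksum(bb: bytearray) -> None:
    """Fill the checksum field at offset 4 so that bootblock_sum() == 0xFFFFFFFF."""
    bb[4:8] = b"\0\0\0\0"
    bb[4:8] = struct.pack(">I", 0xFFFFFFFF - bootblock_sum(bytes(bb)))


def is_valid_bootblock(bb: bytes) -> bool:
    """A bootable block is 1024 bytes, starts with "DOS" and checksums correctly."""
    return (len(bb) == BOOTBLOCK and bb[:3] == b"DOS"
            and bootblock_sum(bb) == 0xFFFFFFFF)


def read_sectors(image: bytearray, first: int, count: int) -> bytes:
    return bytes(image[first * SECTOR:(first + count) * SECTOR])


def write_sectors(image: bytearray, first: int, data: bytes) -> None:
    image[first * SECTOR:first * SECTOR + len(data)] = data


def scan_bootblock(image: bytearray) -> list:
    """Return the Eleni marker strings present in sectors 0-1, in the order
    listed in SIGNATURES; an empty list means no match."""
    bb = read_sectors(image, 0, 2)
    return [s.decode() for s in SIGNATURES if s in bb]


def recover_original(image: bytearray) -> bool:
    """Copy the stashed bootblock from sector 1738 back over sector 0.
    Refuses (returns False) unless the stash passes the header and checksum
    test, so a disk that was never infected is left untouched."""
    stashed = read_sectors(image, STASH_SECTOR, 2)
    if not is_valid_bootblock(stashed):
        return False
    write_sectors(image, 0, stashed)
    return True


def make_clean_image() -> bytearray:
    """Constructed clean disk: minimal OFS bootblock at sector 0, rest zero."""
    image = bytearray(NUM_SECTORS * SECTOR)
    bb = bytearray(BOOTBLOCK)
    bb[0:4] = b"DOS\0"                         # OFS disk type
    bb[8:12] = struct.pack(">I", 880)          # root block of an 880 KB disk
    bb[12:12 + len(CLEAN_MARK)] = CLEAN_MARK
    fix_checksum(bb)
    write_sectors(image, 0, bb)
    return image


def make_infected_image() -> bytearray:
    """Constructed disk laid out the way the entry describes an infection:
    original bootblock saved unencrypted at sector 1738, sector 0 replaced by
    a 1024-byte block with "Version 1.6" in the middle and "*ELENI*" at the
    end. Only the marker strings are present; there is no virus code."""
    image = make_clean_image()
    write_sectors(image, STASH_SECTOR, read_sectors(image, 0, 2))
    fake = bytearray(BOOTBLOCK)
    fake[0:4] = b"DOS\0"
    fake[512:512 + len(b"Version 1.6")] = b"Version 1.6"
    fake[BOOTBLOCK - len(b"*ELENI*"):] = b"*ELENI*"
    fix_checksum(fake)                          # keep it bootable, as the virus must
    write_sectors(image, 0, fake)
    return image


if __name__ == "__main__":
    disk = make_infected_image()
    print("markers found:", scan_bootblock(disk))
    print("restored:", recover_original(disk))
    print("bootblock valid now:", is_valid_bootblock(read_sectors(disk, 0, 2)))
    print("markers found:", scan_bootblock(disk))
```

    The repair step mirrors the "tests it" step of the infection
    routine in reverse: sector 1738 is only copied back if it
    carries the "DOS" header and a correct checksum, so running
    the tool on a clean disk (whose sector 1738 holds no valid
    bootblock) changes nothing.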


                 Detection in BB & memory tested 18.05.1994.

    Test by Markus Schmall...


    Ascii of Eleni virus:
    

    

Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk