Eleni Bootblockvirus - Amiga Virus Encyclopedia


    Amiga Virus Encyclopedia
    Eleni Bootblockvirus
    Eleni Bootblockvirus:
    Length: 1024 bytes

    Patched vectors:   -Coolcapture (always patched to $7f296)
                       -SumKickData (always patched to $7f32a)
                       -DoIO        (always patched to $7f2da)
                       The original value  of the DoIO  vector
                       will be stored at $7fa02.

    The original  bootblock will be  stored at sector 1738 and
    will be loaded from the virus and the virus jumps directly
    in the  original  bootcode.  The virus  contains  a  write
    routine,  which  writes  the  text "ELENI" (via DOIO). The
    writeroutine uses not the dos.library, pure DOIO action !

    At the start  of the virus,  the viruscode  will be copied
    to  $7f144  (without  allocating  the  memory  before). On
    system with low memory, it can happen very often, that the
    system  crashes. The  viruses uses  the adress $60000 as a
    flag for the textwriteroutine.  The area $70000 and higher
    will be used from the virus without allocating the memory.

    The  text "*ELENI*" is  visible at the end of the file. In
    the middle you can read something about "Version 1.6".

    If the virus has read several  times from sector 1738 and
    a  counter  (hardware)  reached  the  value 1 ,  it  will
    overtake the control of the drive(s)  and manipulates CIA
    and the drivecontrol register.

    If the counter reached the value 4,  the writeroutine for
    the "*ELENI*"  string  will  be  started.  The counter is
    located  at $dc002d.  I don`t  know,  what is  this for a
    register and  I could not find out, if it is always init-
    ialized with the same value. On my AMIGA it contained the
    byte $f2.

    If a DoIO  read access was caught,  the infection routine
    will be  started.  If a DoIO write access was caught, the
    writeroutine will be started. In the NewDoIO routine, the
    virus handle  with the CIA-A registers (powersupply ticks
    and interrupt control).

    Due  to  no  checkroutine  for  Trdevice,  the  virus can
    destroy (in my opinion) the RDB.

    The  infection routine  reads the  original  bootblock to
    $70000,  tests  it  and at success,  the virus writes the
    original bootblock  to the sector 1738 and copies  itself
    to sector 0.  The bootblock at sector  1738 will be saved
    non crypted.

    Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
             Kickstart all others: VirusZ III, and also Xvs.library must be installed

                   Detection in BB & memory tested 18.05.1994

    Test by Markus Schmall...

    Ascii of Eleni virus:


Virum Help Team
Denmark & Canada
Copyright © All rights reserved