Fast Eddie Virus - Amiga Virus Encyclopedia


     Amiga Virus Encyclopedia
     Fast Eddie Virus
     Name         : Fast Eddie

     Aliases      : Some of the code are very like the Glastnost virus

     Type         : Bootblock
     Size         : 1024 bytes

     Clones       : Infector

     Symptoms     : No Symptoms

     Discovered   : 17 july 1991, Denmark

     Way to infect: Boot infection

     Rating       : Dangerous

     Kickstarts   : 1.2

     Comments     : It  disarranges  the disks  in  a very  confusing  way
                    In the bootblock it writes "FE91"

                    If you are booting with a FAST EDDIE infected disk the
                    virus  copies itself always to the same memory address
                    => $7F000.  After  that it changes the KICK vectors to
                    stay resident in memory. 

                    To infect other disks the virus uses the DoIO()-Vector
                    from the exec.library.

                    This routine does the following:

                    1) Installs a new patch  in $6C (ZERO-PAGE, see below)
                    2) Then  it  calculates a block with $DFF006.  In this
                       block  the virus  writes  from $100 " Fast Eddie ".
                      - Such blocks are damaged, sorry no salvage !!!!
                    3) Then  the  virus  reads the Rootblock from the disk
                       and inserts as a new diskname:
                      "This disk is infected (HE-HE)"
                    4) After  that  the  virus  crypts itself with $DFF006
                       (The whole  bootblock) and installs this virusBB on
                       the disk.

                    The ZERO-PAGE routine does the following:

                    1) Checks  if a value  reaches  45000 if this was true
                       the virus blockades the system. (A timer will start
                       which after few minutes it will cause  the keyboard
                       function in an abnormal manner).

                    2) If  the  value  becomes  60000 the virus shows some
                       colors on the screen and make an endless loop. (You
                       need a reset to escape from this routine!!)

                    In the decrypted bootblock in the memory you can read:

                    " Call 43-444304 and ask for HENRIK HANSEN"
                    " (FAST EDDIE) "

                    In fact I know this man and can say, that he had never
                    done  this virus because he can't code al all. Proably
                    the virus is done like a revenge or malice of the man,
                    who is a very  wellknown  "swapper" from the "Paradox"
                    demo (Paradox is a CRACKER CREW! -> Note Alex!) group.

                    But you can also read a "text" in the top of the  boot
                    block even then the virus is crypted: 


     Removal      : Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                    Kickstart all others: VirusZ III with Xvs.library installed

     Test made by : Safe Hex International
     Ascii of Fast Eddie virus (Decoded):


Virum Help Team
Denmark & Canada
Copyright © All rights reserved