Genestealer Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM



     ------------------------
     Amiga Virus Encyclopedia
     Genestealer Virus
     ------------------------

   
     Name         : Genestealer

     Aliases      : No Aliases

     Clones       : No Clones 

     Type         : Bootblock
     
     Size         : 1024 bytes

     Symptoms     : Like it is a KS 1.3 with NTSC specifications?

     Discovered   : 23 april 1992

     Way to infect: Boot infection

     Rating       : Dangerous

     Kickstarts   : 1.2
                    1.3
                    2.0

     Damage       : Overwrites boot + Rootblock

     Removal      : Install boot

     Comments     : Infects  every  none write-protected disk  inserted in
                    any  drive.  Can  probably  DAMAGE  harddisks.

                    The  virus tests the frequency on the El-net.  In this
                    way  the Amiga system  distinguishes between  American
                    and  European  (NTSC/PAL)  systems  and  if  it  isn't
                    American   the  Rootblock  can  probably  be  damaged.
                    Sometimes  the  Amiga  can't detect either it works in
                    Europe or  in the US under Sys-1.3.  It will then open
                    its initial  screen in NTSC in  Europe.

                    Most  likely  the virus will behave that way, too, and
                    that's no good.

                    The Genestealer-Virus copies itself always to the same
                    memory-address  =>  $7EC00. It uses the CoolCapture to
                    stay  resident  in  memory . For  infection  the virus
                    patches the DoIO()-Vector from the exec.library.

                    When  the  virus  is active it pretends to be a normal
                    DOS-Bootblock.  The  virus  checks  for a value in the
                    Vertikal-Blank-Int.  If  this value isn`t 50 the virus
                    destroys  the  rootblock  (Only DD-Disks!). If you are
                    pressing  the  left mouse-button while you are booting
                    the  virus executes an endless-loop by showing a green
                    screen.

                    In the end of the Bootblock you can read:
                    "GENESTEALER VIRUS!!! by someone..."

     Test made by : Safe Hex International
     
 
     Ascii of Genestealer virus:
     

     

Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk