Return Of Lamer Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM
Amiga Antivirus Website
www.vht-dk.dk



     ------------------------    
     Amiga Virus Encyclopedia    
     Return Of Lamer Virus
     ------------------------


     Name         : Return Of The Lamer

     Aliases      : Le Role (the virus contains the French text 'Le Role')
     
     Original     : Saddam

     Type         : Disk-Validator
     
     Size         : 1848 bytes

     Symptoms     : No Symptoms

     Discovered   : ?

     Way to infect: File infection

     Rating       : Very Dangerous

     Kickstarts   : 1.2
                    1.3
                    Cannot infect Kickstart 2.0x or higher, because they
                    do not use the Disk-Validator
                    
     Damage       : Overwrites original Disk-Validator

     Manifestation: -

     Removal      : Use a good virus killer.

     Comments     : This virus is a very nasty one. It overwrites the
                    original Disk-Validator and damages the Rootblock.
                    When you insert an infected disk, DOS thinks that
                    the disk has an error, so it loads the (fake) Disk-
                    Validator. The virus then does the following:

                 1) Copies itself to a memory address that was calculated
                    beforehand from the $DFF006 register and the Memlist.

                 2) It patches the DoIO() vector and the Close() vector
                    of the trackdisk.device. These vectors are used to
                    keep a Rootblock value always set to "Not-Validated".
                    Additionally, another vector is patched by the
                    virus, calculated with the Vertical Blank vector
                    -> $90(a6).

                 3) Furthermore, it uses the KICK vectors to stay resident
                    in memory.

                    If you then boot with an unprotected disk, the
                    virus tries to copy itself into the L directory of
                    the current disk. The virus jumps directly to the
                    DOS functions.

                    Sometimes the virus fills up a block on your disks
                    with the word "LAMER !!!".

                    And even worse:
                    Depending on a special value, the virus formats all
                    disks in every drive and displays an alert.

                    Damage depending on the time:
                    a) Determines a block number via $DFF007 and writes "LAMER !!!" into it 64 times
                    b) Fast format routine for all drives, with text output via DisplayAlert:
                       "The Return Of The Lamer Exterminator"
                    c) Writes the wrong Disk-Validator to disk
                    
     Antivirus    : Kickstart 1.2 & 1.3..... : VT-Schutz
                    Kickstart 2.0 and higher : VirusZ III, with the new Xvs.library installed
     
     Test made by : Heiner Schneegold & Safe Hex International
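
A defender's check for the block damage described in the Comments above, as an added example that is not part of the original encyclopedia entry or of any Virus Help Team tool: it scans a raw disk image for 512-byte blocks filled with the repeated marker word. The function names, the threshold and the sample image are assumptions constructed for this example; because the exact on-disk spacing of the marker is not confirmed here, only the word LAMER is matched.

```python
# Added example: find blocks in a raw Amiga floppy image (e.g. an ADF file)
# that were overwritten with the repeated "LAMER" marker text.
import sys

BLOCK_SIZE = 512      # Amiga floppy block size in bytes
MARKER = b"LAMER"     # assumption: match the word only, not spacing or punctuation
MIN_REPEATS = 32      # assumption: the entry says 64 copies; flag at half that


def find_marker_blocks(image: bytes, min_repeats: int = MIN_REPEATS):
    """Return (block_number, marker_count) for each block that looks overwritten."""
    hits = []
    usable = len(image) - len(image) % BLOCK_SIZE   # ignore a trailing partial block
    for offset in range(0, usable, BLOCK_SIZE):
        count = image[offset:offset + BLOCK_SIZE].count(MARKER)
        if count >= min_repeats:
            hits.append((offset // BLOCK_SIZE, count))
    return hits


def build_sample_image() -> bytes:
    """Constructed 8-block test image; only block 5 imitates the damage."""
    blocks = [bytes(BLOCK_SIZE) for _ in range(8)]
    # Benign text that merely mentions the word a few times (17 occurrences).
    blocks[2] = (b"This disk belongs to a LAMER. " * 20)[:BLOCK_SIZE]
    # Constructed imitation of a block filled with 64 copies of the marker.
    blocks[5] = b"LAMER!!!" * 64
    return b"".join(blocks)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_image()
    for block_no, count in find_marker_blocks(data):
        print(f"block {block_no}: marker repeated {count} times")
```

Run it with the path of a disk image as the only argument; without an argument it scans the constructed sample image.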

          
     

