VIRUS HELP TEAM



------------------------    
Amiga Virus Encyclopedia    
Starlight Bomb Virus
------------------------

    
======= Computer Virus Catalog 1.2: STARLIGHT Bomb (31-July-1993) ======
Entry...............: Starlight Bomb
Alias(es)...........: Commodore Virus
Virus Strain........: ---
Virus detected when.: ---
              where.: ---
Classification......: Timebomb, non-resident
Length of Virus.....: 1.Length on storage medium: 1752 byte
                      2.Length in RAM           : 1752 byte
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-OS
Version/Release.....: 1.2/all, 1.3/all, 2.0/all, 3.0/all
Computer model(s)...: All AMIGA models
--------------------- Attributes ---------------------------------------
Easy Identification.: Typical text: "You have found the Routine !
                                     This is the new Commodore-Virus !
                                     BY STARLIGHT ENTERPRISES 1992"
                          visible at the end of the file.
Type of infection...: None (damage-only)
Infection Trigger...: None
Storage media affected: All disk-like media
Interrupts hooked...: None
Damage..............: Transient/Permanent damage: depending on trigger
                         condition, one of two damages are observed:
                         1) Bomb deletes file "s/startup-sequence" and
                            displays (via DisplayAlert) German text:
                            "Ihr Computer ist ueberhitzt !!!
                            Wenn es nach dem Reset ein absturz gibt
                            SCHALTEN IHN SIE BITTE AUS
                            Commodore 1987"
                            (in English: "Your computer is overheated!!!
                            If after a reset a crash happens
                            PLEASE SWITCH OFF   Commodore 1987")
                            and system will crash thereafter.
                         2) Bomb deletes file "s/startup-sequence",
                            creates a directory named "commodore war
                            hier !!" (="Commodore was here!!"),
                            opens CON-window named "REQUEST" to output
                            text: "KEIN VIRUS IN DRIVE DF0:
                                 GEFUNDEN !! Commodore 1987"
                                  (="NO VIRUS IN DRIVE DF0:
                                   FOUND !!Commodore 1987"),
                            waits for pressing left mousebutton
                            and crashes thereafter.
Damage Trigger......: a) Second execution of program
                      b) Third execution of program
Particularities.....: 1) Upon executing the 2nd damage routine, program
                         requests to disable write protection. While
                         executing the 1st damage routine, an enabled
                         write protection will end the program.
                      2) Program opens and closes used libraries many
                         times and uses different versions of the
                         same name string; the string "dos.library"
                         appears three times in the file.
                      3) The program seems to be patched together from
                         at least three different programs.
                      4) CoolCapture vector is set to text string:
                         "COMMODORE AMIGA !!!"
                      5) Address $66666 is used as a counter without
                         allocating it.
                      6) Useless stuff is written to $C002A4 (located
                         in RangerRAM).
Similarities........: ---
--------------------- Agents -------------------------------------------
Countermeasures.....: VT 2.54, VirusZ 3.06, VirusChecker 6.28
Countermeasures successful: VT 2.54, VirusZ 3.06, VirusChecker 6.28
Standard means......: VT 2.54
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Karim Senoucci
Documentation by....: Karim Senoucci
Date................: 31-July-1993
Information Source..: Virus dissassembly / SHI / Heiner Schneegold
===================== End of STARLIGHT bomb ============================




Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk