Virus Warning - Virus Help Team

VIRUS HELP TEAM
Denmark & Canada



Pestilence Bootblockvirus
  
    Hi All !!


    Pestilence Bootblockvirus 1.15:
    -------------------------------

    Kickstart 1.x : not working
    Kickstart 3.1 and MC68040 : working

    Patched vectors:

    Exec-Disable
    TD's BeginIO
    Exec-Coldcapture
    Exec-KicksumData       (not repairable)
    Intuition-DisplayAlert (not repairable)

    First appearance (as far as I know): Heilbronn/Germany

    This is a new bootblockvirus with some nasty inner workings:

    The last two patched vectors cannot be repaired, because the
    virus does not store the original values. Sorry guys! All other
    patched vectors can be corrected by VirusWorkshop.

    It encrypts all blocks it reads (T-DATA) with an EOR loop. While
    the virus is active in memory, all encrypted blocks are decrypted
    on the fly. If you remove the virus from memory, several checksum
    errors will appear on your screen. VirusWorkshop 4.6 and higher
    are able to repair the encrypted blocks, because there is no magic
    in this encryption routine.

    Such routines (on-the-fly encrypting and decrypting) were first
    seen on the AMIGA in the "Saddam" diskvalidator viruses and then
    in "The Curse of little Sven" bootblockvirus.

    The whole virus is encrypted with a simple EOR loop and looks like
    the work of a quite sober 'n' clean programmer. At the end of
    the virus you can read (after decrypting it):

    'trackdisk.device'
    'intuition.library'
    'PESTILENCE v1.15 (c) 14/05/94!'


    Greets
               Markus Schmall
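
Why checksum errors appear once the virus is gone from memory, as an added example (not part of the original warning and not VirusWorkshop's code): an OFS data block (T-DATA) is valid only when its 128 longwords sum to zero, so a block left XORed on disk fails that check. The key and the choice to XOR only the payload are assumptions; the warning does not give the virus's actual routine.

```python
import struct

BLOCK_SIZE = 512   # one floppy sector / AmigaDOS block
T_DATA = 8         # block type of an OFS data block
CHKSUM_OFF = 20    # offset of the checksum longword in a data block
DATA_OFF = 24      # payload starts after the 24-byte header


def block_sum(block):
    """Sum of all 128 big-endian longwords, modulo 2**32 (0 means valid)."""
    return sum(struct.unpack(">128L", block)) & 0xFFFFFFFF


def make_data_block(header_key, seq, payload):
    """Build a valid OFS data block around `payload` (constructed sample data)."""
    payload = payload[:BLOCK_SIZE - DATA_OFF]
    head = struct.pack(">6L", T_DATA, header_key, seq, len(payload), 0, 0)
    block = bytearray(head + payload.ljust(BLOCK_SIZE - DATA_OFF, b"\0"))
    struct.pack_into(">L", block, CHKSUM_OFF, -block_sum(bytes(block)) & 0xFFFFFFFF)
    return bytes(block)


def xor_payload(block, key):
    """Assumed scheme: XOR only the payload with a repeating key, header untouched."""
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(block[DATA_OFF:]))
    return block[:DATA_OFF] + body


def bad_data_blocks(image):
    """Return block numbers of T_DATA blocks whose checksum does not verify."""
    bad = []
    for n in range(len(image) // BLOCK_SIZE):
        block = image[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
        if struct.unpack_from(">L", block)[0] == T_DATA and block_sum(block) != 0:
            bad.append(n)
    return bad


KEY = b"\x5a\xa5\x3c\xc3"  # hypothetical key, not the virus's real one
clean = [make_data_block(880, i + 1, b"constructed file data %d" % i) for i in range(3)]
# Blocks 0 and 2 stay clean; block 1 is left XORed, as after removing the decryptor.
image = clean[0] + xor_payload(clean[1], KEY) + clean[2]

if __name__ == "__main__":
    print("data blocks failing checksum:", bad_data_blocks(image))
```

Applying the same XOR a second time restores the block and its checksum, which is why such blocks are repairable once the routine is known.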




Copyright © All rights reserved
www.vht-dk.dk