DOOM Filevirus:
        ---------------

        Kickstart 1.x: probably not working, because of the very high
                       DOS jump offsets it uses.
        Kickstart 2.0: working
        Kickstart 3.0: working
        Kickstart 3.1: working
        MC68040      : working

        Installer: clx_doom.exe (406012 bytes packed Stc 4.10.2)

        Newly created files:

                  -sys:c/assign (3220 bytes unpacked)
                   This is the original 37.4 assign command (25.5.91)
                   with the linked virus. The hunk lengths are
                   manipulated, so do not be surprised that the length
                   is the same as the original's.

                  -sys:c/copy   (5496 bytes unpacked)
                   This is the original 38.1 copy command (20.05.92)
                   with the linked virus.

                  -sys:libs/diskfont.library (15820 bytes unpacked)
                   This is the original library V39.3 (14.07.92) with
                   the linked virus.



        The original diskfont.library is 15340 bytes long, so the
        virus is 480 bytes long.

        This file is spread as AMIGA DOOM by Complex, but it produces
        no output at all apart from the virus.

           @{b}File ID:@{ub}

                  ______________  /\_________   _______  /\_
                 /    ______ /  \/  \____   \|-/  _____\/__/
                /    |_/   |/        /   ___/|/   _|_/    \_
                \______\____\  /\/\__\___|\___¯\____\__/\  /
                  ----\/-p-r-\/s-e-n-t-s------\/---\/----\/
                               Amiga Doom!
                       Coded by Gengis / Complex!

        The main program is extremely lamely coded. A DMS file can be
        found inside the file, with some Mapus banners hanging around
        and some IFF sound samples. At the start, all texts and some
        other parts are decoded using a lame crypt loop. Then the
        files are saved and some file comments are set (the comment
        "RESTICTED" is set on bbs:user.data and on bbs:user.key).

        The DMS file was uploaded to a quite well-known BBS on
        26.05.94; at least that banner can be found in the header.
        Another file in the main code is an intro. In this intro you
        can read some texts from Melön Dezign.

        The virus checks for higher processors, reads the VBR and
        installs a new interrupt handler in the $74 vector of the
        vector page. This is new: nearly all other viruses only patch
        the vector page.

        This new interrupt handler increments a variable until it has
        reached 30000. As long as the variable has not reached this
        value, the handler tries to manipulate the $dff030 register.
        $dff030 is only changed if a special string is found; the
        address of that string is calculated from the SerDat register
        ($dff018) and an internal counter
        (string=$6c554e69544963210d).
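        The two facts a scanner can use from this description are the
        9-byte string quoted above and the 480-byte growth of
        diskfont.library (15340 to 15820 bytes). The following Python
        scanner is an added example, not part of the original report
        and not from the virus analysis itself. It assumes (the page
        does not say so) that the string is stored unencoded in the
        infected file, so a plain substring search finds it; the
        sample file images are constructed, not real Amiga binaries.
        Note that the report states the infected assign command keeps
        the original length, so a size check is useless there and only
        the marker search applies.

```python
# Added example: naive file-based detection derived from the figures in
# the description above. Not the original analyst's tooling.

# Marker quoted in the description (string=$6c554e69544963210d), 9 bytes.
DOOM_MARKER = bytes.fromhex("6c554e69544963210d")   # ASCII: b"lUNiTIc!\r"

# Sizes from the description: clean diskfont.library V39.3 vs. infected copy.
DISKFONT_CLEAN = 15340
DISKFONT_INFECTED = 15820
VIRUS_LENGTH = DISKFONT_INFECTED - DISKFONT_CLEAN   # 480 bytes


def scan_image(name, data):
    """Return a list of findings for one file image (file name, raw bytes).

    An empty list means nothing from this description matched.
    """
    findings = []
    # Assumption: the string is present unencoded in the infected binary.
    off = data.find(DOOM_MARKER)
    if off != -1:
        findings.append(f"DOOM marker at offset 0x{off:x}")
    # Only diskfont.library grows; assign/copy keep their original length
    # because the hunk lengths are manipulated (per the description).
    if name.lower() == "diskfont.library" and len(data) == DISKFONT_INFECTED:
        findings.append(
            f"length {len(data)} = clean {DISKFONT_CLEAN} + virus {VIRUS_LENGTH}"
        )
    return findings


def scan_files(files):
    """files: dict name -> bytes. Returns dict of only the suspicious files."""
    report = {}
    for name, data in files.items():
        hits = scan_image(name, data)
        if hits:
            report[name] = hits
    return report


def constructed_samples():
    """Constructed test images (not real Amiga executables or libraries)."""
    hunk_header = bytes.fromhex("000003f3")   # Amiga HUNK_HEADER magic, for realism only
    clean = hunk_header.ljust(DISKFONT_CLEAN, b"\x00")
    # "Infected": marker embedded after 4000 padding bytes, padded to 15820.
    infected = (hunk_header + b"\x00" * 4000 + DOOM_MARKER).ljust(
        DISKFONT_INFECTED, b"\x00"
    )
    # assign-style image: same length as a clean file, only the marker betrays it.
    assign_like = (hunk_header + DOOM_MARKER).ljust(3220, b"\x00")
    return {
        "diskfont.library": infected,
        "diskfont.clean": clean,
        "assign": assign_like,
        "copy": hunk_header.ljust(5496, b"\x00"),
    }


if __name__ == "__main__":
    for fname, hits in scan_files(constructed_samples()).items():
        print(fname, "->", "; ".join(hits))
```

        Run it on real files by replacing constructed_samples() with a
        loop that reads sys:c/assign, sys:c/copy and
        sys:libs/diskfont.library into a dict; the marker search is the
        only check that also catches the size-preserving infections.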


        I think that it is something like a hacking program or a
        special program to manipulate the data transfer from the
        serial port.


        No other texts were found in the virus.

                                Detection in files tested 16.07.1994.
                                Detection in memory and removal
                                                   tested 17.07.1994.


        Test by Markus Schmall
