DOOM Filevirus
--------------

Kickstart 1.x: probably not working, because the virus calls dos.library through very high jump offsets (functions that 1.x does not appear to provide)
Kickstart 2.0: working
Kickstart 3.0: working
Kickstart 3.1: working
MC68040: working

Installer: clx_doom.exe (406012 bytes, packed with Stc 4.10.2)

Newly created files:

- sys:c/assign (3220 bytes unpacked)
  This is the original 37.4 assign command (25.5.91) with the virus linked in. The hunk lengths are manipulated, so do not be surprised that the length looks like the original's.

- sys:c/copy (5496 bytes unpacked)
  This is the original 38.1 copy command (20.05.92) with the virus linked in.

- sys:libs/diskfont.library (15820 bytes unpacked)
  This is the original library V39.3 (14.07.92) with the virus linked in. The original diskfont.library is 15340 bytes long, so the virus itself is 480 bytes long.

This file is spread as AMIGA DOOM by Complex, but it produces no output at all apart from the virus.

File ID:

______________ /\_________ _______ /\_ / ______ / \/ \____ \|-/ _____\/__/ / |_/ |/ / ___/|/ _|_/ \_ \______\____\ /\/\__\___|\___¯\____\__/\ / ----\/-p-r-\/s-e-n-t-s------\/---\/----\/
Amiga Doom! Coded by Gengis / Complex!

The main program is extremely lamely coded. A DMS file can be found inside it, with some Mapus banners hanging around and some IFF sound samples. At the beginning, all texts and some other parts are decoded using a lame crypt loop. Then the files are saved and some file comments are set (the comment "RESTICTED" is set on bbs:user.data and on bbs:user.key). The DMS file was uploaded to a quite well-known BBS on 26.05.94; at least that banner can be found in its header. Another file in the main code is an intro, in which you can read some texts from Melön Dezign.

The virus checks for a higher processor, reads the VBR (on a 68010 or later the vector table can be relocated away from address 0, which is why the processor check comes first) and installs a new interrupt handler in the $74 vector of the vector page. $74 is the level 5 autovector, which on the Amiga serves the serial receive-buffer-full and disk-sync interrupts; this fits the serial-port checks described below. This is new: nearly all other viruses only patch the vector page. The new interrupt handler increments a counter until it has reached 30000. As long as the counter has not reached that value, the handler tries to manipulate the $dff030 register (SERDAT, the serial port data write register). $dff030 is only changed if a particular string is found; the address that is compared is calculated from the serial data register ($dff018, SERDATR, the serial port data read register) and an internal counter. The string is $6c554e69544963210d, which is the ASCII text "lUNiTIc!" followed by a carriage return ($0d). I think that it is something like a hacking program or a special program to manipulate the data transfer from the serial port. No other texts were found in the virus.

Detection in files tested 16.07.1994.
Detection in memory and removal tested 17.07.1994.

Test by Markus Schmall
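The infected files above are detected by comparing them with the clean originals (the 480-byte growth of diskfont.library is the page's own yardstick). The script below is an added example, not code from the page or its author: it walks the standard AmigaDOS hunk load-file layout (HUNK_HEADER $3F3 with its size table, HUNK_CODE/DATA/BSS blocks, HUNK_RELOC32, HUNK_END) and reports what changed between a known-good file and a suspect copy, which shows why a linked-in hunk can look internally consistent and why a baseline is needed. All sample files are constructed in the script; they are not the real assign, copy or diskfont.library, and the second variant only models a header whose size table no longer matches its block, not anything this page says DOOM does.

```python
"""Walk an AmigaDOS hunk load file and report structural differences from a baseline."""
import struct

HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_END, HUNK_HEADER = 0x3EC, 0x3F2, 0x3F3
SIZE_MASK = 0x3FFFFFFF      # top two bits of a size/type longword are memory-type flags


def u32(data, off):
    return struct.unpack_from(">I", data, off)[0]


def build_hunk_file(blocks, declared=None):
    """Assemble a minimal load file: one CODE/DATA block per hunk, no relocations.
    `declared` overrides the size table in HUNK_HEADER (used below to model a
    header whose sizes no longer match the blocks; a constructed case)."""
    sizes = [len(p) // 4 for _, p in blocks]
    declared = sizes if declared is None else declared
    out = struct.pack(">IIIII", HUNK_HEADER, 0, len(blocks), 0, len(blocks) - 1)
    out += b"".join(struct.pack(">I", s) for s in declared)
    for (kind, payload), n in zip(blocks, sizes):
        out += struct.pack(">II", kind, n) + payload + struct.pack(">I", HUNK_END)
    return out


def parse_hunk_file(data):
    """Return {'declared': [...], 'hunks': [(type, longwords)], 'findings': [...]}."""
    if len(data) < 4 or u32(data, 0) != HUNK_HEADER:
        raise ValueError("not an AmigaDOS hunk file")
    off = 4
    while True:                              # resident library names, 0-terminated
        n = u32(data, off)
        off += 4
        if n == 0:
            break
        off += n * 4
    table_size, first, last = struct.unpack_from(">III", data, off)
    off += 12
    declared = [u32(data, off + 4 * i) & SIZE_MASK for i in range(last - first + 1)]
    off += 4 * len(declared)

    hunks, findings, cur = [], [], None
    while off + 4 <= len(data):
        kind = u32(data, off) & SIZE_MASK
        off += 4
        if kind in (HUNK_CODE, HUNK_DATA, HUNK_BSS):
            n = u32(data, off)
            off += 4
            cur = (kind, n)
            if kind != HUNK_BSS:
                off += n * 4                  # skip the block's contents
        elif kind == HUNK_RELOC32:
            while True:
                cnt = u32(data, off)
                off += 4
                if cnt == 0:
                    break
                off += 4 + cnt * 4            # target hunk number + offsets
        elif kind == HUNK_END:
            hunks.append(cur)
            cur = None
        else:
            findings.append(f"unhandled hunk type {kind:#x} at offset {off - 4}")
            break
    if cur is not None:
        hunks.append(cur)
        findings.append("last hunk is not terminated by HUNK_END")
    if off != len(data):
        findings.append(f"{len(data) - off} bytes after the last parsed hunk")
    if len(hunks) != table_size:
        findings.append(f"header table lists {table_size} hunks, file holds {len(hunks)}")
    for i, ((kind, n), d) in enumerate(zip(hunks, declared)):
        if n != d:
            findings.append(f"hunk {i}: header declares {d} longwords, block holds {n}")
    return {"declared": declared, "hunks": hunks, "findings": findings}


def compare_to_baseline(clean, suspect):
    """Differences between a known-good file's layout and a suspect copy."""
    a, b = parse_hunk_file(clean), parse_hunk_file(suspect)
    diffs = list(b["findings"])
    if len(b["hunks"]) != len(a["hunks"]):
        diffs.append(f"hunk count {len(a['hunks'])} -> {len(b['hunks'])}")
    for i, (x, y) in enumerate(zip(a["hunks"], b["hunks"])):
        if x != y:
            diffs.append(f"hunk {i} changed from {x} to {y}")
    if len(suspect) != len(clean):
        diffs.append(f"file grew by {len(suspect) - len(clean)} bytes")
    return diffs


# Constructed samples, not the real assign/copy/diskfont.library files.
CLEAN_CODE = bytes.fromhex("70004e75") * 8               # moveq #0,d0 / rts, eight times (32 bytes)
CLEAN = build_hunk_file([(HUNK_CODE, CLEAN_CODE)])
# Variant A: a second, 480-byte code hunk appended and the header table extended consistently.
APPENDED = build_hunk_file([(HUNK_CODE, CLEAN_CODE), (HUNK_CODE, b"\x4e\x71" * 240)])
# Variant B: the same single block, but the header now claims a much larger hunk.
PADDED = build_hunk_file([(HUNK_CODE, CLEAN_CODE)], declared=[128])

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("appended", APPENDED), ("padded", PADDED)):
        print(name, len(sample), "bytes:", compare_to_baseline(CLEAN, sample) or "no differences")
```

Variant A parses without any finding of its own: an appended hunk with a correctly extended header is a valid load file, so only the comparison against the clean original (hunk count, per-hunk sizes, total length) reveals it. Variant B is caught by the parser alone, because the header's size table and the block it describes disagree.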