- HappyNewY. 98 Virus BB and File-Link

     Requires KS 2.04 !! (version test min. #37)

     Naming reason: in the link part you can read, unencoded:
            74756974 646f732e 6c696272 61727900 tuitdos.library.
            3c3e2048 61707079 204e6577 20596561 <> Happy New Yea
            72203938 203c3e00 000a0000 00000000 r 98 <>.........

     Patched vectors: LoadSeg and DoIo
     Reset-resistant: no
     Cache problem: yes
     File size increase: #920 bytes
     Link after the first hunk or as bootblock
     VT tries to reset LoadSeg and DoIo in memory.
     VT tries to remove the link part from the file.
     Write a new bootblock with Install.
     Reproduction conditions for BB:
      - Block 0 is read by the user with DoIo
      - DOS0 or 1 with expansion.lib (checksum) is found
      - Error: in my opinion the update command is missing
      - DOESN'T call trackdisk.device
     Reproduction conditions for file link:
      - File is not infected already (98-test)
      - max. filesize #600000 bytes
      - min. filesize #2800 bytes
      - 3E9-hunk is found with loop
      - Disk validated
      - min. 4 Blocks free
      - RTS is found (max. loop $3F)
      - RTS will be replaced by bra.s or NOP (if RTS is at the
          very end of the first hunk)
     Leaves out 3E8, 3F0, 3F1 hunks and so on !!!
     This thing doesn't show itself

     Hint:
     During tests, defective files were also created

     Hint 2:
     Please prepare a bootdisk for VT


--------------------------------------------------------------
 Translated to English by Frank Cieslewicz © 2001 VHT-Denmark
 Org. Test by Heiner Schneegold.
--------------------------------------------------------------
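
Added example (not part of the original VT text and not VT's own code): a Python check that looks for the unencoded text from the dump above and reports whether it lies inside the file's first 3E9 hunk and whether the file size fits the stated limits plus #920 bytes. That the link part sits inside the first code hunk is an assumption drawn from the RTS/bra.s notes; the function names and the sample file are constructed for illustration.

```python
import struct

MARKER = b"<> Happy New Year 98 <>"        # readable text from the page's hex dump
HUNK_HEADER, HUNK_NAME, HUNK_CODE, HUNK_DEBUG = 0x3F3, 0x3E8, 0x3E9, 0x3F1
LINK_SIZE, MIN_HOST, MAX_HOST = 920, 2800, 600000   # figures given on the page

def first_code_hunk(data):
    """Return (start, end) byte offsets of the first 3E9 hunk's body, or None."""
    def u32(off):
        if off < 0 or off + 4 > len(data):
            raise ValueError("truncated or malformed hunk file")
        return struct.unpack_from(">I", data, off)[0]
    if len(data) < 4 or u32(0) != HUNK_HEADER:
        return None
    try:
        pos = 4
        while (n := u32(pos)) != 0:          # resident library names (normally none)
            pos += 4 + 4 * n
        first, last = u32(pos + 8), u32(pos + 12)
        pos += 16 + 4 * (last - first + 1)   # skip table size, first, last, size table
        while True:
            kind = u32(pos) & 0x3FFFFFFF     # top two bits are memory flags
            size = 4 * (u32(pos + 4) & 0x3FFFFFFF)
            if kind == HUNK_CODE:
                return pos + 8, min(pos + 8 + size, len(data))
            if kind not in (HUNK_NAME, HUNK_DEBUG):
                return None                  # anything else: give up, no guessing
            pos += 8 + size
    except ValueError:
        return None

def scan(data):
    """Report where the marker sits and whether that matches the page's notes."""
    at = data.find(MARKER)
    if at < 0:
        return None
    hunk = first_code_hunk(data)
    return {
        "offset": at,
        "in_first_code_hunk": bool(hunk) and hunk[0] <= at < hunk[1],
        "size_in_window": MIN_HOST + LINK_SIZE <= len(data) <= MAX_HOST + LINK_SIZE,
    }

def constructed_sample(with_marker=True):
    """Constructed input: one 3E9 hunk of NOPs, optionally ending in the marker text."""
    body = b"\x4e\x71" * 2000 + (MARKER + b"\x00" if with_marker else b"")
    n = len(body) // 4
    head = struct.pack(">8I", HUNK_HEADER, 0, 1, 0, 0, n, HUNK_CODE, n)
    return head + body + struct.pack(">I", 0x3F2)    # 0x3F2 = HUNK_END
```

A hit outside the first code hunk (for example in a bootblock image) is still reported, with in_first_code_hunk set to False.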
