====== Computer Virus Catalog 1.2: LAMER 2.0 Virus (5-June-1990) ======
Entry...............: LAMER 2.0 Virus
Alias(es)...........: LAMER EXTERMINATOR Virus
Virus Strain........: LAMER EXTERMINATOR Virus
Virus detected when.: April 1989
              where.: Elmshorn, FRG
Classification......: system virus (bootblock), resident
Length of Virus.....: 1. length on storage medium: 1024 byte
                      2. length in RAM           : 1024 byte
--------------------- Preconditions -----------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/33.166, 1.2/33.180, 1.3/34.5
Computer model(s)...: AMIGA 500, AMIGA 1000, AMIGA 2000A, AMIGA 2000B
--------------------- Attributes --------------------------------------
Easy Identification.: typical text: bootblock: ---
                                    in memory: 'The LAMER Exterminator !!!'
Type of infection...: self-identification method: 423rd word ($ABCD) on
                         bootblock kicktag pointer = pointer to virus
                         code
                      system infection: RAM resident, reset resident,
                         bootblock
Infection Trigger...: reset (CONTROL + Left-AMIGA + Right-AMIGA)
                      operation: any disk access
Storage media affected: floppy disks (3.5" and 5.25")
Interrupts hooked...: ---
Damage..............: permanent damage: overwrites bootblock; simulates
                         standard bootblocks when examined with any
                         tool; fast formatting disks
                      transient damage: ---
Damage Trigger......: permanent damage: reset operation: 2 resets and
                         3 infections
                      transient damage: ---
Particularities.....: uses StartIOVector; other resident programs using
                      the system resident list (KickTagPointer,
                      KickMemPointer) are shut down; virus has also
                      been found in a trojan horse version; virus is
                      linked to the 'LoadWB' command of CLI, so the
                      infection of the system and the non-standard
                      bootblocks produced by this virus aren't detected
                      by many virus tools (see above); trojan horse
                      version isn't a link virus! Virus text is uncoded
                      here and may be read with hexdump tools.
                      This version contains a small code section to
                      make the virus resident beside the original LAMER
                      bootblock; after implantation of the virus the
                      real 'LoadWB' command is executed. Virus encodes
                      itself at every new infection from byte 73; the
                      first 72 bytes remain unchanged except bytes 5-8
                      (bootblock checksum).
Similarities........: LAMER EXTERMINATOR viruses
--------------------- Agents ------------------------------------------
Countermeasures.....: Names of tested products of Category 1-6:
                      Category 1: .2 Monitoring System Vectors:
                                     'CHECKVECTORS 2.2'
                                  .3 Monitoring System Areas:
                                     'CHECKVECTORS 2.2', 'GUARDIAN 1.2',
                                     'VIRUSX 4.0'
                      Category 2: Alteration Detection: ---
                      Category 3: Eradication: 'CHECKVECTORS 2.2',
                                     'VIRUSX 4.0'
                      Category 4: Vaccine: ---
                      Category 5: Hardware Methods: ---
                      Category 6: Cryptographic Methods: ---
Countermeasures successful: without restrictions: 'CHECKVECTORS 2.2',
                               'VIRUSX 4.0'
                            with restrictions: 'GUARDIAN 1.2'
Standard means......: 'CHECKVECTORS 2.2'
--------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Alfred Manthey Rojas
Documentation by....: Alfred Manthey Rojas
Date................: 5-June-1990
Information Source..: ---
===================== End of LAMER (EXTERMINATOR) 2.0 Virus ===========