===== Computer Virus Catalog 1.2: SADDAM file Virus (31-July-1993) =====
Entry...............: SADDAM_file Virus
Alias(es)...........: ---
Virus Strain........: SADDAM Virus Strain
Virus detected when.: ---
              where.: ---
Classification......: File (!) variant of SADDAM virus, memory resident
Length of Virus.....: 1. Length on storage medium: 1848 byte
                      2. Length in RAM          : 1936 byte
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/all, 1.3/all
Computer model(s)...: All AMIGA models
--------------------- Attributes ---------------------------------------
Easy Identification.: A req.library is found with 1848 bytes length.
Type of infection...: Self-identification method:
                        Virus searches for an encryption byte in
                        req.library on disk and compares it with its own.
                      System infection:
                        Virus replaces the library called "req.library"
                        in the libs: directory on inserted diskettes; the
                        replacement contains the following system
                        routines/vectors (same as SADDAM virus):
                        System routines:
                          - BeginIO (trackdisk.device)
                          - Close (trackdisk.device)
                          - InitResident (exec.library)
                          - OpenWindow (intuition.library)
                        System vectors:
                          - ColdCapture (execbase)
                          - CoolCapture (execbase)
                          - KickTagPtr (resident struct.)
Infection Trigger...: 1) Opening req.library by exec function calls
                      2) OpenLibrary or OldOpenLibrary
Storage media affected: Any floppy disk (every trackdisk.device)
Interrupts hooked...: Vertical Blank interrupt works like a watchdog,
                      which guarantees that the virus will stay in
                      memory (same as SADDAM virus).
Damage..............: Permanent damage:
                        1. If no req.library program exists on the
                           diskette or no L: directory, both are built,
                           replacing req.library on disk.
                        2. Virus destroys a block by writing "LOOM" over
                           existing data.
                        3. Virus makes the Bitmap NOT VALID, so running
                           Disk-Validator next time will infect the
                           system (same as SADDAM).
                        4. Virus starts disk-head stepping in all floppy
                           drives and writing on disk (if writeable),
                           which will result in trackdisk errors (same
                           as SADDAM).
                      Transient damage:
                        Mouse pointer will disappear, and an Alert will
                        be displayed with the text: "LOOOOM VIRUS".
                        After pressing the mouse button, cold reset.
Damage Trigger......: Permanent damage:
                        1) insertion of a diskette
                        2) reading a Datablock
                        3) accessing the rootblock
                      Transient damage:
                        reading the bootblock after a certain time.
Particularities.....: 1) Virus uses direct Dos.Library jumps.
                      2) Virus encrypts itself upon every infection with
                         another pseudo-random number.
                      3) Virus installs a message port which is called
                         "mycon.write".
Similarities........: Similar to SADDAM LOOM Virus but as file infector;
                      other SADDAM variants are boot infectors.
--------------------- Agents -------------------------------------------
Countermeasures.....: VirusZ 3.06, VT 2.54, VirusChecker 6.28
Countermeasures successful: VirusZ 3.06, VT 2.54, VirusChecker 6.28
Standard means......: VT 2.54
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Jens Vogler
Documentation by....: Jens Vogler
Date................: 31-July-1993
Information Source..: Reverse analysis of virus code
===================== End of SADDAM file Virus =========================
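The three indicators the entry gives (a req.library of exactly 1848 bytes, a data block overwritten with "LOOM", and a root block whose bitmap flag has been made NOT VALID) can be checked offline on a disk image. The following Python checker is an added example, not part of the catalog entry or of any named scanner; it assumes a standard 880 KB double-density ADF image (1760 blocks of 512 bytes, root block 880, bm_flag at offset 312 of the root block, where 0xFFFFFFFF means valid) and builds constructed sample images to run against.

```python
import struct
from pathlib import Path

BLOCK = 512
ROOT_BLOCK = 880                # root block of a standard 1760-block DD floppy image
BM_FLAG_OFF = BLOCK - 200       # root block bm_flag field; 0xFFFFFFFF = bitmap valid
REQ_LIBRARY_LEN = 1848          # length of the infected req.library per the catalog entry
LOOM_MARK = b"LOOM"             # string the virus writes over a destroyed block


def bitmap_valid(image: bytes) -> bool:
    """True if the root block still marks the block bitmap as valid (the virus clears it)."""
    off = ROOT_BLOCK * BLOCK + BM_FLAG_OFF
    (flag,) = struct.unpack(">I", image[off:off + 4])
    return flag == 0xFFFFFFFF


def loom_blocks(image: bytes) -> list:
    """Block numbers whose first four bytes read 'LOOM' (destroyed-block heuristic)."""
    return [n for n in range(len(image) // BLOCK)
            if image[n * BLOCK:n * BLOCK + 4] == LOOM_MARK]


def suspicious_req_library(libs_dir) -> list:
    """Files named req.library (any case, as on AmigaDOS) with the infected length."""
    return [p for p in Path(libs_dir).rglob("*")
            if p.is_file() and p.name.lower() == "req.library"
            and p.stat().st_size == REQ_LIBRARY_LEN]


def scan_adf(image: bytes) -> dict:
    """Combine the on-disk indicators into one verdict for an image."""
    return {"bitmap_valid": bitmap_valid(image), "loom_blocks": loom_blocks(image)}


def make_sample_adf(infected: bool) -> bytes:
    """Constructed sample image: clean has a valid bitmap flag; infected has the flag
    cleared and block 1000 overwritten with the LOOM marker (block number chosen here)."""
    img = bytearray(1760 * BLOCK)
    struct.pack_into(">I", img, ROOT_BLOCK * BLOCK + BM_FLAG_OFF, 0xFFFFFFFF)
    if infected:
        struct.pack_into(">I", img, ROOT_BLOCK * BLOCK + BM_FLAG_OFF, 0)
        img[1000 * BLOCK:1000 * BLOCK + 4] = LOOM_MARK
    return bytes(img)


if __name__ == "__main__":
    for label, flag in (("clean", False), ("infected", True)):
        print(label, scan_adf(make_sample_adf(flag)))
```

A bitmap that is merely NOT VALID can also result from an unclean disk removal, so treat that indicator as corroborating rather than conclusive on its own.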