======= Computer Virus Catalog 1.2: STARLIGHT Bomb (31-July-1993) ======
Entry...............: Starlight Bomb
Alias(es)...........: Commodore Virus
Virus Strain........: ---
Virus detected when.: ---
              where.: ---
Classification......: Timebomb, non-resident
Length of Virus.....: 1.Length on storage medium: 1752 bytes
                      2.Length in RAM           : 1752 bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-OS
Version/Release.....: 1.2/all, 1.3/all, 2.0/all, 3.0/all
Computer model(s)...: All AMIGA models
--------------------- Attributes ---------------------------------------
Easy Identification.: Typical text: "You have found the Routine ! This
                      is the new Commodore-Virus ! BY STARLIGHT
                      ENTERPRISES 1992" visible at the end of the file.
Type of infection...: None (damage-only)
Infection Trigger...: None
Storage media affected: All disk-like media
Interrupts hooked...: None
Damage..............: Transient/Permanent damage: depending on trigger
                      condition, one of two damages is observed:
                      1) Bomb deletes file "s/startup-sequence" and
                         displays (via DisplayAlert) German text:
                         "Ihr Computer ist ueberhitzt !!! Wenn es nach
                         dem Reset ein absturz gibt SCHALTEN IHN SIE
                         BITTE AUS Commodore 1987"
                         (in English: "Your computer is overheated!!!
                         If after a reset a crash happens PLEASE SWITCH
                         OFF Commodore 1987")
                         and system will crash thereafter.
                      2) Bomb deletes file "s/startup-sequence", creates
                         a directory named "commodore war hier !!"
                         (="Commodore was here!!"), opens CON-window
                         named "REQUEST" to output text:
                         "KEIN VIRUS IN DRIVE DF0: GEFUNDEN !!
                         Commodore 1987"
                         (="NO VIRUS IN DRIVE DF0: FOUND !!Commodore
                         1987"), waits for the left mouse button to be
                         pressed and crashes thereafter.
Damage Trigger......: a) Second execution of program
                      b) Third execution of program
Particularities.....: 1) Upon executing the 2nd damage routine, program
                         requests to disable write protection. While
                         executing the 1st damage routine, an enabled
                         write protection will end the program.
                      2) Program opens and closes used libraries many
                         times and uses different versions of the same
                         name string; the string "dos.library" appears
                         three times in the file.
                      3) The program seems to be patched together from
                         at least three different programs.
                      4) CoolCapture vector is set to text string:
                         "COMMODORE AMIGA !!!"
                      5) Address $66666 is used as a counter without
                         allocating it.
                      6) Useless stuff is written to $C002A4 (located
                         in RangerRAM).
Similarities........: ---
--------------------- Agents -------------------------------------------
Countermeasures.....: VT 2.54, VirusZ 3.06, VirusChecker 6.28
Countermeasures successful: VT 2.54, VirusZ 3.06, VirusChecker 6.28
Standard means......: VT 2.54
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Karim Senoucci
Documentation by....: Karim Senoucci
Date................: 31-July-1993
Information Source..: Virus disassembly / SHI / Heiner Schneegold
===================== End of STARLIGHT bomb ============================