"BGS 9" Virus (5-June-1990) Entry...............: "BGS 9" (=Bundesgrenzschutz Sektion 9) Virus Alias(es)...........: --- Virus Strain........: --- Virus detected when.: June 1989 where.: Elmshorn, FRG Classification......: link virus (renaming), resident Length of Virus.....: 1. length on storage medium: 2608 byte 2. length in RAM : 2608 byte --------------------- Preconditions ----------------------------------- Operating System(s).: AMIGA-DOS Version/Release.....: 1.2/33.166, 1.2/33.180, 1.3/34.5 Computer model(s)...: AMIGA 500, AMIGA 1000, AMIGA 2000A, AMIGA 2000B --------------------- Attributes -------------------------------------- Easy Identification.: typical text: 'TTV1' at the end of the virus (length is 2608 byte) identification on disk: a file in ROOT- and/or DEVS-directory is named with the following unprintable string: $A0,$A0,$A0,$20,$20,$20,$A0,$20,$20,$20,$A0, length of first command in startup-sequence seems to be altered to 2608 byte (because the file isn't the original anymore) Type of infection...: self-identification method: virus searches for a file in devs- or root directory named with the following unprintable string: $A0,$A0,$A0,$20,$20,$20,$A0,$20,$20,$20,$A0 system infection: RAM resident, reset resident Infection Trigger...: reset (CONTROL + Left-AMIGA + Right-AMIGA) Storage media affected: bootable floppy disks ( 3.5'' and 5.25'' ), bootable ram disks, bootable hard disks Interrupts hooked...: --- Damage..............: permanent damage: overwriting bootblock transient damage: screen buffer manipulation: screen becomes black, a graphic with following text is shown: 'a computer virus is a disease terrorism is a transgression software piracy is a crime this is the cure BGS9 Bundesgrenzschutz Sektion 9 Sonderkommando "EDV" ' Damage Trigger......: permanent damage: reset (CONTROL + LEFT-AMIGA + RIGHT-AMIGA) transient damage: 4 resets (have to be run until initial CLI window appears ) Particularities.....: other resident programs using the 
system resident list (KickTagPointer,KickMemPointer) are shutdown; name of its resident task is 'TTV1' (see string in bootblock code) when the virus doesn't find a DEVS directory, it uses the root. first command in startup-sequence is renamed to a file named with the following unprintable string: '$A0,$A0,$A0,$20,$20,$20,$A0,$20,$20, $20,$A0' (in DEVS- or in root directory if available) and the Virus is written to the directory. the command comes from using the same name, next time the virus will be called first before the original command is executed. Similarities........: --- --------------------- Agents ------------------------------------------ Countermeasures.....: Names of tested products of Category 1-6: Category 1: .2 Monitoring System Vectors: 'CHECKVECTORS 2.2' .3 Monitoring System Areas: 'CHECKVECTORS 2.2','GUARDIAN 1.2', 'VIRUSX 4.0' Category 2: Alteration Detection: --- Category 3: Eradication: 'CHECKVECTORS 2.2', 'BGS9-PROTECTOR', 'VIRUSX 4.0' Category 4: Vaccine: 'BGS9-PROTECTOR' Category 5: Hardware Methods: -- Category 6: Cryptographic Methods: --- Countermeasures successful: 'CHECKVECTORS 2.2', 'BGS9-PROTECTOR' Standard means......: 'CHECKVECTORS 2.2' (removal) and creating two files named with the following unprintable string '$A0,$A0,$A0,$20,$20,$20,$A0, $20,$20,$20,$A0' for vaccinate disk (one file has to be placed in the ROOT- and one in DEVS- directory), 'BGS9-PROTECTOR' --------------------- Acknowledgement --------------------------------- Location............: Virus Test Center, University Hamburg, FRG Classification by...: Wolfram Schmidt, Alfred Manthey Rojas Documentation by....: Alfred Manthey Rojas Date................: 5-June1990 Information Source..: --- .
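
The on-disk identification criteria above (the marker file name in ROOT/DEVS, the 2608-byte length and the 'TTV1' text) can be checked over a directory tree extracted from a disk image. This is an added example, not part of the original catalog entry or of any product it names. It assumes the extraction tool either preserved the raw file name bytes or transcoded them from Latin-1 to UTF-8; `scan_volume`, `find_subdir` and the status strings are names made up here.

```python
import os

# Marker file name given in the entry: $A0,$A0,$A0,$20,$20,$20,$A0,$20,$20,$20,$A0
MARKER = bytes([0xA0, 0xA0, 0xA0, 0x20, 0x20, 0x20, 0xA0, 0x20, 0x20, 0x20, 0xA0])
# Assumption: the extraction tool may have transcoded Latin-1 names to UTF-8.
MARKER_NAMES = {MARKER, MARKER.decode("latin-1").encode("utf-8")}
VIRUS_LEN = 2608      # length on storage medium, per the entry
SIGNATURE = b"TTV1"   # typical text, per the entry


def find_subdir(parent: bytes, name: bytes):
    """Case-insensitive lookup (AmigaDOS names are case-insensitive)."""
    for entry in os.listdir(parent):
        path = os.path.join(parent, entry)
        if entry.lower() == name and os.path.isdir(path):
            return path
    return None


def scan_volume(root) -> dict:
    """Report BGS 9 indicators found in an extracted volume's directory tree."""
    root = os.fsencode(root)
    markers, suspects = [], []
    # The entry places the marker file in the ROOT and/or DEVS directory.
    for d in filter(None, (root, find_subdir(root, b"devs"))):
        markers += [os.path.join(d, e) for e in os.listdir(d) if e in MARKER_NAMES]
    # The virus body takes the place of a command file: 2608 bytes with 'TTV1'.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) != VIRUS_LEN:
                continue
            with open(path, "rb") as fh:
                if SIGNATURE in fh.read():
                    suspects.append(path)
    if suspects:
        status = "suspected infection"
    elif markers:
        status = "marker only"   # e.g. a disk vaccinated as the entry describes
    else:
        status = "clean"
    return {"status": status, "marker_files": markers, "suspect_files": suspects}
```

A marker file on its own does not distinguish an infected disk from one vaccinated as described under "Standard means", so only a 2608-byte file containing 'TTV1' is reported as a suspected infection.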