TERRORISTS Virus (10-February-1991)

Entry...............: TERRORISTS Virus
Alias(es)...........: ---
Virus Strain........: BGS 9 virus strain
Virus detected when.: MAY 1990 (when VTC received virus code)
              where.: North Germany
Classification......: link virus (renaming), resident
Length of Virus.....: 1. length on storage medium: 2608 byte
                      2. length in RAM           : 2608 byte
--------------------- Preconditions ----------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/33.166, 1.2/33.180, 1.3/34.5
Computer model(s)...: AMIGA 500, AMIGA 1000, AMIGA 2000A, AMIGA 2000B
--------------------- Attributes -------------------------------------
Easy Identification.: typical text: "TTV1" at end of virus
                         (length=2608 byte)
                      identification on disk: a file in ROOT- and/or
                         DEVS-directory is named with following
                         unprintable string:
                         $A0,$20,$20,$20,$A0,$20,$20,$A0,$20,$A0,$A0;
                         length of first command in startup-sequence
                         seems to be altered to 2608 byte (because
                         file is not original anymore)
Type of infection...: self-identification method: virus searches for
                         a file in devs- or root directory named with
                         this unprintable string:
                         $A0,$20,$20,$20,$A0,$20,$20,$A0,$20,$A0,$A0
                      system infection: RAM resident, reset resident
Infection Trigger...: reset (CONTROL+Left-AMIGA+Right-AMIGA)
Storage media affected: bootable floppy disks (3.5" and 5.25"),
                      bootable RAM disks, bootable hard disks
Interrupts hooked...: ---
Damage..............: permanent damage: overwriting bootblock;
                      transient damage: screen buffer manipulation:
                         screen becomes black, a graphic with
                         following text is displayed:
                         "a computer virus is a disease
                          terrorism is a transgression
                          software piracy is a crime
                          this is the cure
                          BGS9 Bundesgrenzschutz Sektion 9
                          Sonderkommando 'EDV' "
Damage Trigger......: permanent damage: reset (CONTROL+LEFT-AMIGA
                         +RIGHT-AMIGA)
                      transient damage: 4 resets (to be run until
                         initial CLI window appears)
Particularities.....: other resident programs using the system
                      resident list (KickTagPointer, KickMem Pointer)
                      are shutdown; name of resident task is "TTV1"
                      (see string in bootblock); when virus doesn't
                      find a DEVS directory, it uses the root; first
                      command in startup-sequence is renamed to a
                      file named with following unprintable string:
                      $A0,$20,$20,$20,$A0,$20,$20,$A0,$20,$A0,$A0
                      (in DEVS- or root directory if available), and
                      virus is written to directory the command comes
                      from using the same name; next time, virus will
                      be called first before original command is
                      executed
Similarities........: 100% clone of the BGS 9 virus, only name of the
                      relocated carrier (DEVS:) is different (see
                      above); problems show when other resident
                      programs such as harddisk devices are installed;
                      same problem (=guru meditation when started
                      from startup-sequence) also occurs with BGS 9
--------------------- Agents -----------------------------------------
Countermeasures.....: Names of tested products of Category 1-6:
                      Category 1: .2 Monitoring System Vectors:
                                     CHECKVECTORS 2.3
                                  .3 Monitoring System Areas:
                                     CHECKVECTORS 2.3, GUARDIAN 1.2,
                                     VIRUS-DETEKTOR 1.1
                      Category 2: Alteration Detection: ---
                      Category 3: Eradication: CHECKVECTORS 2.3,
                                     BGS9-PROTECTOR,
                                     VIRUS-DETEKTOR 1.1
                      Category 4: Vaccine: BGS9-PROTECTOR
                      Category 5: Hardware Methods: ---
                      Category 6: Cryptographic Methods: ---
Countermeasures successful: CHECKVECTORS 2.3, BGS9-PROTECTOR
Standard means......: CHECKVECTORS 2.3 with deletion of "no name"
                      file entry (see above) using a disk manager and
                      correction of startup-sequence (removal) and
                      creating two files named with the following
                      unprintable string
                      "$A0,$20,$20,$20,$A0,$20,$20,$A0,$20,$A0,$A0"
                      to vaccinate disk (one file has to be placed in
                      ROOT-, the other in DEVS-directory);
                      BGS9-PROTECTOR
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Alfred Manthey Rojas
Documentation by....: Alfred Manthey Rojas
Date................: 10-February-1991
Information Source..: ---
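
The identification attributes above (marker file name in ROOT or DEVS, 2608-byte body ending in "TTV1") can be checked over the files of a volume extracted to a host directory. This is an added example, not part of the catalog entry or of any listed product; the function names and the extracted-directory layout are assumptions.

```python
import os

# Values taken from the entry above.
MARKER = bytes([0xA0, 0x20, 0x20, 0x20, 0xA0, 0x20, 0x20, 0xA0, 0x20, 0xA0, 0xA0])
VIRUS_LEN = 2608          # length on storage medium
VIRUS_TAIL = b"TTV1"      # typical text at end of virus

def scan_tree(root):
    """Yield (relative_dir, name, size, last4) for each file under root.

    Assumption: the volume was extracted to a host directory with its raw
    byte file names preserved, so paths are handled as bytes throughout.
    """
    root = os.fsencode(root)
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        rel = b"" if rel == b"." else rel
        for name in files:
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            with open(path, "rb") as fh:
                fh.seek(max(size - 4, 0))
                tail = fh.read(4)
            yield rel, name, size, tail

def classify(entries):
    """Return (verdict, virus_files, marker_files) for scan_tree-style entries."""
    virus, markers = [], []
    for rel, name, size, tail in entries:
        # Marker counts only in ROOT or DEVS; AmigaDOS names ignore case.
        if name == MARKER and rel.lower() in (b"", b"devs"):
            markers.append((rel, name))
        # Virus body: replaced first startup-sequence command.
        if size == VIRUS_LEN and tail == VIRUS_TAIL:
            virus.append((rel, name))
    if virus:
        verdict = "infected"      # a marker file here is the renamed original command
    elif markers:
        verdict = "marker-only"   # vaccinated disk, or marker left after cleanup
    else:
        verdict = "clean"
    return verdict, virus, markers
```

A "marker-only" result matches both a vaccinated disk and a disk where the virus body was removed but the renamed command was left behind, so the startup-sequence still needs a manual look.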