
     Name         : TeleCom

     Aliases      : -

     Clone        : -

     Type/size    : File/756

     Symptoms     : -

     Discovered   : ?

     Way to infect: File infection

     Rating       : Less Dangerous

     Kickstarts   : only 1.3 with Ranger RAM ($C00000)

     Damage       : -

     Manifestation: -

     Removal      : Delete file.

     Comments     : The virus uses the CoolCapture vector to stay
                    resident in memory. It is always at the same
                    address in memory ($C71000). After a reset the
                    virus patches the DoIO(), FindResident(), and
                    later the OpenWindow() vectors. If you are booting
                    from a disk the virus does the following:

                    a) It checks with the help of DoIO() whether the
                       disk is write protected. If not, the virus
                       stores a value at a memory address. This value
                       is later used by the OpenWindow() patch to check
                       whether the disk was write protected.

                    b) The virus patches the FindResident()
                       vector. Some time later, this patch installs
                       a new patch in the OpenWindow() vector.

                    c) This new patch infects the root directory of the
                       disk by creating the virus file ($A0) and
                       modifying the startup-sequence.

                    The string "s/startup-sequence" in the virus is
                    encoded with a simple EOR loop (eor.b #$27,(a1)+).
                    In the decoded virus you can read "TeleCom".

                     NOTE: I wonder how such a virus could spread itself.
                     ^^^^^ -> The memory Ranger RAM is rare.
                           I think this virus must be an older one.

A.D 12-93
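
The following scanner is an added example, not part of the original entry. It looks for the indicators the entry gives: the file size of 756 bytes and the string "s/startup-sequence" encoded with EOR #$27. The function names, the report layout and the test image are assumptions made for illustration; the test image is constructed, not a real sample.

```python
"""Scan a file image for the TeleCom indicators given in the entry above."""

XOR_KEY = 0x27                     # from the entry: eor.b #$27,(a1)+
PATH = b"s/startup-sequence"       # string the entry says is encoded
NAME = b"TeleCom"                  # string readable in the decoded virus
VIRUS_SIZE = 756                   # from the entry: Type/size File/756


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Apply the single-byte EOR to every byte (encoding and decoding are the same)."""
    return bytes(b ^ key for b in data)


def find_all(haystack: bytes, needle: bytes) -> list[int]:
    """Return every offset at which needle occurs, including overlapping hits."""
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits


def scan(image: bytes) -> dict:
    """Report where the encoded path and the name string occur in a file image."""
    report = {
        "size_matches": len(image) == VIRUS_SIZE,
        "encoded_path_offsets": find_all(image, xor_bytes(PATH)),
        # Assumption: the entry does not say whether "TeleCom" sits in the same
        # EOR-coded region, so both the plain and the encoded form are searched.
        "name_offsets": sorted(find_all(image, NAME) + find_all(image, xor_bytes(NAME))),
    }
    report["suspicious"] = bool(report["encoded_path_offsets"]) and (
        report["size_matches"] or bool(report["name_offsets"]))
    return report


def constructed_sample() -> bytes:
    """Constructed 756-byte test image, not a real sample: filler plus the strings."""
    body = bytearray(b"\x4e\x71" * (VIRUS_SIZE // 2))      # 68000 NOP filler
    body[100:100 + len(PATH)] = xor_bytes(PATH)
    body[200:200 + len(NAME)] = xor_bytes(NAME)
    return bytes(body)


if __name__ == "__main__":
    print(scan(constructed_sample()))
    print(scan(b"echo hello\n" + PATH + b"\n"))   # plain text naming the path: clean
```

A file that only mentions the path in plain text is not flagged, because the scanner matches the EOR-encoded byte sequence rather than the readable string.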
