The Australian Parasite
Introduction
The Australian Parasite is a computer virus written for the Commodore Amiga. It is a boot virus written in 1988.
Summary
- Overwrites the original bootblock of an unprotected disk inserted in the floppy drive
- It is not encrypted
- Hooks the DoIO() vector of exec.library
- Uses the BeginIO() vector of trackdisk.device for infection
- Makes itself reset-resident by using CoolCapture
- Does not overwrite bootblocks which do not contain the string "dos.library"
Details
After booting from an infected disk, the virus copies itself to the SysStkLower memory address:
getaddress:
    movea.l 4,a6          ; a6 = ExecBase (pointer stored at address 4)
    movea.l $3A(a6),a0    ; $3a = SysStkLower
Then it allocates 1024 bytes of Chip RAM, makes itself resident by using CoolCapture and finally hooks the DoIO() vector of exec.library.
The next time a DoIO() function call takes place, the virus additionally hooks the BeginIO() vector of trackdisk.device. This hook is what actually infects inserted floppy disks, as follows:
- Checks whether a read or write access to a bootblock is taking place (read accesses to the bootblock occur, for example, when a disk is inserted in the floppy drive)
- No -> End
- Checks if the disk is write-protected
- Yes -> End
- Then it saves the original IO structure to $7EC00 without allocating that memory area. This can cause the Amiga to crash if another program resides at this memory area!
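save_iostruct:
    moveq   #$64,d0       ; loop counter: dbf runs $64+1 = 101 times
    movea.l a1,a2         ; a1 = IO request (copy source)
    lea     $7EC00,a3     ; DIRECT ACCESS TO $7EC00!!
.loop:
    move.b  (a2)+,(a3)+   ; copy one byte of the IO structure
    dbf     d0,.loop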
- Checks if the IO request is a write access (e.g. when the user installs a new bootblock on the disk using the install CLI command)
- Yes -> The disk will be infected
- If it was a read access, the virus first loads the original bootblock into the allocated Chip RAM. It then checks whether the original bootblock contains the string "dos.library"; if it does, the bootblock is infected.
- If there is no string "dos.library" the virus won't infect the disk.
- The reason is that the virus author wants to make sure the bootblock is not a loader for a game or similar. Such bootblocks usually [1] do not contain the string "dos.library".
If the DoIO() hook has been called more than 700 times, the virus will flip your screen contents.
At the end of the virus bootblock you can read the following string:
0360h: 00 00 1C 80 00 00 00 00 54 68 65 20 41 75 73 74 ; ...€....The Aust
0370h: 72 61 6C 69 61 6E 20 50 61 72 61 73 69 74 65 21 ; ralian Parasite!
0380h: 20 42 79 20 47 72 65 6D 6C 69 6E 20 31 38 2F 35 ; By Gremlin 18/5
0390h: 2F 38 38 21 20 57 69 6C 6C 20 4E 4F 54 20 64 65 ; /88! Will NOT de
03a0h: 73 74 72 6F 79 20 67 61 6D 65 20 62 6F 6F 74 73 ; stroy game boots
03b0h: 65 63 74 6F 72 73 20 6F 72 20 63 6F 72 72 75 70 ; ectors or corrup
03c0h: 74 20 64 69 73 6B 73 2C 20 61 6E 64 20 6B 69 6C ; t disks, and kil
03d0h: 6C 73 20 6F 74 68 65 72 20 76 69 72 75 73 65 73 ; ls other viruses
03e0h: 21 20 47 65 6E 65 72 61 74 69 6F 6E 3A 00 00 18 ; ! Generation:...
03f0h: 00 00 20 52 44 41 21 52 44 41 21 52 44 41 21 52 ; .. RDA!RDA!RDA!R
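The text in the dump above and the "dos.library" test described under Details are enough for a simple bootblock triage. The following Python sketch is an added example, not part of the original analysis or of any existing tool. The function names and status labels are hypothetical, the checksum rule is the standard AmigaDOS bootblock rule rather than something stated on this page, and the sample bootblocks are constructed.

```python
import struct

BOOTBLOCK_SIZE = 1024                    # first two 512-byte sectors of the disk
SIGNATURE = b"The Australian Parasite!"  # text visible in the dump above
TARGET_MARKER = b"dos.library"           # string the virus requires before infecting

def carry_sum(block: bytes) -> int:
    """Add the big-endian longwords of the block with end-around carry."""
    total = 0
    for (word,) in struct.iter_unpack(">I", block):
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total

def with_checksum(block: bytes) -> bytes:
    """Set longword 1 so that carry_sum() of the result is 0xFFFFFFFF."""
    zeroed = block[:4] + b"\0" * 4 + block[8:]
    checksum = struct.pack(">I", 0xFFFFFFFF - carry_sum(zeroed))
    return zeroed[:4] + checksum + zeroed[8:]

def classify(image: bytes) -> tuple:
    """Return (status, bootable) for the bootblock at the start of a disk image."""
    block = image[:BOOTBLOCK_SIZE]
    if len(block) < BOOTBLOCK_SIZE:
        raise ValueError("image is shorter than one bootblock")
    # Assumption: "bootable" means DOS magic plus a valid checksum.
    bootable = block[:3] == b"DOS" and carry_sum(block) == 0xFFFFFFFF
    if SIGNATURE in block:
        status = "infected"
    elif TARGET_MARKER in block:
        status = "would-be-infected"   # passes the virus's "dos.library" test
    else:
        status = "would-be-skipped"    # e.g. a custom game loader
    return status, bootable

def make_sample(payload: bytes) -> bytes:
    """Constructed test data: a DOS bootblock carrying payload, checksum fixed."""
    body = b"DOS\0" + b"\0" * 8 + payload
    return with_checksum(body.ljust(BOOTBLOCK_SIZE, b"\0"))

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:   # path to a raw disk image, e.g. an ADF
        print(classify(fh.read(BOOTBLOCK_SIZE)))
```

The text match is a heuristic: a variant with altered text would not be reported as infected.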
Clones and variants
[1] This mechanism is of course no guarantee that the original bootblock is not a loader for a game or similar. It is not generally reliable but in most cases it is.






