Introduction
Black Knight is a computer virus written for the Commodore Amiga. It is a simple boot virus.
Summary
- Overwrites the original bootblock of an unprotected disk inserted in the floppy drive
- The virus is not encrypted
- Hooks the DoIO() vector of exec.library for infection
- Makes itself reset-resident by using CoolCapture
Details
After booting from an infected disk, the virus copies itself to memory location $7F300. Unlike with other, typically older, boot viruses on the Amiga, this memory location can't be overwritten by AmigaOS afterwards, because the virus marks the area as allocated by calling AllocAbs() of exec.library.
Then the virus makes itself reset-resident by using CoolCapture and finally hooks the DoIO() vector of exec.library in order to infect other disks.
Although the virus code itself isn't encrypted, the bootblock contains an encrypted text, which can be made visible by executing the following code (also found in the bootblock but never executed):
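decrypt_text:
    lea     hidden_text(pc),a1      ;Pointer to hidden/encrypted text.
    move.l  #5,d0                   ;Loop counter: dbf runs the body 6 times (6 longwords = 24 bytes).
.loop:
    eori.l  #$424C4B21,(a1)+        ;XOR one longword in place with the key 'BLK!'.
    dbf     d0,.loop
    rte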
After that, the following text is readable:
01f0h: 79 00 43 FA 00 14 20 3C 00 00 00 05 0A 99 42 4C ; y.Cú.. <.....™BL
0200h: 4B 21 51 C8 FF F8 4E 73 42 4C 41 43 4B 20 4B 4E ; K!QÈÿøNsBLACK KN
0210h: 49 47 48 54 20 28 31 32 2F 31 31 2F 39 31 29 20 ; IGHT (12/11/91)
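For analysts who want to recover the string without running 68000 code, the following added example (not part of the original write-up and not code from the virus) finds the unused routine by its opcode words, reads the key and loop count from its operands, and applies the same XOR. The function names are hypothetical, the sample block is constructed from the bytes in the dump above with the text re-encrypted, and the 1024-byte block size is an assumption.

```python
import struct

# Opcode words as they appear in the page's hex dump (68000, big-endian).
LEA_PC_A1 = b"\x43\xfa"       # lea d16(pc),a1
MOVE_L_IMM_D0 = b"\x20\x3c"   # move.l #imm32,d0
EORI_L_A1_POST = b"\x0a\x99"  # eori.l #imm32,(a1)+
DBF_D0 = b"\x51\xc8"          # dbf d0,<disp16>


def find_hidden_text(block):
    """Return (text_offset, key, longword_count) or None if no routine is found."""
    pos = block.find(LEA_PC_A1)
    while pos != -1:
        if (pos % 2 == 0  # 68000 instructions are word-aligned
                and block[pos + 4:pos + 6] == MOVE_L_IMM_D0
                and block[pos + 10:pos + 12] == EORI_L_A1_POST
                and block[pos + 16:pos + 18] == DBF_D0):
            disp, = struct.unpack_from(">h", block, pos + 2)
            count, = struct.unpack_from(">I", block, pos + 6)
            key = block[pos + 12:pos + 16]
            # The PC-relative base is the address of the displacement word,
            # and dbf executes the loop body count + 1 times.
            return pos + 2 + disp, key, count + 1
        pos = block.find(LEA_PC_A1, pos + 1)
    return None


def decrypt_hidden_text(block):
    """Statically apply the routine's XOR and return the decoded string."""
    hit = find_hidden_text(block)
    if hit is None:
        raise ValueError("decrypt routine not found")
    start, key, n = hit
    cipher = block[start:start + 4 * n]
    if start < 0 or len(cipher) != 4 * n:
        raise ValueError("hidden text lies outside the block")
    return bytes(c ^ key[i % 4] for i, c in enumerate(cipher)).decode("latin-1")


def build_sample():
    """Constructed test block: routine bytes from the dump, text re-encrypted."""
    routine = bytes.fromhex("43fa0014203c000000050a99424c4b2151c8fff84e73")
    text = b"BLACK KNIGHT (12/11/91) "
    enc = bytes(c ^ b"BLK!"[i % 4] for i, c in enumerate(text))
    block = bytearray(1024)
    block[0x1F2:0x1F2 + len(routine)] = routine
    block[0x208:0x208 + len(enc)] = enc
    return bytes(block)
```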
While infecting a disk, the virus saves the original structure of the DoIO request to a non-allocated memory address ($7F800-$7F812). This is dirty code: if another program occupies this memory location, the virus overwrites its data and the Amiga may crash:
save_structure:
    move.w  $1C(a1),$7F800          ;io_Command (a1 = I/O request passed to DoIO)
    move.l  $28(a1),$7F802          ;io_Data
    move.l  $2C(a1),$7F806          ;io_Offset
    move.l  $24(a1),$7F80A          ;io_Length
    move.l  $20(a1),$7F80E          ;io_Actual
Clones and variants
None





