Introduction
Byte Bandit is a bootblock virus written for the Commodore Amiga. It is very common and well-known in the Amiga community and was discovered in late 1987. Because it is not encrypted, some simple clones exist in which only the visible virus text in the bootblock has been changed.
There are also several other variants of this virus (Byte Bandit 2, Byte Bandit 3 and Byte Bandit Imitation) which behave slightly differently. Rumour has it that these variants were not made by the original author.
This virus was a template for many other Amiga viruses; for example, the Joshua 1 virus uses exactly the same routine to become memory-resident, and its timer routine is almost the same as well!
Summary
- Overwrites the original bootblock of any unprotected disk inserted in the floppy drive of an Amiga computer
- Uses BeginIO() of the trackdisk.device for infection
- Stays resident in memory by using KickTag
- Hooks ExecVec5 interrupt
- Is not encrypted
Details
After booting from an infected disk, the virus copies itself to a RAM location which it derives from the MemList structure of the exec base. The virus then makes itself resident using KickTag and hooks the BeginIO() vector of the trackdisk.device in order to infect other disks. Finally, the virus installs a new interrupt by using ExecVec5.
This is the routine with which the virus determines its RAM location:
getram:
move.l 4.w,a6          ; a6 = ExecBase
(...)
lea $142(a6),a0        ; a0 = ExecBase->MemList (list header)
movea.l (a0),a0        ; a0 = first MemHeader on the list (lh_Head)
movea.l $18(a0),a1     ; a1 = mh_Upper of that first MemHeader
This works on Amiga computers with only 512 KB of ChipRam. If the Amiga has been equipped with an old 512 KB RangerRam extension (most RAM extensions of that time were RangerRam/SlowRam), the above routine calculates a location which is not in ChipRam. This means that the virus is activated and functions normally, except that no bootblocks are written (so no disks are infected!). Obviously the programmer had no RAM extension; this is a major bug.
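To make the consequence of this list walk concrete, here is a small Python model of ExecBase's MemList. It is an added illustration, not code from the page or from the virus: it mirrors the three instructions above (first MemHeader on the list, read its mh_Upper) and then asks whether the resulting address lies in chip memory. The memory ranges are the usual ones for an A500-class machine; the MemHeader priorities are assumptions made for this illustration (exec keeps the list sorted with the highest priority first, which is what puts the expansion RAM ahead of ChipRam).

```python
from dataclasses import dataclass

# exec memory attribute flags (exec/memory.h)
MEMF_CHIP = 1 << 1
MEMF_FAST = 1 << 2


@dataclass
class MemHeader:
    name: str
    pri: int          # ln_Pri: MemList is kept sorted, highest priority first
    attributes: int   # mh_Attributes
    lower: int        # mh_Lower
    upper: int        # mh_Upper, the field at offset $18 read by the virus


def build_memlist(headers):
    """Order headers the way exec's Enqueue() does: descending priority."""
    return sorted(headers, key=lambda h: h.pri, reverse=True)


def virus_target(memlist):
    """Mirror of the getram routine: take the first MemHeader on
    ExecBase->MemList and use its mh_Upper as the base for the resident copy."""
    return memlist[0].upper


def is_chip_address(memlist, addr):
    """True if addr falls inside a MemHeader flagged MEMF_CHIP."""
    return any(h.attributes & MEMF_CHIP and h.lower < addr <= h.upper
               for h in memlist)


def analyse(headers):
    """Return (address the virus would pick, whether that address is ChipRam)."""
    memlist = build_memlist(headers)
    target = virus_target(memlist)
    return target, is_chip_address(memlist, target)


# Assumed machine layouts (constructed for this illustration).
CHIP_512K = MemHeader("chip", -10, MEMF_CHIP, 0x000400, 0x080000)
SLOW_512K = MemHeader("ranger/slow", -5, MEMF_FAST, 0xC00000, 0xC80000)


if __name__ == "__main__":
    for label, headers in (("512K chip only", [CHIP_512K]),
                           ("512K chip + 512K ranger", [CHIP_512K, SLOW_512K])):
        addr, chip = analyse(headers)
        print(f"{label}: target ${addr:06X}, in ChipRam: {chip}")
```

On the chip-only machine the first header is ChipRam and the target is its upper bound, $080000. With the RangerRam board fitted, the higher-priority expansion header comes first and the target becomes $C80000, outside ChipRam, which is exactly the case in which the resident virus runs but never writes a bootblock.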
The interrupt routine runs in the background. Here the virus checks whether the Amiga has been reset at least 2 times and at least 6 infections have already happened. If so, a counter is started, and after approx. 7 minutes the screen turns dark and no keys are accepted anymore, except for one key combination which disables this state: LEFT-ALT + LEFT-AMIGA + SPACE + RIGHT-AMIGA + RIGHT-ALT
At the beginning of the virus bootblock you can read the following text:
0000h: 44 4F 53 00 41 D2 5F 36 00 00 03 70 60 00 00 3E ; DOS.AÒ_6...p`..>
0010h: 56 69 72 75 73 20 62 79 20 42 79 74 65 20 20 20 ; Virus by Byte
0020h: 42 61 6E 64 69 74 20 69 6E 20 20 39 2E 38 37 2E ; Bandit in 9.87.
0030h: 4E 75 6D 62 65 72 20 6F 66 20 20 20 20 20 20 20 ; Number of
0040h: 63 6F 70 79 73 20 3A 00 00 00 08 FD 48 E7 7F 7F ; copys :....ýHç
After the colon you can see a counter which is increased after each infection. My copy of the virus has the counter $8FD, which is 2301 in decimal(!). Here you can see how widespread this virus was [1]!
[1] Other viruses with a built-in infection counter had values between 50 and 300!
Clones and variants