Byte Bandit 2

Introduction

Byte Bandit 2 is a boot virus written for the Commodore Amiga. It is a variant of the Byte Bandit virus.

Summary

  • Overwrites the original bootblock of any unprotected disk inserted in the floppy drive of an Amiga computer
  • Uses BeginIO() of the trackdisk.device for infection
  • Stays resident in memory by using KickTag
  • Hooks ExecVec5 interrupt
  • Is not encrypted
  • Only works with Kickstart 1.2

Details

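In contrast to Byte Bandit, this variant calculates the location where it will reside in memory by using the AvailMem() function of exec.library, then subtracting $15000 from the found location:

getlocation:
  move.l  #2,d1           ; d1 = memory attribute flags for AvailMem()
  jsr     -$D8(a6)        ; exec.library AvailMem()
  subi.l  #$15000,d0      ; subtract $15000 from the returned value
  jsr     -$C6(a6)        ; exec.library LVO -$C6 (AllocMem())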

This method does not work on Amiga computers with SlowRam/RangerRam (a RAM extension) installed, because it will always find a SlowRam location. In this case the virus installs itself but does not infect other disks (the same problem Byte Bandit has).

Also, instead of carrying the string "trackdisk.device" in the bootblock, the virus assumes a ROM location where this string is located ($FE88C4). This assumption is only valid for Kickstart 1.2. On Kickstart 1.3+ the virus crashes the Amiga immediately because of it, so this variant only works on Kickstart 1.2:

hook_beginio:
  (...)
  lea     $15E(a6),a0     ; a0 = ExecBase DeviceList
  movea.l data(pc),a1     ; a1 = hardcoded pointer to the device name
  jsr     -$114(a6)       ; exec.library FindName()
  tst.l   d0              ; zero if the name was not found
  (...)
data:
  dc.l $FE88C4   ; On Kickstart 1.2 this is a ROM pointer to the string "trackdisk.device"

Here is an ActionReplay screenshot of the ROM address $FE88C4 on Kickstart 1.2:

bb2.gif

and here the same address with Kickstart 1.3:

bb2_kick13.gif

The typical Byte Bandit text has been removed completely.
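A triage heuristic for the hardcoded-pointer trait described above, as an added example that is not part of the original page: it validates a 1024-byte bootblock (magic and checksum), then reports word-aligned longwords that point into ROM when the bootblock calls FindName() without carrying the "trackdisk.device" string itself. The ROM window $F80000-$FFFFFF, the function names and the constructed sample bootblock are assumptions of this example.

```python
import struct

BOOTBLOCK_SIZE = 1024
ROM_LO, ROM_HI = 0xF80000, 0xFFFFFF        # assumption: Kickstart ROM address window
FINDNAME_CALL = bytes.fromhex("4eaefeec")  # jsr -$114(a6), as in the page's listing

def checksum(bb):
    """End-around-carry sum of all big-endian longwords in the bootblock."""
    total = 0
    for (lw,) in struct.iter_unpack(">L", bb):
        total += lw
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total

def scan_bootblock(image):
    bb = image[:BOOTBLOCK_SIZE]
    if len(bb) < BOOTBLOCK_SIZE:
        raise ValueError("need at least 1024 bytes")
    # Bootable = "DOS" magic plus longwords that sum to $FFFFFFFF.
    bootable = bb[:3] == b"DOS" and checksum(bb) == 0xFFFFFFFF
    # Skip the 12-byte header; 68000 code and data are word-aligned.
    rom_ptrs = []
    for off in range(12, BOOTBLOCK_SIZE - 3, 2):
        (val,) = struct.unpack_from(">L", bb, off)
        if ROM_LO <= val <= ROM_HI:
            rom_ptrs.append((off, val))
    has_name = b"trackdisk.device" in bb
    calls_findname = FINDNAME_CALL in bb
    return {"bootable": bootable, "rom_pointers": rom_ptrs, "has_name": has_name,
            "suspicious": bootable and calls_findname and bool(rom_ptrs) and not has_name}

def build_sample(tail):
    """Constructed test bootblock: header + the page's fragment + `tail` data."""
    # lea $15E(a6),a0 / movea.l data(pc),a1 / jsr -$114(a6) / tst.l d0 / rts
    code = bytes.fromhex("41ee015e" "227a000a" "4eaefeec" "4a80" "4e75")
    body = b"DOS\0" + bytes(4) + struct.pack(">L", 880) + code + tail
    body = body.ljust(BOOTBLOCK_SIZE, b"\0")
    fix = 0xFFFFFFFF - checksum(body)      # value that makes the sum $FFFFFFFF
    return body[:4] + struct.pack(">L", fix) + body[8:]

if __name__ == "__main__":
    print(scan_bootblock(build_sample(struct.pack(">L", 0xFE88C4))))
```

To check a real disk image, pass the first 1024 bytes of the ADF file to `scan_bootblock()`; a hit is a prompt for manual disassembly, not a verdict.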

Clones and variants

None

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License