Byte Warrior

Introduction

Byte Warrior is a computer virus written for the Commodore Amiga. It is an old bootblock virus written in 1988.

Summary

  • Overwrites the bootblock of an unprotected floppy disk when inserted in the disk drive.
  • It is not encrypted (only the embedded message text is encoded, see Details)
  • Uses DoIO() of the exec.library for infection
  • Works only with Kickstart 1.2
  • Resident by using KickTag

Details

When booting with an infected disk the virus copies itself to ChipRam location $7F800 without allocating the memory area with AllocMem() of the exec.library, i.e. without registering it as occupied. This can cause the Amiga to crash if another program overwrites this memory area. Then the virus decrypts a hidden message in the bootblock and copies this message to memory location $7FC00:

decrypt:
  (...)
  move.b  (a0)+,d1   ; a0 = byte to decode
  eori.b  #$FF,d1    ; invert all bits
  ror.b   #3,d1      ; rotate right by 3 bits
  move.b  d1,(a1)+   ; a1 = destination, initial $7FC00
  (...)

Finally, it hooks the DoIO()-vector of the exec.library and makes itself resident by using KickTag.

After all that it checks whether the CoolCapture or ColdCapture vector is occupied by another program (i.e. another virus). If so, the virus clears these vectors, flashes the power LED of the Amiga and plays a short sound.

The virus works only on Kickstart 1.2 Amigas, as it assumes the original DoIO() address is $FC06DC, which is only valid for Kickstart 1.2. This means that booting with an infected disk on Kickstart 1.3+ will crash the Amiga immediately.

Here is an example (the routine that writes the virus image to the bootblock; a1 points to the IOStdReq of trackdisk.device):

writebb:
  move.l  #$7F800,$28(a1)   ; io_Data   = virus image in ChipRam
  move.w  #3,$1C(a1)        ; io_Command = CMD_WRITE
  move.l  #$400,$24(a1)     ; io_Length = $400 bytes (one bootblock)
  move.l  #0,$2C(a1)        ; io_Offset = 0 (start of disk)
  jsr     $FC06DC           ; DoIO() only valid for Kick1.2 at this address!!!

Decrypted, the message reads as follows (this is the part which is copied to $7FC00, see above):

0260h: 4E 75 7F 7F 80 80 56 69 72 75 73 20 64 65 74 65 ; Nu€€Virus dete
0270h: 63 74 6F 72 20 62 79 20 74 68 65 20 6D 69 67 68 ; ctor by the migh
0280h: 74 79 20 42 79 74 65 20 57 61 72 72 69 6F 72 21 ; ty Byte Warrior!
0290h: 21 21 20 50 6C 65 61 73 65 2C 20 70 6C 65 61 73 ; !! Please, pleas
02a0h: 65 2C 20 70 6C 65 61 73 65 20 64 6F 6E 27 74 20 ; e, please don't 
02b0h: 69 6E 73 74 61 6C 6C 20 74 68 69 73 20 64 69 73 ; install this dis
02c0h: 6B 2C 20 63 6F 7A 20 49 20 77 61 6E 74 20 74 6F ; k, coz I want to
02d0h: 20 74 72 61 76 65 6C 21 20 53 70 72 65 61 64 20 ;  travel! Spread 
02e0h: 74 68 65 20 62 6F 6F 74 62 6C 6F 63 6B 20 61 6E ; the bootblock an
02f0h: 64 20 74 68 65 20 77 6F 72 64 21 20 FF 00 00 00 ; d the word! ÿ...
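The decrypt loop from the Details section, re-implemented as an added Python example (not code from the original page) and checked against the message text in this dump. The page shows only the decoded bytes, so the encoded input is constructed here by applying the inverse transform; the offset $0266 used for the test image is an assumption taken from the dump.

```python
def ror8(value: int, count: int) -> int:
    """8-bit rotate right, the Python equivalent of the 68000 ROR.B."""
    count %= 8
    return ((value >> count) | (value << (8 - count))) & 0xFF

def rol8(value: int, count: int) -> int:
    """8-bit rotate left, the inverse of ror8."""
    count %= 8
    return ((value << count) | (value >> (8 - count))) & 0xFF

def decode_byte(stored: int) -> int:
    """One pass of the virus' decrypt loop: eori.b #$FF,d1 then ror.b #3,d1."""
    return ror8(stored ^ 0xFF, 3)

def encode_byte(plain: int) -> int:
    """Inverse transform (not present in the virus): rol.b #3, then eori.b #$FF."""
    return rol8(plain, 3) ^ 0xFF

def decode(data: bytes) -> bytes:
    """Decode a whole run of bytes, as the loop does for the message."""
    return bytes(decode_byte(b) for b in data)

def encode(data: bytes) -> bytes:
    return bytes(encode_byte(b) for b in data)

# Decoded message text exactly as the dump shows it at $0266..$02FB.
MESSAGE = (b"Virus detector by the mighty Byte Warrior!!! Please, please, "
           b"please don't install this disk, coz I want to travel! "
           b"Spread the bootblock and the word! ")

# Constructed sample: the page shows only the decoded text, so the encoded
# form is rebuilt here by applying the inverse transform.
ENCODED_SAMPLE = encode(MESSAGE)

def find_encoded_marker(bootblock: bytes, marker: bytes = b"Byte Warrior") -> int:
    """Return the offset of the encoded marker in a bootblock image, or -1.

    The transform is byte-wise, so a scanner can search for encode(marker)
    directly instead of decoding the whole 1024-byte block first.
    """
    return bootblock.find(encode(marker))

if __name__ == "__main__":
    # Constructed bootblock image: zero padding around the encoded message,
    # placed at the offset the dump uses (an assumption of this example).
    image = (bytes(0x266) + ENCODED_SAMPLE).ljust(1024, b"\x00")
    print(decode(ENCODED_SAMPLE).decode("ascii"))
    print(hex(find_encoded_marker(image)))
```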

Sometimes the virus is called DASA virus because in the bootblock you can read:

00c0h: 44 41 53 41 30 81 32 3C 00 08 13 FC 00 02 00 BF ; DASA02<...ü...¿

This is actually the ASCII representation of the following assembler code within the virus, not text:

dasa:
  neg.w   d1    ; opcode $4441 = "DA"
  subq.w  #1,d1 ; opcode $5341 = "SA"

Clones and variants

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License