Coder

Introduction

Coder is a bootblock virus written for the Commodore Amiga.

Summary

  • Overwrites the original bootblock of any unprotected disk inserted in the floppy drive of an Amiga computer
  • Uses DoIO() of the exec.library for infection
  • Stays resident in memory by using KickTag
  • Hooks the $68 interrupt
  • Is not encrypted (except for a short text hidden in the bootblock)

Details

If an Amiga is started from an infected disk, the virus copies itself to Chip RAM location $7F600 without allocating the memory. This can cause the Amiga to crash if another program overwrites that area later on.
The virus then makes itself resident by using KickTag and finally hooks the DoIO() vector of the exec.library as well as the $68 interrupt. The virus also contains an encrypted text, which is decrypted to memory location $7FB00 during the boot process:

02f0h: 00 00 20 20 20 20 20 20 53 6F 6D 65 74 68 69 6E ; ..      Somethin
0300h: 67 20 57 4F 4E 44 45 52 46 55 4C 20 68 61 73 20 ; g WONDERFUL has 
0310h: 68 61 70 70 65 6E 65 64 21 21 20 59 6F 75 72 20 ; happened!! Your 
0320h: 41 6D 69 67 61 20 69 73 20 61 6C 69 76 65 2C 20 ; Amiga is alive, 
0330h: 61 6E 64 20 69 74 20 69 73 20 69 6E 66 65 63 74 ; and it is infect
0340h: 65 64 20 77 69 74 68 20 74 68 65 20 27 43 6F 64 ; ed with the 'Cod
0350h: 65 72 73 20 4E 69 67 68 74 6D 61 72 65 20 56 69 ; ers Nightmare Vi
0360h: 72 75 73 27 2E 20 2D 20 54 68 65 20 75 6C 74 69 ; rus'. - The ulti
0370h: 6D 61 74 65 20 6B 65 79 2D 6B 69 6C 6C 65 72 2C ; mate key-killer,
0380h: 20 6D 61 73 74 65 72 6D 69 6E 64 65 64 20 62 79 ;  masterminded by
0390h: 20 74 68 65 20 6D 65 67 61 6D 69 67 68 74 79 20 ;  the megamighty 
03a0h: 4D 72 2E 20 4E 20 6F 66 20 54 68 65 20 50 6F 77 ; Mr. N of The Pow
03b0h: 65 72 42 6F 6D 62 20 53 79 73 74 65 6D 73 21 21 ; erBomb Systems!!
03c0h: 20 20 20 20 20 00 00 00 00 00 00 00 00 00 00 00 ;      ...........

From now on, every unprotected disk inserted into the Amiga floppy drive is infected through the installed DoIO() hook. Nothing else happens at this point, only infection.
The $68 interrupt routine, which is installed as well, tracks keyboard input and increments a counter while the Amiga user is typing. As soon as this counter reaches the value 2560, the power LED flashes and the Amiga is reset immediately.

At the beginning of the virus bootblock you can read the following text, which is meant to deceive unsuspecting users:

0040h: 42 6F 6F 74 62 6C 6F 63 6B 20 69 6E 73 74 61 6C ; Bootblock instal
0050h: 6C 65 64 20 77 69 74 68 20 27 43 4F 44 45 52 27 ; led with 'CODER'
0060h: 20 2D 20 54 68 65 20 55 6C 74 69 6D 61 74 65 20 ;  - The Ultimate 
0070h: 56 69 72 75 73 6B 69 6C 6C 65 72 21 21 20 14 00 ; Viruskiller!! ..
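
An added example, not part of the original description: a Python check that reads the 1024-byte bootblock of a raw disk image, validates the standard AmigaDOS signature and checksum, and looks for the decoy text at offset $40 shown in the dump above. The function names and the constructed sample block are assumptions for illustration; the sample holds only a header and the text, no virus code.

```python
import struct

BOOTBLOCK_SIZE = 1024  # standard AmigaDOS floppy bootblock: first two 512-byte sectors
# Decoy text and offset taken from the hex dump above.
CODER_MARKER = b"Bootblock installed with 'CODER' - The Ultimate Viruskiller!!"
CODER_MARKER_OFFSET = 0x40


def bootblock_checksum(block: bytes) -> int:
    """AmigaDOS bootblock checksum: sum of big-endian longwords with
    end-around carry, checksum field (offset 4) counted as zero, inverted."""
    total = 0
    for index, (word,) in enumerate(struct.iter_unpack(">I", block)):
        if index == 1:  # skip the stored checksum itself
            continue
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return ~total & 0xFFFFFFFF


def scan_bootblock(image: bytes) -> dict:
    """Inspect the bootblock of a raw disk image (e.g. an ADF file)."""
    if len(image) < BOOTBLOCK_SIZE:
        raise ValueError("image is shorter than one bootblock")
    block = image[:BOOTBLOCK_SIZE]
    stored = struct.unpack_from(">I", block, 4)[0]
    end = CODER_MARKER_OFFSET + len(CODER_MARKER)
    at_offset = block[CODER_MARKER_OFFSET:end] == CODER_MARKER
    return {
        # Only a block with the DOS signature and a valid checksum is run at boot.
        "bootable": block[:3] == b"DOS" and stored == bootblock_checksum(block),
        "coder_marker": at_offset,
        # Same text at another offset: possible variant, needs manual review.
        "marker_elsewhere": not at_offset and CODER_MARKER in block,
    }


def make_sample(with_marker: bool) -> bytes:
    """Constructed test bootblock: header plus optional marker, no virus code."""
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS\x00"
    struct.pack_into(">I", block, 8, 880)  # root block number on a DD floppy
    if with_marker:
        end = CODER_MARKER_OFFSET + len(CODER_MARKER)
        block[CODER_MARKER_OFFSET:end] = CODER_MARKER
    struct.pack_into(">I", block, 4, bootblock_checksum(bytes(block)))
    return bytes(block)
```

A hit on `coder_marker` matches the decoy text only, so it should be confirmed by inspecting the rest of the bootblock before a disk is declared infected or clean.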

Clones and variants

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License