Cohen

Introduction

Cohen is a computer virus written for the Commodore Amiga. It is an old boot virus and a clone of the Hoden virus.

Summary

  • Overwrites the original bootblock when an unprotected disk is inserted into the floppy drive
  • It is not encrypted
  • Hooks the DoIO() vector of exec.library
  • Makes itself reset-resident by using the KickTag
  • Hooks the $6C interrupt

Details

Unlike the original Hoden, the virus also works on Kickstart 1.3, because it dynamically obtains the correct ROM addresses for the DoIO() vector:

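doio:
  lea     $7F2D0,a1        ; a1 -> storage slot at $7F2D0
  move.l  -$1C6(a6),(a1)   ; save the current DoIO() target read from the exec.library jump table
  lea     $7F35E,a2        ; a2 -> $7F35E (its use is outside this excerpt)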

Furthermore, the virus now also hooks the $6C interrupt, which increases a counter. Each time the counter reaches a certain value (approximately every 5 1/2 minutes) the virus decreases the available memory on the Amiga by 100.000 bytes.

On each infection the virus increases a counter which resides at RAM location $7FE00. If this counter reaches the value 5, the virus activates a graphical routine which runs a yellow sprite once across the screen from left to right. Instead of the typical yellow head, it shows the text COHEN:

[Image: cohen_sprite.png]

The virus now also dynamically recalculates the bootblock checksum, which the Hoden virus does not do. However, the programmer made a mistake that causes infected disks not to be bootable:
Although the bootblock checksum is recalculated on each infection, the virus author obviously forgot that the $6C interrupt hook asynchronously increases a counter located within the bootblock. Between the checksum recalculation and the writing of the virus bootblock there is enough time for the interrupt to increase the counter again, so the checksum determined earlier is no longer valid, what a bug :-)
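
The checksum race described above can be reproduced offline on a constructed buffer. This is an added example, not code from the virus or from the original page; it uses the standard Amiga bootblock checksum (256 big-endian longwords added with end-around carry, then complemented). The counter offset, the 32-bit counter width and the sample block are assumptions.

```python
import struct

BOOTBLOCK_SIZE = 1024    # two 512-byte sectors
CHECKSUM_OFFSET = 4      # longword following the "DOS\0" disk type
COUNTER_OFFSET = 0x200   # assumption: where the in-block counter lives

def sum_longs(block: bytes) -> int:
    """Add all big-endian longwords, folding every carry back in."""
    total = 0
    for (value,) in struct.iter_unpack(">I", block):
        total += value
        if total > 0xFFFFFFFF:
            total = (total + 1) & 0xFFFFFFFF
    return total

def compute_checksum(block: bytes) -> int:
    """Checksum value that makes the whole block sum to $FFFFFFFF."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("bootblock must be exactly 1024 bytes")
    zeroed = block[:CHECKSUM_OFFSET] + bytes(4) + block[CHECKSUM_OFFSET + 4:]
    return ~sum_longs(zeroed) & 0xFFFFFFFF

def checksum_valid(block: bytes) -> bool:
    """Validity test for the checksum as stored in the block."""
    return len(block) == BOOTBLOCK_SIZE and sum_longs(block) == 0xFFFFFFFF

def checksum_then_write(block: bytes, tick_before_write: bool) -> bytes:
    """Return the buffer as it would reach the disk: checksum first, write later."""
    buf = bytearray(block)
    struct.pack_into(">I", buf, CHECKSUM_OFFSET, compute_checksum(bytes(buf)))
    if tick_before_write:
        # The interrupt handler bumps the counter inside the buffer that
        # has already been checksummed (32-bit counter is an assumption).
        (counter,) = struct.unpack_from(">I", buf, COUNTER_OFFSET)
        struct.pack_into(">I", buf, COUNTER_OFFSET, (counter + 1) & 0xFFFFFFFF)
    return bytes(buf)

def sample_block() -> bytes:
    """Constructed test data: disk type, empty checksum, filler, counter = 7."""
    buf = bytearray(b"DOS\0" + bytes(4) + bytes(range(256)) * 4)[:BOOTBLOCK_SIZE]
    struct.pack_into(">I", buf, COUNTER_OFFSET, 7)
    return bytes(buf)

if __name__ == "__main__":
    for tick in (False, True):
        written = checksum_then_write(sample_block(), tick)
        print(f"interrupt before write={tick}: valid={checksum_valid(written)}")
```

The same `checksum_valid` check applies to the first 1024 bytes of a disk image when triaging a disk that no longer boots.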

At the end of the virus-code you can read the following text:

03c0h: 46 72 65 64 20 43 6F 68 65 6E 20 2D 20 55 6E 69 ; Fred Cohen - Uni
03d0h: 76 65 72 73 69 74 79 20 53 6F 75 74 68 65 72 6E ; versity Southern
03e0h: 20 43 61 6C 69 66 6F 72 6E 69 61 20 31 39 38 39 ;  California 1989

Everything else is the same, so for more information please see Hoden.

Clones and variants

None
