Introduction
Cookie is a computer virus written for the Commodore Amiga. It is a bootblock virus written in 1995 and therefore possibly one of the last Amiga bootblock viruses created.
Summary
- Overwrites the original bootblock of write-enabled (unprotected) disks while booting
- Not encrypted
- Hooks the DoIO() vector of exec.library
- Makes itself reset-resident by using the CoolCapture vector
Details
After booting from an infected disk the virus copies itself to Chip RAM address $7F300 without allocating that memory. If another program later overwrites this area, the Amiga will crash. The virus then makes itself reset-resident by using the CoolCapture vector.
On the next reset the virus hooks the DoIO() vector of exec.library. This routine becomes active the next time the Amiga is booted from a floppy disk: AmigaOS reads the original bootblock of the inserted floppy and puts it somewhere in Chip RAM. However, before AmigaOS is able to execute the original bootblock code, the virus gains control and checks the checksum field of the just-loaded bootblock (the longword at offset 4, `4(a4)` in the listing) against three[1] different checksums:
cmpi.l #$37FCBB02,4(a4) ; Bootblock checksum of the SCA-Virus
beq.w $7F40A
cmpi.l #$406F4B36,4(a4) ; Unknown
beq.w $7F40A
cmpi.l #$B2947083,4(a4) ; Bootblock checksum of the ASS virus protector
If one matches, the virus copies itself to the Chip RAM location where AmigaOS has loaded the original bootblock. This means that if the inserted floppy carries the SCA-Virus[2] or the ASS virus-protector[2], the original bootblock is not processed; the Cookie virus is executed instead. After that the virus checks whether the disk is write-enabled and, if so, writes itself onto it. The DoIO() hook is then removed (but is installed again the next time the Amiga is reset, and so on).
After the third infection the virus destroys the rootblock of the disk by overwriting it with memory garbage.
If the joystick button is pressed while the Amiga is reset, the virus removes itself completely from RAM and restores all captured vectors. It indicates its removal by flashing the screen with random colors for a short period of time.
At the end of the virus code the following text can be read:
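As an added example (not code from the page, the virus, or any Amiga tool), the following Python inspects a 1024-byte bootblock image from a defender's side: it recomputes the AmigaDOS bootblock checksum, reports whether the stored checksum field at offset 4 is one of the three values Cookie's hook tests for (so the disk would be hijacked rather than booted), and looks for the text string found at the end of the virus body. The checksum algorithm (ones'-complement longword sum with the field at offset 4 taken as zero, stored inverted) is the standard AmigaDOS one and is not shown on the page; the function names and the constructed sample bootblock are assumptions.

```python
import struct

BOOTBLOCK_SIZE = 1024  # an Amiga bootblock spans the first two 512-byte sectors

# Values Cookie's DoIO() hook compares against the longword at offset 4 (the
# stored checksum field) of every freshly loaded bootblock, from the listing.
COOKIE_TARGET_CHECKSUMS = {
    0x37FCBB02,  # SCA virus bootblock
    0x406F4B36,  # unidentified bootblock
    0xB2947083,  # ASS virus protector bootblock
}

# Contiguous ASCII from the text at the end of the virus body (see the dump).
COOKIE_TEXT_SIGNATURE = b"Presents Our new virus called:"

def stored_checksum(block: bytes) -> int:
    """Checksum field as written on disk: big-endian longword at offset 4."""
    return struct.unpack_from(">I", block, 4)[0]

def amiga_bootblock_checksum(block: bytes) -> int:
    """Standard AmigaDOS bootblock checksum: ones'-complement sum of the 256
    longwords with the checksum field taken as zero, then bitwise NOT."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("bootblock must be exactly 1024 bytes")
    total = 0
    for offset in range(0, BOOTBLOCK_SIZE, 4):
        if offset == 4:                      # field under computation counts as 0
            continue
        total += struct.unpack_from(">I", block, offset)[0]
        if total > 0xFFFFFFFF:               # fold the carry back in, like ADDX
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF

def bootblock_checksum_ok(block: bytes) -> bool:
    return stored_checksum(block) == amiga_bootblock_checksum(block)

def cookie_would_hijack(block: bytes) -> bool:
    """True if Cookie's hook would run itself instead of this bootblock."""
    return stored_checksum(block) in COOKIE_TARGET_CHECKSUMS

def carries_cookie_text(block: bytes) -> bool:
    """True if the virus's trailing text string is present in the image."""
    return COOKIE_TEXT_SIGNATURE in block

def make_bootblock(code: bytes, rootblock: int = 880) -> bytes:
    """Constructed DOS\\0 bootblock with a correct checksum (test input only)."""
    body = b"DOS\x00" + bytes(4) + struct.pack(">I", rootblock) + code
    body = body.ljust(BOOTBLOCK_SIZE, b"\x00")
    return body[:4] + struct.pack(">I", amiga_bootblock_checksum(body)) + body[8:]
```

Because the hook only reads the stored field, a disk whose checksum field happens to equal one of the three values is treated as a match whether or not the checksum is actually correct for its contents, which is the caveat in footnote [2].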
002cfh: 20 20 57 6F 72 6C 64 20 4F 66 20 54 77 69 73 74 ; World Of Twist
002dfh: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;
002efh: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;
002ffh: 20 20 20 5C 2F 5C 2F 20 7C 5F 5F 7C 20 20 7C 20 ; \/\/ |__| |
0030fh: 20 20 50 72 65 73 65 6E 74 73 20 4F 75 72 20 6E ; Presents Our n
0031fh: 65 77 20 76 69 72 75 73 20 63 61 6C 6C 65 64 3A ; ew virus called:
0032fh: 20 60 43 6F 6F 6B 69 65 60 20 20 20 20 20 20 20 ; `Cookie`
0033fh: 20 20 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D ; --------------
0034fh: 2D 20 42 6F 6F 74 20 72 61 70 65 64 20 69 6E 20 ; - Boot raped in
0035fh: 30 33 2E 30 31 2E 39 35 21 20 54 68 65 20 66 69 ; 03.01.95! The fi
0036fh: 72 73 74 20 76 69 72 75 73 20 69 6E 20 31 39 39 ; rst virus in 199
0037fh: 35 ; 5
Clones and variants
None
[1] Unfortunately I am not able to identify all bootblocks.
[2] On the Amiga the bootblock checksum is a 32-bit unsigned value, so other bootblocks could have the same checksum as the SCA-Virus and/or the ASS virus-protector. The virus therefore actually alters the execution of every bootblock that meets the requested condition.