Digital Dream

Introduction

Digital Dream is a computer virus written for the Commodore Amiga. It is a bootblock virus that occupies blocks 0-3 of the disk (2048 bytes) instead of only the bootblock itself, blocks 0-1 (1024 bytes).

Summary

  • Overwrites the bootblock of an unprotected floppy disk when it is inserted in the disk drive.
  • Stores the original bootblock in disk blocks 2 and 3
  • It is fully encrypted, using a byte read from the custom-chip register $dff006 (the beam-position register, which serves as a pseudo-random key)
  • Uses DoIO() of the exec.library for infection
  • Alters Supervisor() of the exec.library
  • Stays resident by using a KickTag

Details

If you boot from an infected disk, the virus copies itself to Chip RAM at location $7F400 without allocating that memory. This can crash the Amiga if another program uses the same location.
After that the virus hooks the DoIO() and Supervisor() vectors of the exec.library and makes itself resident through a KickTag. Interestingly, the virus does not compute a new checksum with SumKickData()!
Finally the original bootblock of the disk is loaded from disk blocks 2 and 3 to memory location $7E000 and executed:

read:
 movem.l d0-a6,-(sp)       ; save all registers
 move.l  #$400,$2C(a1)     ; io_Offset  = $400: byte offset 1024, i.e. disk block 2 (a1 = IOStdReq for the disk)
 move.l  #$400,$24(a1)     ; io_Length  = $400: read 1024 bytes, i.e. blocks 2 and 3
 move.l  #$7E000,$28(a1)   ; io_Data    = $7E000: destination buffer in Chip RAM
 move.w  #2,$1C(a1)        ; io_Command = 2 (CMD_READ)
 jsr     $FC0718           ; DoIO(), called through a hard-coded ROM address (Kickstart-version dependent)
 movem.l (sp)+,d0-a6       ; restore registers
 jmp     $7E00C            ; start original bootblock: code begins 12 bytes in, after the 'DOS' id, checksum and rootblock longwords

The Supervisor() hook is used to re-establish the virus as resident via the KickTag each time AmigaOS calls the function.

When an unprotected disk is inserted, the virus is triggered through its DoIO() hook. It first reads the original bootblock of the inserted disk (if it is not already infected) to memory location $7F800; then it copies itself, encrypted with a "random byte" read from $dff006, to $7F400 and writes the 2048 bytes at $7F400 (blocks 0-3) to the disk.
This means that the virus is written to blocks 0 and 1 (the bootblock) and the original bootblock is stored in blocks 2 and 3. The next time you boot from the infected disk, the virus loads the original bootblock and executes it.
The advantage of this technique is that if the disk carried a bootloader, e.g. for a game, the disk still starts normally and does not make the victim suspicious. The downside is that blocks 2 and 3 do not belong to the boot sector of an Amiga disk; they may hold file data, which is overwritten by the infection, leaving that file corrupted.
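The block layout described above (virus in blocks 0-1, original bootblock stashed in blocks 2-3) is itself detectable: on a normal OFS/FFS disk, blocks 2-3 contain file data, so finding a block pair there that starts with the 'DOS' id and carries a valid Amiga bootblock checksum is a strong sign of this technique, and the same copy can be moved back over blocks 0-1 to disinfect the disk. The following Python script is an added example, not code from the page or from the virus; it assumes a plain ADF sector dump, the standard Amiga bootblock checksum (end-around-carry sum of the 256 longwords, complemented, which Kickstart verifies before running a bootblock), and it builds its own labelled sample data instead of using any real disk contents.

```python
"""Heuristic check for the 'original bootblock stashed in blocks 2-3' layout
on an Amiga ADF image, plus the reverse copy that restores the bootblock.

All sample data below is constructed for the example; the "infected" image
is a dummy with the shape of a boot block, not the real virus code.
"""

BLOCK = 512
BOOTBLOCK = 2 * BLOCK                 # blocks 0-1 = the Amiga bootblock
IMAGE_SIZE = 80 * 2 * 11 * BLOCK      # standard double-density ADF (901120 bytes)


def bootblock_checksum(bb: bytes) -> int:
    """Amiga bootblock checksum: 32-bit sum of all 256 longwords with
    end-around carry, the checksum field at offset 4 counted as zero,
    then bitwise complemented. Kickstart checks this before executing a
    bootblock, so a boot virus must carry a valid one as well."""
    if len(bb) != BOOTBLOCK:
        raise ValueError("bootblock must be exactly 1024 bytes")
    total = 0
    for off in range(0, BOOTBLOCK, 4):
        word = 0 if off == 4 else int.from_bytes(bb[off:off + 4], "big")
        total += word
        while total > 0xFFFFFFFF:      # fold the carry back in, as the ROM does
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def looks_like_bootblock(data: bytes) -> bool:
    """True if data carries the 'DOS' id and a checksum the ROM would accept."""
    return (len(data) == BOOTBLOCK
            and data[:3] == b"DOS"
            and int.from_bytes(data[4:8], "big") == bootblock_checksum(data))


def scan_image(image: bytes) -> dict:
    """Report whether blocks 0-1 and blocks 2-3 each hold a bootable block.
    A valid bootblock in blocks 2-3 is the tell-tale of the stash technique."""
    return {
        "blocks_0_1_bootable": looks_like_bootblock(image[0:BOOTBLOCK]),
        "blocks_2_3_bootable": looks_like_bootblock(image[BOOTBLOCK:2 * BOOTBLOCK]),
    }


def restore_original_bootblock(image: bytes):
    """If blocks 2-3 hold a valid bootblock, copy it back over blocks 0-1
    (the reverse of the infection). Blocks 2-3 are left as they are; the
    file data they held before infection is gone in any case. Returns the
    repaired image, or None when there is nothing to restore."""
    if not scan_image(image)["blocks_2_3_bootable"]:
        return None
    stashed = image[BOOTBLOCK:2 * BOOTBLOCK]
    return stashed + image[BOOTBLOCK:]


# ---- constructed sample data (not real disk contents) ----------------------

def make_bootblock(code: bytes) -> bytes:
    """Build a 1024-byte bootblock: 'DOS\\0', checksum, rootblock 880, code."""
    body = (b"DOS\x00" + b"\x00" * 4 + (880).to_bytes(4, "big") + code).ljust(BOOTBLOCK, b"\x00")
    return body[:4] + bootblock_checksum(body).to_bytes(4, "big") + body[8:]


def build_image(blocks01: bytes, blocks23: bytes) -> bytes:
    """Assemble an ADF-sized image from the first four blocks; the rest is zero."""
    return (blocks01 + blocks23).ljust(IMAGE_SIZE, b"\x00")


# harmless stand-in for a game's boot code: moveq #0,d0 ; rts
CLEAN_BOOTBLOCK = make_bootblock(b"\x70\x00\x4e\x75")
# dummy that merely has the shape of a bootblock; constructed, not the virus
FAKE_VIRUS_BLOCK = make_bootblock(b"constructed stand-in, not Digital Dream")

CLEAN_IMAGE = build_image(CLEAN_BOOTBLOCK, b"\x00" * BOOTBLOCK)
INFECTED_IMAGE = build_image(FAKE_VIRUS_BLOCK, CLEAN_BOOTBLOCK)

if __name__ == "__main__":
    print("clean   :", scan_image(CLEAN_IMAGE))
    print("infected:", scan_image(INFECTED_IMAGE))
    repaired = restore_original_bootblock(INFECTED_IMAGE)
    print("repaired:", scan_image(repaired),
          "blocks 0-1 restored:", repaired[:BOOTBLOCK] == CLEAN_BOOTBLOCK)
```

The check is a layout heuristic, not a signature: the virus body itself is encrypted with a per-copy key byte and is not searched for here. A bootblock-shaped block pair appearing by chance in the file data of blocks 2-3 is extremely unlikely, but the decision should still be confirmed by inspecting the restored bootblock before writing it back to a real disk.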

In the decrypted virus you can read:

0320h: 20 3E 3E 44 49 47 49 54 41 4C 20 44 52 45 41 4D ;  >>DIGITAL DREAM
0330h: 3C 3C 20 00 62 79 20 4D 61 78 20 6F 66 20 53 74 ; << .by Max of St
0340h: 61 72 4C 69 67 68 74 00 48 E7 FF FE 2C 79 00 00 ; arLight.Hçÿþ,y..

and:

02b0h: F6 CD 06 39 00 01 00 07 F6 CB 4C DF 7F FF 4E 75 ; öÍ.9....öËLßÿNu
02c0h: 20 3E 20 43 6F 70 69 65 73 3A 20 30 30 36 20 3C ;  > Copies: 006 <
02d0h: 00 00 48 E7 FF FE 41 FA FD 28 43 F9 00 07 F8 00 ; ..HçÿþAúý(Cù..ø.

Clones and variants

None

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License