Disaster Master

Introduction

Disaster Master is a virus written for the Commodore Amiga. It is a filevirus. And has been found on various Publicdomain disks in 1989.

Summary

  • Writes itself to unprotected disks while booting with them
  • Extends the startup-sequence by writing its filename (cls) in the first line
    • Disk must have a c directory
  • Stays resident in memory by using KickTagPtr
  • Has a total length of 1740 bytes
  • Alters DoIO()-vector of the exec.library
  • Alters OpenWindow()-vector of intuition.library
  • Displays an alert-message
  • Virus is not crypted (except the virus-texts)

Details

After execution of the virus it allocates 1700 byte of RAM, and copies itself to the allocated area. Finally the virus makes itself resident by using the KickTagPtr.
If you have started the virus-programm with the CLI parameter '*' the current CLI window will be untouched, else the virus will clear the screen1.

Next time you reset the Amiga the virus hooks the DoIO()-vector the exec.library. This hook becomes active next time you boot with a floppy disk.
So while booting the virus clears the Cool- and ColdCapture (to disable other viruses). Then it additionally alters the OpenWindow()-vector of the intuition.library.

This vector is called when the AmigaDOS opens the default console window so the virus becomes once more active and executed the following infection routine (before doing this the OpenWindow()-vector will be restored and set to default):

The startup-sequence will be opened, if it is bigger than 10240 byte the virus won't infect the disk. Then it will be checked if the disk is already infected by searching for the string cls * in the first line of the startup-sequence. Finally the virus writes itself to disk into directory c by using the filename cls and while adding "cls *"2 as startup-command.
After that an infection counter will be increased. If it reaches 20 the virus shows the following alert:

dmalert1.gif

after pressing the left mousebutton the screen will flash and another alter is displayed:

dmalert2.gif

If you press the right mousebutton the virus installs a small routine by using the ColdCapture and goes in an endless-loop which flashes your screen in different RGB-colors:

flash.png

The just installed routine has only one purpose: doing a reset: That means if you reset your Amiga it will be resetted again and again etc… you have to turn the power off to leave this.

This is the routine:

alert:
  lea     message(pc),a0
  jsr     -$5A(a6)         ; Alert
  tst.l   d0
  beq.w   destruct         ; Right mouse-button?
  rts

destruct:
  bsr.w   insert_cold      ; Makes routine "reset" resident by using ColdCapture
  jsr     -$84(a6)

.endless:
  move.w  $DFF006,$DFF180
  bra.s   .endless

reset:
  bsr.w   insert_cold
  jsr     -$96(a6)
  jmp     $FC0000          ; This reset will be performed endlessly!

Decrypted you can see following text:

0530h: 63 6C 73 20 2A 0A 0A 28 0A 53 6F 66 74 77 61 72 ; cls *..(.Softwar
0540h: 65 20 46 61 69 6C 75 72 65 2E 20 20 20 50 72 65 ; e Failure.   Pre
0550h: 73 73 20 6C 65 66 74 20 6D 6F 75 73 65 20 62 75 ; ss left mouse bu
0560h: 74 74 6F 6E 20 74 6F 20 63 6F 6E 74 69 6E 75 65 ; tton to continue
0570h: 2E 00 EA 28 96 0A 47 75 72 75 20 4D 65 64 69 74 ; ..ê(–.Guru Medit
0580h: 61 74 69 6F 6E 20 23 30 30 30 30 30 30 30 32 2E ; ation #00000002.
0590h: 30 36 30 30 31 39 38 39 00 00 0A 28 0A 49 6E 63 ; 06001989...(.Inc
05a0h: 6F 6D 69 6E 67 20 73 70 65 63 69 61 6C 2D 6D 65 ; oming special-me
05b0h: 73 73 61 67 65 2E 2E 2E 00 EA 32 28 0A 59 6F 75 ; ssage....ê2(.You
05c0h: 72 20 41 6D 69 67 61 20 69 73 20 69 6E 66 65 63 ; r Amiga is infec
05d0h: 74 65 64 20 62 79 20 44 49 53 41 53 54 45 52 2D ; ted by DISASTER-
05e0h: 4D 41 53 54 45 52 20 56 32 20 21 21 21 00 EA 50 ; MASTER V2 !!!.êP
05f0h: 28 0A 70 72 6F 62 61 62 6C 79 20 74 68 65 20 62 ; (.probably the b
0600h: 65 73 74 20 76 69 72 75 73 20 65 76 65 72 20 63 ; est virus ever c
0610h: 72 65 61 74 65 64 20 62 79 20 6D 61 6E 6B 69 6E ; reated by mankin
0620h: 64 2E 2E 2E 2E 00 EA 96 5A 0A 4C 65 66 74 20 3D ; d.....ê–Z.Left =
0630h: 20 63 6F 6E 74 69 6E 75 65 20 20 20 20 20 20 20 ;  continue       
0640h: 20 52 69 67 68 74 20 3D 20 73 65 6C 66 2D 64 65 ;  Right = self-de
0650h: 73 74 72 75 63 74 69 6F 6E 00 00 00 53 59 53 3A ; struction...SYS:
0660h: 00 00 00 00 00 00 3A 63 2F 63 6C 73 00 00 3A 73 ; ......:c/cls..:s
0670h: 2F 73 74 61 72 74 75 70 2D 73 65 71 75 65 6E 63 ; /startup-sequenc
0680h: 65 00 64 6F 73 2E 6C 69 62 72 61 72 79 00 69 6E ; e.dos.library.in

Clones and variants

None

1 & 2 If you start the virus-file by specifying a paramter called * (like cls *) the virus won't clear the screen contents. This the reason why the virus writes itself to the startup-sequence by using this parameter: Not to attract attention. But if a user enters cls without this parameter the virus will clear the screen so the user thinks its a useful tiny programm.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License