Divina Exterminator

Introduction

Divina Exterminator is a computer virus written for the Commodore Amiga. It is a boot virus. The virus is said to originate from a DiskMasher archive called -p-turbo.dms.

Summary

  • Overwrites the original bootblock of any unprotected disk inserted in the floppy drive.
  • Alters the DoIO() vector of the exec.library (used for infection).
  • Alters interrupts:
    • $6C, $64, $68, GlobVec5
  • Stays resident in memory using the CoolCapture.
  • Is fully encrypted; a new encryption is generated on every infection using hardware register $dff006.

Details

After booting from an infected disk the virus allocates 1024 bytes of memory and copies itself to that address. The memory location where AmigaOS loaded the bootblock (always Chip RAM) is also marked as occupied by the virus, using AllocAbs() of the exec.library.
Then the $6C interrupt is pointed at a virus routine. This routine waits exactly one second; then the interrupt hook is removed again and the following steps are executed:

  1. The virus makes itself resident by using the CoolCapture
  2. The virus hooks the DoIO()-vector of the exec.library
  3. The virus alters interrupt at $64 and GlobVec5

Interrupt routines
The $64 interrupt, which now points into the virus, refreshes the CoolCapture and the DoIO() hook. That is the only purpose of this routine.

The GlobVec5 interrupt becomes active after the fourth infection. The virus then waits for two minutes and removes the GlobVec5 interrupt hook; before doing so, however, it alters the $68 interrupt.
This triggers a small routine which polls the Amiga keyboard: if the user presses the "k" key 10 times, the virus overwrites the absolute address $4. This crashes the Amiga immediately, because that address holds the exec.library base pointer.
This is the code:

keyhook:
  lea     counter(pc),a0       ; keypress counter
  cmpi.b  #$B1,$BFEC01         ; CIA-A serial data register: raw keycode $27 ('k' pressed) arrives as $B1
  bne.s   .end
  addi.w  #1,(a0)              ; count the keypress
  cmpi.w  #10,(a0)
  beq.s   .kill                ; tenth 'k' reached
.end:
  (...)
.kill:
  clr.l   4.w                  ; Zeroes ExecBase: crashes the Amiga

If an unprotected disk is inserted in the drive it is infected immediately. This is done by the DoIO() hook routine. The virus writes data to absolute memory addresses; this is dangerous and dirty because it could crash the Amiga if other, useful data is stored at those locations.
Here is an example of the code the virus uses, which you had better not try at home:

dirty:
  move.l  $28(a1),$C4          ; io_Data pointer of the IORequest passed to DoIO() in A1, stored at absolute address $C4
  (...)
  move.l  d0,$C8               ; another value stored at absolute address $C8
  (...) ; among other things

The virus also uses a simple but effective stealth mechanism to hide its bootblock (similar to the Lamer Exterminator viruses):
If the virus is not active in memory and you display the bootblock of an infected disk, you will see the encrypted virus bootblock.
If the virus is active in memory, however, and you display the bootblock of an infected disk, the virus intervenes and shows you a normal, clean Commodore standard bootblock.

Here is an example of the bootblock of an infected disk displayed while the virus is not active:

virgo_notactive.png

You can clearly see the encrypted virus, or at least something suspicious, as this is obviously not a standard bootblock.

And this is the same disk while the virus was active in memory:

virgo_active.png

You will just see a standard Commodore bootblock.

Decrypted, the bootblock contains the following text:

03c0h: 42 B8 00 04 00 00 56 49 52 47 4F 20 50 52 45 53 ; B¸....VIRGO PRES
03d0h: 45 4E 54 53 20 44 49 56 49 4E 41 20 45 58 54 45 ; ENTS DIVINA EXTE
03e0h: 52 4D 49 4E 41 54 4F 52 20 49 00 43 4F 50 49 45 ; RMINATOR I.COPIE
03f0h: 53 3A 00 02 00 00 30 59 00 00 00 00 00 00 00 00 ; S:....0Y........
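As an added, defender-side example (not code from the original page): a small Python triage routine for a 1024-byte Amiga bootblock dump. Because of the stealth hook described above, the dump must be taken after a clean cold boot, with no virus resident. It checks the DOS id and the bootblock checksum, flags a code area whose entropy is far above that of a short standard bootblock (the encrypted virus fills the whole block), and looks for the decrypted signature text from the dump above. The function names, the 7.0 bits/byte threshold and the sample blocks are assumptions constructed for this example.

```python
import math

BOOTBLOCK_SIZE = 1024
DIVINA_SIGNATURE = b"VIRGO PRESENTS DIVINA EXTERMINATOR"   # plaintext from the dump above
ENTROPY_THRESHOLD = 7.0   # assumed cut-off in bits/byte; a short standard bootblock is far below it

def bootblock_checksum(block: bytes) -> int:
    """Amiga bootblock checksum: all longwords except offset 4, end-around carry, inverted."""
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if off == 4:
            continue
        total += int.from_bytes(block[off:off + 4], "big")
        if total > 0xFFFFFFFF:                       # fold the carry back into bit 0
            total = ((total & 0xFFFFFFFF) + 1) & 0xFFFFFFFF
    return (~total) & 0xFFFFFFFF

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def triage_bootblock(block: bytes) -> dict:
    """Indicators for a bootblock dumped after a clean cold boot (no stealth hook active)."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("a bootblock is exactly 1024 bytes (two sectors)")
    stored = int.from_bytes(block[4:8], "big")
    code = block[12:]          # after the 'DOS' id, checksum and rootblock pointer
    entropy = shannon_entropy(code)
    return {
        "dos_id": block[:3] == b"DOS",
        "checksum_ok": stored == bootblock_checksum(block),
        "rootblock": int.from_bytes(block[8:12], "big"),   # 880 on a DD floppy
        "code_entropy": round(entropy, 2),
        "looks_encrypted": entropy > ENTROPY_THRESHOLD,
        "divina_plaintext": DIVINA_SIGNATURE in block,
    }

def make_bootblock(code: bytes) -> bytes:
    """Constructed test helper: wrap `code` in a checksum-correct OFS bootblock."""
    body = (b"DOS\x00" + bytes(4) + (880).to_bytes(4, "big") + code).ljust(BOOTBLOCK_SIZE, b"\x00")
    return body[:4] + bootblock_checksum(body).to_bytes(4, "big") + body[8:]

# Constructed samples: a few instructions plus a library name then zero padding (the shape of
# a standard bootblock), and 1012 evenly spread byte values standing in for an encrypted body.
CLEAN_CODE = bytes.fromhex("43fa00184eaeffa04a80670a20402068001670004e75") + b"dos.library\x00"
ENCRYPTED_CODE = bytes((i * 97) % 256 for i in range(BOOTBLOCK_SIZE - 12))

if __name__ == "__main__":
    for name, code in (("clean", CLEAN_CODE), ("encrypted", ENCRYPTED_CODE)):
        print(name, triage_bootblock(make_bootblock(code)))
```

A bootblock that verifies but reads as "looks_encrypted" is the case this virus produces on a disk inspected while it is not resident; a clean-looking block read while the machine has been running from untrusted disks proves nothing, because of the stealth hook.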

Clones and variants

None

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License