Introduction
Fast 1 is a computer virus written for the Commodore Amiga. It is a boot virus.
Summary
- Overwrites the original bootblock of any unprotected disk during write access to the bootblock
- Uses DoIO()-vector of the exec.library for infection
- Alters Wait()-vector of the exec.library
- Stays resident in memory by using the CoolCapture vector
- Is fully encrypted, with a new encryption for each infection, using register $dff006
Details
After booting from an infected disk, the virus copies itself to Chip RAM location $7F000 without allocating the memory. It then makes itself resident by using the CoolCapture vector.
Finally, the virus alters the DoIO() and Wait() vectors of the exec.library. The DoIO() hook is used to infect disks, while the Wait() hook calls a function that sets DoIO(), Wait() and CoolCapture again if a program (e.g. an anti-virus program) has changed them.
The virus writes to hardcoded memory locations at $C0-$E0. This is dangerous because it can cause the Amiga to crash. Here is an example:
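uglycode:
    move.w #$4EF9,$D0       ; write the opcode of JMP (xxx).L to absolute address $D0
    move.l -$1C6(a6),$D2    ; write the long word at -$1C6(a6) to absolute address $D2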
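The hooks described above can be checked for in a RAM snapshot. The following Python check is an added example, not part of the original description or of any anti-virus tool. It assumes the standard exec.library layout (ExecBase pointer at address 4, CoolCapture at offset $2E, DoIO at -456, Wait at -318), that a6 holds ExecBase in `uglycode`, and a 1024-byte window for the resident copy; the snapshot and all addresses in `make_snapshot` are constructed.

```python
import struct

VIRUS_BASE, VIRUS_SIZE = 0x7F000, 1024   # base from the text; size assumed: one 1024-byte bootblock
COOLCAPTURE = 0x2E                       # offset of CoolCapture in ExecBase
LVO = {"DoIO": -456, "Wait": -318}       # exec.library jump-table offsets
JMP_ABS_L = 0x4EF9                       # 68000 opcode: JMP (xxx).L

def u16(mem, addr):
    return struct.unpack_from(">H", mem, addr)[0]

def u32(mem, addr):
    return struct.unpack_from(">L", mem, addr)[0]

def in_virus(addr):
    return VIRUS_BASE <= addr < VIRUS_BASE + VIRUS_SIZE

def scan(mem):
    """Check a big-endian RAM snapshot (starting at address 0) for the Fast 1 hooks."""
    findings = []
    execbase = u32(mem, 4)                       # ExecBase pointer lives at address 4
    if in_virus(u32(mem, execbase + COOLCAPTURE)):
        findings.append("CoolCapture")
    for name, lvo in LVO.items():
        entry = execbase + lvo                   # 6-byte entry: JMP opcode + 32-bit target
        if u16(mem, entry) == JMP_ABS_L and in_virus(u32(mem, entry + 2)):
            findings.append(name)
    if u16(mem, 0xD0) == JMP_ABS_L:              # JMP opcode stored at $D0 by "uglycode"
        findings.append("trampoline@$D0")
    return findings

def make_snapshot(infected):
    """Constructed 512 KiB test image; every address in it is made up for the demo."""
    mem = bytearray(0x80000)
    execbase, rom = 0x2000, 0xFC1000
    struct.pack_into(">L", mem, 4, execbase)
    for lvo in LVO.values():
        struct.pack_into(">HL", mem, execbase + lvo, JMP_ABS_L, rom)
    if infected:
        struct.pack_into(">L", mem, execbase + COOLCAPTURE, VIRUS_BASE + 0x40)
        struct.pack_into(">HL", mem, 0xD0, JMP_ABS_L, rom)   # opcode at $D0, address at $D2
        for lvo in LVO.values():
            struct.pack_into(">L", mem, execbase + lvo + 2, VIRUS_BASE + 0x80)
    return bytes(mem)

if __name__ == "__main__":
    for state in (False, True):
        print("infected" if state else "clean", scan(make_snapshot(state)))
```

Because the Wait() hook restores the other vectors, a single corrected vector is not a sign of a clean system; all four indicators should be absent.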
A counter at $C0 is initialized with the value 16. With each infection the value is decremented. When it reaches 0, an alert is shown.
In the decrypted virus you can read the additional text (which is not shown in the alert):
02e0h: 61 72 79 00 4E 6F 74 65 20 74 6F 20 50 61 72 61 ; ary.Note to Para
02f0h: 6E 6F 69 6D 69 61 3A 20 54 68 65 20 65 61 72 6C ; noimia: The earl
0300h: 79 20 72 65 6C 65 61 73 65 20 6F 66 20 58 2D 4F ; y release of X-O
0310h: 75 74 20 77 61 73 20 6E 6F 20 65 78 63 65 70 74 ; ut was no except
0320h: 69 6F 6E 20 73 6F 20 73 74 6F 70 20 70 72 65 74 ; ion so stop pret
0330h: 65 6E 64 69 6E 67 20 74 68 61 74 20 79 6F 75 20 ; ending that you
0340h: 22 68 65 6C 70 22 20 75 73 20 62 79 20 64 65 6C ; "help" us by del
0350h: 61 79 69 6E 67 20 63 72 61 63 6B 73 20 10 45 F9 ; aying cracks .Eù
0360h: 00 07 F0 00 41 FA FC CA 30 3C 03 2D 14 98 0A 1A ; ..ð.AúüÊ0<.-.˜..






