Introduction
Jeff v1.31 is a virus written for the Commodore Amiga. It is very common in Germany and neighboring countries and was first discovered in 1988. It is a file virus.
Summary
- Writes itself to unprotected floppy disks when they are inserted in the floppy drive
- Does so without using any dos.library functions, altering the disk structure directly; this was very advanced (at least for 1988)
- Uses different names, chosen randomly, as its filename
- Extends the startup-sequence of an inserted disk, writing its filename (see above) in the first line
- Stays resident in memory by using KickTagPtr
- Has a total length of 3408 bytes
- Alters some operating-system routines:
  - DoIO() of exec.library
  - $68 (Interrupt-Vector)
- Randomly displays an alert message when resetting the Amiga
- Randomly alters the caption of an active AmigaDOS window with random messages
- All virus texts are encrypted within the file
Details
The virus randomly [1] shows the following alert message while resetting the computer:
[1] At least to the victim it appears random; in fact the alert is shown every 15th reset. Take a look at this code:
; This code will be processed on every reset:
        lea     counter(pc),a0      ; address of the reset counter
        addq.b  #1,(a0)             ; count this reset
        move.b  (a0),d0
        and.b   #$F,d0              ; <--- $F = 15
        bne.s   do_not_show_alert   ; masked value not zero: skip the alert
        bsr     show_alert
do_not_show_alert:
        (...)
Also the virus alters the caption of an active AmigaDOS window with random messages.
An AmigaDOS window before alteration by the virus:
The same AmigaDOS window after alteration by the virus:
This is just one of twelve texts in total that the window caption can be altered to:
- Ich brauch jetzt'n Bier!
- Stau auf Datenbus bei Speicherkilometer 128!
- Mehr Buszyklen für den Prozessor!
- Ein dreifach MITLEID für Atarist!
- BUTONIC!
- Schon die Steinzeitmenschen benutzten MS-DOS…einige sogar heut noch!
- Schon mal den Sound vom PS/2 gehört???
- PC/XT-AT: Spendenkonto 004…
- Unabhängigkeit & Selbstbestimmung für den Tastaturprozessor!
- Paula meint, Agnus sei zu dick.
- IBM PC/XT: Ein Fall für den Antiquitätenhändler…
- Sag mir, ob du Assembler kannst, und ich sage dir, wer du bist.
Also the virus uses different filenames while writing itself to the disk:
| Name on disk | Appearance in startup-sequence |
|---|---|
| AddBuffers | AddBuffers 20 |
| Add21k | Add21k |
| Fault | Fault 206 |
| break | break 1 D |
| changetaskpri | changetaskpri 5 |
| wait | wait |
| 0xA0 [2] | 0xA020 |
| 0xA0A0A0 [3] | 0xA0A0A020 |
| Arthus | Arthus |
| Helmar | Helmar |
| Aloisius | Aloisius |
| 0x20 [4] | 0x2020 |
When altering the startup-sequence the virus uses a very aggressive solution: the space needed to add the virus's filename is cut from the end of the original startup-sequence.
Take a look at the following unaltered startup-sequence of an Amiga disk:
C:SetPatch QUIET
C:Version >NIL:
After alteration by the virus (assuming Aloisius as filename) the (above) startup-sequence looks like this:
Aloisius
C:SetPatch QUIET
C:Vers
As you can see, the resulting startup-sequence is corrupted because AmigaDOS will search for a command C:Vers instead of C:Version. This means that the last command won't be processed anymore but "ignored" (in fact it will raise a command not found exception, to be precise).
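A defender's check built from the indicators above, as an added example that is not part of the original page: it matches the first line of a startup-sequence against the table of names and confirms the match with the 3408-byte file length. The `files` listing, the reading of the table's hex entries as raw bytes with a trailing space byte, and the verdict names are assumptions.

```python
JEFF_LENGTH = 3408  # total virus length stated on this page

# First-line forms from the page's table, mapped to the file name on disk.
# Assumption: the hex entries are raw bytes and the trailing "20" is a space byte.
FIRST_LINES = {
    b"AddBuffers 20": b"AddBuffers", b"Add21k": b"Add21k",
    b"Fault 206": b"Fault", b"break 1 D": b"break",
    b"changetaskpri 5": b"changetaskpri", b"wait": b"wait",
    b"Arthus": b"Arthus", b"Helmar": b"Helmar", b"Aloisius": b"Aloisius",
    b"\xa0\x20": b"\xa0", b"\xa0\xa0\xa0\x20": b"\xa0\xa0\xa0",
    b"\x20\x20": b"\x20",
}


def check_startup(startup: bytes, files: dict) -> dict:
    """Classify a startup-sequence given a {name: size} listing of the disk.

    `files` is a hypothetical input: whatever directory listing the analyst
    has extracted from the disk image, keyed by raw file name bytes.
    """
    line = startup.split(b"\n", 1)[0]
    name = FIRST_LINES.get(line)
    if name is None:
        return {"verdict": "no-indicator", "name": None, "bytes_lost": 0}
    # AmigaDOS names are case-insensitive, so compare lower-cased.
    sizes = {k.lower(): v for k, v in files.items()}
    # Several names (AddBuffers, Fault, break, wait, changetaskpri) are also
    # real AmigaDOS commands, so the first line alone is only a hint; a file
    # of exactly the virus length under that name is the stronger indicator.
    strong = sizes.get(name.lower()) == JEFF_LENGTH
    return {
        "verdict": "likely-infected" if strong else "name-match-only",
        "name": name,
        # The inserted line plus its newline was cut from the end of the file.
        "bytes_lost": len(line) + 1,
    }


# Constructed samples: the two startup-sequences shown on this page.
CLEAN = b"C:SetPatch QUIET\nC:Version >NIL:"
ALTERED = b"Aloisius\nC:SetPatch QUIET\nC:Vers"

if __name__ == "__main__":
    print(check_startup(CLEAN, {b"startup-sequence": 32}))
    print(check_startup(ALTERED, {b"Aloisius": JEFF_LENGTH}))
```

Because the file length is unchanged by the alteration, `bytes_lost` tells the analyst how many bytes of the original tail must be restored from a clean copy.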
Clones and variants
[2] & [3] These filenames appear invisible in AmigaDOS when listing the contents of a disk with the CLI command dir.
[4] This filename is a space. AmigaDOS doesn't allow a space as a filename, hence disks infected by the virus using this filename don't start the virus at all!








