Joshua 1

Introduction

Joshua 1 is a computer virus written for the Commodore Amiga. It is a boot virus.

Summary

  • Overwrites the original bootblock of any unprotected disk inserted in the floppy drive of an Amiga computer
  • Uses BeginIO() of the trackdisk.device for infection
  • Stays resident in memory by using KickTag
  • Hooks ExecVec5 interrupt
  • It is not encrypted

Details

After booting from an infected disk, the virus allocates 1266 bytes of ChipMem. It then hooks the BeginIO() vector and adds an interrupt service routine (ExecVec5). The virus also makes itself resident by using KickTag.

Once installed, the interrupt routine runs in the background. It increments a counter, and when the counter reaches a certain value (after approximately 10 minutes) the virus displays a graphical sprite with the letters "JOSHUA". The sprite moves diagonally across the screen:

[Image: joshua.png]

After approximately 50 seconds the sprite will vanish:

sprite_routine:
(...)
  lea     counter,a5
  cmpi.l  #$7EF4,(a5)   ;Initialized to $7530
  bcs.s   do_nothing
  clr.l   (a5)
  clr.l   -4(a5)
do_nothing:
  rts

The virus uses ChipRam directly without allocation:

(...)
  cmpi.l  #$2029002C,$7E9B8
  bne.w   loc_D4
  move.l  $7EBDA,$94(a6)
  move.w  #$4EF9,$7E9B8
  move.l  #$7EAC4,$7E9BA
(...)

This will cause the Amiga to crash if another program overwrites this memory location!

Nothing in the virus bootblock looks suspicious except the data for the JOSHUA sprite at the end of the bootblock, which is "crunched" to save space and is decrunched when the virus starts:

03c0h: FD 94 61 00 FD 1C 4E 75 74 72 61 63 6B 64 69 73 ; ý”a.ý.Nutrackdis
03d0h: 6B 2E 64 65 76 69 63 65 00 00 00 7E 02 02 42 42 ; k.device...~..BB
03e0h: 3C 00 7E 42 42 42 7E 00 7E 40 7E 02 7E 00 42 42 ; <.~BBB~.~@~.~.BB
03f0h: 7E 42 42 00 42 42 42 42 7E 00 7E 42 7E 42 42 00 ; ~BB.BBBB~.~B~BB.

This is the "decrunch"-routine used to get valid sprite-data:

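decrunch_sprite:
  moveq   #$25,d0                     ;loop counter: dbf runs $25+1 = 38 times
  moveq   #-1,d1                      ;d1 = $FFFFFFFF
  move.w  #$8001,d2                   ;mask with bits 15 and 0 set
  lea     crunched_data(pc),a0        ;source: crunched bytes
  lea     sprite_data_location(pc),a1 ;destination: decrunched words
  move.l  d1,(a1)+                    ;write $FFFFFFFF
.loop:
  moveq   #0,d3                       ;clear d3
  move.b  (a0)+,d3                    ;fetch next crunched byte
  lsl.w   #4,d3                       ;shift it left by 4 bits
  or.w    d2,d3                       ;set bits 15 and 0
  move.w  d3,(a1)+                    ;store the expanded word
  move.w  d2,(a1)+                    ;store $8001 as the second word
  dbf     d0,.loop
  move.l  d1,(a1)+                    ;write $FFFFFFFF
  clr.l   (a1)+                       ;write a zero long word
  rts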
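
The decrunch routine above, modelled in Python and run over the bytes of the hex dump, as an added example that is not part of the original page. It assumes crunched_data is the last 38 bytes of the dump (offset 0x3DA onward, matching the 38 loop iterations); the function and constant names are illustrative.

```python
# Added example: Python model of decrunch_sprite, fed with the page's hex dump.
DUMP_BASE = 0x3C0
DUMP = bytes.fromhex(            # bytes 0x3C0-0x3FF as listed on this page
    "FD946100FD1C4E75747261636B646973"
    "6B2E6465766963650000007E02024242"
    "3C007E4242427E007E407E027E004242"
    "7E424200424242427E007E427E424200"
)
# Assumption: crunched_data is the last 38 bytes of the dump (0x3DA-0x3FF),
# which matches the loop count: d0 = $25, and dbf runs d0 + 1 times.
CRUNCHED_OFFSET = 0x3DA
ROWS = 0x25 + 1


def decrunch(crunched):
    """Return the 16-bit words the routine stores at sprite_data_location."""
    d2 = 0x8001                           # bits 15 and 0: left/right edge
    words = [0xFFFF, 0xFFFF]              # move.l d1,(a1)+ with d1 = -1
    for byte in crunched[:ROWS]:
        d3 = ((byte << 4) | d2) & 0xFFFF  # lsl.w #4,d3 / or.w d2,d3
        words += [d3, d2]                 # move.w d3,(a1)+ / move.w d2,(a1)+
    words += [0xFFFF, 0xFFFF]             # move.l d1,(a1)+
    words += [0x0000, 0x0000]             # clr.l (a1)+
    return words


def render(words):
    """One text line per word pair; a pixel is drawn if either word sets it.

    Simplification: the two words of a pair are merged, so the colour
    information they encode together is ignored. The trailing zero pair is
    skipped.
    """
    lines = []
    for i in range(0, len(words) - 2, 2):
        bits = words[i] | words[i + 1]
        lines.append(format(bits, "016b").replace("0", " ").replace("1", "#"))
    return lines


def sprite_from_dump():
    start = CRUNCHED_OFFSET - DUMP_BASE
    return decrunch(DUMP[start:])


if __name__ == "__main__":
    print("\n".join(render(sprite_from_dump())))
```

Run as a script, this prints the letters J, O, S, H, U, A stacked vertically inside a one-pixel frame, which is a quick way to confirm that the trailing bootblock bytes are sprite data.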

Clones and variants
