Joshua 2

Introduction

Joshua 2 is a computer virus written for the Commodore Amiga. It is a bootblock virus: it lives in the first two sectors of a floppy and is executed by the ROM boot code before AmigaOS is loaded.

Summary

  • Overwrites the original bootblock of any unprotected (write-enabled) disk inserted into the floppy drive of an infected Amiga
  • Uses the BeginIO() vector of trackdisk.device for infection
  • Stays resident in memory across resets by using ColdCapture
  • Hooks the ExecVec5 interrupt (adds an interrupt server routine)
  • Encrypts itself with a random byte on each infection, so every infected bootblock looks different (similar to The Lamer Exterminator)

Details

After booting from an infected disk the virus allocates 1300 bytes of Chip memory and copies itself there. It then patches the BeginIO() vector of trackdisk.device (so every disk access passes through the virus) and adds an interrupt server routine (ExecVec5). Furthermore the virus makes itself survive a reset by pointing ColdCapture at its own reset routine.

Once installed, the interrupt routine is processed in the background. It writes the ROM address of DoIO() for Kickstart 1.2 into the DoIO() entry of the exec.library jump table (the longword at -454(a6), the address part of the JMP at the DoIO() LVO). The idea is to disable other viruses that patch DoIO() for infection, e.g. SCA. Because the address is hard-coded, it is only correct for Kickstart 1.2: on any Amiga with a later Kickstart the next DoIO() call jumps to a wrong ROM location and the machine crashes immediately, typically with this error message:

joshuacrash.png

This is the bug in the virus code which causes the software failure:

(...)
  lea     doio_pointer(pc),a0
  move.l  #$FC06DC,(a0)        ; store the DoIO() ROM address - this value is only valid for Kickstart 1.2!!
(...)

interrupt:
  move.l  4.w,a6               ; a6 = ExecBase
(...)
  move.l  doio_pointer(pc),-454(a6) ; overwrite the DoIO() jump-table entry; crashes Amigas with Kickstart 1.3++
(...)

If you reset the Amiga after the crash on Kickstart 1.3 or later, exec calls the virus reset routine through ColdCapture. This routine corrects the bug above by reading the real DoIO() address from the jump table instead of using the constant:

reset_routine:
  lea     doio_pointer(pc),a0
  move.l  -454(a6),(a0)         ; a6 = ExecBase; read the real ROM address of DoIO() from the jump table (unlike above, where it was set to a fixed Kickstart 1.2 value!)
(...)

This means that after the reset the virus is fully operational even on Kickstart 1.3 or later, ready to infect disks! The crash on first boot is therefore no protection; the virus is simply one reset away from working.

On Kickstart 1.2 Amigas you will not see any of the software failures shown above. It "works fine" there, so it seems the programmer owned a Kickstart 1.2 Amiga :-)
The interrupt routine also increments a counter. After it reaches a certain value (roughly 10 minutes of uptime) the virus displays a hardware sprite with the letters "JOSHUA", which moves diagonally across the screen:

joshua.png

If you press the right mouse button the sprite vanishes. The check reads bit 10 (DATLRY, the right button of mouse port 0, active low) of the POTGOR register at $DFF016:

sprite_routine:
(...)
  btst    #10,$DFF016           ; right mouse button of port 0? (bit is 0 while pressed)
  bne.s   not_pressed
  lea     do_sprite(pc),a5      ; right mouse button pressed: remove sprite!
  clr.l   (a5)                  ; clear the "show sprite" flag
not_pressed:
  rts

Apart from this there is nothing special to see in the decrypted virus (no suspicious texts etc.); the only readable string is the device name trackdisk.device. The data for the JOSHUA sprite sits at the end of the bootblock, directly after that string. It is stored "crunched" (one byte per sprite line) to save space and is expanded into real sprite words when the virus starts:

03c0h: FD 94 61 00 FD 1C 4E 75 74 72 61 63 6B 64 69 73 ; ý”a.ý.Nutrackdis
03d0h: 6B 2E 64 65 76 69 63 65 00 00 00 7E 02 02 42 42 ; k.device...~..BB
03e0h: 3C 00 7E 42 42 42 7E 00 7E 40 7E 02 7E 00 42 42 ; <.~BBB~.~@~.~.BB
03f0h: 7E 42 42 00 42 42 42 42 7E 00 7E 42 7E 42 42 00 ; ~BB.BBBB~.~B~BB.

This is the "decrunch" routine used to turn those bytes into valid sprite data. Each byte becomes one 16-pixel sprite line: it is shifted into the middle of the first bitplane word with bits 15 and 0 set, and the second bitplane word is always $8001, which draws a one-pixel frame on both sides of the letters:

decrunch_sprite:
  moveq   #$25,d0               ; 38 sprite lines (dbf counts down to -1)
  moveq   #-1,d1                ; $FFFFFFFF
  move.w  #$8001,d2             ; border bits: leftmost and rightmost pixel
  lea     crunched_data(pc),a0  ; packed bytes (see dump above)
  lea     sprite_data_location(pc),a1 ; destination sprite structure
  move.l  d1,(a1)+              ; control longword (position), filled in later
.loop:
  moveq   #0,d3
  move.b  (a0)+,d3              ; one packed byte = one line
  lsl.w   #4,d3                 ; move the 8 pixels to bits 4..11
  or.w    d2,d3                 ; add the frame pixels
  move.w  d3,(a1)+              ; bitplane A word
  move.w  d2,(a1)+              ; bitplane B word ($8001, frame only)
  dbf     d0,.loop
  move.l  d1,(a1)+
  clr.l   (a1)+                 ; 0,0 terminates the sprite list
  rts
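To check the description above without running the virus, here is a Python re-implementation of the decrunch loop plus a small renderer for the result. This is an added example, not code from the virus or from this page's author. It assumes that crunched_data starts at offset $03DA of the bootblock (the 38 bytes the loop consumes then end exactly at $03FF, which matches the dump) and that the Amiga sprite colour of a pixel is (bit of plane B) * 2 + (bit of plane A); the input bytes are transcribed from the dump above.

```python
import struct

# Bytes 0x03DA..0x03FF of the infected bootblock, copied from the hex dump
# (assumption: this is where crunched_data starts; constructed test input).
CRUNCHED = bytes.fromhex(
    "00"                      # 0x03DA: blank top line
    "7E 02 02 42 42 3C 00"    # J
    "7E 42 42 42 7E 00"       # O
    "7E 40 7E 02 7E 00"       # S
    "42 42 7E 42 42 00"       # H
    "42 42 42 42 7E 00"       # U
    "7E 42 7E 42 42 00"       # A
)

LINES = 0x25 + 1   # moveq #$25,d0 + dbf -> 38 iterations
BORDER = 0x8001    # move.w #$8001,d2


def decrunch_sprite(crunched: bytes, lines: int = LINES) -> bytes:
    """Mirror of the 68k decrunch_sprite routine.

    Returns the expanded hardware-sprite structure: control longword,
    then one (plane A, plane B) word pair per line, then -1 and the
    0,0 terminator, exactly as the assembly writes it.
    """
    out = bytearray()
    out += struct.pack(">I", 0xFFFFFFFF)          # move.l d1,(a1)+  (d1 = -1)
    for b in crunched[:lines]:
        plane_a = ((b << 4) | BORDER) & 0xFFFF    # lsl.w #4,d3 / or.w d2,d3
        plane_b = BORDER                          # move.w d2,(a1)+
        out += struct.pack(">HH", plane_a, plane_b)
    out += struct.pack(">I", 0xFFFFFFFF)          # move.l d1,(a1)+
    out += struct.pack(">I", 0)                   # clr.l (a1)+ : end of sprite
    return bytes(out)


def render(sprite: bytes, chars: str = " #.|") -> str:
    """Draw the decoded sprite as ASCII art.

    Colour 0 (transparent) -> ' ', colour 1 (letter pixels: A=1, B=0) -> '#',
    colour 3 (frame: A=1, B=1) -> '|'. Colour 2 never occurs here.
    """
    body = sprite[4:-8]   # skip control longword, drop trailing -1 and 0,0
    rows = []
    for off in range(0, len(body), 4):
        a, b = struct.unpack(">HH", body[off:off + 4])
        row = ""
        for x in range(16):
            bit = 15 - x
            colour = (((b >> bit) & 1) << 1) | ((a >> bit) & 1)
            row += chars[colour]
        rows.append(row)
    return "\n".join(rows)


def sprite_size(crunched: bytes = CRUNCHED) -> int:
    """Size in bytes of the expanded sprite: 4 + lines*4 + 4 + 4."""
    return len(decrunch_sprite(crunched))


if __name__ == "__main__":
    print(render(decrunch_sprite(CRUNCHED)))
```

Running the block prints the six framed letters one above the other, which is the "JOSHUA" sprite shown in the screenshot. The same decoder can be pointed at any dump of an infected bootblock to confirm that the tail of the block is the sprite and not additional payload.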

Clones and variants

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License