Kauki

Introduction

Kauki is a computer virus written for the Commodore Amiga. It is an old and very simple boot virus.

Summary

  • Overwrites the original bootblock of an unprotected disk when the Amiga is booted from it
  • The virus is not encrypted
  • Uses the DoIO() vector of exec.library for infection
  • Makes itself reset-resident by using the CoolCapture vector
  • Works only with Kickstart 1.2

Details

After booting from an infected disk, the virus copies itself to memory location $7EC00. The virus does not reserve this location, so other programs can use the area too, which will cause the Amiga to crash on the next reset. The virus then makes itself reset-resident by using the CoolCapture vector. AmigaOS may not process the CoolCapture hook at all, because the virus does not compute the necessary checksum but writes a fixed value directly, assuming that ColdCapture and WarmCapture are zero:

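coolcapture:
  move.l  #$7EF5A,$2E(a6)     ; set ExecBase CoolCapture (offset $2E) to $7EF5A
  move.w  #$AC1,$52(a6)       ; write a fixed ExecBase ChkSum (offset $52), not computed
  rts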

Finally, the virus shows a graphical routine:
[Image: kauki.png]

On the next reset the virus hooks the DoIO() vector of exec.library. If the Amiga is then booted from an unprotected disk, the virus infects its bootblock.
During infection the virus assumes DoIO() ROM locations that are valid only on Kickstart 1.2, which means the virus works only on this version:

doio_hook:
  clr.l   (a4)
  jsr     $FC06DC             ; DoIO()-ROM address for Kickstart 1.2 only!
  cmpi.l  #$444F5300,(a4)     ; compare with "DOS",0 (bootblock signature)
  bne.s   .end
  move.l  #$FC06DC,-$1C6(a6)  ; DoIO()-ROM address for Kickstart 1.2 only!
  (...)
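
A defender-side check built from the two excerpts above, as an added example that is not part of the original page: it scans the bootblock of a disk image for the 68000 encodings of the quoted instructions and also verifies the standard bootblock checksum. The encodings are hand-assembled for this example, and the function names and sample bootblocks are constructed; a match is a heuristic, not a confirmed identification.

```python
import struct

# 68000 encodings of the instructions quoted in the excerpts above, assembled by
# hand for this example (assumption: real samples use these exact encodings).
PATTERNS = {
    "CoolCapture set to $7EF5A": bytes.fromhex("2D7C0007EF5A002E"),
    "ExecBase ChkSum hard-coded to $0AC1": bytes.fromhex("3D7C0AC10052"),
    "jsr to Kickstart 1.2 DoIO() ROM address": bytes.fromhex("4EB900FC06DC"),
    "DoIO() vector rewritten with ROM address": bytes.fromhex("2D7C00FC06DCFE3A"),
}
BOOTBLOCK_SIZE = 1024  # first two 512-byte sectors of an Amiga floppy


def carry_sum(block):
    """Sum big-endian longwords with end-around carry (Amiga bootblock checksum)."""
    total = 0
    for (word,) in struct.iter_unpack(">I", block):
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total


def scan_bootblock(image):
    """Report signature, checksum validity and pattern offsets for a disk image."""
    block = image[:BOOTBLOCK_SIZE]
    if len(block) < BOOTBLOCK_SIZE:
        raise ValueError("image shorter than one bootblock")
    hits = {name: block.find(pat) for name, pat in PATTERNS.items()}
    hits = {name: off for name, off in hits.items() if off >= 0}
    return {
        "dos_signature": block[:4] == b"DOS\x00",        # $444F5300
        "checksum_ok": carry_sum(block) == 0xFFFFFFFF,   # valid bootblock
        "hits": hits,
        "suspicious": len(hits) >= 2,  # a single short pattern could be chance
    }


def make_sample(infected):
    """Constructed test bootblock: DOS header, optional quoted instructions."""
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS\x00"
    if infected:
        body = b"".join(PATTERNS.values())
        block[12:12 + len(body)] = body
    # Checksum field at offset 4 is the complement of the sum with the field zeroed.
    struct.pack_into(">I", block, 4, ~carry_sum(bytes(block)) & 0xFFFFFFFF)
    return bytes(block)
```

For an ADF image, pass the file contents to `scan_bootblock`; the offsets in `hits` are byte positions inside the bootblock.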

Clones and variants

None
