Introduction
Pestilence v1.15 is a computer virus written for the Commodore Amiga. It is a bootblock virus discovered in 1994, which makes it one of the newer bootviruses on the Amiga.
All in all it is a very dangerous virus and one of the "better" written ones among the bootviruses.
Summary
- Overwrites the original bootblock of any unprotected disk inserted in the floppy drive.
- Uses BeginIO()-vector of the trackdisk.device for infection
- Alters DisplayAlert()-vector of the intuition.library
- Alters SumKickData()- and Disable()-vector of the exec.library
- Stays resident in memory by using the CoolCapture
- Is fully encrypted, with a new key for every infection taken from hardware register $dff006.
- Decrypts FileSystem datablocks
- Also works with newer Amigas (Kickstart 2.0, 3.0) and higher CPUs (68020, 68030, 68040)
- Destroys all data on a disk when a trigger condition is met
Details
After booting from an infected disk the virus allocates and registers 3072 bytes of ChipRAM and copies itself to this memory location. After that the virus alters the BeginIO()-vector of the trackdisk.device, the DisplayAlert()-vector of the intuition.library and finally the SumKickData()- and the Disable()-vector of the exec.library. Then the virus uses the CoolCapture to stay resident in memory.
The DisplayAlert()- and the SumKickData()-hooks are used to disable these vectors with the following code, which now runs whenever AmigaOS calls either vector:
donothing:
 moveq #0,d0   ; return 0 to the caller
 rts           ; and do nothing else
This is done to
- prevent programs from displaying an alert (DisplayAlert()-hook), for example anti-virus programs that want to tell the user that something suspicious is in memory
- prevent other viruses from making themselves resident via KickTagPtr (SumKickData()-hook)
The Disable()-hook is used to re-install the above vectors every time Disable() is called by AmigaOS (which happens very often :-)).
If an unprotected disk is inserted, the virus infects its bootblock. While this takes place the virus checks whether the Amiga hardware register $dff006 (VHPOSR, the beam-position register) contains the value 176. If so, the whole disk is overwritten with memory garbage:
kill:
 addq.b #1,$1D(a1)        ; low byte of io_Command: a pending CMD_READ (2) becomes CMD_WRITE (3)
 move.l #$D4800,$24(a1)   ; io_Length = $D4800 = 901120 bytes, i.e. the whole 880 KB disk
You can format such a disk without worries; its content is gone anyway :-(
Besides infection, the BeginIO()-hook is also used to encrypt and decrypt data blocks: whenever files on unprotected disks are accessed (reading files, starting executables etc…) the virus encrypts data on the way to disk and decrypts it on the way back. A normal OldFileSystem data block begins with the longword $00000008; the virus marks it with the word $AFFE (resulting in $AFFE0008) and encrypts the whole block with the following loop:
crypt:
 addq.l #2,a0            ; a0 points just past the $AFFE tag; also skip the remaining $0008 word
 move.w #$FC,d0          ; 253 words to process ($FC..0), the last word of the block is left alone
.loop:
 eori.w #$DEAD,(a0)      ; fixed key
 eor.w d0,(a0)+          ; plus the running counter as a second key, advance to the next word
 dbf d0,.loop
 rts
This data is only decrypted while the virus is active in memory (encrypted blocks are recognized by the $AFFE-tag). This means that once you remove the virus the affected data can no longer be read correctly and AmigaOS shows the following dialog:
While the virus is active the data reads fine. This technique was introduced by the Saddam virus.
Here is a diskblock before encryption:
400h: 00 00 00 08 00 00 04 F7 00 00 00 03 00 00 01 E8 ; .......÷.......è
410h: 00 00 04 FB C9 8B 30 B4 12 19 10 18 66 0A 0C 01 ; ...ûÉ‹0´....f...
(...)
4e0h: 9B 33 33 6D 56 69 72 75 73 4D 65 6D 4B 69 6C 6C ; ›33mVirusMemKill
4f0h: 20 56 31 2E 30 30 20 A9 20 43 68 72 69 73 20 48 ; V1.00 © Chris H
500h: 61 6D 65 73 9B 6D 00 0A 43 6F 6C 64 43 61 70 74 ; ames›m..ColdCapt
510h: 75 72 65 00 43 6F 6F 6C 43 61 70 74 75 72 65 00 ; ure.CoolCapture.
520h: 57 61 72 6D 43 61 70 74 75 72 65 00 4B 69 63 6B ; WarmCapture.Kick
530h: 54 61 67 50 74 72 00 4B 65 79 52 65 73 65 74 00 ; TagPtr.KeyReset.
540h: 00 0A 0A 56 4D 4B 20 66 6F 75 6E 64 20 20 20 20 ; ...VMK found
550h: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;
560h: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;
570h: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;
580h: 20 20 20 20 20 20 20 20 20 2E 00 01 00 05 65 3D ; .....e=
590h: 00 01 00 2A C8 50 72 65 73 73 20 4C 45 46 54 20 ; ...*ÈPress LEFT
5a0h: 6D 6F 75 73 65 20 62 75 74 74 6F 6E 20 74 6F 20 ; mouse button to
5b0h: 43 4F 4C 44 20 52 45 53 45 54 28 43 6C 65 61 72 ; COLD RESET(Clear
5c0h: 29 2E 20 20 52 49 47 48 54 20 74 6F 20 44 4F 20 ; ). RIGHT to DO
5d0h: 4E 4F 54 48 49 4E 47 2E 00 01 FF 52 41 57 3A 31 ; NOTHING...ÿRAW:1
5e0h: 30 2F 32 30 2F 34 34 30 2F 31 35 30 2F 56 4D 4B ; 0/20/440/150/VMK
5f0h: 00 6B 65 79 62 6F 61 72 64 2E 64 65 76 69 63 65 ; .keyboard.device
… and here the same block after encryption by the virus (please note the $AFFE-tag at the beginning):
400h: AF FE 00 08 DE 51 DA A1 DE 57 DE 57 DE 55 DF B2 ; ¯þ..ÞQÚ¡ÞWÞWÞUß²
410h: DE 5B DA A3 17 D2 EE EA CC 46 CE 44 B8 57 D2 43 ; Þ[Ú£.ÒîêÌFÎD¸WÒC
(...)
4e0h: 45 10 ED 4D 88 48 AC 53 AD 6A BB 49 95 4C B2 46 ; E.íMˆH¬Sj»I•L²F
4f0h: FE 7D EF 06 EE 19 FE 87 FE 6C B6 5E B7 5E FE 9A ; þ}ï.î.þ‡þl¶^·^þš
500h: BF BE BB A3 45 BC DE DC 9D B8 B2 B0 9D B4 AE AE ; ¿¾»£E¼Þܸ²°´®®
510h: AB A9 BB D8 9D B6 B1 B2 9D BE AE A8 AB AF BB C2 ; «©»Ø¶±²¾®¨«¯»Â
520h: 89 A2 AC AD 9D A0 AE B2 AB B5 BB C4 95 AC BD A1 ; ‰¢¬ ®²«µ»Ä•¬½¡
530h: 8A AA B9 98 AA BB DE 85 BB B6 8C A9 AD A8 AA F2 ; Šª¹˜ª»Þ…»¶Œ©¨ªò
540h: DE F9 D4 A6 93 BA FE 90 B1 82 B0 90 FE D5 FE DA ; ÞùÔ¦“ºþ±‚°þÕþÚ
550h: FE DB FE D8 FE D9 FE DE FE DF FE DC FE DD FE C2 ; þÛþØþÙþÞþßþÜþÝþÂ
560h: FE C3 FE C0 FE C1 FE C6 FE C7 FE C4 FE C5 FE CA ; þÃþÀþÁþÆþÇþÄþÅþÊ
570h: FE CB FE C8 FE C9 FE CE FE CF FE CC FE CD FE B2 ; þËþÈþÉþÎþÏþÌþÍþ²
580h: FE B3 FE B0 FE B1 FE B6 FE B9 DE 95 DE 90 BB A7 ; þ³þ°þ±þ¶þ¹Þ•Þ»§
590h: DE 9A DE B2 16 C9 AC FB AD EC FE D0 9B DB 8A A2 ; ÞšÞ².ɬûìþЛۊ¢
5a0h: B3 EC AB F3 BB A1 BC F3 AA F3 B1 EA FE F1 B1 AA ; ³ì«ó»¡¼óªó±êþñ±ª
5b0h: 9D C4 92 CC FE DB 9B DD 9B DB F6 CF B2 E8 BF C0 ; Ä’ÌþۛݛÛöϲè¿À
5c0h: F7 9D FE 90 8C F8 99 FE 8A 97 AA DB FE F1 91 9A ; ÷þŒø™þŠ—ªÛþñ‘š
5d0h: 90 F4 8A F0 97 F7 99 90 DE BE 21 EE 9F EA E4 93 ; ôŠð—÷™Þ¾!îŸêä“
5e0h: EE 8C EC 90 F1 95 EA 96 F1 96 EB 94 F1 F3 93 E1 ; îŒìñ•ê–ñ–ë”ñó“á
5f0h: DE C0 BB D1 BC C6 BF DC BA 81 BA C9 A8 C4 63 65 ; ÞÀ»Ñ¼Æ¿ÜººÉ¨Äce
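The crypt loop and the two dumps line up exactly, which makes an offline recovery tool straightforward. The following Python is an added example, not code from the original page: it reimplements the loop, rebuilds the $AFFE-tagged block from the plaintext bytes quoted above and turns tagged blocks back into valid OFS data blocks; the dump ranges the page omits are zero-padded, so only the quoted ranges are compared.

```python
import struct

BLOCK_SIZE = 512
TAG = b"\xAF\xFE"               # word the virus writes over the block start
OFS_DATA = b"\x00\x00\x00\x08"  # first longword of an OldFileSystem data block

def pestilence_crypt(block: bytes) -> bytes:
    """The virus' XOR loop on a 512-byte block (its own inverse, so it encrypts
    and decrypts). Per the dump: start at byte 4, past the $AFFE tag and the
    untouched $0008 word, 253 words with d0 = $FC..0, last word left alone."""
    if len(block) != BLOCK_SIZE:
        raise ValueError("expected a 512-byte block")
    out, pos = bytearray(block), 4
    for d0 in range(0xFC, -1, -1):                    # move.w #$FC,d0 / dbf d0,.loop
        word = struct.unpack_from(">H", out, pos)[0]
        struct.pack_into(">H", out, pos, word ^ 0xDEAD ^ d0)  # eori.w #$DEAD / eor.w d0
        pos += 2                                      # (a0)+
    return bytes(out)

def encrypt_data_block(block: bytes) -> bytes:
    """What the BeginIO() hook does to an OFS data block on its way to disk."""
    if block[:4] != OFS_DATA:
        raise ValueError("not an OFS data block")
    return pestilence_crypt(TAG + block[2:])

def decrypt_data_block(block: bytes) -> bytes:
    """Recover a tagged block offline; untagged blocks come back unchanged."""
    if len(block) != BLOCK_SIZE or block[:2] != TAG:
        return block
    return b"\x00\x00" + pestilence_crypt(block)[2:]

# Bytes copied from the dumps above (block offsets 000h-01Fh, 0E0h-0EFh, 1F0h-1FFh).
# The page omits the rest, so gaps are zero-padded and only these ranges are compared.
PLAIN_PARTS = {0x000: bytes.fromhex("00000008000004F700000003000001E8"
                                    "000004FBC98B30B412191018660A0C01"),
               0x0E0: bytes.fromhex("9B33336D56697275734D656D4B696C6C"),
               0x1F0: bytes.fromhex("006B6579626F6172642E646576696365")}
ENC_PARTS = {0x000: bytes.fromhex("AFFE0008DE51DAA1DE57DE57DE55DFB2"
                                  "DE5BDAA317D2EEEACC46CE44B857D243"),
             0x0E0: bytes.fromhex("4510ED4D8848AC53AD6ABB49954CB246"),
             0x1F0: bytes.fromhex("DEC0BBD1BCC6BFDCBA81BAC9A8C46365")}

def build_block(parts: dict) -> bytes:
    buf = bytearray(BLOCK_SIZE)
    for offset, data in parts.items():
        buf[offset:offset + len(data)] = data
    return bytes(buf)
def ranges_match(block: bytes, parts: dict) -> bool:
    return all(block[o:o + len(d)] == d for o, d in parts.items())
```

Run decrypt_data_block over every 512-byte block of an image of an affected disk after the virus has been removed and the files the virus left unreadable become valid OFS data blocks again.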
The virus also uses a simple but effective stealth mechanism to hide its bootblock (similar to the Lamer Exterminator viruses):
If the virus is not active in memory and you display the bootblock of an infected disk, you will see the encrypted virus bootblock.
However, if the virus is active in memory and you display the bootblock of an infected disk, the virus intercepts the read and shows you a normal, clean Commodore standard bootblock.
Here is an example of displaying an infected bootblock of a disk while the virus is not active:
You can clearly see the encrypted virus, or at least something suspicious, as this is obviously not a standard bootblock.
And this is the same disk while the virus was active in memory:
You will just see a standard Commodore bootblock.
At the end of the decrypted bootblock you can see the following text:
03e0h: 79 00 50 45 53 54 49 4C 45 4E 43 45 20 76 31 2E ; y.PESTILENCE v1.
03f0h: 31 35 20 28 63 29 20 31 34 2F 30 35 2F 39 34 21 ; 15 (c) 14/05/94!
Clones and variants
None