TeleCom

Introduction

TeleCom is a computer virus written for the Commodore Amiga. It is an old file virus.

Summary

  • Writes its virus file into the root of an unprotected disk during the boot process
  • Changes (and in some cases damages) the startup-sequence
  • It is not encrypted
  • Hooks DoIO() and FindResident() of exec.library and OpenWindow() of intuition.library for infection
  • Works only with Kickstart 1.3
  • Works only if the Amiga is equipped with a 512 KB SlowRam/RangerRam extension
  • Stays resident by using CoolCapture
  • File size of the virus: 756 bytes

Details

When the virus is executed for the first time it only makes itself resident by using the CoolCapture vector and copies itself to the Ranger/SlowRam location $C71000. The infection triggers become active the next time you reset the Amiga. Then the virus hooks the DoIO() and FindResident() vectors of exec.library in a very system-unfriendly [1] way:

hook:
  move.l  #$C710B0,$C00218   ; Patches the FindResident() jump vector of an exec.base assumed to sit in RangerRam at $C00000
  move.l  #$C710CA,$C000B0   ; Patches the DoIO() jump vector of the same assumed exec.base
                             ; ($C00218 - $C000B0 = 360 bytes, exactly the distance between the FindResident (-96) and DoIO (-456) LVOs)

Assuming your Amiga survived the code above, the next time you boot with an unprotected disk the following happens:
The DoIO() hook is activated first and checks whether the inserted disk is write-protected by using the following code:

checkprotection:
  cmpi.b  #2,$1D(a1)    ; low byte of io_Command = CMD_READ (2)? -> Read-request for the bootblock?!
  bne.w   doio_kick13   ; no -> end (fall through to the original DoIO())
  tst.l   $2C(a1)       ; io_Offset
  beq.w   doio_kick13   ; zero -> end

  movem.l d0-a6,-(sp)
  bsr.w   doio_kick13   ; let the original DoIO() perform the read first
  move.w  #$F,$1C(a1)   ; io_Command = TD_PROTSTATUS ($F): query the write-protect status ("Get Disk-info")
  bsr.w   sub_C71108    ; re-issue the request with the new command
  tst.l   $20(a1)       ; io_Actual: non-zero means write-protected
  beq.w   not_protected
  bra.w   protected
not_protected:
  move.b  #1,$7FFA0     ; set the "disk is unprotected" flag
protected:
  movem.l (sp)+,d0-a6
  rts
doio_kick13:
  jmp     $FC0718       ; original DoIO() ROM entry, valid for Kickstart 1.3 only

As you can see, a flag is set at $7FFA0 if the disk is not write-protected; furthermore, the original DoIO() ROM address $FC0718 is used to exit this routine. However, $FC0718 is only valid for Kickstart 1.3!
The next thing executed is the FindResident() hook. At this stage of the boot process the virus can be sure that intuition.library is available, so it hooks its OpenWindow(). The FindResident() hook is then uninstalled.
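To make the IOStdReq fields the DoIO() hook relies on concrete, the following Python model is an added example (it is not the virus's code and is not part of the original page). It constructs requests in memory, mirrors the branch tests of the listing above (low byte of io_Command equals CMD_READ, io_Offset non-zero), simulates the TD_PROTSTATUS round trip (trackdisk.device answers in io_Actual, zero meaning not write-protected), and represents the $7FFA0 flag as a dictionary entry. The field offsets are those of the standard IOStdReq structure; everything else is constructed test data.

```python
import struct

# IOStdReq field offsets (bytes) referenced by the hook in the listing above.
IO_COMMAND = 0x1C      # UWORD io_Command; the hook compares its low byte at $1D
IO_ACTUAL = 0x20       # ULONG io_Actual; TD_PROTSTATUS reports the protection state here
IO_OFFSET = 0x2C       # ULONG io_Offset
IOSTDREQ_SIZE = 0x30   # enough room for the fields used here (constructed model)

CMD_READ = 2           # the command value the hook compares against
TD_PROTSTATUS = 0xF    # the command the hook stores into io_Command before re-issuing
FLAG_ADDRESS = 0x7FFA0 # where the virus keeps its "disk is unprotected" flag


def build_iostdreq(command, offset, actual=0):
    """Construct a zeroed IOStdReq (big-endian, as on the 68000) with the fields the hook reads."""
    buf = bytearray(IOSTDREQ_SIZE)
    struct.pack_into(">H", buf, IO_COMMAND, command)
    struct.pack_into(">I", buf, IO_ACTUAL, actual)
    struct.pack_into(">I", buf, IO_OFFSET, offset)
    return bytes(buf)


def hook_examines_request(ioreq):
    """Mirror the two branch tests of checkprotection: CMD_READ in the low byte of io_Command
    and a non-zero io_Offset. Anything else is passed straight through to the original DoIO()."""
    if ioreq[IO_COMMAND + 1] != CMD_READ:
        return False
    offset = struct.unpack_from(">I", ioreq, IO_OFFSET)[0]
    return offset != 0


def protstatus_reply(ioreq, write_protected):
    """Simulate what trackdisk.device does with the re-issued request: io_Command becomes
    TD_PROTSTATUS and io_Actual is non-zero only for a write-protected disk (constructed)."""
    buf = bytearray(ioreq)
    struct.pack_into(">H", buf, IO_COMMAND, TD_PROTSTATUS)
    struct.pack_into(">I", buf, IO_ACTUAL, 1 if write_protected else 0)
    return bytes(buf)


def doio_hook(ioreq, write_protected, memory=None):
    """Return the (modelled) memory after the hook ran: the flag at $7FFA0 is set to 1
    only when the request was examined and the disk turned out to be unprotected."""
    memory = {} if memory is None else memory
    if not hook_examines_request(ioreq):
        return memory  # bne/beq to doio_kick13: nothing recorded
    reply = protstatus_reply(ioreq, write_protected)
    if struct.unpack_from(">I", reply, IO_ACTUAL)[0] == 0:
        memory[FLAG_ADDRESS] = 1  # move.b #1,$7FFA0
    return memory


if __name__ == "__main__":
    for wp in (False, True):
        print("write-protected" if wp else "unprotected",
              doio_hook(build_iostdreq(CMD_READ, 512), wp))
```

The model is deliberately literal: a read at io_Offset 0 is passed through unexamined, exactly as the `tst.l $2C(a1)` / `beq.w` pair does, so the example documents what the code does rather than what one might expect a bootblock check to do.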

Then AmigaOS opens the default window, which triggers the OpenWindow() hook. This routine actually infects the disk if the flag at $7FFA0 is set (i.e. the disk is unprotected) by writing an invisible [2] file called $A0 into the root of the disk. After that the virus extends the first line of the startup-sequence with this filename, so the virus is activated again automatically at the next boot. Finally the OpenWindow() hook is uninstalled.

If the startup-sequence of the disk is larger than 1024 bytes it is cut, because the virus only reads 1024 bytes of it.
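A defender checking a disk for this infection has two markers to look for, both described above: a file whose raw name is the single byte $A0 in the root directory (with the 756-byte size from the summary), and a startup-sequence whose first line references that name. The following Python scanner is an added example, not code from the page or the virus; it takes raw directory entries and the raw startup-sequence bytes as input (for instance from a disk-image parser; `dir` would hide the name, as footnote 2 notes), and all sample data in it is constructed.

```python
TELECOM_FILENAME = b"\xA0"   # raw AmigaDOS name of the dropped file: one non-printing byte
TELECOM_FILESIZE = 756       # virus file size given in the summary
STARTUP_READ_LIMIT = 1024    # the virus reads at most this much of the startup-sequence


def find_virus_file(root_entries):
    """root_entries: iterable of (raw_name_bytes, size_in_bytes) taken from the root directory.
    Returns one record per entry whose raw name is exactly b'\\xA0'. The size comparison is
    reported separately so a file of a different size is still surfaced for inspection."""
    hits = []
    for name, size in root_entries:
        if name == TELECOM_FILENAME:
            hits.append({"name": name, "size": size, "size_matches": size == TELECOM_FILESIZE})
    return hits


def startup_sequence_findings(data):
    """Inspect raw startup-sequence bytes. The virus only modifies the first line, so the $A0
    reference is searched for there. An unterminated last line is reported as well: if the
    original script was longer than 1024 bytes, the virus's 1024-byte read cuts it mid-line."""
    first_line = data.split(b"\n", 1)[0]
    return {
        "first_line_references_virus": TELECOM_FILENAME in first_line,
        "first_line": first_line,
        "last_line_unterminated": len(data) > 0 and not data.endswith(b"\n"),
        "exceeds_virus_read_window": len(data) > STARTUP_READ_LIMIT,
    }


def scan_disk(root_entries, startup_sequence):
    """Combine both markers into one verdict for a disk."""
    files = find_virus_file(root_entries)
    script = startup_sequence_findings(startup_sequence)
    return {
        "infected": bool(files) or script["first_line_references_virus"],
        "virus_files": files,
        "startup_sequence": script,
    }


if __name__ == "__main__":
    # Constructed sample: a clean disk and an infected one.
    clean_root = [(b"c", 0), (b"s", 0), (b"libs", 0)]
    clean_script = b"c:setpatch >nil:\nloadwb\nendcli >nil:\n"
    infected_root = clean_root + [(b"\xA0", 756)]
    # Constructed: the first line carries the $A0 name; the exact way the virus
    # inserts it is not given on the page, so a trailing reference is assumed here.
    infected_script = b"c:setpatch >nil: \xA0\nloadwb\nendcli >nil:\n"
    print("clean:   ", scan_disk(clean_root, clean_script)["infected"])
    print("infected:", scan_disk(infected_root, infected_script)["infected"])
```

The name match is deliberately exact: a stray $A0 byte elsewhere in a file name is not the marker described here, while an $A0 byte inside the first line of the script is, because that is the only line the virus edits.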

There is an encrypted area which, when decrypted, reads as follows:

0000h: 73 2f 73 74 61 72 74 75 70 2d 73 65 71 75 65 6e ; s/startup-sequen
0010h: 63 65 00 00 20 54 65 6c 65 43 6f 6d 20 d8 00 00 ; ce.. TeleCom ...

Clones and variants

None


[1] I saw a lot of system-unfriendly code in my Amiga life but this one is a killer. This virus doesn't even try to get the correct exec.base address from RAM offset $4. Wow, this is scary! :-)
[2] This filename appears invisible to AmigaDOS when listing the contents of a disk with the CLI command dir.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License