Amiga Virus Encyclopedia: The Lamer Exterminator

The Lamer Exterminator

Introduction

The Lamer Exterminator is a computer virus written for the Commodore Amiga. The virus has been discovered in the year 1989 in Germany. It is well know within the Amiga community and one of the most spread viruses on the Amiga ever. It is a bootvirus.

Summary

Overwrites the original bootblock of any unprotected disk inserted in the floppy drive of an Amiga computer
Writes itself encrypted on the floppy disk
Stays resident in memory by using the KickTagPtr
Changes operating system calls
Destroys disk blocks randomly by putting the word "LAMER!" (or in some variants also the word "Lamer!") on the affected block
Uses stealth mechanism to hide virus bootblock

Details

This is the en/decryption code of a variant of the virus

decode_virus:
  lea     cryptstart(pc),a0 ; Begin of crypted area 
  lea     cryptend(pc),a2   ; Endaddress of crypted area
  move.b  (a2),d0           ; Decode-byte for XOR

.loop:
  eor.b   d0,(a0)+          ; Decode Virus code with a simple XOR
  cmpa.l  a0,a2             ; Until Startaddress not reached endaddress...
  bne.s   .loop             ; ...loop

A floppydisk block of an Amiga OldFileSystem disk before destruction by the virus (hex dump):

000h: 00 00 00 08 00 00 03 7A 00 00 00 01 00 00 01 E8 ; .......z.......è
010h: 00 00 03 F5 BF 17 41 51 63 6F 75 73 69 6E 73 73 ; ...õ¿.AQcousinss
020h: 6F 6E 67 31 00 00 00 00 00 00 00 00 73 74 2D 30 ; ong1........st-0
030h: 31 3A 70 6F 70 62 61 73 73 00 00 00 00 00 00 00 ; 1:popbass.......
040h: 00 00 05 46 00 40 00 00 00 01 73 74 2D 30 31 3A ; ...F.@....st-01:
050h: 73 6E 61 72 65 31 00 00 00 00 00 00 00 00 00 00 ; snare1..........
060h: 03 E8 00 34 00 00 00 01 73 74 2D 30 31 3A 70 6F ; .è.4....st-01:po
070h: 70 73 6E 61 72 65 31 00 00 00 00 00 00 00 03 E8 ; psnare1........è
(...)

The same floppydisk block of an Amiga OldFileSystem disk after destruction by the virus (hex dump):

000h: 4C 61 6D 65 72 21 4C 61 6D 65 72 21 4C 61 6D 65 ; Lamer!Lamer!Lame
010h: 72 21 4C 61 6D 65 72 21 4C 61 6D 65 72 21 4C 61 ; r!Lamer!Lamer!La
020h: 6D 65 72 21 4C 61 6D 65 72 21 4C 61 6D 65 72 21 ; mer!Lamer!Lamer!
030h: 4C 61 6D 65 72 21 4C 61 6D 65 72 21 4C 61 6D 65 ; Lamer!Lamer!Lame
040h: 72 21 4C 61 6D 65 72 21 4C 61 6D 65 72 21 4C 61 ; r!Lamer!Lamer!La
050h: 6D 65 72 21 4C 61 6D 65 72 21 4C 61 6D 65 72 21 ; mer!Lamer!Lamer!
060h: 4C 61 6D 65 72 21 4C 61 6D 65 72 21 4C 61 6D 65 ; Lamer!Lamer!Lame
070h: 72 21 4C 61 6D 65 72 21 4C 61 6D 65 72 21 4C 61 ; r!Lamer!Lamer!La

If the virus is decrypted you can see the following string typically found in the original versions of this virus:

0360h: 24 D8 51 C8 FF FC 4E 75 74 72 61 63 6B 64 69 73 ; $ØQÈÿüNutrackdis
0370h: 6B 2E 64 65 76 69 63 65 00 00 54 68 65 20 4C 41 ; k.device..The LA
0380h: 4D 45 52 20 45 78 74 65 72 6D 69 6E 61 74 6F 72 ; MER Exterminator
0390h: 20 21 21 21 00 0D AB CD 00 FC 0A 78 00 FE 9C 3E ;  !!!..«Í.ü.x.þœ>

The Lamer Exterminator virus family uses a simple but effective stealth mechanism to hide its virus bootblock:
If the virus is not active in memory and you are trying to display the bootblock of an infected disk¹ you will see the encrypted virus-bootblock.
However, if the virus actually is active in memory and you are trying to display the bootblock of an infected disk¹ the virus will become active showing you a normal and clean Commodore standard bootblock.

Here is an example of displaying an infected bootblock of a disk² while the virus is not active:

You clearly can see the encrypted virus. Well, or at least something suspicious as this is obviously no standard bootblock.

And this is the same disk while the virus was active in memory:

Wow! a clean Commodore standard bootblock… well at least this is what you should think.

Clones and variants

The Lamer Exterminator $392
The Lamer Exterminator $396
The Lamer Exterminator $3A6
The Lamer Exterminator $3AA
The Lamer Exterminator $3AE
The Lamer Exterminator $3F4
The Lamer Exterminator $342
The Lamer Exterminator $362
- aka CList virus
The Lamer Exterminator $39A
The Lamer Exterminator $3C2
MAD IV virus
Starcom Return virus
Starcom 4 virus
TAI 7 virus
Guardians Boot Aids virus
Ingo's Return virus

¹ By using a diskmonitor or similar tools
² I used an old bootblock-managing-tool called The Virus Expert 1.4

Amiga Virus Encyclopedia

Descriptions of amiga viruses

Introduction

Summary

Details

Clones and variants