Introduction
Zombi I is a computer virus written for the Commodore Amiga. It is an old boot virus.
Summary
- Overwrites the original bootblock of an unprotected (not write-protected) disk when the Amiga is booted from it
- The virus is not encrypted (only the virus text is)
- Uses the DoIO() vector of exec.library for infection
- Makes itself reset-resident by using CoolCapture
Details
After booting from an infected disk, the virus copies itself to memory location $7A000. The virus does not mark this memory area as reserved, so other programs can overwrite it, causing the Amiga to crash.
Then the virus makes itself reset-resident by using CoolCapture.
On the next reset the virus alters the DoIO() vector of exec.library. The next time the Amiga is booted from an unprotected disk, the virus writes itself onto the bootblock of that disk. After that the DoIO() vector hook is removed. On every 15th infection a hidden text within the virus is decrypted to ChipRAM location $70000 by the following routine:
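decode:
        lea     $7A29E,a0           ; a0 = encrypted text inside the resident virus copy
        move.w  #$22,d0             ; dbf counter: $22+1 = 35 longwords (140 bytes)
.loop:
        eori.l  #$AAAAAAAA,(a0)+    ; XOR each longword with the key, decrypting in place
        dbf     d0,.loop
        lea     $7A29E,a0           ; rewind to the start of the now plain text
        lea     $70000,a1           ; a1 = destination in ChipRAM
        move.l  #$8C,d0             ; dbf counter: $8C+1 = 141 bytes
.loop2:
        move.b  (a0)+,(a1)+         ; copy the plain text byte by byte to $70000
        dbf     d0,.loop2
        lea     $7A29E,a0           ; rewind again
        move.w  #$22,d0             ; same 35 longwords as in the first loop
.loop3:
        eori.l  #$AAAAAAAA,(a0)+    ; XOR a second time: the resident copy is encrypted again
        dbf     d0,.loop3
        clr.l   d0                  ; d0 = 0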
Then this text is shown as an alert.
After the alert is dismissed, the disk is renamed to Zombi I by directly writing a completely new disk rootblock (where the disk name, among other things, is stored).
Because the virus writes completely new root and bitmap blocks, AmigaDOS will not find any files on the affected disk anymore. The disk appears empty. You can try to rescue data by using DiskSalv by Dave Haynie.
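For triaging a disk image without booting it, the XOR routine and the rootblock rename described above can both be checked statically. The following Python sketch is an added example, not code from the virus or from the original page. It assumes a standard 880 KB ADF image (root block 880, disk name stored 80 bytes before the end of that block) and that the bootblock is copied 1:1 to $7A000, so the text sits at bootblock offset $29E; the function names and the sample image are constructed for illustration.

```python
XOR_KEY = 0xAA             # each byte of the longword key $AAAAAAAA
TEXT_OFFSET = 0x29E        # assumption: $7A29E - $7A000, bootblock copied 1:1
TEXT_LEN = (0x22 + 1) * 4  # dbf runs d0+1 times: 35 longwords = 140 bytes
BLOCK = 512
ROOT_BLOCK = 880           # assumption: standard 880 KB DD floppy image
NAME_OFFSET = BLOCK - 80   # BCPL string: length byte followed by the name
ADF_SIZE = 1760 * BLOCK

def decode_hidden_text(bootblock: bytes) -> bytes:
    """Statically undo the eori.l loop on a bootblock dump."""
    region = bootblock[TEXT_OFFSET:TEXT_OFFSET + TEXT_LEN]
    if len(region) != TEXT_LEN:
        raise ValueError("bootblock dump too short")
    return bytes(b ^ XOR_KEY for b in region)

def volume_name(adf: bytes) -> str:
    """Read the disk name stored in the root block."""
    base = ROOT_BLOCK * BLOCK + NAME_OFFSET
    if len(adf) < base + 31:
        raise ValueError("image too short to contain a root block")
    length = min(adf[base], 30)            # names are at most 30 characters
    return adf[base + 1:base + 1 + length].decode("latin-1")

def triage(adf: bytes) -> dict:
    """Report the rename marker and how text-like the decoded region is."""
    text = decode_hidden_text(adf[:2 * BLOCK])
    printable = sum(32 <= b < 127 for b in text)
    name = volume_name(adf)
    return {
        "volume": name,
        "renamed": name == "Zombi I",
        "printable_ratio": printable / TEXT_LEN,
        "decoded": text,
    }

def build_sample() -> bytes:
    """Constructed test image; the message is a placeholder, not the virus text."""
    adf = bytearray(ADF_SIZE)
    msg = b"CONSTRUCTED PLACEHOLDER TEXT".ljust(TEXT_LEN, b" ")
    adf[TEXT_OFFSET:TEXT_OFFSET + TEXT_LEN] = bytes(b ^ XOR_KEY for b in msg)
    base = ROOT_BLOCK * BLOCK + NAME_OFFSET
    adf[base:base + 8] = bytes([7]) + b"Zombi I"
    return bytes(adf)

if __name__ == "__main__":
    report = triage(build_sample())
    print(report["volume"], report["renamed"], report["printable_ratio"])
```

A high printable ratio in the decoded region together with the volume name Zombi I indicates a disk on which the payload has already run; a low ratio on its own only means that region of the bootblock holds no XOR-$AA text.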






