-
- Name : TeleCom
-
- Aliases : No aliases
-
- Clone : No clone
-
- Type/size : File/756
-
- Discovered : 04-03-93
-
- Way to infect: File infection
-
- Rating : Less Dangerous
-
- Kickstarts : only 1.3 with Ranger RAM ($C00000)
-
- Removal : Delete file.
-
- Comments : The virus uses the CoolCapture vector to stay resident
- in memory. It is always at the same address in
- memory ($C71000). After a reset the virus patches
- the DoIO(), FindResident(), and later the
- OpenWindow() vectors. If you are booting from a disk
- the virus does the following:
-
- a) It checks with the help of DoIO() if the disk
- is write protected. If not, the virus
- writes a value to a memory address. This value is
- later used by the OpenWindow patch to check
- if the disk was write protected.
-
- b) The virus patches the FindResident()
- vector. Some time later, this new patch installs
- a new patch in the OpenWindow() vector.
-
- c) This new patch infects the root dir of the disk
- by creating the virus file ($A0) and modifying
- the startup-sequence.
-
- The string "s/startup-sequence" in the virus is
- coded with a simple EOR-loop (eor.b #$27,(a1)+).
- In the decoded virus you can read "TeleCom".
-
- NOTE: I wonder how such a virus could spread itself.
- ^^^^^ -> The memory Ranger RAM is rare.
- I think this virus must be an older one.
-
- A.D 12-93
-
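The EOR-coded "s/startup-sequence" string mentioned in the comments can serve as a scan signature. The following is an added example, not part of the original description or of any scanner: it searches a file image for that string under the $27 key and, going beyond the one key the text names, under every other single-byte key. The function names, the sample buffer and the $200 offset are constructed for illustration.

```python
# Added example: locate a string hidden with a single-byte EOR (XOR) in a file image.
PLAINTEXT = b"s/startup-sequence"  # string named in the description
PAGE_KEY = 0x27                    # key from eor.b #$27,(a1)+


def eor(data: bytes, key: int) -> bytes:
    """Byte-wise EOR with one key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def find_eor_string(image: bytes, plaintext: bytes = PLAINTEXT, keys=range(1, 256)):
    """Return sorted (offset, key) pairs where plaintext appears EOR-coded."""
    hits = []
    for key in keys:  # key 0 would be the uncoded string, so it is skipped
        needle = eor(plaintext, key)
        start = image.find(needle)
        while start != -1:
            hits.append((start, key))
            start = image.find(needle, start + 1)
    return sorted(hits)


def decode_region(image: bytes, offset: int, length: int, key: int) -> bytes:
    """Decode length bytes at offset with the given key."""
    return eor(image[offset:offset + length], key)


def build_sample() -> bytes:
    """Constructed 756-byte buffer (NOT the real file): filler plus the coded string."""
    filler = bytes((i * 7 + 3) & 0xFF for i in range(756))
    coded = eor(PLAINTEXT, PAGE_KEY)
    offset = 0x200  # constructed position, not taken from the virus
    return filler[:offset] + coded + filler[offset + len(coded):]


if __name__ == "__main__":
    sample = build_sample()
    for offset, key in find_eor_string(sample):
        text = decode_region(sample, offset, len(PLAINTEXT), key)
        print(f"offset ${offset:X} key ${key:02X}: {text.decode('ascii')}")
```

A hit under key $27 in a 756-byte file in the root directory matches the description above; a hit under a different key would point to a variant that only changed the EOR constant.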