|
|
| ALIEN NEW BEAT Virus
|
|
Easy identification:
typical text on bootblock: ' THIS IS THE ALIEN NEW BEAT BOOT! THE BOOT ' 'WHICH CREATES A NEW DIMENSION IN MEMORY. THIS' ' IS A NEW STYLE OF VIRUS HUNTING!!! 179092 V' '1.0 Ir 04/01/1989 ' ' You won't believe it, but this thing' ' kills the SCA, ByteBandit, Dasa (ByteWarrior)' ', AIDS AND NorthStar virus!!!!!' |
|
|
|
| Ebola 2 Virus
|
|
Type of Infection:
Self-identification method in files:
- Searches for $ab1590ef at the end of the first hunk (this longword exists in the EBOLA-I virus)
- Searches for $24121996 at the end of the first hunk (self-recognition)
- Searches for $1080402 at the end of the first hunk (this is the recognition of the Strange Atmosphere link virus)
Self-identification method in memory:
Searches for $3D385E29 at offset -6 from the Dos LoadSeg() function. If $1020304 is found at this position, the destruction counter will be manipulated (some kind of test for the programmer of this virus?)
System infection:
- non RAM resident, infects the following functions: Dos LoadSeg(), Dos ReadArgs(), Exec FindName(), Exec FindTask(), Exec SetFunction() and Exec AddPort()
Infection preconditions:
- File to be infected is bigger than 2600 bytes and smaller than 290000 bytes
- Device must have more than 6000 sectors
- First hunk contains a $4eaexxxx command in the 16 bit range to the end of the file (test for the first entry)
- The file is not already infected (the longword at the end of the hunk)
- HUNK_HEADER and HUNK_CODE are found
|
|
| AmigaKnight Virus
|
|
Easy identification:
Typical text: string "initial_cli" visible in an infected file; file "initial_cli" in root directory; string "initial_cli" as first entry in startup-sequence.
|
| VirConSet2 Virus
|
|
Damage Trigger:
Permanent damage: insertion of a floppy disk
Transient damage: directly before 5th infection
|
|
|
| BEOL Virus
|
|
Particularities:
The crypt/decrypt routines are aware of processor caches and clear them if necessary. When the Launch routine gets control, the virus creates a kind of infection process. This process is completely re-entrant, so the virus can infect several files and volumes simultaneously. The virus is programmed very effectively; the author makes excessive use of V37+ functions and unusual coding methods. Nevertheless, the programmer left some tracks behind: "MS" in the volume name, and the magic number -$17 = -23, used for several purposes, should make it possible to find the author. I think only a dozen people worldwide can program like this. The linking method is very poor compared to the other functions in this virus: it recognises very few file types. Maybe this virus is only a test balloon.
|
| TERRORISTS Virus
|
|
Easy identification:
typical text: "TTV1" at end of virus (length=2608 bytes)
identification on disk: a file in the ROOT and/or DEVS directory is named with the following unprintable string: $A0,$20,$20,$20,$A0,$20,$20,$A0,$20,$A0,$A0; the length of the first command in startup-sequence seems to be altered to 2608 bytes (because the file is not the original anymore)
|
| TERRORISTS Virus
|
|
Type of Infection:
self-identification method: virus searches for a file in the DEVS or root directory named with this unprintable string: $A0,$20,$20,$20,$A0,$20,$20,$A0,$20,$A0,$A0
system infection: RAM resident, reset resident
|
|
| BRET HAWNES Virus
|
|
Easy identification:
Identification by the following entry (hex) in "startup-sequence" as first entry: $C0,$A0,$E0,$A0,$C0 (invisible in most ASCII editors) |
|
| JEFF BUTONIC 3.0 Virus
|
|
Easy identification:
typical text: --- identification by the following entry (invisible in ASCII editors) in startup-sequence as 1st entry: "$A0,$A0,$A0,$20,$9B,$41"; identification using a disk manager: a file $A0,$A0,$A0 (invisible) exists in root directory, with length=2916 byte; identification by text in memory: "Hi. Jeff's speaking here... (w) by the genious BUTONIC... V3.00/9.2.89 - Gen.0026 Greetings to *Hackmack*,*Atlantic*, & Alex,Frank,Wolfram, Gerlach,Miguel,Klaus,Snoopy-Data!"; this text is displayed as alert message after destruction of a disk structure; identification by transient damage: window titles are changed to following ones: "Ich Brauch jetzt Alk!", "Bitte keinen Wodka!", "Mehr Buszyklen fuer den Prozessor", "Paula meint, Agnus sei zu dick" |
|
| AMIGA FREAK Virus
|
|
Damage:
Permanent damage: overwriting bootblock, maybe destroying opened files when screen and keyboard are shut off and user has to restart system using CONTROL+LEFT-AMIGA+RIGHT-AMIGA
Transient damage: screen buffer manipulation: screen becomes dark, keyboard seems to malfunction. Transient damage may be released by pressing a special key combination: LEFT-ALT+LEFT-AMIGA (on newer AMIGAS, the COMMODORE key)+SPACE+RIGHT-AMIGA+RIGHT-ALT (but virus will still be active)
|
|
|
|