It is notable as the first virus known to be defensive. It hooks into the system in such a way that examining a bootblock will return a normal result and upon replicating will also encrypt itself.
Variants of the virus are known to use one of three different decrypt routines defined by The Amiga Virus Encyclopedia. A detection program can look for any of the known decrypt routines on the boot block area of the disk, or alternatively try to blindly brute force decrypt them. The first decrypt routine is a simple XOR of every byte which only takes a maximum of 256 attempts to decrypt. The next includes an add byte in its decrypt routine, and takes a maximum of 256x256 attempts. The third uses 16 bit words in its decrypt routine, and takes a maximum of 65535x65535 attempts which makes it an impractical approach with modern computers. The first two versions (and variants that use the same decrypt routines), can also be identified as containing an identification word 0xABCD, as the last data on the boot block containing anything but zero values.
- Over-writes the bootblock
- Remains RAM resident (allocating 1024 bytes and identifying itself: 'The LAMER Exterminator !!!')
- Hooks into the system (remaining reset-resident)
- Destroys media blocks by overwriting them 84 times with the string 'LAMER!', causing read/write errors on affected storage media. This causes filesystem corruption and data loss, which is unrecoverable.
|This malware-related article is a stub. You can help Wikipedia by expanding it.|