home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Software 2000
/
Software 2000 Volume 1 (Disc 1 of 2).iso
/
utilities
/
u552.dms
/
u552.adf
/
Virus_Checker.doc
< prev
next >
Wrap
Text File
|
1997-10-30
|
45KB
|
939 lines
Virus Checker
-------------
This Program
Virus_Checker is a freely distributable, copyrighted piece of software.
You do not have to pay money to use it, and may upload it wherever you
choose, but you are not allowed to sell Virus_Checker for profit, or
include Virus_Checker on a disk which is sold for profit, without the
author's (John Veldthuis) permission.
Commodore have this permission already.
MegaDisk also have this permission.
Money is not solicited but would be welcome.
I can be contacted at the address below.
Please send me any more new viruses so I can update Virus_Checker
But please don't send a letter asking for a copy without sending me at
least a disk to send it back on. I just cannot afford to do this.
John Veldthuis
21 Ngatai Street
Manaia, Taranaki
New Zealand
Phone (0624) 8409
Email addresses:
FIDO 3:771/400.0
USENET johnv@tower.actrix.gen.nz
I have been asked to include the following:
Virus_Checker can be kept up to date thanks to the energy and work put into
a global anti-virus information bank founded by Erik Løvendahl Sørensen
from Denmark.
This group has over 120 international members now, among them some of the
programmers of well known anti-virus programs like Steve Tibbet and Jonathan
Potter. Among the activities of this group are:
- Spreading information to anti-virus programmers as fast as
possible.
- Trying to get names and proof against virus programmers and
giving the information to the justice department of his/her
country to press charges.
- Writing articles in popular magazines to inform new Amiga
users about viruses and how to protect themselves.
All this is volunteer work. If you want some more information about this
organization or you want to sponsor our work, contact Erik at the following
address:
REWARD $ 1000:
-------------
Do you know a virus programmer, you can get a reward $ 1000 for his name
and address. The fact is that the law punish data crime very, very.. hard.
(5 years in jail in most countries). We are an international group with
200 members, who have started a work to try stop virus spreading . Let me
give you some examples:
Erik Løvendahl Sørensen
Snaphanevej 10
4720 Præstø
Denmark - Europe
Phone: 00 45 53 79 25 12
Fidonet 2:230/114.26
Notes for Enforcer Users
========================
If you run the program called Enforcer then you will get a few hits when
Virus_Checker starts up as it looks for viruses. You will also get hits if
you do the memory scan again.
Nothing can be done about this as this is the only way to find some
viruses.
To use Virus_Checker , place in your startup-sequence the following line -
Virus_Checker
This will run virus_checker.
Or from the CLI Type Virus_Checker and hit return.
You can also double-click on Virus_Checker's icon from Workbench
****** Special Notice for Users of File Packers and Crunchers ******
If you use a program such as PowerPacker to make your files smaller then be
aware to check these files before you crunch them. If the file is infected
and you crunch them then VC will not find the virus in the file and each
time you use that file it will infect your machine.
VC will still detect the virus in memory and remove it okay.
So if you get VC telling you your memory is infected but you cannot find it
on any disks then start unpacking any of these files and check them
UNPACKED.
**New features**
----------------
New Features added to Virus_Checker are added to the command line.
The syntax is Virus_Checker -l### -t### -w### -b -q -n -c -u dirname
where ### is any decimal number
-l### Tells Virus_Checker how far from the left edge of the screen to open
the Virus_Checker window.
-t### Tells Virus_Checker how far down from the top edge of the screen to
open the Virus_Checker window.
-w### Tells Virus_Checker how wide you want the window. It has a maximum
size of 386 pixels and a minimum of 200. Any numbers out of this
range are ignored.
-b Tells Virus_Checker to send its window to the back of all the other
open windows.
-n Tells Virus_Checker not to open a window. It will check memory and
disks inserted but you will have to use the ARexx port to get it to
scan the whole disk for Link/File viruses.
To stop VC, run VC again or use the ARexx port.
Versions prior to 5.33 opened a 1x1 bit backdrop window but 5.33 on
do not open any window except requester windows when needed.
-q Virus_Checker will check all memory, files, and disks for viruses
then exit. To check the dh0: partition and exit do the following -
Virus_Checker -q dh0:
This will check memory, disks, files, and dh0:, then exit.
-c Disable loading of Config file. You get the defaults.
-u Tempory Option for WB2 user untill other interface is done
Bring up the User Interface before starting Virus_Checker.
Only available under WB2.
dirname is the directory/file you want checked for File Viruses on startup.
An example to open the window at x/y position of 200/100 and check DH0:
is Virus_Checker -l200 -t100 dh0:
Any values outside the size of the WB screen are ignored and any non
numerical values are ignored. There must be no spaces between the options
and the numbers. Options may be given in any order.
*** AREXX PORT added ***
-------------------------
An Arexx port has been added to VC so you can make VC do things from an
ARexx script. The port name is Virus_Checker. Be aware that case is
important and ARexx will not find it if the name is not spelt right.
Here is an example
address 'Virus_Checker' /* Talk to Virus_Checker */
'checkdrive\df0:' /* Make virus_Checker check df0: for viruses */
'scanforsaddam\df0:' /* Make VC check df0: for Saddam virus damage
'quit' /* Make Virus_Checker shut down */
Notice the '\' between the command and the drive name in the middle
examples. This must be put between all commands and their options. 'quit'
does not take an option so does not need the '\' character there.
Virus_Checker will understand the following commands
checkdrive\drivename Check drive drivename for file viruses.
scanforsaddam\drivename Check drive (DF0:-DF3) for Saddam damage.
quit Make Virus_Checker shut down.
Added for the configuration control
-----------------------------------
(on\off) means enter one eg. resident\on
*** These will change as well when new interface is done.
resident\(on/off) If off VC will check then quit (affects startup)
backdrop\(on/off) If on make VC window a backdrop window
window\(on/off) If off VC will not open it's window
saveconfig Save the configuration file to S:VCConfig
openwindow Make User Interface screen open
These next ones will change
checkbb\df?: (on/off) Turn on/off checking of BootBlocks (? = 0-3)
checkfile\df?: (on/off) Turn on/off checking of Files on floppies (? = 0-3)
None of the ARexx commands returns results to Arexx.
As from Version 5.27
--------------------
If Virus_Checker is already running and you give it a blank command line
then it will ask you if you want to stop Virus_Checker. If you give it a
directory/File name then it will be passed on to the running Checker and
the scan will start straight away.
If you select the VC window and press the s key this will bring up the disk
scan requester and if you press the m key, VC will do another complete
memory scan.
Upon running Virus_Checker will first check your memory for viruses and
tell you if any were detected. They will either be removed or disabled. Next
all disks in the drives will be checked. Any disk put into any drive
(df0: to df3:) will be checked. The rest is easy.
Sometimes the machine may GURU when it disables the LAMER Exterminator virus
in memory but if you reboot it should be gone.
Keys Active when Virus_Checker window is active
-----------------------------------------------
The Following keys will activate the following functions
s - Will activate the Scan mode (Or Right-AMIGA S key)
m - Will immediately do a complete memory scan (same as startup)
f - Will activate the Saddam Disk Scan (used to fix Saddam virus damage)
(or Right-AMIGA F key)
0 - 3 Will check the First File in startup-sequence and bootblock on disk
in drive which matches number
Right-AMIGA Q. Will shut down Virus_Checker
Link/File virus check
---------------------
If you want to check a disk for Link/File viruses then put the disk in
any drive. Make sure the Virus_Checker window is active and use the right
mouse button to bring up the Project Menu. Select the "Link/File Scan"
and release the mouse button.
An alternative way is to just press the 's' key on the keyboard.
This will bring up a requester asking you which drive to check. Enter the
drive name in the box, eg. DF0:, DH1:,RAD: etc.
Under WB2.0 you can also use the "Use Requester" option
It will then check all the files on that drive. You can also enter
directories if you want to eg, c: df0:c, df0:libs etc
When Virus_Checker is scanning the disk and you know that a directory is
clear and don't want to check it press control-d in the window with the
filenames and Virus_Checker will ignore that directory and go back up one
level.
If you want to stop the check completely press control-c in the window with
the filenames and Virus_Checker will print a break message then stop
scanning the disk and go back to normal scanning.
If Virus_Checker brings a requester up that says a program just run has
infected your memory with the Xeno Virus, it has already disabled it.
You should immediately check all files on the disks that are in the drives
at that time. This means that a program that you just ran or a program
some other program just ran is infected with the virus and all files
should be checked to find out which one it was.
With viruses which use a RomTag I have decided to clear out all RomTags to
make sure I remove the Viruses from the list. In doing this you will lose
things like Recoverable ram disks such as RAD:, VD0: etc. If you have a
virus make sure that you save anything in the ram disks that you want
before rebooting. The ramdisks and others will disappear on a reboot.
My policy is better safe than sorry.
BRAINFILE ADDITION
------------------
I have added a BrainFile to Virus_Checker as of Version 5.13. When VC finds
a Non-Standard bootblock it will bring up 4 gadgets. The new Gadget is Learn.
Pressing this will allow VC to remember this BootBlock and not bother you
again with it.
To do this VC writes a file called VCBrainFile to the S: directory.
If you have a single drive this will invoke a requester asking that Volume
something be put in the drive. This will then save to the file.
On Startup VC will check for the file in the S: directory and read it if it
is there. If not it will carry on without it. If you get an error then VC
will tell you about it and will happily write over the file next time.
CONFIG FILE ADDITION
--------------------
This is a tempory thing and will change with teh next release
Use it at your own risk.
Virus_Checker will now look in the S: directory for a file of VCConfig.
This file can be used to turn on/off certain parts of Virus_Checker.
It is intended to be changed with a User Interface under WB2.
Under 1.3 you will have to use a Binary File Editor or use the AREXX
interface to set things the way you like them and save the config file.
Here is the layout.
Offsets
----
0-3 VCCF ;Text Chars to show VC it is a config file
4-5 Num ;Window Left Edge (Binary in range of 0-400)
6-7 Num ;Window Top Edge (Binary in range of 0-200)
8 0 or 1 ;1 = turn on checking of BootBlock in drive 0
9 0 or 1 ;1 = turn on checking of BootBlock in drive 1
10 0 or 1 ;1 = turn on checking of BootBlock in drive 2
11 0 or 1 ;1 = turn on checking of BootBlock in drive 3
12 0 or 1 ;1 = turn on checking of Files in drive 0
13 0 or 1 ;1 = turn on checking of Files in drive 1
14 0 or 1 ;1 = turn on checking of Files in drive 2
15 0 or 1 ;1 = turn on checking of Files in drive 3
16 0 or 1 ;0 = do checks and then stop Virus_Checker
17 0 or 1 ;1 = Open a window for Virus_Checker
18 0 or 1 ;1 = Virus_Checker uses a Backdrop window
19 0 ;Just a filer
20-139 Text ;Name of Virus_Checker brain File (S:VCBrain)
All numbers except the VCCF and the Text of the BrainFile name are binary
numbers.
REMEMBER this will change so be warned.
Versions
--------
1.0 - Was an arp.library version.
1.1 - Was an port to the normal libraries.
1.2 - Had the ByteBandit virus detection added into it.
1.3 - Had detection of the 3 Viruses in memory and removal of them.
1.4 - Added code to detect + remove the Byte Warrior Virus from memory
and disk.
1.41 - Found a slight bug when using DSM to disassemble this. The program
was testing low memory instead of a value when checking for the Revenge
Virus.
1.42 - Changed code to be assembled by the CAPE 68K assembler. which is
much faster than A68k or Assem. Now also uses base register addressing
mode for data access.
1.43 - Changed code to cut down executable code.
2.0 - Added Pentagon, System Z, North Star, Obelisk and the
new IRQ virus which lives in files and not in the Boot Block.
2.1 - Corrected a few little bugs in program.
3.0 - Did a listing of Source code and found many bugs. Did a major
rewrite to clean it up and saved about 400 bytes.
3.0 - Now checks for these viruses - SCA, AEK, Byte Bandit, Byte Warrior,
Revenge, Pentagon Circle System Z, North Star, Obelisk, Disk-Doktors and
the latest IBM type virus the IRQ virus.
3.01 - Got a new virus, Lamer Exterminator. Added code to get rid of it.
3.02 - Got a second version of the Lamer Exterminator virus.
3.03 - After many requests decided to add checking of BootGirl BootBlocks
which were being registered as Non-Standard. It now just ignores BootGirl
BootBlocks.
4.00 - Updated to make better use of the Stack. Now store all variables on
the stack for a saving of 124 bytes in the executable.
4.10 - TimeBomb virus added to code.
4.20 - Altered startup code to start a separate process to avoid doing
a RunBack -2 Virus_Checker.
4.22 - Added Gadaffi virus to checker.
4.23 - Found a potentially Fatal Error in Code when accessing Unit
Byte off the Stack.
4.24 - Added Graffiti, Ultra Fox, and Phantasmumble Viruses.
4.25 - Added BSG9 virus to code.
4.26 - Changed Error Checking on BSG9 virus a bit.
4.27 - Got the War Hawks virus and added it. Also added V3 of Lamer
Exterminator virus. Changed checking for BSG9 virus. Now checks when disk
is inserted into drive.
4.28 - Found I was losing the memory that was used by the program when it
exited. This was caused by me not UnLoading the Segment used for the
program. Fixed.
4.29 - Found program got into a continuous loop when there where no RomTags
present in the system. Fixed. Also cut code size down a bit more by
combining a few checks.
4.30 - Put further checking in for the BSG9 virus as sometimes the checker
would not find the file on the disk depending on which directory it was in.
Put VKill virus checking in. Also Ultra Fox and PVLProtector virus
checking added.
4.40 - Put in DosSpeed virus and an Unknown virus.
4.41 - Stopped Requester that comes up after pulling disk out.
4.42 - Added JITR virus which was sent to me by Jonathan Potter (AUST).
4.43 - Added MicroSystems virus checking to code and BootBlock checking of
the HCS II, Opapa, BackFlash, and Australian Parasite viruses.
4.44 - Changed code around a bit to get better use of tables and added
Xeno virus check for Memory only.
5.00 - Changed user interface to give a new look and better messages.
5.01 - Major Bug repaired. V5.00 GURU'ed when checking disk. Worked with
68020 CPU but failed on standard Amigas due to a bad address.
5.02 - Was not checking startup-sequence properly when disk was put in 3
1/2" drive when a filename was given as C:SetCPU or something like that.
Came up with a strange filename not being checked. Fixed. Added second
version of Byte Bandit Virus, Someone hacked it. Added code to remove Xeno
virus from files.
5.03 - Slight bug corrected in code.
5.04 - Have changed this from PD to Freely Redistributable after an offer
from someone to sell Virus_Checker. I feel this still needs to be at
minimal (copying charge) or no charge to be effective. Also cleaned up the
code a bit. This may introduce new bugs so please tell me about them if
you find them Added checking of IRQ virus when checking for Xeno files on
disk. As the file is in the buffer already this adds very little extra
time to the check. And better safe than sorry.
5.05 - Changed text when Xeno Virus found after a program has been run
to warn that the program just run may be the culprit.
5.06 - Added 16 Bit crew Virus, New Alien Beat Virus, Digital Emotions
virus, Graffiti Virus, two new versions of the Byte Bandit virus, ScarFace
virus, Turk virus, Joshua virus. Also a little bug when used with NTSC
machines. You could not display the Boot Block Sectors. Now Startup
alters for which machine it is on. The Startup code is only used once and
then the memory for it is freed.
5.07 - Added better Error messages when an error occurs with files. It
will now say File protected from deletion when the file is protected
instead of just saying could not open file. Added Butonic virus to
checker.
5.08 - Added Centurions virus to checker.
5.09 - Got Aids virus but this is a mutant VKill virus and is found
already. Added Coders nightmare virus to checker. Added Forpib, GX Team,
Gremlins, and Kauki Virus. Added Centurions and Butonic virus check when
scanning disk.
5.10 - Finally got IRQ virus and corrected a few bugs in its code. Added
Target, Clist, Abraham, and FAST virus. This FAST virus is supposed to be
from the Federation Against Software Theft. If it is, then they are just
as big arseholes as the pirates themselves. Added Tick virus. Added
control-c, control-d to multiscan pass so as to stop the scan if you got
the wrong directory or drive.
5.11 - Slight bug in removing BSG9 virus if virus not in devs: directory.
Also was picking up some game files as Butonic virus.
5.12 - Virus_Checker was finding WB2.0 reboot code as the HCS II virus.
This code may not be in the final release but it is at the moment.
Also SetPatch code moved a bit. Seems to be the same but different.
5.13 - Added a Brain File so that you can remember the BootBlocks that
You want to. Games etc.
5.14 - Added a feature to allow checking for link viruses on startup
eg. virus_checker dh0: will check dh0: before carrying on as usual.
5.15 - Slight bug found with brain file.
5.16 - ULDV8 virus added. Uses VertB int and RomTag. Very Tame virus.
Also fixed up bugs when using Enforcer. Showed up some reads to
non-existent memory.
5.17 - Added OP1 virus. Seemed to confuse VC into think it had a standard
Boot block unless write protected.
5.18 - Had to add extra checking for IRQ virus as it found a program that
matched IRQ and VC crashed trying to remove the IRQ virus which
wasn't there.
5.19 - Added a much asked for feature so that you can tell VC where to put
its window.
5.20 - Added a width parameter as well. Also added 1 new virus called the
SADDAM virus. This virus lives as the Disk-Validator and can infect
an Amiga simply by putting a disk in the drive.
5.21 - Added the CCCP virus to the checker.
5.22 - Added another version of the Joshua virus. Also fixed bug that
occurred when checking for file viruses and a name was in the File Header.
Added -q option to make VC check and then quit.
5.23 - Added ARexx port to Checker. Will Take commands via Arexx. See
info above. Added Disaster Master Virus 2, another file type virus.
5.24 - Added checking memory for Australian Parasite virus, added BootBlock
viruses:- BlowJob ,Butonic-Bahan, Byte Voyager I, Byte Voyager II,
Destructor, DiskGuard, Fast1, ByteWarrior FastLoader (not really a virus),
FICA, Mad II, Hilly, Changed OP1 virus to real name (Joshua), Changed Tick
virus to real name (Julie), Another version of Lamer Exterminator,
MegaMaster, Paradox, Saddam Hussein (Paradox copy), Termigator, SuperBoy,
UltraFox, Vermin viruses. Another version of the BSG9 file virus was found
so I changed the checking to find both versions. Added second version of
Butonics File virus, added Hawnes file virus. Added another version of the
BSG9 virus and Return Lamer File virus. Did a big rewrite of the checking
for file viruses. Now reads file once and scans a table of data. Will do
the same with Link viruses later.
5.25 - VC was finding BootMenu as the Destructor virus. Changed scanning
of startup-sequence so disks with the cmd sys:c/command would have the sys:
stripped off them. VC could not find these before. Fixed bug which
sometimes screwed the virus name reported in the requester. 1 BB virus
added. Changed name of DOSSPEED virus to its real name. Revenge Lamer
Ext.
5.26 - Fixed bug that was shown when disk in df1: had a startup-sequence
entry that said df0:filename. Tried to access df0: when no disk in drive.
Added Turk Virus file carrier. This was a file that carried to Boot Block
virus Turk. Added a logic bomb file virus. This would wipe out a floppy
after the the file had been run so many times. Added about 10 new
BootBlock viruses.
5.30 - Fixed bug that showed up as DF0:2has... and no learn gadget on
display. Added -n option to make VC window 1x1 pixel/backdrop effectively
no window. Also added keys to VC. Press 's' key to start Disk Scan (same
as right mouse button), 'm' to do a memory check. Added a Lamer TimeBomb
Virus, EMWurm logic bomb, and another version of the Travelling Jack virus.
FixSaddam code added to Checker instead of a seperate program
5.31 - Small problem with startup from Workbench corrected.
5.32 - Fixes a major bug in the FixSaddam code. It Guru'ed under 68000
sometimes and never fixed the Checksums properly.
5.33 - Released 6 November 1991.
WB2.0 BootBlock added to code.
True no window option added for those users of WB2.0.
Added liberator virus and fixed slight bug with Saddam virus,did not reset
TD BeginIo Close vectors.
5.34 - Released 12 November 1991
Increased stack size to 4000 bytes as it was crashing when used with
PowerPacker Patcher. Added Hackers Etic BB virus Little problem with the
CTRL-C and CTRL-D when used in FixSaddam mode
5.35 - Released 21 November 1991
Added support for the asl.library FileRequester when running under WB2
When you select scan disk you can now select Use Requester gadget and this
will bring up the asl FileRequester
5.36 - Released 23 November 1991
Added better handling of Proportional fonts. Requesters look much better now
5.37 - Released 22 December 1991
When scanning the disk for Saddam virus damage and the disk is
unvalidated, VC will change the disk so that it looks validated. VC will
not validate the disk but will make AmigaDOS think it is. VC will warn you
when it does this so you can check the disk with a program such as FixDisk,
Quarterbacktools or (God help me) DiskDoctor.
Small bug in ARexx interface. If you used OPTIONS RESULTS then VC did
not recognize the command.
Added WB2.0 ExAll() code for Link/File scan. This fixes the bug with
RAM: and deleting files while scanning. Only works with WB2. Using WB2
and ExAll() is alot faster than WB1.3. A test on my DH0: showed WB1.3
took 1 minute 28 seconds while WB2 took 1 minute. This was on 531 files in
about 12 directories.
Found furthur bug in Requester with Fonts in WB2.04. Window opens up
with normal default font and not what was set. Now do a SetFont() so I
know what I am getting. Real big fonts eg 24 point still seem to muck up
placement of the gadgets but at least it stills readable.
Added menus to VC window. This means right mouse button for Disk Scan
will no longer work.
Bug found in shutdown code. If you pressed the right mouse button after
clicking on the close gadget then VC would GURU.
5.38 - Released 15 January 1992
Started adding options screen to VC under WB2.0.
Configure file is added as S:VCConfig. Set using options screen under WB2
but under 1.3 you will have to edit by using a binary file editor or the
AREXX commands.
Added Exec DoIO and Trackdisk.device beginio to vector scan. If these
change VC will warn you.
Small bug, when you removed disk while scanning it. WB2 would recover but
1.3 started putting out rubbish.
Added 2 versions of Byte Parasite File Virus, another Lamer Trojen, Freedom
file virus,
Added BootBlock viruses, Dotty, another Mad version, Fast Eddie, French -
Kiss, NastyNasty, TriSector, Taipan, Many other new BootBlock viruses but
these are all just mutants of other viruses (Messages changed)
************************************************************************
NON-STANDARD BOOT CODE
- When Virus_Checker brings up a Requester that says the disk has
non-standard boot code this means that the code in the boot block is not
what should be there. This does not mean that it is a virus as many games
use copy protection in their boot blocks. You should however be cautious if
it is not a game. DO NOT REPLACE THEW BOOT BLOCK IF YOU ARE NOT SURE. If
something strange happens then please send a copy of the disk to me so that
I can check it out.
Here is a way of checking non-standard boot code
1. Format a blank disk so you know it is clear.
3. Make sure all disks except the one just formatted are write protected
3. Boot from the disk that you suspect.
4. Place formatted disk in drive zero and then reboot.
5. Take disk out of drive zero and turn off computer for about 30 secs.
6. Run the Virus_Checker program. If the Virus_Checker finds
non-standard boot code on the newly formatted disk you have found a
new virus. Please send it to me.
Viruses Dealt With:
-------------------
SCA
- The SCA is the simplest virus to deal with, as it's not actually DOING
anything except hiding in memory, until you reboot. We just look at
CoolCapture and fix it to get it out of RAM.
AEK
- This is a clone of the SCA virus and we get rid of it in the same
manner.
LSD
- Another SCA clone and uses the same code.
Byte Bandit (Now 4 versions)
(Amiga Freak)
- The Byte Bandit virus takes the DoIO() vector and re-directs it through
itself. Thus, any attempt to read or write the boot block (ie, AmigaDOS
trying to figure out what kind of disk it is) results in the BB writing
itself onto that disk. We couldn't just rewrite the boot block, we have to
get him out of RAM first. This virus also has an interrupt that crashes the
machine every 5 minutes or so after it's infected a few of your disks. Ow.
It stays in memory not via the Capture vectors, but by a Resident module.
When machine looks crashed press these keys at the same time from left to
right LAlt,LAmiga,Space,RAmiga,RAlt.
This will restore things for another 5 minutes.
Revenge
- Basically, a Byte Bandit clone except it will bring up an obscene pointer
a few minutes after you reboot. We treat it much like the byte bandit.
Byte Warrior
- Jumps right into 1.2 Kickstart. Won't work under 1.3.
Hangs around via Resident struct, doesn't do any damage.
North Star/ StarFire
- Like SCA, hangs around via CoolCapture, killing CoolCapture kills the
North Star.
Obelisk Softworks Crew
- Hangs around via CoolCapture, also watches reads of DoIO() (but doesn't
infect EVERY disk - only ones you boot from).
IRQ
- This is the FIRST Non-Bootblock Virus. It copies itself from place to
place via the first executable program found in your startup-sequence. It
SetFunction's OldOpenLibrary(), has a KickTagPtr, and lives in the first
hunk of an infected program.
Pentagon Circle
- This one looks at the DoIO vector, and has a CoolCapture vector. It will
write itself over any virus inserted, but not onto anything else. No
danger, easy to eliminate. Holding left button while booting with this one
shows different screen colour, but doesn't get rid of it.
HCS Virus
- Hooks into the System Z protector
- This is another virus protector that can write itself to disks. Anything
that spreads itself, under any name, is a virus. Doesn't do anything except
during a reboot, then examines disks and writes over viruses.
Disk-Doktors
- This is another virus which looks at the DoIO routine for the reading of
any bootblocks. If it finds one it will rewrite a copy of its code to it if
it can. This one also patches into the Vertical Blank interrupt and seems
to format your disk after a certain number of interrupts (can't be sure
though).The nasty bit is it also creates a task called clipboard.device
which spends its life copying itself through memory fragmenting the memory
into small blocks. Calls ROM CODE direct so won't work under V1.3. We
restore the DoIO routine, the Vert Blank interrupt and RemTask the
clipboard.device
LAMER Exterminator
- This virus was sent to me by Andrew Mercer of the Palmerston North group.
His letter said that He noticed strange things on his disks. On
disassembling the virus I found that most of it was encrypted and the data
was encrypted randomly using the beam position of the screen. Thus it
appears different each time. It patches the trackdisk.device to look at
reads and writes, It patches the Sumkick vector in exec in case someone
tries to get rid of it. When it detects a read or a write it will randomly
select a sector on the disk and will check if it is a data block. If it is
it will write LAMER! all over the sector and rewrite it. Some say this
Virus will write to write protected disks. I have not had this happen to me
and I can see no special code in the disassembly to accomplish this feat.
TimeBomb Virus
- This is a strange Virus. It does not insert itself into any vectors.
However it will copy itself back to the disk it came from. When the
count gets to 2 it will wipe out the Root Directory of the boot disk and
display an alert. If the count is over 2 it will just display an alert.
GADAFFI Virus
- Inserts itself into the CoolCapture vector, Uses a RomTag structure and
patches the DoIO vector. Jumps directly into the Kickstart so will only work
under V1.2 Kickstart. After 13 copies it will step the heads of drives 0
and 1 in and out. We simply clear all vectors and Use the old V1.2 DoIO
code entry point.
BSG9 Virus
- This is similar to the IRQ virus in that it does not live in the Boot
Block. It operates differently. Inserts itself into the RomTag pointer.
It then loads the program it replaced and executes it. On Reboot the RomTag
is called. It patches the Intuition OpenWindow Routine to its code. It
then returns. Once AmigaDos opens up the CLI window the virus code gets
run. This gets the startup-sequence file and gets the first command that
is run. It then checks if it is already here. If not, then it moves this
program from its directory into the devs: directory and renames it a
strange name.It then copies itself to replace the command it just moved. A
give away is the file size. The Virus size is 2608 bytes and there will be
a file with what looks like spaces for its name in the devs: directory. To
get rid of it we copy the file in devs: back to the c: directory and rename
it.Then delete the file in the devs: directory. In memory all we do is
change the RT_INIT code which is run on reboot to do an immediate RTS. The
memory for the program is still used but the Virus is disabled. It will
display a screen of its own which says:
A Computer Virus is a disease
Terrorism is a Transgression
Software Piracy is a crime
This is the Cure
BSG9 plus some other junk
War Hawks
- This Virus installs itself into the CoolCapture Vector. It copies itself
to the disk when the computer is warm booted. After every four copies it
displays a message. To get rid of it we simply clear the CoolCapture vector.
VKill or Aids Virus
- This is another virus hidden as a Virus protector. When booted it copies
itself to the stack area that is not used. It then patches the CoolCapture
vector to survive a reboot. It patches the PutMsg vector of ExecBase to
watch for BootBlock reads and writes.When it finds one it checks it and
tells you if a virus is present.If you want to get rid of it it will copy
itself to the disk.To remove it we Clear the CoolCapture Vector and
SetFunction the PutMsg vector
Ultra Fox
- This one lives in the CoolCapture vector. When you reboot it will change
the DoIO vector and wait for a BootBlock read.When it finds one and the disk
is not already infected it will write itself to the bootblock.After every 16
copies it will put a custom copper list which displays greetings.
PVLProtector
- This one is another bootblock protector.When it finds a virus it will
write itself to the disk instead of a proper bootblock. All we do is set
the RomTag to do a RTS.
Revenge Lamer Exterminator (previously DOSSPEED)
- This is another file virus. It is supposed to speed up disk operations
by 800%. This was found on a BBS and when run patches itself into several
places. It will read the s:startup-sequence file on reboot and will edit it
so that it runs itself as the program. It sticks out because the first line
in the startup-sequence will be blank.When the Checker finds it look in the
Root directory and you will find what looks like a blank filename. Virus
Checker will rename this virus for you. You can then delete the virus and
alter your startup-sequence to get rid of the first blank line
UnKnown
- This is a virus that has no names anywhere and will only work under V1.2
Kickstart. Very easy to get rid of.
JITR Virus
- Very mild sort of virus this one. Only writes itself to the BootBlock.
Does nothing else. Easily fixed by clearing the CoolCapture vector.
MicroSystems
- Haven't got this one yet so can't tell you much about it. Just have to
restore a vector in the Exec.library and clear the Exec CoolCapture vector.
Xeno Virus
- This virus is a very nasty one in the way that it infects all programs
that can be run. It does not need the program to be run but even someone
doing a list or dir on a disk when the virus is present will infect all
those other files on disk. It patches into the dos.library and takes over
the OPEN,LOCK and LOADSEG calls in dos. This way it can intercept the files
being looked at. It will copy itself to the start of every runnable program
and alter the file so that it still works. There is also an encrypted
message which says 'Greetings from the Xeno Virus' but I have not worked out
when this appears yet. To get rid of it from memory we have to reset the
changed vectors. To get rid of it from the file is very much harder. First
the file has to have the virus removed from the code. Then the relocation
data pointers have to be changed so that everything still works.
16 Bit Crew
- This virus does not do much and only infects disks that you boot with.
To get rid of it from memory we clear the CoolCapture Vector and restore
the DoIO vector.
New Alien Beat Virus
- This one will only work under Version 1.2 Kickstart as it jumps into
the ROM code directly. To fix in memory we have to manually patch the
DoIO vector and FindResident Vector with the correct values for 1.2.
and clear the Capture vectors.
BlackFlash virus
- This virus will display a message after a certain amount of copies of
it have been made. It says that your computer is sick and has a virus. To
remove it we just restore the DoIO vector and clear out the capture
vectors.
Digital Emotions virus
- This is another tame virus. Only infects disks when it is rebooted.
Clean out the Captures vectors and it is gone.
ScarFace Virus
- This takes over the BeginIO routine in the trackdisk.device to watch for
reads and writes to the disk. When it finds one it will write itself to the
disk. It also has a VertBlank interrupt which will do something after
a while. I think it only reboots the machine. It also has a romtag which we
have to clear out.
Turk Virus
- Another simple virus. Does not do very much. Simple to get rid of.
Joshua Virus
- Again, lives in the TrackDisk BeginIO and VertBlank Interrupt.
Also has a RomTag to survive reboots. This one will display a sprite after
so many interrupts. I am not sure what it looks like but maybe someone
wants to wait until it is triggered. It counts interrupts. It will also
infect every disk but in the drive that is not write protected. Data in it
that says something is encoded. To remove we simply restore the BeginIO
code and VertBlank Interrupt and wipe out the RomTag.
Butonic Virus
- This is another file type virus. It uses the DoIO vector to check for
reads to the Root Block of a disk. It will then write the virus to the disk
and add it to the startup-sequence as the first instruction. The filename
of the virus and its comment make it invisible when doing a dir but shows
up with a list. This will also bring up GURU messages and change the title
of the active window to some german stuff.
To get rid of it we clear the ROMTAG, restore the DoIO vector and delete
the file off the disk. You will need to remove the blank line from the
startup-sequence where the virus was.
The second version of this infects the Level 2 Interrupt as well and uses
different file names to hide itself in the startup-sequence.
Centurions Virus
- Another file type virus. It hooks into the Trackdisk BEGINIO vector and
waits for reads to the boot block of a disk. It changes the SumKickData
vector so that it will survive a checksum. To get rid of it in memory we
simply kill the RomTag vector, restore the SumKickData vector and patch the
trackdisk code it uses to skip over the virus.
When it finds a read to the bootblock it will check the write protect. It
will then find the startup-sequence and find the name of the first command.
It then looks for the command in the root directory, then the c directory.
Once found it adds itself to the front of the file and is run when the
startup-sequence is run again. Signs of infection are that it adds 3916
bytes to the size of the file it infects.
After every ten copies it will change the pointer to a smiley face and a
message will scroll across it.
Coders Nightmare Virus
- A boot block virus. Fairly tame this one but it will wreck copy
protected disks. It takes over the DoIO vector waiting for reads to track
zero block 0 then it writes itself to the disk if it can. It has a level 2
interrupt which after a time will display a message and then reboot the
machine. To remove we just reset the DoIO and Level 2 Interrupt vectors and
clear out the RomTag.
Forpib Virus
- Another boot block virus. It takes over the Trackdisk BeginIO vector and
waits for reads to block 0. Then it copies itself if it can. It also has a
VertBlank Interrupt and after a certain time a message will appear. (I
think). There is a bug in this in that it tries to use a color register but
it has got the wrong value in there. To remove just restore both vectors
and remove the RomTag.
GX Team virus
- Yet another bootblock virus. This just takes over the DoIO vector and
after a certain number of copies it will bring up a requester then guru.
To remove replace the DoIO vector and clear RomTag and Capture vectors.
This virus will only work under version 1.2 kickstart.
Gremlins virus
- Yes another bb virus. Sickening isn't it. Don't know what this one does but
very easy to remove. Just zero the Capture vectors, restore the SumKickData
vector and DoIO vector and it's gone.
Kauki virus
- This boot block virus will only work under Version 1.2 kickstart. As I
don't have it I can't tell you what is displayed but something is
displayed. Easy to get rid of. Just clear the Capture vector and set the
DoIO vector to $FC06DC just to make sure.
Have given up Telling what BootBlock viruses do as they are mostly the same
and all work the same way. From now on I will only give descriptions on File
Type viruses.
SADDAM virus
- This is a file type file that hides itself as the Disk-Validator. The
disk on which it came was unvalidated so AmigaDOS loaded it to try and
validate the disk. This causes the virus to run and infect your machine.
It does infect a lot of vectors that need fixing when it is found. I just
wipe it off the disk and it is left to the user to put a new Disk-Validator
on the disk.
It will change the root block BitMap pointer so that if the virus is not
running AmigaDOS will think the disk is UnValidated and load the virus.
It will also change DATA blocks so DOS does not know them unless the virus
is running. When the virus is triggered it will wipe out the whole disk and
bring up a Requester telling you it is the SADDAm virus.
CCCP virus
- This a combination Bootblock and file virus. It changes itself so that it
will write to the BootBlock and to random files on the disk. The only way
to find it on disk is to scan the whole disk.
Disaster Master 2
- This is a fairly simple File type virus. It will write to a disk after a
warm boot and if there is enough room on the disk will make a file called
cls in the c directory and add cls * as the first line in the
startup-sequence.
We just clear the RomTag and Capture vectors, check the DoIO vector and
that's it for memory. Just wipe the file off the disk and warn the User
about the startup-sequence.
Hawnes virus
- A simple file type virus. It infects the OpenLibrary vector waiting for an
opening of intuition.library. It then patches OpenWindow to it's own
routine. When a window opens it checks the startup-sequence and if not
already present copies itself to the disk using DOS. It patched the VertB
int and will display something after a while. It will Wipe out a disk after
so many copies as well. Simple to remove and alter the first line in your
startup-sequence which will hold in hex $C0A0E0A0C0.
Return Lamer virus
- Another file type virus which replaces the Disk-Validator.It uses a
RomTag to stay in memory, infects vectors, VertBlank Int, TrackDisk.device
BeginIO, and another vector in the trackdisk. When the RomTag is called it
infects the OpenWindow vector.
Just delete the Disk-Validator and replace it from a good disk.
In memory, just restore the vectors and clear the RomTag out.
Travelling Jack virus
- A Link type virus this one installs itself into the internals of AmigaDOS
taking over the BCPL inner workings. To check in memory we have to wind our
way thru many vectors and then reinstall the original from the virus.
To remove from file we just remove the first code hunk.
Seems to copy itself to each file that has been read but not sure on this.
Liberator virus
- This is a file virus that says it will remove all viruses but is in fact
a virus itself.
It copies itself to the s/startup-sequence with a line that says
memcheck s
You will also find a file called .FastDir on the disk.
After a certain count it will delete the entire s/startup-sequence and
display a message, stop access to the floppy drives and DH0:
It will also stop most virus checking programs by RemTask()ing them.
Virus_Checker 5.30 and above is safe from the current version as the Task
name has been changed.
Easy to remove, we just delete the file.
Byte Parasite
- A simple virus. Does not infect memory, opens a window claiming to be
VirusX checking df0:, if the file df0:c/virusx exists it will copy it to
df1:c/virusx. Thats it.
Byte Parasite II
- This one calls itself Virus-Checker. This one will copy itself to memory
and when it sees a disk change will copy itself onto the disk. After 7
copies it will try and wipe out the disk. Takes over the Level 3 interrupt
and cool-capture vectors. Easy to remove from disk and memory
Lamer Trojen
- This file has a copy of the Lamer Exterminator BootBlock virus in it.
Running it will infect your memory and then infect bootblocks as normal.
Freedom
- This one does not seem to infect memory or copy itself but says it is
trying to check df0: for 126 viruses. If the disk is write protected it
says sorry, otherwise it sounds like it is scanning the disk. It will say
it has removed the smily cancer and saddam virus a few times. The disk
afterward is usually corrupted.
