Fresh Fish 4

home *** CD-ROM | disk | FTP | other *** search

/ Fresh Fish 4 / FreshFish_May-June1994.bin / bbs / amigalib / d989 / anticiclovir.lha / AntiCicloVir / AntiCicloVir.DOC < prev next >

Wrap

Text File | 1994-04-05 | 92.7 KB | 2,819 lines

AntiCicloVir V2.1-Documentation Create Date :04, March, 1994 (C) 1992-1994 by Matthias Gutt Kantstr. 16 21335 Lüneburg Germany Table of Contents: 1.0 Copyright 2.0 How to use AntiCicloVir 2.1 Checking memory by AntiCicloVir 2.2 Reset-Routine of AntiCicloVir 2.3 Checking bootsectors by AntiCicloVir 2.4 Checking Disk-Validators by AntiCicloVir 2.5 Checking files by AntiCicloVir 3.0 Documentation of some AMIGA viruses - Amiga Knight - AntiChrist - Beethoven - BGS 9 I+II - Bluebox - Bret Hawnes - CCCP - Color ( TURK V1.3 ) - COMPUPhagozyte I.1+I.2 - COMPUPhagozyte II or COMPUPhagozyte 3 - COMPUPhagozyte III A-C or COMPUPhagozyte 4-4b - COMPUPhagozyte IV or COMPUPhagozyte 4c - Crime 2 - Crime!++ - D-Structure - DAG Creator - Darth Vader 1.1 - DISASTER-MASTER V2 - Disk Killer V1.0 - Disktroyer V1.0 & V2.0 - DiskVal1234 - DM-Trash - DriveInfo V0.91 - Excrement Creator - Freedom - Golden Rider - Gotcha Lamer - HARD or HARDEX - Hochofen - Infiltrator - IRQ - JEFF Butonic V1.31 - JEFF Butonic V3.00 - LAME - LAMER LoadWb - LAMER VirusX - Liberator v1.21 - Liberator v3.0 - Liberator v5.01 - LOOOOM - MENEM`s REVENGE - Modemchecker - NANO - NANO II - NaST - No Guru V2.0 - PP-BOMB - QRDL1.1 - Red October 1.7 - Return of the Lamer Exterminator - Revenge Of The LAMER Exterminator - RISC - SADDAM - Sepultura - ShowSysop - Smily Cancer I+II - SnoopDos 1.6 - Telecom - Terrorists - T.F.C. Revenge LoadWb - Time Bomb V0.9 - Traveling Jack 1+2 - Virus Construction Set - Xeno - xprzspeed V3.2 1.0 Copyright The program `AntiCicloVir V1.8` is called PD-software, because I defined it so in the first time ! But now, I think I, must define it as Freeware, because I don`t want that everyone can change some parts of my program like in former times ... `AntiCicloVir V2.1` is a viruskiller, which checks your disk & memory for viruses. `AntiCicloVir V2.1` can check some addresses in memory, install a reset-routine and some things more ... It is a small & simple to use program to fight against AMIGA viruses! You can copy everyone this program and use it whenever you want ! You can spread this program with or without documentation on every disk. It is allowed, to install `AntiCicloVir V2.1` as utility on PD-disks. Not allowed is, the changing of any part of `AntiCicloVir V2.1` or his documentation ! I can`t take the responsibility for this program, but I`m interested in every bug report or new computerviruses !!! The following PD-series has got `AntiCicloVir V2.1` from me: `AmigaLibraryDisks`, `Amiga Szene`, `FRANZ_PD`, `GPD`, `GSF_PD`, `Kick_PD`, `TAIFUN_PD` & `TIME_PD` ! Many thanks must go to Michael Petrikowksi ( Amiga-Szene PD ) for his help, while I was debugging AntiCicloVir ... You can get the newest version of AntiCicloVir from Daniel Lars Reuß, Eschen- weg 10, 63654 Büdingen-Lorbach, Germany or from the TPDS ( Jürgen Dieterich, Rehhaldenweg 10, 73614 Schorndorf, Germany ). Feel free to spread it ! And now a message from our sponsors: --------------------------------------------------------------------------- ABOUT SAFE HEX INTERNATIONAL If you know a virus programmer you can get a reward of $ 1000 for supplying his name and address. The fact is that the law punishes data crime very severely. (5 years in jail in most countries). We are an international group with more than 500 members who have started trying to stop the spread of virus. Let me give you some example: 1. Our motto is: "Safe Hex", who dares do anything else today?". 2. A virus bank containing more than 1800 Amiga and PC viruses for supporting good shareware antivirus programs. 3. We help people to get money back lost by virus infection. 4. We write articles about virus problems for about 20 computer magazines worldwide. 5. We release the newest and the best virus killers around from about 25 wellknown programmers worldwide. 6. We have more than 35 PC and Amiga "Virus Centers" worldwide where you can get free virus help by phoning our "Hotline", and the newest killers translated in your own language at very little cost. For more information contact: SAFE HEX INTERNATIONAL (Please send 2 "Coupon-Response Erik Loevendahl Soerensen International" and a self addres- Snaphanevej 10 sed envelope, if you want infor- DK-4720 Praestoe mation about SHI by letter). Denmark Phone: + 45 55 99 25 12 Fax : + 45 55 99 34 98 --------------------------------------------------------------------------- 2.0 How to use AntiCicloVir `AntiCicloVir` is a small viruskiller, which can detect 126 Bootblock-, 17 Link-, 28 File-, & 7 Disk-Validator-viruses, 14 Trojans and 8 Bombs. in this version ! It can be started from Workbench or from AmigaDOS. In the main-function it shows you in the system-vectors-table your KickStart- Version and the addresses of 26 important vectors. After that it`ll check every disk you insert in drive floppydisk 0 for Bootblock- & Disk-Validator-viruses. `AntiCicloVir` can check all files of a choosed directory for some linkviruses and remove them. The linkviruskiller installs, after every call, a little resident program in memory, which can check your AMIGA after a reset. You could use AntiCicloVir to check your system, if you copy it into the sub- directory :c of your Workbench-disk and if you write the following call in your `:s/startup-sequence`: AntiCicloVir -c The option `-c` is very important to use AntiCicloVir in the main-function !!! So AntiCicloVir can check your system every time, when you boot from your Workbench-disk and warn you if it found one known virus in memory. Unknown viruses could be detected by correct interpreting the system-vectors- table by the user hisself ! Another help is the resident routine of AntiCicloVir, which started her action after every reset and so could prevent a new virus-infection of memory ! 2.1 Checking memory by AntiCicloVir It exists two posibilities to check the memory ! The simplest posibility is to start AntiCicloVir by choosing his icon from the Workbench. In this case, the main-function of AntiCicloVir will be used. The other posibility is to call AntiCicloVir from the AmigaDOS or CLI. But in this case you MUST use any of the three options, because if you do this not AntiCicloVir tries to check the disk !!! The following three options are allowed: `-m`, `-n`, `-c` The most important & used option will be `-m` ! Enter: AntiCicloVir -m Now, AntiCicloVir will be started and greets you with a simple color-cycling. Then it shows you the system-vectors-table. It shows you your own KickStart-version in the title of the new window. The KickStart-version is mainly for AntiCicloVir important, because it must know the right ROM addresses, if it will wipe out a virus from your AMIGA`s memory ! If AntiCicloVir can`t recognize your KickStart-version, while detecting a virus in memory, it`ll try to reset the Capture-vectors or Kick-pointer and inform`s you, why it can`t kill this virus. In the system-vectors-table you will see seven important vectors from the ExecBase-structure: ColdCapture *, CoolCapture *, WarmCapture *, KickMemPtr *, KickTagPtr *, KickCheckSum * and RasterBeam ! From the exec.library you will see the vectors of Alert (), AllocMem (), FreeMem () PutMsg (), OldOpenLibrary (), OpenDevice (), DoIO (), OpenLibrary () & SumKickData () ! From the `intuition.library` you can recognize the vectors OpenWindow () & DisplayAlert (). From the trackdisk.device you can see the vectors BeginIO () & Close (). The vectors Open (), Write (), Lock () & LoadSeg () from the dos.library will be shown, too. And last but not least the BeginIO ()-vector of the `keyboard.device` ! After this AntiCicloVir check`s your memory for all known viruses & warn`s you & tries to kill the virus. At last, after closing the intuition window AntiCicloVir installs a little resident program in memory from $7E000 ! He set`s the vectors CoolCapture * and SumKickData () on it`s address ! If you choose for option `-n` the same things happens like above mentioned, but only the color-cycling does not appear. By typing `-c` as option happens the same things like above mentioned, but without creating intuition window & installing reset-routine. 2.2 Reset-Routine of AntiCicloVir The Reset-Routine from AntiCicloVir stays every time at $7E000 in memory. It will be activate by jumping in CoolCapture * or SumKickData (). While starting about CoolCapture * the routine will be activated after a reset. The same simple color-cycling greets you ... She chechs the pointers ColdCapture *, CoolCapture *, WarmCapture * KickMemPtr * KickTagPtr * & KickCheckSum * and will clear them if she will find an unknown resident program. The routine clears the pointers not, if she found a known useful resident program. If you press the left mousebutton, while rebooting your AMIGA, the reset-routine makes `Harakiri` on herself ... Jumping into SumKickData () activates the routine, too. Then it`ll check the CoolCapture *-vector and set it on her own address, if he was cleared ! 2.3 Checking bootsectors by AntiCicloVir To check your disks for Bootblock viruses you have not more to do, than to start the main-function of AntiCicloVir. You can do that, if you call up AntiCicloVir from the workbench or if you start AntiCicloVir from the CLI by entering `-m` for option. You will pass the memorycheck and arrive at the Intuition-window at the top of the screen. In this phase you can use AntiCicloVir to check every disk you insert in drive floppydisk 0 for known bootblock viruses. AntiCicloVir can only check disks, you insert in drive unit 0 and not disk you insert into any other drive floppydisk !!! Non-Standard bootblocks will not be displayed or recognized by AntiCicloVir ! If you have low memory AntiCicloVir will display an Alert. To finish the bootsector-check please use the close-sign in the Intuition- Window. 2.4 Checking Disk-Validator by AntiCicloVir If you want to check the Disk-Validator you have to run the main-function of AntiCicloVir. To enter the main-function you have to start up AntiCicloVir from the Workbench or to call up AntiCicloVir from the CLI by using the option `-m`. If you pass the memory-check you will arrive at the Intuition-Window. If you now insert a disk into any drive, AntiCicloVir will check the disk- validator of this disk automatic and warns you if it had found one of the three disk-validator viruses: Return of the Lamer Exterminator, SADDAM and his mutants and DiskVal1234. I`m really sure, that AntiCicloVir will detect every disk-validator virus, because all new viruses of this type are being mutants of the famous SADDAM virus. You can remove a disk-validator virus from your disk with AntiCicloVir. But you can be sure, that this disk-validator virus stands the same time in memory, you insert any infected disk into any drive !!! If that happens please fininsh the disk-validator-check and restart the main-function of AntiCicloVir to use the memory-check, which can wipe out this virus from your AMIGA`s memory ! To finish the disk-validator-check please push the close-sign of the Intuition-Window ! 2.5 Checking files by AntiCicloVir To check one disk by AntiCicloVir you have not more to do, then to call AntiCicloVir by his name in AmigaDOS ( you can check disks only in AmigaDOS by AntiCicloVir ) and to name a path after the name ! The pathname stands for a main-directory or for a device. Example: AntiCicloVir Df0: ... will check all files from a disk in drive Df0: ! The viruskiller lists every filename on the screen and add the message `OK` to him, if he didn`t found a virus ! He tells you if it is a sub-directory or a file. AntiCicloVir shows you the Protection-Bits: r = readable w = writable e = executable d = deletable In the last time more and more fileviruses appears, which uses the Protection-Bits, so that you can`t delete or overwrite them from disk, with any CLI command ! Before overwriting such a file, you have to remove the Protection-Bits by using the following CLI command: PROTECT filename RWED ! AntiCicloVir can remove these Protection-Bits by itself. Further the viruskiller shows you the length of the file and if exist any comment for the file. AntiCicloVir can check out, if this file is executable or not. Linkviruses can only be started from executable files !!! At last AntiCicloVir will look if there are being any invisibe signs in the filename. I think, that 90 percent of fileviruses are using invisible filenames ! And that means, that AntiCicloVir will discover 90 percent of future fileviruses, before any other killer knows them !!! If AntiCicloVir finds such a inisible file, it will ask you if it shall rename this file. If you can agree with that, you will find this file standing in the root- directory by the name `CRITICAL-Virus` ! Now, you can delete, save up, or send to me this new filevirus ... If he found a virus, he will add the message: `... contains NAME-virus !!!` AntiCicloVir writes a short message in your startup-sequence after deleting the virus from disk. This could prevent some problems in AmigaDOS, if the virus has written his name for calling up in your startup-sequence ... 3.0 Documentation of some AMIGA viruses In the following annotation you will learn something about a few AMIGA viruses. Presupposition is only a small knowledge about ASSEMBLER-programming & the Amiga DOS: Amiga Knight This 6048 Bytes long program can we call a filevirus. It camouflages itself as the command `initial_cli` on every infected disk. The virus writes it`s name on the top of the `startup-sequence`. Every time you run the `startup-sequence` of an infected disk, the Amiga Knight virus will jump into a random position in CHIP-RAM and set the Kick-pointer to survive the reset. For it`s own increasing, the virus sets the vector DoIO (). After five resets it will create a vector-demo in red colors, which contains the following text on the top of the screen: `YEAH, THE INVASION HAS STARTED ! YOUR TIME HAS RUN OUT AND SOON WE WILL BE EVERYWHERE !` In the middle of the screen you can see this vector-demo, which will draw the the words `Toco`, `THE` & `AMIGAKNIGHTS` ! At the bottom of the screen you will see the following message: `THIS IS THE GENERATION 0039 OF THE EVIL AMIGAKNIGHTVIRUS GREETINGS TO DUFTY, DWARF, ACID CUCUMBER, ASTERIX, ANDY AND ALL AMIGIANS I KNOW !` If you insert or boot from a non-writeprotected disk, which contains a `startup-sequence`, the Amiga Knight virus will try to infect this disk and to change the `startup-sequence` ! This will it do every time, a routine tries to use DoIO () ! It might not be able to destroy disk or datas ! If AntiCicloVir found this one on disk, it deletes the file `initial_cli` ! To get rid of it in memory, AntiCicloVir restores the DoIO ()-vector and clears KickTagPtr* & KickCheckSum* Thanks most go to Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark from the SHI (Safe Hex International), who was the first one, who sends this virus to me. `AntiChrist` This one is a simple mutation of the Traveling Jack linkvirus 2. You can read all about it in the chapter of Traveling Jack 1+2. AntiChrist contains an ASCII-Text: `The AntiChrist 3/4/92` and creates a file like AntiChrist.X, which contains the message `The AntiChrist is back` AntiCicloVir will recognize this virus in memory but on disk only as Traveling Jack 2. Beethoven This filevirus is a mutation of the Bret Hawnes filevirus and has the same filelength like this one that is to say 2608 bytes. Therefore you can read all about this one in the chapter of Bret Hawnes. But Beethoven differs in some points to the Bret Hawnes virus: a) While the Bret Hawnes filevirus stands every time at the memory position $7F000, uses the new Beethoven filevirus the memory position $7EF00. I think, that was done to deceive some viruskiller, so that they don`t detect the Bret Hawnes filevirus, if Beethoven was in memory. b) The new Beethoven filevirus can`t longer destroy disks or format them, because the format routine was exchanged for a DisplayAlert () routine, which displays some messages like this one in an alert box: `ICH BIN ZURUECK !!!!!!!!! -=> LUDWIG VAN BEETHOVEN <= ICH MACHE MICHT JETZT AUF DEM AMIGA BREIT !!!! DAS HIER IST BRIDGES MEIN NEUER VIRUS HE HE HE HE HE HE HE VIEL SPASS NOCH P.S.: MEINE MUSIK WAR SCHEISSE - ABER MEINE VIREN SIND GEIL !! SUCK MY DICK BITTE COMPUTER AUSSCHALTEN` AntiCicloVir detects & kills this filevirus in memory and on disk. Bestial Devastation This linkvirus ist not more than a simple Xeno mutation. Well, you can read all about this kind of linkvirus in the chapter Xeno. It differs is one point to the linkvirus Xeno, because it doesn`t change the DOS-vectors Lock () & LoadSeg ()- it uses only Open (). AntiCicloVir will detect & kill this one in memory, but on disk, it will be detected as Traveling Jack 2 ! BGS 9 I+II This filevirus possibly is a mutation of the filevirus Terrorists. This one stands upside the crowd, because all other fileviruses use another mechanism to spread itself ... The BGS9 virus looks for the first executable program from your startup- sequence and writes it from his real place to the subdirectory `DEVS:` or if it can`t find this subdirectory to the main-directory and gives him an invisible name, which is called in hexadecimal $A0A0A0202020A0202020A0 ! After executing the first program from the startup-sequence of an infected disk, which is the BGS9 virus, the virus installs itself in memory and executes the original program, which stands invisible in `DEVS:` ! In memory the BGS9 virus uses the residents to turn on itself after a reset ! It sets KickMemPtr *, KickTagPtr * & KickCheckSum *. While every reset, it sets the vector OpenWindow () from the intuition.library to it`s own address. After every using of OpenWindow () the virus tries to copy itself like the above mentioned mechanism onto the next disk or shows you after four resets the following message: A COMPUTER VIRUS IS A DISEASE TERRORISM IS A TRANSGRESSION SOFTWARE PIRACY IS A CRIME THIS IS THE CURE BBBBBB GGGGGG SSSSSS 999999 B B G S 9 9 B B G S 9 9 Bundesgrenzschutz Sektion 9 B B G S 999999 Sonderkommando "EDV" BBBBBB G GGG SSS 9 B B G G SS 9 B B G G SS 9 B B G G S 9 BBBBBB GGGGGG SSSSSSS 9 The BGS9 virus set`s the OpenWindow ()-vector to it`s ROM-address, while the first using of this routine ! This virus is very harmless and causes no damage ! It shall work with KickStart 2.04, too ! To wipe it out of memory AntiCicloVir only had to clear the three Kick-Pointer. On disk it will find the virus and delete it. The BGS9 virus II works in all points like the old BGS9 virus. It differ from the old one in a new coding of one ASCII-sign and in a new invisible name : $A0E0A0202020A0202020A0 Bluebox I`m not sure which kind of program will be represent by Bluebox. This program has a length from 5608 bytes, but I don`t own the main-program Bluebox, but only the `icon.library` of Bluebox (6680 Bytes). That`s not enough for me to analyze this kind of program completely !!! Please send Bluebox to me, if you will get it !!! There exist a name for a kind of program, which could we use to put Bluebox in it`s place ! I don`t know the anglian word for this, but in german we call this kind of programs `Bandwuermer` ! `Bandwurm`-programs were used to broke into closed Mailboxes and commercial Databank-systems ! If Bluebox is being a `Bandwurm`-program, I think it will do the following things ... ( but I`m not sure ... I need the main-program for a complete analyze !!! ) The main-program Bluebox deceives the user by simulting some sounds by using the tenthly keyboard. It`s possible that this shall deceive a SYSOP ! Bluebox can install by itself an own `icon.library` on disk and sets the protection-bits for this `icon.library`. It might be possible that Bluebox is only a trojan horse ! This `icon.library` can create a process called `input.device `. This process can seize to the serial port. Every time a user outside there, tries to login ,the process `input.device ` will capture his password and save it up into a file in the root-directory, which is called in hexadecimal $A0 ! The pirate who has written this program now, could broke into this mailbox only by reading this datafile, if he use one password name ... But I`m not sure, if that`s the sense of this program ! In this version AntiCicloVir only can find this program and warn you. Bret Hawnes This one is a classical form of a filevirus ! It`s very easy to deal with that 2608 bytes long program. On infected disks you could find it as invisible file in the root-directory: $C0A0E0A0C0 ! But it isn`t very invisible ! Indeed you can`t see it in the startup-sequence, but if you list the root- directory of an infected disk you can see some irregulare signs ... The Bret Hawnes virus also copies itself as invisible file on every disk and writes it`s name in the startup-sequence. After every running of the startup-sequence the Bret Hawnes virus will be activate ! It stands every time at $7F000 in memory and sets the pointer KickTagPtr * & KickCheckSum * & $6c ( interrupt ). At every time you cause a reset the Bret Hawnes virus will be activated by the Kick-pointer ! It sets the OpenLibrary ()-vector on it`s own address and waits for the right time, when it can set the OpenWindow ()-vector. After that it sets OpenLibrary () to it`s ROM address. Bret Hawnes now, tries about the first calling for OpenWindow () to get a chance to copy itself from memory to disk ! After that it sets the OpenWindow ()-vector to it`s ROM address, too. Instead the tenth increasing the virus destroys some tracks of your disks ... After twenty minutes it shows the following message to you: GUESS WHO`S BACK ??? VEP. BRET HAWNES BLOPS YOUR SCREEN I`VE TAKEN THE CONTROL OVER YOUR AMIGA!!! THERE`S ONLY ONE CURE: POWER OFF AND REBOOT ! To find the right time-point for this message the Bret Hawnes virus uses the interrupt at $6c, to calculate the twenty minutes ... To wipe out the virus from memory AntiCicloVir cleares the Kick-pointer and sets the vector $6c on it`s ROM addresses. AntiCicloVir too can find this filevirus on disk ! CCCP The CCCP virus was the first one, which can copy itself as bootblock-virus and as linkvirus ! This virus also can stand in the bootblock and in any programs, which it had infected ... CCCP copies itself as an own hunk into every executable program and calculates the new hunk-header ( relocs etc ... ). You could recognize an infected file by the text `CCCP.VIRUS`, which you can find in every infected file ! If you boot from an infected disk or if you start an infected program the virus copies itself in memory and sets the vector CoolCapture * and $6c on it`s own address ! 50 times per second will AmigaDOS run a routine, on which is $6c pointing. That means, that CCCP have 50 times per second the chance to control CoolCapture * !!! You can`t clear CoolCapture * without setting $6c on it`s ROM address ! If you make a reset CCCP will became very lively per CoolCapture * and set`s the vectors DoIO () & OpenLibrary () to it`s own address. If you reboot from a non-write-protected disk CCCP at first tries to copy itself onto the bootblock ... After that it set`s DoIO () on it`s ROM address. Now it waits per OpenLibrary () for the right time to set OpenWindow () on it`s own address and OpenLibrary () on it`s ROM address ! As soon as AmigaDOS opens the CLI-Window CCCP tries to infect one file from your disks and sets OpenWindow () on it`s ROM address ! The CCCP virus is relative harmless, because it makes no damage, but it is very troublesome because the links ... If AntiCicloVir finds it in memory it sets $6c on it`s ROM address and cleares the vector CoolCapture * Now, this version can find it on disk ! Color ( TURK V1.3 ) This 2196 bytes long program is not really a virus, it`s a Trojan Horse ! It simulates a simple Color-demo, to deceive the user. If you start this program a little graphic demo will be shown to you. But careful ! This Trojan Horse contains the bootblock-virus TURK V1.3. Color is another form of Trojan Horses than the most of them, because it is very active participated in installing the TURK virus. It does not only install the virus TURK V1.3 in memory - No, it copies itself at $70000 into memory and copies the including bootblock-virus to $7F000 into memory ! Then it sets the vector DoIO () on it`s own address and CoolCapture * on a senseless address ! Every time you insert a disk into your drive Color tries to copy TURK V1.3 from $7F000 in memory to the bootblock of this disk. If you make a reset the senseless address in CoolCapture * crashes down your machine and you can nothing further do than to turn the power off ... AntiCicloVir can find and kill this virus in memory and on disk ! COMPUPHagozyte I.1/I.2 This two programs could we define as a mix of filevirus and a Trojan Horse ! Because this two programs camouflaged itself as viruskiller !!! COMPUPhagozyte I.1 is 1492 bytes long and simulates `Virus-Checker V4.0`. COMPUPhagozyte I.2 is 1148 bytes long and simulates `VirusX 5.00`. ( But I`d never heard anything about `VirusX 5.00`. I think the last version was 4.01 or so ... ) This both programs are not very professian ... They work only if they stand as `VirusX` or `Virus-Checker` in the subdirectory `c` of a disk, from that you`re booting. They try to copy itself to $7C000 into memory, but they does not change any vectors - thats good. The COMPUPhagozyte fileviruses create an intuition window, which have likeness with `Virus-Checker` or `VirusX`. They wait for every inserted disk and copies themselfes from memory to subdirectory :c of that disk or they wait therefore that you close the window. I think this fileviruses can destroy disks ... AntiCicloVir have not to kill this viruses in memory, because they never stand in memory, but it can warn you if it founds some bytes of them at $7C000 ! On disk AntiCicloVir kills both fileviruses ! COMPUPhagozyte II/3 This 568 bytes long program could we call a bomb ! It simulates the clear screen command by clearing the window. But that does it not by using a ROM-routine, but by 30 return codes ... I think it was camouflaged as `cls` on every disk. After using this command it copies a reset-routine to $7C000, which does nothing more , than clearing ColdCapture *, WarmCapture *, KickMemPtr *, KickTagPtr* and KickCheckSum * after every reboot. That could cause, that another resident program will wiped out of memory while rebooting. This bomb is also very very harmless. AntiCicloVir can kill it in memory and on disk. Another viruskiller names this bomb COMPUPhagozyte 3 ! COMPUPhagozyte III A-C This group of fileviruses is a very strange form and stand upside the crowd ! All three types of this virus works with the same mechanism. They stand as invisible file in the root-directory, which is named in hexadecimal $A0A0A0A0 ! If you start those viruses, they try to copy the invisible file from the root- directory to $7C000 into memory, to install a reset-routine at $7C600, to install routine for increasing at $7E000, to set CoolCapture * on reset-routine and to set OldOpenLibrary () on routine for increasing. Every time one program uses the routine OldOpenLibrary () those viruses will wake up and try to copy the file from $7C000 to the root-directory of the next disk as invisible file, again. After that they overwrite the first four bytes of your startup-sequence with their name. If any program was called up at this place, which name was longer than four bytes, you will get an error-code at the next time you run your startup-sequence, because irregulare signs were left. But the fileviruses has copies theirself into memory before you get this error-code ! But because this error-code those fileviruses will betray theirself ... This three fileviruses will cause no damage and display no message. The following types exists: COMPUPhagozyte III A / 4 = 916 bytes COMPUPhagozyte III B / 4a = 892 bytes COMPUPhagozyte III C / 4b 0 900 bytes There is no differ between type B & C but many differs to type A: Type A can copy itself only onto a disk in drive df0: Type A needs KickStart 1.2 to work ! Type A causes in much cases GURU`s after it has increases ( program errors ) ! Type A contains the ASCII-text not in the head of the file like type B & C. AntiCicloVir have only to clear CoolCapture * and to reset OldOpenLibrary () to kill those fileviruses in memory. AntiCicloVir can kill those fileviruses on disk, too. COMPUPhagozyte IV/4c This 1048 bytes long filevirus stands as invisible name in the root-directory: $A0A0A0A0 It stands at every time at $7C000 in memory and uses CoolCapture *, OldOpenLibrary (), SumKickData (). If one program uses the routine OldOpenLibrary (), the virus comes in action and copies itself from memory onto that new disk as invisible file. Then it writes its name in the startup-sequence. After that it checks the vectors CoolCapture * & SumKickData () for it`s right addresses. If some program uses the routine SumKickData (), COMPUPhagozyte IV checks the vectors CoolCapture * & OldOpenLibrary () for it`s own address. This virus makes no damage. But it is very inconspicuous, so that you can`t recognize it for a long time ... AntiCicloVir have to clear CoolCapture * and to reset OldOpenLibrary () and SumKickData () to kill this virus in memory. COMPUPhagozyte IV will be detect on disk, too. Another viruskiller names it COMPUPhagozyte 4c ! Crime 2 This 1000 bytes long file must we call a linkvirus. It is every time hanging around the first hunk of an infected executable file. To infect files this virus looks at the end of the first hunk for 68000 codes like RTS or BRA xx and exchanges them for the code NOP. After that it joins itselft to the end fo the first hunk and adds it`s own filelength in longwords to the first lengthworth in the hunk-header and to the second lengthworth at the beginning of the first hunk ! If you run such an infected file, the Crime linkvirus 2 will be started too and copies itself to a random position in CHIP RAM and sets the vector CoolCapture to it`s own reset-routine. The virus changes the following vectors: AllocMem (), Open () & LoadSeg () and a vector of the DosBase structure, which is pointing to ROM. Because the last vector, the virus won`t work longer with KickStart versions higher than 1.3 ! The reason therefore is the new dos.library, because the DosBase structure, which is called a private structure, was updated by Commodore in KickStart version 2.0 ! This linkvirus causes no damages and prints no messages. AntiCicloVir can recognize & kill this linkvirus only in memory ! Crime!++ This linkvirus with a filelength from 872 bytes is the successor of the above mentioned linkvirus ... It infectes files by the same mechanism like Crime 2 ! Crime!++ is resident via CoolCapture and patches the vectors Wait () and again this one vector from the DosBase structure ... ... and that`s the reason, because it doesn`t work with higher KickStart version than 1.3 ! Crime!++ causes no damages & prints no messages, too. AntiCicloVir can recognize & kill this linkvirus only in memory ! D-Structure This 464 bytes short program is a malignant structure, which can increase like a filevirus. It can stand under every name on disk ! That`s new by fileviruses ... If you start it, it copies itself at $7C000 and sets OldOpenLibrary () to its own address. D-Structure isn`t resident. If any program use OldOpenLibrary () to open a library, D-Structure tries to find out which library shall be opened and if it is the dos.library, it opens this one by herself. Then it get the Dosbase-address and set`s OldOpenLibrary () to it`s ROM address. After that it sets Write () on it`s own address and installs a copy counter. After every five Write Processes, D-Structure tries to copy herself from memory to the new destination. It makes not more, than changing the rigster D2 for the buffer address on it`s own address and the register D3 for the length on it`s own length ... If one other program want to write a file on disk, now instead this file D-Structure will be written on disk ! This means: This structure can be everywhere ... She can stand as executable file on disk, as part of a datafile on disk, as block on disk etc. D-Structure could copy herself per modem or per printer ... That makes no sense, but so D-Structure can disturb some processes ... This is a new form of virus programming, I think. Because D-Structure causes her increasing not active but passive by changing some registers. She doesn`t contain a routine to open any library, to create a file or to write datas from memory to disk ... this one changes only a few registers ! The damages caused by D-Structure can be very multiple ! AntiCicloVir have to set OldOpenLibrary () or Write () to it`s ROM address to kill D-Structure in memory like on disk. DAG Creator This 7000 bytes long program is not a virus, but a virusmaker ! It creates a very simple mutation of the bootblock-virus SCA named DAG on every disk in drive DF1:, if you want that. But if you don`t have drive DF1: it causes a GURU !!! This program is very harmless, but very unuseful too. So that I think it`s right, if AntiCicloVir will wipe out it of your disk ... Darth Vader 1.1 Darth Vader is a relative simple form of filevirus. It has a length from 784 Bytes. It`ll only work, if it stands by the hexadecimal name $A0 in the root-directory. If it was saved up with another name, it will cause GURU`s, because the virus looks for this invisible file on disk and tries to copy it into a random memory position, but it can`t stop malfunctions if there isn`t any invisible file on disk ! This virus will called up from the `startup-sequence` ! It copies its invisible file to a random memory position and installs the virus-code at another random memory position ! You will never find the virus-file and the viruscode at the same position in CHIP-RAM ! Darth Vader uses the CoolCapture*-vector to survive the reset. After a reset it sets, by using the Exec-routine SetFunction (), the OldOpen- Library ()-vector to its own address. I think it`s much more cleverer to set this vector per hand, without using any system-routine ... Every time a program you run uses OldOpenLibrary (), the virus looks for your disks, if it is non-writeprotected and tries to infect it. It writes his invisible name into the `startup-sequence` and copies the virus-file from memory to disk. After some time, the Darth Vader virus looks for an actual output channel and prints the message: `VIRUS (1.1) by DARTH VADER` This filevirus is very harmless and can`t destroy disks or datas ! AntiCicloVir removes this invisible file from disk ! If AntiCicloVir finds this filevirus in memory it restores OldOpenLibrary () and cleares CoolCapture*. This filevirus was send to me by Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark. Thanks, Erik ! DISASTER-MASTER V2 This 1740 bytes long filevirus camouflaged itself as clear screen command in the subdirectory :c. Every time if you start it, it`ll clear your screen and set the cursor on the top of the new screen. But that`s not all ... It copies itself into AMIGA`s memory and sets the resident-pointer KickTagPtr * & KickCheckSum * to an own resident-routine. After every reboot it`ll set the vector DoIO () to it`s own address and waits as long as the intuition.library is available. From the intuition.library now, the virus will patch the vector of the routine OpenWindow () to it`s own address and reset DoIO () to the ROM address. If any task try to use OpenWindow () the DISASTER MASTER virus tries to copy itself on disk by the name `cls` in subdirectory `:c`. Then it writes it`s name into the startup-sequence with one option: cls * The option causes, that the virus, every time it`ll called from this startup- sequence, doesn`t clear the screen, therefore it can`t betray itself ... After one using of OpenWindow () DISASTER-MASTER sets this vector on it`s ROM address, again ! This filevirus can close the AmigaDOS window and create a screen like we know it from the workbench or it let disappear the AmigaDOS title or so on ... Be careful ! This virus has an counter and will destroy your disks after you have ressetted x times ... AntiCicloVir can kill that filevirus in memory and on disk ! Disk Killer V1.0 This file with a length from 1368 bytes is a bomb ! It doesn`t stands in memory, patches any vectors or can survive the reset ! After running this one, the following message will be shown to you: `DISK-KILLER V1.0 HEY YOU IN FRONT OF THE SCREEN ! YOU ARE A LAMER !!!! HE HE HE WHY ???? - BECAUSE YOU HAVE A VIRUS !! HE HE HE THIS WAS DONE IN TEN MINUTES BY THE MEGA-MIGHTY MAX BYE BYE DISK !! GREET ARE GOING TO: > LAMER EXTERMINATOR < SUFFER ...` After that Disk Killer V1.0 will destroy your disks in all connected drives ! AntiCicloVir can remove this bomb in the filetest ! Disktroyer V1.0 & V2.0 This 804 bytes long bomb camouflaged herself as clear screen command like DISASTER MASTER V2, but it`s very dangerous ... Whenever you start this program it`ll clear the screen and set the cursor on the top of them. But it sets the AllocMem ()-vector on it`s own address in memory and installs a counter ! If the counter reached the worth 150 Disktroyer V1.0 destroys all disks in your connected drives and displays an alert ! AntiCicloVir can detect this one in memory and on disk and kills it! Disktroyer V1.0 is not resident. Disktroyer V2.0 works like Disktroyer V1.0, but it differs only in one point ! This new 812 bytes long bomb patches GetMsg () to its own address and installs a counter. If the counter reached the Worth $22222222 Disktroyer V2.0 destroys disks in all your connected drives and displays an alert ! AntiCicloVir can detect this one in memory and on disk and kills it ! DiskVal1234 This 1848 Bytes long file should we call a Disk-Validator-virus, because it is using the routine of a Disk-Validator for its own increasing ! DiskVal1234 is not a complete new virus, but it`s a mutation of the famous SADDAM virus. If you want to know how this kind of viruses work, where they are to find in memory, how they work on disk and which specifical damages they cause, then I suggest you, to read the part about the SADDAM virus from this documentation ! Now, I will only explain you, in which points the DiskVal1234 virus differs from the SADDAM virus ! The DiskVal1234 virus don`t copy itself onto every disk you insert in drive DF0: like the SADDAM virus, but it can infect every disk you insert in drive DF1: ! Because many AMIGA users today, work with two floppy drives, it seems much more efficient to infect disks in drive DF1:, than in drive DF0:. Many people work with their Workbench in drive unit 0 and insert new disks in drive DF1: - I think that was the reason for this changing ! The other part, which differs from the SADDAM virus is the destruction routine ! DiskVal1234 don`t code some OFS or FFS Datablocks, like the SADDAM virus, but it changes Datablocks, which begin with the cipher 8, whilst writing 1234 to Offset $5A and overwriting 66 times the code from Offset $64 with the assembly code $4E71 ( = nop ) ! Now, many program code will be lost at this position in such a Datablock and this is the reason therefore, that every program, which Datablocks was been overwritten by the DiskVal1234 virus, will cause Software Errors and GURU`s every time you run it !!! But you will get NO `read/write errors` on such a disk !!! I think, the DiskVal1234 virus will deceive you, that the program has some bugs, but that`s not true ! You could differ programs with real bugs from programs with DiskVal1234 damages, if you use a disk-monitor and checks these datablocks ... But the damages, caused by DiskVal1234, can`t be repaired by any program !!! AntiCicloVir only can liberate your system from this nasty one ... It will find and kill it on disk and in memory. This virus was send to me by Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark. DM-Trash This program has a filelength from 4764 bytes and is some kind of trojan horse. This program will be used to break into the mailbox-system AmiExpress ! DM-Trash is not resident, patches no vectors and can`t copy itself onto disks. It`s only dangerous for SYSOP`s !!! DM-trash contains the following text to deceive the user: `New virus ... caused by the new FIXED (?) Version of DMS 1.11 Turbo ! It is some kind of linkvirus and uses Devices like DH0:, LIBS:, and BBS: (!!) ...` DM-Trash changes, adds something and writes `ZAPA` in the files `bbs:config1`, `bbs:user.data` & `bbs:user.key`. AntiCicloVir can remove DM-Trash, while using it`s filetest. DriveInfo V0.91 This one with a filelength from 1704 bytes is another kind of trojan horse. DriveInfo tries to deceive the user by displaying some drive datas. But the program does much more ... It installs an interrupt with the name `Install yeah!`. The new interrupt now, will install the above mentioned Crime!++ linkvirus in the AMIGA system ! AntiCicloVir can recognize & kill DriveInfo in the filetest & Crime!++ in the memorytest. Excrement Creator This file with a length from 1180 bytes does not more do, than only to install the bootblock virus Excrement. AntiCicloVir will recognize the Excrement Creator, while you run the filetest and remove it, if you want that. Freedom The Freedom file is a bomb, which tries to deceive the user by simulating a viruskiller from Steve Tibbett, who has written the famaous VirusX ! Freedom has a length from 10876 bytes. It tries to deceive the user by the following title: `Freedom! by Steve Tibbett Checking df0: for 126 viruses` This file can`t survive a reset, can`t patch any vectors and doesn`t copy itself onto any disk ! But therefore it`ll destroy disks while deceiving the user by the following messages: `SADDAM-Virus removed!` or: `SMILY-CANCER-Virus removed!` Freedom writes now in every fifth datablock senseless datas from random memory positions and destroys so the whole disk !!! AntiCicloVir will recognize & kill the Freedom bomb in the filetest. Golden Rider This one represents a new generation of linkviruses. Because it does not copy itself as own hunk into an infected file like old linkviruses did it, but it looks for the first hunk of an executable program and adds itself on it. Golden Rider changes the last command of this hunk ( mostly $4E75 = `rts` ) to $4E71 ( `nop` ), which causes, that the processor thinks, if he run`s this code, that the first hunk of the program doesn`t end at this position. Behind this position can Golden Rider write his virus-code. Now, Golden Rider have to add it`s own length to the two length worths in the hunk-header and the link is complete ! Every time you start an so infected program the linkvirus can install itself in memory. But in not every cases must that work ! If Golden Rider hangs on a routine in the first hunk, which only will be called from the main-program, if an error was caused, then Golden Rider will probably never activated ... Golden Rider stands every time at $7C000 in memory and sets the vectors CoolCapture *, DoIO () & Open () to it`s own address. After you reboot, Golden Rider will waked up by jumping in CoolCapture * ! Now it sets DoIO () to it`s own address and waits so long, if it can open the dos.library and set Open () to it`s own address. If you insert a new disk Golden Rider tries to copy itself from memory into one file of this disk. If any program use Open () Golden Rider tries to infect new files, too. Golden Rider causes no damages and displays no alerts or so ... AntiCicloVir only can detect and kill this linkvirus in memory ! Gotcha Lamer This one is a 372 bytes long bomb, which will be installed by a program named MINIDEMO.EXE, which links Gotcha Lamer into the following commands on dh0: c/dir, c/run, c/cd, c/execute The bomb itself copies it into memory and sets DoIO () to it`s own address. After some time it destroys your disks and displays an alert ( ` HAHAHE ... Gotcha LAMER !!!` ) ! AntiCicloVir can kill this bomb in memory but I`m not sure, if it can kill it on hard-disk ... Therefore it can detect and kill the creater of Gotcha Lamer MINIDEMO.EXE ! HARD or HARDEX The HARDEX virus is only a mutant of the famous SADDAM Disk-Validator virus. You can therefore everything read about this kind of viruses in the chapter of the SADDAM virus ! The new HARDEX virus shall infect the harddisk, but the Lamer, who has created this one did an important bug !!! He has removed the ASCII-string `trackdisk.device` !!! Without the ASCII-string `trackdisk.device` the virus can`t find this device in AMIGA`s system and so it can`t patch the vectors BeginIO () & Close () from that device ! And that means the new HARDEX virus can`t spread itself !!! Further the virus is not able to look for the datablocks on disk, to code them, because it needs `trackdisk.device`, I think ... HARDEX does not more do, than hanging around via ColdCapture after every reset ! Further the path `DF0:` in the viruscode was exchanged for `DH0:`. AntiCicloVir will recognize & kill this one in memory & on disk. Hochofen This is a 3000 Bytes long Linkvirus. Hochofen is not resident in memory and uses no system-vector ! That`s it, because it could work with KickStart V2.04, too. It infects every executable program, whilst writing an own hunk to the first position of this file. Then it calculates all hunk-worths (hunk-number,hunk-length, reloc-worths ...) and adds the rest of this file behind the new hunk. These linkvirus scans the whole directory for executable files and infects one after the other ... Hochofen can install an own task with the name `Greetings to Hochofen`. This task will offer you after some time a Requester with the message: `Fasten seat-belt` and draw the flag of the Federal Republic of Germany and play the hymn. This task can`t destroy anything and can`t spread the virus itself. If I tried to remove it, I will get at every time task held errors ... That`s the reason therefore, that AntiCicloVir can find this task and warn you, but not delete it ! AntiCicloVir can find Hochofen on disk, too, but not remove it from an infected file ! Please use another viruskiller or delete this infected file ! The linkvirus causes no damages, but it has a bug, which will destroy some files, because Hochofen don`t know all types of hunks ... If it didn`t know one hunk type, it could be, that it is then creating an erroneous hunk type ! This linkvirus I got from Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark. Infiltrator This 1052 bytes long linkvirus infectes every executable file by exchanging the last MC 68000 code $4E75 = RTS or BRA xx for the code $4E71 = NOP. Then it writes it`s own viruscode behind the new code and adds it`s length in longwords to the first lengthworth in the hunkheader and to the length- worth in the first hunk - and complete is the link ! Not every time, if you run such a file, the linkvirus will be started ! For example: If you use a KickStart version lower than 2.0, Infiltrator will not jump into memory ! The linkvirus testes the DOS version and everytime the versions number is lower than 36 it won`t be started ! But if it`ll be startup you can find it in system hanging around the patched LoadSeg ()-vector. Everytime a tasks tries to run the LoadSeg ()-routine, Infiltrator tries to infect any file. Infiltrator is not resident -> can`t survive a reset ! One part in the viruscode containing ASCII signs is coded: `Howdy hacker! This is the Infiltrator` Further the virus tries to open `user.data` - a new trojan against AmiExpress !?!? AntiCicloVir can recognize & kill this one only in memory ! IRQ This famous old linkvirus was the first one on the AMIGA ! It looks in the startup-sequence for an executable file and tries to infect it. If it can`t find the startup-sequence it looks for the command DIR in the subdirectory :c and tries to infect it. IRQ extented a file to 1096 bytes. The linkvirus writes it`s own hunk at the first position into that file. Then it calculates all worths for a new hunk-header and the reloc-worths. If you start an infected program IRQ copies itself into memory and uses the residents by setting KickTagPtr * & KickCheckSum *. Further the virus sets the vector OldOpenLibrary () to it`s own address. Everytime when one program starts the routine OldOpenLibrary () the IRQ virus tries to infect the next disk. It`s harmless, but disturbing, because it prints the following text: `AmigaDOS presents a new virus by the IRQ-Team V41.0` This old linkvirus works only with KickStart V1.2 ! It makes no damges. AntiCicloVir can detect it on disk and in memory and kills it. JEFF Butonic V1.31 This filevirus stands every time as executable file on disk and will be called up from the `Startup-Sequence`. It copies itself into one place in CHIP-RAM and survives the reset via the residents by using KickTagPtr * & KickCheckSum *. Further the virus sets the vectors of DoIO () & $68 (Interrupt). It cleares the vectors ColdCapture * & CoolCapture * and calculates a new ChkSum for ExecBase. After a reset, it can dislplay the following message about an Alert: `Einen wunderschoenen guten Tag I am JEFF - the new virus generation on Amiga * (w) by the genious BUTONIC dHV 1.31 /05.01.88 - Generation Nr. 00011 Greetings to Hackmack*,* Atlantic*, Wolfram, Frank, ... Miguel, Alex, Gerlach, and the whole Physik - LK from MPG !!` About DoIO () this virus can spread itself. It will infect every non-write-protected disk, which contains a `Startup-Sequence` ! It uses twelve different filenames to camouflage itself on disk ! The following entries we can find in the `Startup-Sequence`: - `AddBuffers 20` - `Add21K` - `Fault 106` - `break 1 D` - `changetaskpri 5` - `wait` - `Arthus` - `Helmar` - `Aloisius` - $A0A0A020 - $A020 - $2020 The filevirus can`t spread itself by using the filename $2020, because the AmigaDOS won`t start a file from `Startup-Sequence`, which name contains spaces ! The virus checks the right address of it`s Kick pointer via using this vector, too. About the interrupt vector $68 it can show your some messages about the CLI title: - `Ich brauch jetzt`n Bier !` - `Stau auf Datenbus 128 bei Speicherkilometer 128 !` - `Mehr Buszyklen fuer den Prozessor !` - `Ein dreifach MITLEID fuer Atari ST !` - `BUTONIC !` - `Schon die Steinzeitmenschen benutzten MS-DOS ... einige sogar heut noch !` - `Schon mal den Sound von PS/2 gehoert ???` - `PC/XT - AT: Spendenkonto 004` - `Unabhaengigkeit & Selbstbestimmung fuer den Tastaturprozessor !` - `Paula meint, Agnus sei zu dick.` - `IBM PC/XT: Ein Fall fuer den Antiquitaetenhaendler ...` - `Sag mir, ob du Assembler kannst und ich sage dir wer du bist ...` Well, it jumps back from this routine to an absolut KS1.2 ROM address, too. It stands every time coded on disk, but it`s harmless, because it will make no damages. AntiCicloVir has to restore DoIO () & $68 and to clear the Kick pointer, to wipe it out from memory ... It can kill it on disk, too. JEFF Butonic V3.00 This 2916 bytes long filevirus stands as insible file with a name, which is called in hexadecimal $A0A0A0, in the root-directory of an infected disk. JEFF Butonic V3.00 writes his name in the startup-sequence. Whenever you run the startup-sequence the filevirus will be started and infects the memory of your AMIGA ! It uses the residents to survive the reset by setting KickTagPtr * & KickCheckSum *. The virus sets the vector DoIO () on it`s own address. Every time you boot or insert an non-write protected disk the filevirus copies itself from memory to the root-directory of that disk. JEFF Butonic V3.00 causes no damage, but prints some textes about the screen title ... About DoIO () the virus checks permanent the addresses of the Kick-pointers. A program named *JEFF* VIRUSKILLER creates this filevirus. AntiCicloVir can detect and kill this filevirus on disk and in memory. LAME This is only another SADDAM Disk-Validator virus mutant, which gives the coded datablocks the name `LAME` instead `IRAK` ... You can read everything about this kind of viruses in the chapter SADDAM. AntiCicloVir detects it in memory as LAME and on disk as SADDAM virus. Lamer LoadWb This 4172 bytes long LoadWB command is a Trojan Horse, because it contains the old bootblock-virus LAMER Exterminator ! If you call this program, it installs the bootblock-virus in memory and then executes the LoadWb command ! The virus-code of LAMER Exterminator stands uncoded in this Trojan Horse. AntiCicloVir detects Lamer LoadWB on disk and kills it. My viruskiller can recognize the bootblock-virus LAMER Exterminator in memory, too. Lamer VirusX This program with a lenght from 13192 bytes is a mutation of Steve Tibbett`s VirusX ! This Trojan Horse camouflages itself with the name VirusX 3.10. This program can detect the following bootblock-viruses: Obelisk, North Star, SCA, Byte Bandit, Byte Warrior, Revenge, Pentagon-Slayer. Further it can detect the linkvirus IRQ. This is the one side ... But the other side is, that this program installs the bootblock-virus LAMER Exterminator VIII in memory. AntiCicloVir detects this Trojan Horse and kills it. It detect the bootblock-virus LAMER Exterminator VIII in memory, too. Liberator v1.21/3.0 This one can we not really name a virus, because it can`t spread itself. Liberator v1.21 is a form of filevirus with a length from 10936 bytes. It works like Liberator v3.0, which has a length from 10712 bytes ... Both fileviruses are being not resident in memory and can`t change any vectors ! That`s it, because they can work with KickStart V2.04, too. The Liberator viruses shall deceive the user by simulating a viruskiller: `Check Vectors rev.5.1 All Rights Reserved more TUPperware @ by Mike Hansell Reset vectors ok, Nothing resident, Trackdisk.device not intercepted, DoIO ok, VBlank ok, dos.library not intercepted. System appears to be free of viruses and trojans !` But in real, the virus copies itself onto the hard disk with the name `cv` and creats there a file named `.fastdir `. This file is a kind of copy-counter. Liberator can changes the `startup-sequence` of every hard disk ! It uses different patches for the four types of hard disks: DH0: execute s:startup-sequence 2 cv >NIL: endcli >NIL: DH2: LoadWb cv >NIL: EndCLI >NIL: DH3: LoadWB -debug cv >NIL: endcli >NIL: NIL: is a kind of device in which you can write everything, but AmigaDOS left all this datas ! The device NIL: could we call a `Data-Trashcan` ! Liberator writes in every `startup-sequence` behind his name `NIL:`, because it doesn`t want betray itself, while running this `startup-sequence` and showing the user that it stands on his hard disk ... Every time you run the `startup-sequence`, Liberator adds #1 to the worth in `.fastdir ` on hard disk. If the worth 100 is reached in `.fastdir `, the Liberator virus shows you the following message: `Congratulations your hard disk has been liberated of virus protection !! Hello from the liberator virus v3.0 - Digital Deviant The anti-anti-virus is here again ! Lets play trash the hard disk and ram the disk heads Only hardcore belgian rove can truely liberate the mind The liberator 15/01/92` Liberator v3.0 can`t cause any damage and can`t spread itself, but I think, it`s not very useful to have it on hard disk ... AntiCicloVir hopefully will it find on hard disk, too and deletes it ! Thanks Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark, from the SHI (Safe Hex International) for being the first one, who send this virus to me ! Liberator v5.01 The new Liberator filevirus has a length from 16924 bytes and infects not longer the hard disks, but your floopy disks ! It is not resident in memory, changes no vector and works therefore with KickStart V2.04, too. It shall deceive the user by printing the following text: `PV (Protect Vectors)v1.02 by Peter Stuer July 22, 1992 FREEWARE Reset vectors ok, Nothing resident, Trackdisk.device not intercepted, DoIO ok, VBlank ok, low interrupts ok, dos.library not intercepted. monitoring vectors ... Fully KickStartv2.xx compatible, stops all viruses, checks disk-validators. Use run to push this programm into background.` But in realety copies the program itself by the name `:c/PV` to the floppy- drive DF1: and installs there the files `:c/run`, `:c/br` & `:c/sl.info `. `sl.info `is a kind of copy-counter ! While copying itself to drive DF1:, the virus will change the last letter of it`s filename ! That shall camouflage the virus. Liberator v5.01 changes the `startup-sequence`: br c:pe If the copy-counter in `sl.info ` has reached the worth 100, the following message will be displayed: `Congratulations this disk has been liberated of virus protection !! Hello from the Liberator virus v5.01 - Random Disaster The anti-anti virus is here again ! Lets play trash the hard disk and ram the disk heads The piracy curse Liberator V - The future is near. Look out for Liberator VI - The final nightmare ... coming soon from a lame swapper near you ! Respect to the virus masters Lamer Exterminator, Crime & Contrast. And remember - be excellent to each other ! The liberator 27/07/92 Virus Generation:` The Liberator v5.01 filevirus is harmless like the old Liberator viruses. It`ll never destroy disks or datas. But now, it can spread itself with above mentioned mechanism. AntiCicloVir can find and remove it from your disk. Thanks to Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark. LOOOOM This 1848 bytes long Disk-Validator-virus is only a simple mutation of the SADDAM virus ! If you want to know how this kind of viruses work, where they are to find in memory, what kind of damages they cause, how you could to get rid of it, I suggest you, to read the part about the SADDAM virus in this documentation. There are only two differences to the original SADDAM virus ! This virus now, contains another name : `LOOOOM VIRUS` for `SADDAM VIRUS` ! And it shall copy itself not on every disk, you insert into the internal drive, but on every disk, you insert into the external drive ! I got this one from Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark. MENEM`s REVENGE This 3076 Bytes long linkvirus is a new kind of this species like the Golden Rider virus. It copies itself into the CHIP-RAM, if you run an infected program. There will it change the address of the routine LoadSeg () to its own address and waits until you call up a program. If you start a program, MENEM`s REVENGE waits so long until you start another program and then it will infect the first program called up by yourself ! If that is being an executable file, it will look for the last assembly instruction $4E75 ( RTS ) and changes it to $4E71 ( NOP ). MENEMs REVENGE will copy its own viruscode behind this assembly instruction and adds the rest of the file behind itself. Then it adds its own length to the both length worths in the hunk-header of an infected file. MENEM`s REVENGE is harmless, because it can`t destroy disks or files ! But it can create an own task with the name ` `,0. This task displays after some time an Alert, which contains the following message: `MENEM`s REVENGE HAS ARRIVED !!! ARGENTINA IS STILL ALIVE` AntiCicloVir can kill this linkvirus in memory, but not find it in infected files ! I`ve got this one from Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark (SHI). Modemcheck This program may we not call a virus, because it doesn`t patch any vector, can`t survive the reset and can`t spread itself, but therefore it can cause many damages on your disks ... This Trojan Horse has a filelength from 15516 bytes. We can find it camouflaged as modemcheck program, which deceives the user by simulating a test of the modem lines at the serial port. But in reality the program copies an 3604 bytes long LoadWb command onto your disk, which is just another Trojan Horse !!! The new LoadWB command created by Modemcheck won`t work under KickStart 1.2/1.3 ! If this command will be started - for example from the Startup-Sequence, while booting the disk - it installs an process namend `Diskdriver.proc` ! The process will after terminating some tests, fill all the datablocks with the word FUCK and so destroy the whole medium !!! AntiCicloVir will recognize the modemcheck & the LoadWB file on disk & deletes them ... AntiCicloVir will seek for a process named `Diskdriver.proc` and warn you, but it can`t remove them - please reset your machine !!! NANO This program with a length from 1484 bytes is a classical filevirus ... It stands by the name $A0A0A0A0A0A0 invisible in the root-directory of an infected disk and has written it`s name in the startup-sequence. Whenever you run the startup-sequence NANO will run, too. It copies itself to $7C000 into memory and sets the vectors CoolCapture *, OldOpenLibrary () & SumKickData (). After six resets the filevirus draws the flag of the german federal republic. If any program uses OldOpenLibrary () NANO tries to copy itself from memory onto the new disk. After six copies NANO displays the following alert: ... another masterpiece by N A N O !!! GREETINGS TO: Byte Bandit, Byte Warrior, DEF JAM, DiskDoktors, FANTASY, Foundation For The Extermination Of Lamers, I.R.Q. Team, Obelisk Softworks Crew, S.C.A., UNIT A ... Every time a program tries to use SumKickData () NANO can check the vectors CoolCapture * & OldOpenLibrary () to set them again on the virus addresses, if someone had cleared them. NANO is harmless and causes no damages. AntiCicloVir have to reset OldOpenLibrary () & SumKickData () and to clear CoolCapture *. AntiCicloVir can kill NANO on disk, too. NANO II This is only another version of the NANO filevirus, which has a length from 1472 bytes. The new NANO virus stands still in root-directory by the new invisible name $A0A0A0A0 and will be called up from the `Startup-Sequence`, while running it. I think, this one was the first filevirus, which uses the protection bits for it`s own protection ! NANO II makes the files $A0A0A0A0 & `Startup-Sequence` write-, read- & delete- protected. Even the new NANO filevirus copies itself to an absolute memory position in CHIP-RAM ... It is resident via CoolCapture and sets after a reset the vectors DoIO (), SumKickData () and Interrupt 3 to it`s own virus adresses. The virus-routine now, running about the patched DoIO () vector, still tries to open the `dos.library` as long as if she is available. Then the routine patches the vectors Open (), Lock () & LoadSeg () to the own virus addresses. About these DOS vectors the filevirus will spread itself to every disk ! But the filevirus doesn`t recognize the write-protection, so that you will get, until the filevirus is running, Requester from the type `volume xyz is write- protected` ... About the virus-routines, running through the patched vectors of SumKickData & Interrupt 3, the filevirus will permanent control it`s own vectors and restore every changing ! I think NANO II won`t work with KickStart versions higher than 1.3, because the offset table of the `dos.library` was changed in KickStart 2.04 !!! The vectors of the old `dos.library` offset table are pointing to GlobeVec structures, while the vectors of the new offset table in KickStart 2.04 are pointing to ROM. That means, the jump codes from this two offset tables differs and every programm,, using the old jump codes, crashes the machine under higher KickStart versions ... If I tested NANO II with OS3.0, the system crashes down ! This filevirus causes no damages & displays no messages. AntiCicloVir will recognize & kill this filevirus in memory & on disk. NaST The NaST filevirus with a length from 2608 bytes uses the same mechanism like the fileviruses BGS9/Terrorists for it`s own spreading ! It looks for the first executable program, called up from the `Startup-Sequence`, and writes it by an invisible name ($A020A020A020202020A0202020A0) to the subdirectory `:c`. After that is writes an own virusfile by the name of the original program on disk. Every time you boot from or run the `Startup-Sequence` of such an infected disk, the NaST filevirus will be called up and copies themselves in a random memory position in CHIP RAM. The NaST filevirus uses the vectors KickMemPtr, KickTagPtr, KickCheckSum, FindTask (), OldOpenLibrary (), OpenLibrary (), OpenWindow () and Interrupt 3. After installing in system, the filevirus loaded the original file from subdirectory `:c` via LoadSeg () into a segment list and startes it as task, by using the DOS-routine CreateProc () ! If the task ends, the filevirus removes him from the segment list via UnLoadSeg (). This is the way the NaST virus deceives the AMIGA user ! The virus writes the address of its own MemList structure to KickMemPtr and its own reset-program to KickTagPtr, so it can survive every reset. After rebooting the virus patches the OpenWindow ()-vector to an own routine, which installs it on a new disk, before it must reset the vector to his ROM address. But NaST can spread itself too, if any task jump to the patched vectors of OldOpenLibrary () or OpenLibrary () !!! The vector Interrupt 3 is pointing to a NaST virus routine, which is controlling permanent the own addresses for changing ! AntiCicloVir will recognize & kill this filevirus in memory & on disk. No Guru V2.0 The program No Guru V2.0 with a filelength from 1224 bytes is called a Trojan Horse, because it tries to deceive the user by simulating a useful utility: `Making life with AmiExpress just that little bit easier ...` The program copies itself to a random memory position as utility and patches the vectors Alert () & AutoRequest () to the addresses of its own routines. This Trojan Horse is only dangerous for AmiExpress user = SYSOPs !!! Because it looks for the file `user.data` and searches in them for the words `renegade`, `jock rockwell` or `spiral` and patches some bytes ... AntiCicloVir can recognize & kill this Trojan Horse in memory & on disk. PP-BOMB This 71308 bytes long file is the orign version 3.0b of the `powerpacker. library` by Nico Francios. But a group called QUARTEX, I think has added a routine, which could be danger for your hard disk ! Because the PP-BOMB looks in dh0: & dh1: for the file `why`, tries to set it on zero, looks for AmiExpress & tries to patch it and looks for some other files ... PP-BOMB cannot copy itself onto another disk, is not resident in memory and sets no vectors. We needn`t to look in the memory after this bomb ! Check your sub-directory `LIBS` with AntiCicloVir for this bomb !!! QRDL1.1 The QRDL1.1 virus is a 2320 Bytes long linkvirus. I`m sorry, that I can`t analyze it, but it won`t work with KickStart 1.2 in memory. It is hanging around in memory via CoolCapture * and patches the vectors DoIO (), OpenLibrary () & OpenWindow () ! It infects an executable file, whilst installing an own hunk at the first position in this file and calculates the hunk-worths (hunk-number, hunk-length, reloc- worths ...). QRDL1.1 contains the following message: `(C)1992-04-16 QRDL. RELEASE 1.1 Born in Poland, Grt to Jack` This linkvirus is very dangerous, because it could destroy your datas ! It looks for the BitMap-Block of your disk and deallocates all used data- blocks !!! If that was happened, AmigaDOS won`t know longer, which datablocks are used and which datablocks are free !!! Now, if you save up a program on such a disk, it could be happened, that AmigaDOS writes the datas into datablocks, which will be used for another program ... You will get code from one program into another program and final the complete chaos on your disks ! AntiCicloVir only can detect the QRDL1.1-linkvirus on disk, but not remove it from an infected file. AntiCicloVir can`t detect QRDL1.1 in memory. Thanks must go to Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark, from the SHI ( Safe Hex International ) ! Red October 1.7 This linkvirus has a length from 1296 bytes. It will not use any vector and don`t stand resident in memory ... That`s it, because it`ll work with KickStart V2.04, too ! I think, that this linkvirus was published as PD-software, because there exist the following DOC-File for it: `The Red October Virus 1.7 (901029) This virus program is for demonstration and testing purpose only. The Red October virus is a non-overwriting virus and was developed and tested under AmigaDOS 1.3. The following points influenced the development of the program: 1. The virus should infect other programs only when system clock seconds are evenly divisible by three. 2. All of the infected files should continue to work properly. 3. The manipulation task in the virus causes a system crash when the system clock seconds are 16, 32 or 48 (evenly divisible by sixteen). 4. The virus only infects files which are shorter than 50000 bytes in the current directory. Delete the virus and the infected programs on the computer when you are done. WORK WITH COPIES ONLY.` If you run an infected file, Red October comes in action. The linkvirus is working with the `timer.device` ! If you can divide the seconds through three, then Red October tries to increase. It reads the whole directory of your disk and tries to infect every executable file, it will find ! Red October installs an own hunk into this infected file and calculates the new hunk-table ( hunk-number, hunk-length, reloc-worths ... ) Because the linkvirus has a bug, it could be happened, that some infected files won`t work longer and causes Software Errors & GURU`s ... But you could repair this damages by yourself ( not by AntiCicloVir ), if you want get back this datas ! If you can divide the seconds through sixteen, then Red October 1.7 causes a reset. Well, AntiCicloVir can find Red October in infected files, but not remove them from this files ... I got this linkvirus from Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark (SHI). Return of the Lamer Exterminator This one is a complete new form of AMIGA virus. It`s called Disk-Validator virus, because it is using the mechanism of the Disk-Validator routine to increase ! This virus copies itself after every reboot over the original Disk-Validator in the subdirectory :L. Then it sets the BitMap-Pointer from the Root-Block to a senseless address on disk and causes so a Disk Validating Error. The Disk Validating Error will force AmigaDOS permanent to startup the Disk- Validator to create a provisional BitMap in memory, so that AmigaDOS can work with that disk. But that means, that every time you insert an infected disk, the Return of the Lamer Exterminator virus will automatic activates and can install itself in memory ... It`s resident in memory via KickTagPtr * & KickCheckSum * ! It sets InitCode (), OpenWindow (), BeginIO () & Close () from the trackdisk.device, BeginIO () from the keyboard.device and the RasterBeam-Interrupt. Because that, AntiCicloVir can only recognize that virus in memory, but not kill it ... On disk AntiCicloVir can recognize that virus, but must rename it ! It can`t kill it, because every time you insert an infected disk, Return of the Lamer Exterminator stands in memory. And even then, if this virus stands in memory, it opened the file Disk- Validator or uses a Write Lock on him. That means you can`t delete this file ! But if you rename :L/Disk-Validator to :L/LAMER-Virus - for example - it will not again started from AmigaDOS and can`t infect your memory ! After that your disk have a Disk Validating Error. That was the work of the virus ... To get rid of the Disk-Validating Error, you must boot from a disk, which contains the original Disk-Validator and then insert the disk with the Disk-Validating Error. Now the disk will be validate ... To get a valid BitMap you have to write or delete anything to/from this disk. Now the disk is health ! Another possibility is, to use a diskmonitor, to look for the original BitMap on disk and to set this worth into the BitMap-Pointer of the Rootblock. This virus is very malignant, because it can destroy your disks ! After some time it begins to look for some OFS or FFS data blocks on your disks & fills them with the word `LAMER!`. This destroys some of your files and causes read/write errors. But that`s not all ! The virus can destroy disks in all connected drives, whilst format them root- blocks !!! This disks are completely destroyed !!! Then it displays an alert: Return of the Lamer Exterminator You can health disks with read/write errors by using the command DISKDOCTOR. This virus will only work with KickStart V1.2/1.3. Revenge Of The LAMER Exterminator This filevirus exists in two variants: Revenge Of The LAMER Exterminator I & Revenge Of The LAMER Exterminator II From variant I exitsts two types ! I will mainly explain type 1 of variant I. The variants I+II stands as invisible file with the name $A0A0A0A0A0 in the root- directory. Type 2 of variant I camouflages itself as command DosSpeed ! But back to type 1 of variant I ! This virus writes it`s invisible name in the startup-sequence and will so every time you run the startup-sequence be started. To survive the reset it uses the residents and sets KickTagPtr * & KickCheckSum* But this virus sets a lot of other vectors more ... I don`t know them all and that`s the reason, why AntiCicloVir can`t kill it completely in memory ! AntiCicloVir offers you, that it had recognized this virus and cleared the Kick-pointer. If you really wont get rid of it, you have to make a reset !!! This virus is very malignant like Return of the Lamer Exterminator ! But I think, it have some errors. If it`ll started via startup-sequence, you get some problems with irregulare signs in the AmigaDOS window. It could happen, that you can`t find some subdirectorys on your disk, while working with the workbench and so on ... After eight minutes or four resets, begins the virus to destroy your disks. It formats the complete disk and displays a three page long alert: Revenge Of The LAMER Exterminator RED ALERT: It has come to my attention that the person using this computer is a LAMER (+) we the people , who are responsible for the "Revenge Of The LAMER Exterminator` Virus, believe that only intelligent folk are fit to use the AMIGA Personal Computer. Since you were apparently not smart enough to prevent infection of your computer and software by this virus ( You should have used a condom ), we must assume that you are a LAMER ( a.k.a. LOSER ) and therefore we had no alternative but to erase your floppy disk(s) in order to get your attention. - Press Any Mousebutton - We are eagerly looking forward to the first Amiga magazine that explains the inner workings of this brilliant ( at least we think so ) virus. However, we are not very confident, since the three versions of the original LAMER Exterminator virus have never really been analysed in any Amiga magazine. we have made this virus a little bit more aggressive so that more people will recognize it and hopefully will learn something as to overcome the dreadful disease of LAMERism By the way, the A in LAMER is pronounced like the A in DAY ( LAMER peolpe do not know proper English in our experience ) - Press Any Mousebutton - Signed Foundation for the Extermination of LAMERS. (++) (+) You can recognize a LAMER or LOSER as someone who can only use the Ctrl - Amiga - Amiga keys on his Amiga, and might even know how to load X-Copy ... (++) Due to the primitive and violent nature of some LAMERS, we have decided against revealing our real identies, so as to prevent unnecessary visits to the local hospital on our part ! Coming sonn to a theatre near you: +++ The Lamer Exterminator - A new Beginning +++ Rated PG - Press any Mousebutton to Continue Being a LAMER - AntiCicloVir can`t detect this virus on disk, if it stands in memory, because it manipulates the contens of some registers so, that no viruskiller will find this invisible file in the root-directory ! If you list the startup-sequence or if you list the root-directory, you will nowhere find the invisible $A0A0A0A0A0 because the virus in memory. Make also a reset and check your disks after removing Revenge Of The LAMER Exterminator from memory. RISC This here is only a mutation of the famous SADDAM-Disk-Validator-virus. If you want to know how this kind of viruses work, where they`re to find in memory, which damages they cause and how you could get rid of it, then I suggest you, to read the part about the SADDAM virus in my documentation ! There was no other patch found in this mutation, than the new virusname ... I`ve got this virus from Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark, from the Safe Hex International ( SHI ). SADDAM This one is called a Disk-Validator virus, because it uses the routine of a Disk-Validator for it`s own increase. SADDAM copies itself onto every disk you insert or boot from and overwrites the original Disk-Validator in subdirectory :L ! If that disk doesn`t contain this subdirectory, SADDAM creats by itself this subdirectory ! It can infect every disk ! After that it sets the BitMap-pointer in the Root-Block to a senseless address, which will cause a Disk Validating Error ! This will force in later times AmigaDOS to startup the new Disk-Validator, which is in real the SADDAM virus ! Only to insert an infected disk reaches to get this virus in memory. It is resident via ColdCapture *. That means, that it`ll work with KickStart 1.3 too, if you make a reset without installing SetPatch r ! Because KickStart 1.3 has a bug in it`s system, will all other viruses wiped out from memory after a reset - not so the SADDAM virus !!! The virus sets the vectors BeginIO () & Close () from the trackdisk.device and comes so every time in action, if you insert a disk in your drive or if you boot from a disk or if you use in any other case the trackdisk.device ! Further the virus sets the vector of the Raster-Beam-interrupt on it`s own address ! Now, it can control permanent the right address of ColdCapture * and sets the vector again, if any other program had cleared it ! Only in the resetphase, it patches the vectors InitCode () & OpenWindow () for virus internal works ... The SADDAM virus is very malignant and causes different damages !!! After a time it startes to look for some OFS or FFS data blocks, gives them the name IRAK and coded the contents with a worth ! The programs, standing in those data blocks, won`t longer work and the disk get`s read/write errors ! But if the SADDAM virus stands in memory, it`ll decode such a datablock, if AmigaDOS loads him and so can prevent a read/write error message! Another damage has likeness with the virus Return of the Lamer Exterminator ! After a few time the virus startes to format disks in all connected drives ! This disks are completely destroyed !!! And shows you an alert: SADDAM Virus If AntiCicloVir finds the SADDAM virus in memory it sets the vectors Raster- Beam-interrupt, BeginIO () & Close () from the trackdisk.device on it`s ROM addresses and cleares ColdCapture * ! AntiCicloVir can kill the SADDAM virus on disk, but not repair the damages ! At first you have to correct the Disk Validating Error ! Please boot from one disk which contains the original Disk-Validator and insert after that the disk, with the Disk-Validating Error ! The original Disk-Validator creates a provisional BitMap in memory, so that AmigaDOS can work with those disk. To get a valid BitMap you have to write/delete anything to/from this disk ! Another possibility is to use a diskmonitor, to look for the original BitMap of that disk and to set the BitMap-Pointer from the Rootblock of the position of the original BitMap-Block ! If you want health a disk with SADDAM damage please use an universal virus- killer, which can check the blocks of a disk, too ! You must uncode the coded data blocks to get rid of the read/write errors ! But you can`t health disks, which the virus has formated ! I got this new virus from Gregory Sapsford, Fohlenkamp 33, W-4600 Dortmund 13, Germany. Sepultura This one is a filevirus with a length from 1876 bytes. You can find it every time by the invisible name $A0A0A0A0 in the root-directory of an infected disk. It writes its own invisible name to the first position in the `Startup-Sequence`. So it will called up every time you boot from such a disk ! The Sepultura filevirus can only infect disks you insert in the drive loppydisks df0:, df1: or df2: ! It can`t infect a disk in drive floppydisk df3: or the RAM: or harddisk ! Because the virus is for its own spreading using the path dfx:, in them it will change the last number of the drivename after some infections. After running the filevirus it copies itself to a random position into CHIP- RAM. Sepultura can survive the reset by an own reset-program, which will be started about KickTagPtr. The filevirus patches the vectors FindRes (), Open (), DeleteFile (), Rename (), Lock (), LoadSeg () & Interrupt 3. While rebooting your system Sepultura sets the vector FindRes () to its own virus address and waits as long as if the `dos.library` is available ... If that happens the filevirus sets the DOS-vectors Open (), DeleteFile (), Rename (), Lock () & LoadSeg () to its own virus address. By using the virus-routine, to which the DOS-vectors are pointing, Sepultura can copy itself on every non-writeprotected disk ! The Interrupt vector No. 3 has the filevirus setted on an own routine for displaying this alert: Hi Guyz !! SEPULTURA strikes back with their new VIRUS ... Look ...` Sepultura won`t work with heigher versions, than KickStart 1.3, because it has the same problem with the different `dos.library` offset tables like the filevirus NANO II (please read in this chapter all about this problem !). In KickStart V2.04 Sepultura will cause GURU`s after every reset !!! AntiCicloVir can recognize & kill the virus in memory & on disk. ShowSysop This is only one program more to annoy AmiExpress users ! AntiCicloVir can recognize & kill this file, while running the filetest. Smily Cancer I + II The Smily Cancer virus is a 3916 bytes long linkvirus. It infects the first executable program it finds in the startup-sequence ! Smily Cancer works like all old linkviruses ( IRQ, CCCP and so on ... ). It copies itself as first hunk into the infected file and calculates a new hunk-header for the reloc worths for memory position correction and something more ... Every time you run the startup-sequence or an infected program, the linkvirus jumps at an absolut position into memory. Smily Cancer is resident via using KickTagPtr * & KickCheckSum * ! For increasing it sets BeginIO () from the trackdisk.device on it`s own address. Further it set`s SumKickData () on it`s own address, to check the Kick-pointer, if any other program uses this routine and set them again on the virus address, if it had cleared them ! After twenty increasings becames the Mousepointer a yellow head and the following text will be offered to you: Hi There !!! A New Age In Virus Making Has Begun THANK TO US ... THANK TO: --- CENTURIONS --- AND WE HAVE THE PLEASURE TO INFORM YOU THAT SOME OF YOUR DISKS ARE INFECTED BY OUR FIRST MASTERPIECE CALLED: `THE SMILY CANCER` HAVE FUN LOOKING FOR IT ... AND STAY TUNED FOR OUR NEXT PRODUCTIONS. CENTURIONS: THE FUTURE IS NEAR ! The Smily Cancer linkvirus causes no damges. AntiCicloVir can detect & kill this virus in memory, and on disk in this version. But it can`t get them out of an infected file !!! Don`t use this file !!! Smily Cancer II is called a 4676 bytes long Trojan Horse, which camouflages itself as LoadWB command on disk. If you run this program it installs the linkvirus Smily Cancer in memory and executes after that the LoadWB routine ! AntiCicloVir can detect & kill this Trojan Horse ! SnoopDos 1.6 This here is only one program more to annoy AmiExpress user ! Filelength: 11312 bytes AntiCicloVir will recognize & kill it in the filetest. Telecom Telecom is a simple filevirus with a length from 756 bytes. You can find it, using the invisible name $A0, in the root-directory of every infected disk. It`ll be activated if you run the `Startup-Sequence`. Then it jumps into CHIP-RAM and sets the CoolCapture vector to its own reset- routine. Telecom patches the vectors DoIO () & FindRes (). But it works only with KickStart V1.3, because it is using absolute ROM addresses. That is the reason why AntiCicloVir can`t find it in memory, because I use not KickStart V1.3 ! But in the filetest AntiCicloVir will recognize the Telecom filevirus and remove it from disk ! Terrorists The Terrorists virus has a length from 1612 bytes and works like the BGS9 virus. This filevirus looks for the first executable program in the startup-sequence and writes it from it`s original place on disk to an invisible file in the root-directory, which is called in hexadecimal $A0202020A02020A020A0A0 ! Itself copies itself at the old position of the original program. If you now run the startup-sequence at first the Terrorists virus will be started and copies itself into memory and later the virus executes the invisible file, which is the original program. Terrorists uses the residents to survive the reset via KickMemPtr *, KickTagPtr * & KickCheckSum *. After every reset it sets the vector OpenWindow () to it`s own address in memory and tries to copy itself from memory to disk, if AmigaDOS startes the routine OpenWindow () to create the AmigaDOS window ! After that it sets the vector OpenWindow () to it`s ROM address ! After four resets it offers you the following message: THE NAME HAVE BEEN CHANGED TO PROTECT THE INNONCENT ... THE TERRORISTS HAVE YOU UNDER CONTROL EVERYTHING IS DESTROYED YOUR SYSTEM IS INFECTED THERE IS NO HOPE FOR BETTER TIMES THE FIRST TERRORISTS VIRUS !!! The Terrorists virus is very harmless and destroys nothing ! AntiCicloVir have to clear the Kick-pointer to wipe it out of memory. It can detect it on disk, too. T.F.C. Revenge LoadWb This one is a 2804 bytes long Trojan Horse, which is camouflaged as LoadWB command on every disk, it was installed. If you run it, it`ll install the bootblock-virus T.F.C. Revenge in memory, at two positions: $7F800 & $FF800 The T.F.C. Revenge virus is a mutation of the EXTREME virus ! After that it executes the LoadWB routine ! AntiCicloVir kills this Trojan Horse & the bootblock-virus in memory ! Time Bomb V0.9 This 7840 bytes long file must we call a bomb. Time Bomb V0.9 is not resident, patches no vectors & can`t spread itself ! It tries to deceive the user by simulating a viruskiller: `RAM CHECKED - NO VIRUS FOUND.` But in reality copies the bomb itself to the subdirectory `:c`, by using the name `.info`, and creates some kind of counter in the root-directory named `pic.xx`. The counter has the worth #6. While every time you run the Startup-Sequence, the bomb in the file `:c/.info` tries to open the counter in the file `pic.xx` and to subtract the worth #1 from the worth in the counter. Now, if the disk is write-protected, the bomb displays a requester: `User Request: Please remove write Protection and press left Mouse Button to continue.` So long as you don`t do that, the bomb stops the running of the `Startup- Sequence` ! If the worth in the file `pic.xx` has reached zero, the bomb formates the whole disk and destroys so all disk datas !!! AntiCicloVir will recognize & kill Time Bomb V0.9, while running the filetest. Traveling Jack 1+2 This both little linkvirus differs in some points from the most other linkviruses. If they infect one file they can use two different hunk-length to deceive viruskiller ! But these linkviruses can create an own file on disk too, which have the name: VIRUS.xy The variables x & y stands for hexadecimal ciphers, which will determined via $BFE001. This file has a length from 198 bytes and contains the following text: The Traveling Jack ... I`m traveling from town to town looking for respect, and all the girls I could lay down make me go erect. - Jack, 21st of Semptember 1990 These linkviruses uses only one vector from the Dosbase-structure and were not resident ! They uses dl_A5 ( Offset $2E ), which contains datas from the addressregister A5 to buffer them. The Traveling Jack linkviruses causes no damage ! The two viruses differs only in a different routine for calculating the new hunk-length and in a different routine for coding the linkvirus on disk. These linkviruses will not work with KickStart V2.04 ! AntiCicloVir can find both linkviruses on disk and in memory. Virus Construction Set Now, this here is no virus, but a program, which you can use, to create your own virus ... If you start the program, it will suggest you, to enter your own virus message. After that you can insert any disk, to infect the disk with your own virus. These new bootblock virus will display in an alert box after every fifth Copy your message, but in the end of the bootblock viruscode, you can find a coded ASCII-text from the real virus programmer ... The Virus Construction Set is 10192 bytes long. AntiCicloVir will recognize & kill this program in the filetest, if you want that. Xeno This linkvirus has a length from 1124 bytes. It infects the first executable program, it finds in the startup-sequence. But it doesn`t infect every program. It looks only for programs, which have the following signs in it`s filename: 0-9, a-z, A-Z It doesn`t infect programs with special signs ! This linkvirus don`t increases the hunk-number ! Xeno isn`t resident and uses only three vectors from the dos.library: Open (), LoadSeg () & Lock () Every time you or a program open a file, you or the AmigaDOS loads a file to run it or you or AmigaDOS sets a Lock for a directory, the Xeno virus becomes lively and tries to infect a file. The Xeno virus can display the following message: Greetings Amiga user from the Xeno virus ! The Xeno virus makes no damage. If AntiCicloVir finds it in memory, it`ll set the vectors Open (), LoadSeg () & Lock () to their ROM addresses. In this version now, AntiCicloVir can find the Xeno-Linkvirus on disk, too ! xprzspeed V3.2 This file now, is another Trojan Horse to annoy AmiExpress users ... xprzspeedV3.2 has a filelength from 9556 bytes. It tries to deceive the users with the following startup-message: `This tool was coded in order to improve your Z-Modem transfers. And it works really good in 30 % of our TEST-Downloads there was an acceleration of nearly 6-7 % !!!` xprzspeed V3.2 opens a port, which will run at 4:13 am and delete ALL files in BBS: !!! Then it deletes a file named `ram:temp` and after that it creates a file with the name `Dip_in_DUDE` and writes memory waste into it as long as if the medium is full. AntiCicloVir will recognize & kill this Trojan Horse, while you run the file- test. Have a nice day !!! Matthias Gutt (Member of SHI Anti Virus Group)