Amiga Collections: Franz PD

home *** CD-ROM | disk | FTP | other *** search

/ Amiga Collections: Franz PD / Franz PD Disk #230 (1993)(Rhein-Sieg-Soft).zip / Franz PD Disk #230 (1993)(Rhein-Sieg-Soft).adf / AntiCicloVir_V1.9 / AntiCicloVir.DOC < prev next >

Wrap

Text File | 1993-04-15 | 70KB | 2,006 lines

AntiCicloVir V1.9-Documentation Create Date :01, April, 1993 @ 1992/1993 by Matthias Gutt Kantstr. 16 W-2120 Lüneburg Germany Table of Contents: 1.0 Copyright 2.0 How to use AntiCicloVir 2.1 Checking memory by AntiCicloVir 2.2 Reset-Routine of AntiCicloVir 2.3 Checking disks by AntiCicloVir 3.0 Documentation of some AMIGA viruses - Amiga Knight - BGS 9 I+II - Bluebox - Bret Hawnes - CCCP - Color ( TURK V1.3 ) - COMPUPhagozyte I.1+I.2 - COMPUPhagozyte II or COMPUPhagozyte 3 - COMPUPhagozyte III A-C or COMPUPhagozyte 4-4b - COMPUPhagozyte IV or COMPUPhagozyte 4c - D-Structure - DAG Creator - Darth Vader 1.1 - DISASTER-MASTER V2 - Disktroyer V1.0 - DiskVal1234 - Golden Rider - Gotcha Lamer - Hochofen - IRQ - JEFF Butonic V1.31 - JEFF Butonic V3.00 - LAMER LoadWb - LAMER VirusX - Liberator v1.21 - Liberator v3.0 - Liberator v5.01 - LOOOOM - MENEM`s REVENGE - NANO - PP-BOMB - QRDL1.1 - Red October 1.7 - Return of the Lamer Exterminator - Revenge Of The LAMER Exterminator - RISC - SADDAM - Smily Cancer I+II - Terrorists - T.F.C. Revenge LoadWb - Traveling Jack 1+2 - Xeno 1.0 Copyright The program `AntiCicloVir V1.8` is called PD-software, because I defined it so in the first time ! But now, I think I, must define it as Freeware, because I don`t want that everyone can change some parts of my program like in former times ... `AntiCicloVir V1.9` is a linkviruskiller, which checks your disk & memory for linkviruses. It can detect known bootblock-viruses in memory, too. `AntiCicloVir V1.9` can check some addresses in memory, install a reset-routine and some things more ... It is a small & simple to use program to fight against AMIGA viruses - mainly linkviruses ! You can copy everyone this program and use it whenever you want ! You can spread this program with or without documentation on every disk. It is allowed, to install `AntiCicloVir V1.9` as utility on PD-disks. Not allowed is, the changing of a part of `AntiCicloVir V1.9` or his documentation !I can`t take the responsibility for this program, but I`m interested in every bug report or new computerviruses !!! The following PD-series has got `AntiCicloVir V1.9` from me: `AmigaLibraryDisks`, `TIME_PD`, `FRANZ_PD`, `Kick_PD`, `Exec_PD`, `Amiga Corner`, `Amiga Szene` & `GFS_PD`. and `GPD` ! Many thanks must go to Michael Petrikowksi ( Amiga-Szene PD ) for his help, while I was debugging AntiCicloVir ... You can get the newest version of AntiCicloVir from Daniel Lars Reuß, Eschen- weg 10, W-6470 Büdingen-Lorbach, Germany or from the TPDS ( Jürgen Dieterich, Rehhaldenweg 10, W-7060 Schorndorf, Germany ). Feel free to spread it ! 2.0 How to use AntiCicloVir `AntiCicloVir` is a small linkviruskiller, which can detect 30 linkviruses in this version ! It can detect 124 bootblock-viruses in memory, too ! It can be started from Workbench or from AmigaDOS. In the main-function it shows you in the system-vectors-table your KickStart- Version and the addresses of 26 important vectors. `AntiCicloVir` can check all files of a choosed directory for some linkviruses and remove them. The linkviruskiller installs, after every call, a little resident program in memory, which can check your AMIGA after a reset. You could use AntiCicloVir to check your system, if you copy it into the sub- directory :c of your Workbench-disk and if you write the following call in your `:s/startup-sequence`: AntiCicloVir -m The option `-m` is very important to use AntiCicloVir in the main-function !!! So AntiCicloVir can check your system every time, when you boot from your Workbench-disk and warn you if it found one known virus in memory. Unknown viruses could be detected by correct interpreting the system-vectors- table by the user hisself ! Another help is the resident routine of AntiCicloVir, which started her action after every reset and so could prevent a new virus-infection of memory ! 2.1 Checking memory by AntiCicloVir It exists two posibilities to check the memory ! The simplest posibility is to start AntiCicloVir by choosing his icon from the Workbench. In this case, the main-function of AntiCicloVir will be used. The other posibility is to call AntiCicloVir from the AmigaDOS or CLI. But in this case you MUST use any of the three options, because if you do this not AntiCicloVir tries to check the disk !!! The following three options are allowed: `-m`, `-n`, `-c` The most important & used option will be `-m` ! Enter: AntiCicloVir -m Now, AntiCicloVir will be started and greets you with a simple color-cycling. Then it shows you the system-vectors-table. It shows you your own KickStart-version in the title of the new window. The KickStart-version is mainly for AntiCicloVir important, because it must know the right ROM addresses, if it will wipe out a virus from your AMIGA`s memory ! If AntiCicloVir can`t recognize your KickStart-version, while detecting a virus in memory, it`ll try to reset the Capture-vectors or Kick-pointer and inform`s you, why it can`t kill this virus. In the system-vectors-table you will see seven important vectors from the ExecBase-structure: ColdCapture *, CoolCapture *, WarmCapture *, KickMemPtr *, KickTagPtr *, KickCheckSum * and RasterBeam ! From the exec.library you will see the vectors of Alert (), AllocMem (), FreeMem () PutMsg (), OldOpenLibrary (), OpenDevice (), DoIO (), OpenLibrary () & SumKickData () ! From the `intuition.library` you can recognize the vectors OpenWindow () & DisplayAlert (). From the trackdisk.device you can see the vectors BeginIO () & Close (). The vectors Open (), Write (), Lock () & LoadSeg () from the dos.library will be shown, too. And last but not least the BeginIO ()-vector of the `keyboard.device` ! After this AntiCicloVir check`s your memory for all known linkviruses & warn`s you with a little text in AmigaDOS & tries to kill the virus. Now the linkviruskiller check`s once more the memory, but now he looks for all types of known viruses - for example bootblock-viruses ! At last, after closing the intuition window AntiCicloVir installs a little resident program in memory from $7E000 ! He set`s the vectors CoolCapture * and SumKickData () on it`s address ! If you choose for option `-n` the same things happens like above mentioned, but only the color-cycling does not appear. By typing `-c` as option happens the same things like above mentioned, but without creating intuition window & installing reset-routine. 2.2 Reset-Routine of AntiCicloVir The Reset-Routine from AntiCicloVir stays every time at $7E000 in memory. It will be activat by jumping in CoolCapture * or SumKickData (). While starting about CoolCapture * the routine will be activated after a reset. The same simple color-cycling greets you ... She chechs the pointers ColdCapture *, CoolCapture *, WarmCapture * KickMemPtr * KickTagPtr * & KickCheckSum * and will clear them if she will find an unknown resident program. The routine clears the pointers not, if she found a known useful resident program. If you press the left mousebutton, while rebooting your AMIGA, the reset-routine makes `Harakiri` on herself ... Jumping into SumKickData () activates the routine, too. Then it`ll check the CoolCapture *-vector and set it on her own address, if he was cleared ! 2.3 Checking disks by AntiCicloVir To check one disk by AntiCicloVir you have not more to do, then to call AntiCicloVir by his name in AmigaDOS ( you can check disks only in AmigaDOS by AntiCicloVir ) and to name a path after the name ! The pathname stands for a main-directory or for a device. Example: AntiCicloVir Df0: ... will check all files from a disk in drive Df0: ! The linkviruskiller lists every filename on the screen and add the message `OK` to him, if he didn`t found a virus ! If he found a virus, he will add the message: `... contains NAME-virus !!!` heck with AntiCicloVir ! AntiCicloVir writes a short message in your startup-sequence after deleting the virus from disk. This could prevent some problems in AmigaDOS, if the virus has written his name for calling up in your startup-sequence ... 3.0 Documentation of some AMIGA viruses In the following annotation you will learn something about a few AMIGA viruses. Presupposition is only a small knowledge about ASSEMBLER-programming & the Amiga DOS: Amiga Knight This 6048 Bytes long program can we call a filevirus. It camouflages itself as the command `initial_cli` on every infected disk. The virus writes it`s name on the top of the `startup-sequence`. Every time you run the `startup-sequence` of an infected disk, the Amiga Knight virus will jump into a random position in CHIP-RAM and set the Kick-pointer to survive the reset. For it`s own increasing, the virus sets the vector DoIO (). After five resets it will create a vector-demo in red colors, which contains the following text on the top of the screen: `YEAH, THE INVASION HAS STARTED ! YOUR TIME HAS RUN OUT AND SOON WE WILL BE EVERYWHERE !` In the middle of the screen you can see this vector-demo, which will draw the the words `Toco`, `THE` & `AMIGAKNIGHTS` ! At the bottom of the screen you will see the following message: `THIS IS THE GENERATION 0039 OF THE EVIL AMIGAKNIGHTVIRUS GREETINGS TO DUFTY, DWARF, ACID CUCUMBER, ASTERIX, ANDY AND ALL AMIGIANS I KNOW !` If you insert or boot from a non-writeprotected disk, which contains a `startup-sequence`, the Amiga Knight virus will try to infect this disk and to change the `startup-sequence` ! This will it do every time, a routine tries to use DoIO () ! The filevirus contains an `ILLEGAL`-command ! Amiga Knight uses many KickStart 1.2 ROM addresses and jump`s to an absolute position into the reset-routine. I think, it won`t work with higher KickStart versions than 1.2 ! It might not be able to destroy disk or datas ! If AntiCicloVir found this one on disk, it deletes the file `initial_cli` and overwrites the first bytes of your `startup-sequence` ! To get rid of it in memory, AntiCicloVir restores the DoIO ()-vector and clears KickTagPtr* & KickCheckSum* Thanks most go to Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark from the SHI (Safe Hex International), who was the first one, who sends this virus to me. BGS 9 I+II This filevirus possibly is a mutation of the filevirus Terrorists. This one stands upside the crowd, because all other fileviruses use another mechanism to spread itself ... The BGS9 virus looks for the first executable program from your startup- sequence and copies it from his real place to the subdirectory `DEVS:` or if it can`t find this subdirectory to the main-directory and gives him an invisible name, which is called in hexadecimal $A0A0A0202020A0202020A0 ! After executing the first program from the startup-sequence of an infected disk, which is the BGS9 virus, the virus installs itself in memory and executes the original program, which stands invisible in `DEVS:` ! In memory the BGS9 virus uses the residents to turn on itself after a reset ! It sets KickMemPtr *, KickTagPtr * & KickCheckSum *. While every reset, it sets the vector OpenWindow () from the intuition.library to it`s own address. After every using of OpenWindow () the virus tries to copy itself like the above mentioned mechanism onto the next disk or shows you after four resets the following message: A COMPUTER VIRUS IS A DISEASE TERRORISM IS A TRANSGRESSION SOFTWARE PIRACY IS A CRIME THIS IS THE CURE BBBBBB GGGGGG SSSSSS 999999 B B G S 9 9 B B G S 9 9 Bundesgrenzschutz Sektion 9 B B G S 999999 Sonderkommando "EDV" BBBBBB G GGG SSS 9 B B G G SS 9 B B G G SS 9 B B G G S 9 BBBBBB GGGGGG SSSSSSS 9 The BGS9 virus set`s the OpenWindow ()-vector to it`s ROM-address, while the first using of this routine ! This virus is very harmless and causes no damage ! It shall work with KickStart 2.04, too ! To wipe it out of memory AntiCicloVir only had to clear the three Kick-Pointer. On disk it will find the virus and delete it. The BGS9 virus II works in all points like the old BGS9 virus. It differ from the old one in a new coding of one ASCII-sign and in a new invisible name : $A0E0A0202020A0202020A0 Bluebox I`m not sure which kind of program will be represent by Bluebox. This program has a length from 5608 bytes, but I don`t own the main-program Bluebox, but only the `icon.library` of Bluebox (6680 Bytes). That`s not enough for me to analyze this kind of program completely !!! Please send Bluebox to me, if you will get it !!! There exist a name for a kind of program, which could we use to put Bluebox in it`s place ! I don`t know the anglian word for this, but in german we call this kind of programs `Bandwuermer` ! `Bandwurm`-programs were used to broke into closed Mailboxes and commercial Databank-systems ! If Bluebox is being a `Bandwurm`-program, I think it will do the following things ... ( but I`m not sure ... I need the main-program for a complete analyze !!! ) The main-program Bluebox deceives the user by simulting some sounds by using the tenthly keyboard. It`s possible that this shall deceive a SYSOP ! Bluebox can install by itself an own `icon.library` on disk and sets the protection-bits for this `icon.library`. It might be possible that Bluebox is only a trojan horse ! This `icon.library` can create a process called `input.device `. This process can seize to the serial port. Every time a user outside there, tries to login ,the process `input.device ` will capture his password and save it up into a file in the root-directory, which is called in hexadecimal $A0 ! The pirate who has written this program now, could broke into this mailbox only by reading this datafile, if he use one password name ... But I`m not sure, if that`s the sense of this program ! In this version AntiCicloVir only can find this program and warn you. Bret Hawnes This one is a classical form of a filevirus ! It`s very easy to deal with that 2608 bytes long program. On infected disks you could find it as invisible file in the root-directory: $C0A0E0A0C0 ! But it isn`t very invisible ! Indeed you can`t see it in the startup-sequence, but if you list the root- directory of an infected disk you can see some irregulare signs ... The Bret Hawnes virus also copies itself as invisible file on every disk and writes it`s name in the startup-sequence. After every running of the startup-sequence the Bret Hawnes virus will be activate ! It stands every time at $7F000 in memory and sets the pointer KickTagPtr * & KickCheckSum *, further $6c ( interrupt ) and SumKickData (). At every time you cause a reset the Bret Hawnes virus will be activated by the Kick-pointer ! It sets OpenLibrary ()-vector on it`s own address and waits for the right time, when it can set the OpenWindow ()-vector. After that it sets OpenLibrary () to it`s ROM address. Bret Hawnes now, tries about the first calling for OpenWindow () to get a chance to copy itself from memory to disk ! After that it sets the OpenWindow ()-vector to it`s ROM address, too. Instead the tenth increasing the virus destroys some tracks of your disks ... After twenty minutes it shows the following message to you: GUESS WHO`S BACK ??? VEP. BRET HAWNES BLOPS YOUR SCREEN I`VE TAKEN THE CONTROL OVER YOUR AMIGA!!! THERE`S ONLY ONE CURE: POWER OFF AND REBOOT ! To find the right time-point for this message the Bret Hawnes virus uses the interrupt at $6c, to calculate the twenty minutes ... If some program tries to use the routine SumKickData () the Bret Hawnes virus will be activated and reinstalls itself in memory, if a former program has cleared the Kick-pointer ! To wipe out the virus from memory AntiCicloVir cleares the Kick-pointer and sets the vectors $6c & SumKickData () on it`s ROM addresses. AntiCicloVir too can find this filevirus on disk ! The Bret Hawnes virus destroys disks for the tenth increasing !!! CCCP The CCCP virus was the first one, which can copy itself as bootblock-virus and as linkvirus ! This virus also can stand in the bootblock and in any programs, which it had infected ... CCCP copies itself as an own hunk into every executable program and calculates the new hunk-header ( relocs etc ... ). You could recognized an infected file by the text `CCCP.VIRUS`, which you can find in every infected file ! If you boot from an infected disk or if you start an infected program the virus copies itself in memory and sets the vector CoolCapture * and $6c on it`s own address ! 50 times per second will AmigaDOS run a routine, on which is $6c pointing. That means, that CCCP have 50 times per second the chance to control CoolCapture * !!! You can`t clear CoolCapture * without setting $6c on it`s ROM address ! If you make a reset CCCP will became very lively per CoolCapture * and set`s the vectors DoIO () & OpenLibrary () to it`s own address. If you reboot from a non-write-protected disk CCCP at first tries to copy itself onto the bootblock ... After that it set`s DoIO () on it`s ROM address. Now it waits per OpenLibrary () for the right time to set OpenWindow () on it`s own address and OpenLibrary () on it`s ROM address ! As soon as AmigaDOS opens the CLI-Window CCCP tries to infect one file from your disks and sets OpenWindow () on it`s ROM address ! The CCCP virus is relative harmless, because it makes no damage, but it is very troublesome because the links ... If AntiCicloVir finds it in memory it sets $6c on it`s ROM address and cleares the vector CoolCapture * Now, this version can find it on disk ! Color ( TURK V1.3 ) This 2196 bytes long program is not really a virus, it`s a Trojan Horse ! It simulates a simple Color-demo, to deceive the user. If you start this program a little graphic demo will be shown to you. But careful ! This Trojan Horse contains the bootblock-virus TURK V1.3. Color is another form of Trojan Horses than the most of them, because it is very active participated in installing the TURK virus. It does not only install the virus TURK V1.3 in memory - No, it copies itself at $70000 into memory and copies the including bootblock-virus to $7F000 into memory ! Then it sets the vector DoIO () on it`s own address and CoolCapture * on a senseless address ! Every time you insert a disk into your drive Color tries to copy TURK V1.3 from $7F000 in memory to the bootblock of this disk. If you make a reset the senseless address in CoolCapture * crashes down your machine and you can nothing further do than to turn the power off ... AntiCicloVir can find and kill this virus in memory and on disk ! COMPUPHagozyte I.1/I.2 This two programs could we define as a mix of filevirus and a Trojan Horse ! Because this two programs camouflaged itself as viruskiller !!! COMPUPhagozyte I.1 is 1492 bytes long and simulates `Virus-Checker V4.0`. COMPUPhagozyte I.2 is 1148 bytes long and simulates `VirusX 5.00`. ( But I`d never heard anything about `VirusX 5.00`. I think the last version was 4.01 or so ... ) This both programs are not very professian ... They work only if they stand as `VirusX` oder `Virus-Checker` in the subdirectory `c` of a disk, from that you`re booting. They try to copy itself to $7C000 into memory, but they does not change any vectors - thats good. The COMPUPhagozyte fileviruses create an intuition window, which have likeness with `Virus-Checker` or `VirusX`. They wait for every inserted disk and copies themselfes from memory to subdirectory :c of that disk or they wait therefore that you close the window. I think this fileviruses can destroy disks ... AntiCicloVir have not to kill this viruses in memory, because they never stand in memory, but it can warn you if it founds some bytes of them at $7C000 ! On disk AntiCicloVir kill both fileviruses ! COMPUPhagozyte II/3 This 568 bytes long program could we call a bomb ! It simulates the clear screen command by clearing the window. But that does it not by a using ROM-routine, but by 30 return codes ... I think it was camouflaged as `cls` on every disk. After using this command it copies a reset-routine to $7C000, which does nothing more , than clearing ColdCapture *, WarmCapture *, KickMemPtr *, KickTagPtr* and KickCheckSum * after every reboot. That could cause, that another resident program will wiped out of memory while rebooting. This bomb is also very very harmless. AntiCicloVir can it kill in memory and on disk. Another viruskiller names this bomb COMPUPhagozyte 3 ! COMPUPhagozyte III A-C This group of fileviruses is a very strange form and stand upside the crowd ! All three types of this virus works with the same mechanism. They stand as invisible file in the root-directory, which is named in hexadecimal $A0A0A0A0 ! If you start those viruses, they try to copy the invisible file from the root- directory to $7C000 into memory, to install a reset-routine at $7C600, to install routine for increasing at $7E000, to set CoolCapture * on reset-routine and to set OldOpenLibrary () on routine for increasing. Every time one program uses the routine OldOpenLibrary () those viruses will wake up and try to copy the file from $7C000 to the root-directory of the next disk as invisible file, again. After that they overwrite the first four bytes of your startup-sequence with their name. If any program was called up at this place, which name was longer than four bytes, you will get an error-code at the next time you run your startup-sequence, because irregulare signs were left. But the fileviruses has copies theirself into memory before you get this error-code ! But because this error-code those fileviruses will betray theirself ... This three fileviruses will cause no damage and display no message. The following types exists: COMPUPhagozyte III A / 4 = 916 bytes COMPUPhagozyte III B / 4a = 892 bytes COMPUPhagozyte III C / 4b 0 900 bytes There is no differ between type B & C but many differs to type A: Type A can copy itself only onto a disk in drive df0: Type A needs KickStart 1.2 to work ! Type A causes in much cases GURU`s after it has increases ( program errors ) ! Type A contains the ASCII-text not in the head of the file like type B & C. AntiCicloVir have only to clear CoolCapture * and to reset OldOpenLibrary () to kill those fileviruses in memory. AntiCicloVir can kill those fileviruses on disk, too. COMPUPhagozyte IV/4c This 1008 bytes long filevirus stands as invisible name in the root-directory: $A0A0A0A0 It stands at every time at $7C000 in memory and uses CoolCapture *, OldOpenLibrary (), SumKickData (). If one program uses the routine OldOpenLibrary (), the virus comes in action and copies itself from memory onto that new disk as invisible file. Then it writes its name in the startup-sequence. After that it checks the vectors CoolCapture * & SumKickData () for it`s right addresses. If some program uses the routine SumKickData (), COMPUPhagozyte IV checks the vectors CoolCapture * & OldOpenLibrary () for it`s own address. This virus makes no damage. But it is very inconspicuous, so that you can`t recognize it for a long time ... AntiCicloVir have to clear CoolCapture * and to reset OldOpenLibrary () and SumKickData () to kill this virus in memory. COMPUPhagozyte IV will be detect on disk, too. Another viruskiller names it COMPUPhagozyte 4c ! D-Structure This 464 bytes short program is a malignant structure, which can increase like a filevirus. It can stand under every name on disk ! That`s new by fileviruses ... If you start it, it copies itself at $7C000 and sets OldOpenLibrary () to its own address. D-Structure isn`t resident. If any program use OldOpenLibrary () to open a library, D-Structure tries to find out which library shall be opened and if it is the dos.library, it opens this one by herself. Then it get the Dosbase-address and set`s OldOpenLibrary () to it`s ROM address. After that it sets Write () on it`s own address and installs a copy counter. After every five Write Processes, D-Structure tries to copy herself from memory to the new destination. It makes not more, than changing the rigster D2 for the buffer address on it`s own address and the register D3 for the length on it`s own length ... If one other program want to write a file on disk, now instead this file D-Structure will be written on disk ! This means: This structure can be everywhere ... She can stand as executable file on disk, as part of a datafile on disk, as block on disk etc. D-Structure could copy herself per modem or per printer ... That makes no sense, but so D-Structure can disturb some processes ... This is a new form of virus programming, I think. Because D-Structure causes her increasing not active but passive by changing some registers. She doesn`t contain a routine to open any library, to create a file or to write datas from memory to disk ... this one changes only a few registers ! The damages caused by D-Structure can be very multiple ! AntiCicloVir have to set OldOpenLibrary () or Write () to it`s ROM address to kill D-Structure in memory like on disk. DAG Creator This 7000 bytes long program is not a virus, but a virusmaker ! It creates a very simple mutation of the bootblock-virus SCA named DAG on every disk in drive DF1:, if you want that. But if you don`t have drive DF1: it causes a GURU !!! This program is very harmless, but very unuseful too. So that I think it`s right, if AntiCicloVir will wipe out it of your disk ... Darth Vader 1.1 Darth Vader is a relative simple form of filevirus. It has a length from 784 Bytes. It`ll only work, if it stands by the hexadecimal name $A0 in the root-directory. If it was saved up with another name, it will cause GURU`s, because the virus looks for this invisible file on disk and tries to copy it into a random memory position, but it can`t stop malfunctions if there isn`t any invisible file on disk ! This virus will called up from the `startup-sequence` ! It copies its invisible file to a random memory position and installs the virus-code at another random memory position ! You will never find the virus-file and the viruscode at the same position in CHIP-RAM ! Darth Vader uses the CoolCapture*-vector to survive the reset. After a reset it sets, by using the Exec-routine SetFunction (), the OldOpen- Library ()-vector to its own address. I think it`s much more cleverer to set this vector per hand, without using any system-routine ... Every time a program you run uses OldOpenLibrary (), the virus looks for your disks, if it is non-writeprotected and tries to infect it. It writes his invisible name into the `startup-sequence` and copies the virus-file from memory to disk. But from this routine, it jumps back to an KickStart 1.2 ROM address ($FC1430 = OldOpenLibrary () ) ! That means it will cause on every system version higher than 1.2 `GURU`s, after it has increased ! After some time, the Darth Vader virus looks for an actual output chanel and prints the message: `VIRUS (1.1) by DARTH VADER` This filevirus is very harmless and can`t destroy disks or datas ! AntiCicloVir removes this invisible file from disk, if it had found this virus and overwrites the first byte from the `startup-sequence` ! If AntiCicloVir finds this filevirus in memory it restores OldOpenLibrary () and cleares CoolCapture*. This filevirus was send to me by Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark. Thanks, Erik ! DISASTER-MASTER V2 This 1740 bytes long filevirus camouflaged itself as clear screen command in the subdirectory :c. Every time if you start it, it`ll clear your screen and set the cursor on the top of the new screen. But that`s not all ... It copies itself into AMIGA`s memory and sets the resident-pointer KickTagPtr * & KickCheckSum * to an own resident-routine. After every reboot it`ll set the vector DoIO () to it`s own address and try to copy itself onto the next disk into the subdirectory :c ! Then it writes it`s name into the startup-sequence with one option: cls * The option causes, that the virus, every time it`ll called from this startup- sequence, doesn`t clear the screen, therefore it can`t betray itself ... After one using of DoIO () DISASTER-MASTER sets this vector on it`s ROM address, again ! This filevirus can close the AmigaDOS window and create a screen like we know it from the workbench or it let disappear the AmigaDOS title or so on ... I don`t think, that it`ll destroy disks, but I`m not sure ... After some time it displays an alert and gives you the choice to kill the virus ... better use a viruskiller for killing it ! Because I think, it could mean with `self-destruction` your own disks ... AntiCicloVir can kill that filevirus in memory and on disk ! Disktroyer V1.0 This 804 bytes long bomb camouflaged herself as clear screen command like DISASTER MASTER V2, but it`s very dangerous ... Whenever you start this program it`ll clear the screen and set the cursor on the top of them. But it sets the AllocMem ()-vector on it`s own address in memory and installs a copy counter ! If the copy counter reached the worth 150 Disktroyer V1.0 destroys all disks in your connected drives and displays an alert ! AntiCicloVir can`t detected this one in memory, but it can detect and kill it on disk ! Disktroyer V1.0 is not resident. DiskVal1234 This 1848 Bytes long file should we call a Disk-Validator-virus, because it is using the routine of a Disk-Validator for its own increasing ! DiskVal1234 is not a complete new virus, but it`s a mutation of the famous SADDAM virus. If you want to know how this kind of viruses work, where they are to find in memory, how they work on disk and which specifical damages they cause, then I suggest you, to read the part about the SADDAM virus from this documentation ! Now, I will only explain you, in which points the DiskVal1234 virus differs from the SADDAM virus ! The DiskVal1234 virus don`t copy itself onto every disk you insert in drive DF0: like the SADDAM virus, but it can infect every disk you insert in drive DF1: ! Because many AMIGA users today, work with two floppy drives, it seems much more efficient to infect disks in drive DF1:, than in drive DF0:. Many people work with their Workbench in drive unit 0 and insert new disks in drive DF1: - I think that was the reason for this changing ! The other part, which differs from the SADDAM virus is the destruction routine ! DiskVal1234 don`t code some OFS or FFS Datablocks, like the SADDAM virus, but it changes Datablocks, which begin with the cipher 8, whilst writing 1234 to Offset $5A and overwriting 66 times the code from Offset $64 with the assembly code $4E71 ( = nop ) ! Now, many program code will be lost at this position in such a Datablock and this is the reason therefore, that every program, which Datablocks was been overwritten by the DiskVal1234 virus, will cause Software Errors and GURU`s every time you run it !!! But you will get NO `read/write errors` on such a disk !!! I think, the DiskVal1234 virus will deceive you, that the program has some bugs, but that`s not true ! You could differ programs with real bugs from programs with DiskVal1234 damages, if you use a disk-monitor and checks these datablocks ... But the damages, caused by DiskVal1234, can`t be repaired by any program !!! AntiCicloVir only can liberate your system from this nasty one ... It will find and kill it on disk and in memory. This virus was send to me by Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark. Golden Rider This one represents a new generation of linkviruses. Because it does not copy itself as own hunk into an infected file like old linkviruses did it, but it looks for the first hunk of an executable program and adds itself on it. Golden Rider changes the last command of this hunk ( mostly $4E75 = `rts` ) to $4E71 ( `nop` ), which causes, that the processor thinks, if he run`s this code, that the first hunk of the program doesn`t end at this position. Behind this position can Golden Rider write his virus-code. Now, Golden Rider have to add it`s own length to the two length worths in the hunk-header and the link is complete ! Every time you start an so infected program the linkvirus can install itself in memory. But in not every cases must that work ! If Golden Rider hangs on a routine in the first hunk, which only will be called from the main-program, if an error was caused, then Golden Rider will probably never activated ... Golden Rider stands every time at $7C000 in memory and sets the vectors CoolCapture *, DoIO () & Open () to it`s own address. After you reboot, Golden Rider will waked up by jumping in CoolCapture * ! Now it sets DoIO () to it`s own address and waits so long, if it can open the dos.library and set Open () to it`s own address. If you insert a new disk Golden Rider tries to copy itself from memory into one file of this disk. If any program use Open () Golden Rider tries to infect new files, too. Golden Rider causes no damages and displays no alerts or so ... AntiCicloVir only can detect and kill this linkvirus in memory ! Gotcha Lamer This one is a 372 bytes long bomb, which will be installed by a program named MINIDEMO.EXE, which links Gotcha Lamer into the following commands on dh0: c/dir, c/run, c/cd, c/execute The bomb itself copies it into memory and sets DoIO () to it`s own address. After some time it destroys your disks and displays an alert ( ` HAHAHE ... Gotcha LAMER !!!` ) ! AntiCicloVir can kill this bomb in memory but I`m not sure, if it can kill it on hard-disk ... Therefore it can detect and kill the creater of Gotcha Lamer MINIDEMO.EXE ! Hochofen This is a 3000 Bytes long Linkvirus. Hochofen is not resident in memory and uses no system-vector ! That`s it, because it could work with KickStart V2.04, too. It infects every executable program, whilst writing an own hunk to the first position of this file. Then it calculates all hunk-worths (hunk-number,hunk-length, reloc-worths ...) and adds the rest of this file behind the new hunk. These linkvirus scans the whole directory for executable files and infects one after the other ... Hochofen can install an own task with the name `Greetings to Hochofen`. This task will offer you after some time a Requester with the message: `Fasten seat-belt` and draw the flag of the Federal Republic of Germany and play the hymn. This task can`t destroy anything and can`t spread the virus itself. If I tried to remove it, I will get at every time task held errors ... That`s the reason therefore, that AntiCicloVir can find this task and warn you, but not delete it ! AntiCicloVir can find Hochofen on disk, too, but not remove it from an infected file ! Please use another viruskiller or delete this infected file ! The linkvirus causes no damages, but it has a bug, which will destroy some files, because Hochofen don`t know all types of hunks ... If it didn`t know one hunk type, it could be, that it is then creating an erroneous hunk type ! This linkvirus I got from Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark. IRQ This famous old linkvirus was the first one on the AMIGA ! It looks in the startup-sequence for an executable file and tries to infect it. If it can`t find the startup-sequence it looks for the command DIR in the subdirectory :c and tries to infect it. IRQ extented a file to 1096 bytes. The linkvirus writes it`s own hunk at the first position into that file. Then it calculates all worths for a new hunk-header and the reloc-worths. If you start an infected program IRQ copies itself into memory and uses the residents by setting KickTagPtr * & KickCheckSum *. Further the virus sets the vector OldOpenLibrary () to it`s own address. Everytime when one program starts the routine OldOpenLibrary () the IRQ virus tries to infect the next disk. It`s harmless, but disturbing, because it prints the following text: `AmigaDOS presents a new virus by the IRQ-Team V41.0` This old linkvirus works only with KickStart V1.2 ! It makes no damges. AntiCicloVir can detect it on disk and in memory and kills it. JEFF Butonic V1.31 This filevirus stands every time as executable file on disk and will be called up from the `Startup-Sequence`. It copies itself into one place in CHIP-RAM and survives the reset via the residents by using KickTagPtr * & KickCheckSum *. Further the virus sets the vectors of DoIO () & $68 (Interrupt). This filevirus contains an illegal command, which never will be reached ! It cleares the vectors ColdCapture * & CoolCapture * and calculates a new ChkSum for ExecBase. After a reset, it can dislplay the following message about an Alert: `Einen wunderschoenen guten Tag I am JEFF - the new virus generation on Amiga * (w) by the genious BUTONIC dHV 1.31 /05.01.88 - Generation Nr. 00011 Greetings to Hackmack*,* Atlantic*, Wolfram, Frank, ... Miguel, Alex, Gerlach, and the whole Physik - LK from MPG !!` About DoIO () this virus can spread itself. It will infect every non-write-protected disk, which contains a `Startup-Sequence` ! It uses twelve different filenamenes to camouflage itself on disk ! The following entries we can find in the `Startup-Sequence`: - `AddBuffers 20` - `Add21K` - `Fault 106` - `break 1 D` - `changetaskpri 5` - `wait` - `Arthus` - `Helmar` - `Aloisius` - $A0A0A020 - $A020 - $2020 The filevirus can`t spread itself by using the filename $2020, because the AmigaDOS won`t start a file from `Startup-Sequence`, which name contains spaces ! If this JEFF virus has finished it`s spreading, it will jump to an absolute KickStart 1.2 ROM address from DoIO () ! That`s it, because it only works with KickStart 1.2 and causes under all higher systems Guru`s ! The virus checks the right address of it`s Kick pointer via using this vector, too. About the interrupt vector $68 it can show your some messages about the CLI title: - `Ich brauch jetzt`n Bier !` - `Stau auf Datenbus 128 bei Speicherkilometer 128 !` - `Mehr Buszyklen fuer den Prozessor !` - `Ein dreifach MITLEID fuer Atari ST !` - `BUTONIC !` - `Schon die Steinzeitmenschen benutzten MS-DOS ... einige sogar heut noch !` - `Schon mal den Sound von PS/2 gehoert ???` - `PC/XT - AT: Spendenkonto 004` - `Unabhaengigkeit & Selbstbestimmung fuer den Tastaturprozessor !` - `Paula meint, Agnus sei zu dick.` - `IBM PC/XT: Ein Fall fuer den Antiquitaetenhaendler ...` - `Sag mir, ob du Assembler kannst und ich sage dir wer du bist ...` Well, it jumps back from this routine to an absolut KS1.2 ROM address, too. It stands every time coded on disk, but it`s harmless, because it will make no damages. AntiCicloVir has to restore DoIO () & $68 and to clear the Kick pointer, to wipe it out from memory ... It can kill it on disk, too. JEFF Butonic V3.00 This 2916 bytes long filevirus stands as insible file with a name, which is called in hexadecimal $A0A0A0, in the root-directory of an infected disk. JEFF Butonic V3.00 writes his name in the startup-sequence. Whenever you run the startup-sequence the filevirus will be startetd and infects the memory of your AMIGA ! It uses the residents to survive the reset by setting KickTagPtr * & KickCheckSum *. The virus sets the vector DoIO () on it`s own address. Every time you boot or insert an non-write protected disk the filevirus copies itself from memory to the root-directory of that disk. JEFF Butonic V3.00 causes no damage, but prints some textes about the screen title ... About DoIO () the virus checks permanent the addresses of the Kick-pointers. A program named *JEFF* VIRUSKILLER creates this filevirus. AntiCicloVir can detect and kill this filevirus on disk and in memory. Lamer LoadWb This 4172 bytes long LoadWB command is a Trojan Horse, because it contains the old bootblock-virus LAMER Exterminator ! If you call this program, it installs the bootblock-virus in memory and then executes the LoadWb command ! The virus-oode of LAMER Exterminator stands uncoded in this Trojan Horse. AntiCicloVir detects Lamer LoadWB on disk and kills it. My linkviruskiller can recognize the bootblock-virus LAMER Exterminator in memory, too. Lamer VirusX This program with a lenght from 13192 bytes is a simulation of Steve Tibbett`s VirusX ! This Trojan Horse camouflages itself with the name VirusX 3.10. But it is not coded like the original VirusX and uses senseless devicename like `DF6:` oder `DF9:` ... This program can detect the following bootblock-viruses: Obelisk, North Star, SCA, Byte Bandit, Byte Warrior, Revenge, Pentagon-Slayer. Further it can detect the linkvirus IRQ. This is the one side ... But the other side is, that this program installs the bootblock-virus LAMER Exterminator X in memory. AntiCicloVir detects this Trojan Horse and kills it. It detect the bootblock-virus LAMER Exterminator X in memory, too. Liberator v1.21/3.0 This one can we not really name a virus, because it can`t spread itself. Liberator v1.21 is a form of filevirus with a length from 10936 Bytes. It works like Liberator v3.0, which has a length from 10712 Bytes ... Both fileviruses are beeing not resident in memory and can`t change any vectors ! That`s it, because they can work with KickStart V2.04, too. The Liberator viruses shall deceive the user by simulating a viruskiller: `Check Vectors rev.5.1 All Rights Reserved more TUPperware @ by Mike Hansell Reset vectors ok, Nothing resident, Trackdisk.device not intercepted, DoIO ok, VBlank ok, dos.library not intercepted. System appears to be free of viruses and trojans !` But in real, the virus copies itself onto the hard disk with the name `cv` and creats there a file named `.fastdir `. This file is a kind of copy-counter. Liberator can changes the `startup-sequence` of every hard disk ! It uses different patches for the four types of hard disks: DH0: execute s:startup-sequence 2 cv >NIL: endcli >NIL: DH2: LoadWb cv >NIL: EndCLI >NIL: DH3: LoadWB -debug cv >NIL: endcli >NIL: NIL: is a kind of device in which you can write everything, but AmigaDOS left all this datas ! The device NIL: could we call a `Data-Trashcan` ! Liberator writes in every `startup-sequence` behind his name `NIL:`, because it doesn`t want betray itself, while running this `startup-sequence` and showing the user that it stands on his hard disk ... Every time you run the `startup-sequence`, Liberator adds #1 to the worth in `.fastdir ` on hard disk. If the worth 100 is reached in `.fastdir `, the Liberator virus shows you the following message: `Congratulations your hard disk has been liberated of virus protection !! Hello from the liberator virus v3.0 - Digital Deviant The anti-anti-virus is here again ! Lets play trash the hard disk and ram the disk heads Only hardcore belgian rove can truely liberate the mind The liberator 15/01/92` Liberator v3.0 can`t cause any damage and can`t spread itself, but I think, it`s not very useful to have it on hard disk ... AntiCicloVir hopefully will it find on hard disk, too and deletes it ! Thanks Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark, from the SHI (Safe Hex International) for being the first one, who send this virus to me ! Liberator v5.01 The new Liberator filevirus has a length from 16924 bytes and infects not longer the hard disks, but your floopy disks ! It is not resident in memory, changes no vector and works therefore with KickStart V2.04, too. It shall deceive the user by printing the following text: `PV (Protect Vectors)v1.02 by Peter Stuer July 22, 1992 FREEWARE Reset vectors ok, Nothing resident, Trackdisk.device not intercepted, DoIO ok, VBlank ok, low interrupts ok, dos.library not intercepted. monitoring vectors ... Fully KickStartv2.xx compatible, stops all viruses, checks disk-validators. Use run to push this programm into background.` But in realetity copies the program itself by the name `:c/PV` to the floppy- drive DF1: and installs there the files `:c/run`, `:c/br` & `:c/sl.info `. `sl.info `is a kind of copy-counter ! While copying itself to drive DF1:, the virus will change the last letter of it`s filename ! That shall camouflage the virus. Liberator v5.01 changes the `startup-sequence`: br c:pe If the copy-counter in `sl.info ` has reached the worth 100, the following message will be displayed: `Congratulations this disk has been liberated of virus protection !! Hello from the Liberator virus v5.01 - Random Disaster The anti-anti virus is here again ! Lets play trash the hard disk and ram the disk heads The piracy curse Liberator V - The future is near. Look out for Liberator VI - The final nightmare ... coming soon from a lame swapper near you ! Respect to the virus masters Lamer Exterminator, Crime & Contrast. And remember - be excellent to each other ! The liberator 27/07/92 Virus Generation:` The Liberator v5.01 filevirus is harmless like the old Liberator viruses. It`ll never destroy disks or datas. But now, it can spread itself with above mentioned mechanism. AntiCicloVir can find and remove it from your disk. Thanks to Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark. LOOOOM This 1848 bytes long Disk-Validator-virus is only a simple mutation of the SADDAM virus ! If you want to know how this kind of viruses work, where they are to find in memory, what kind of damages they cause, how you could to get rid of it, I suggest you, to read the part about the SADDAM virus in this documentation. There are only two differences to the original SADDAM virus ! This virus now, contains another name : `LOOOOM VIRUS` for `SADDAM VIRUS` ! And it shall copy itself not on every disk, you insert into the internal drive, but on every disk, you insert into the external drive ! I got this one from Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark. MENEM`s REVENGE This 3076 Bytes long linkvirus is a new kind of this species like the Golden Rider virus. It copies itself into the CHIP-RAM, if you run an infected program. There will it change the address of the routine LoadSeg () to its own address and waits until you call up a program. If you start a program, MENEM`s REVENGE waits so long until you start another program and then it will infect the first program called up by yourself ! If that is beeing an executable file, it will look for the last assembly instruction $4E75 ( RTS ) and changes it to $4E71 ( NOP ). MENEMs REVENGE will copy its own viruscode behind this assembly instruction and adds the rest of the file behind itself. Then it adds its own length to the both length worths in the hunk-header of an infected file. MENEM`s REVENGE is harmless, because it can`t destroy disks or files ! But it can create an own task with the name ` `,0. This task displays after some time an Alert, which contains the following message: `MENEM`s REVENGE HAS ARRIVED !!! ARGENTINA IS STILL ALIVE` AntiCicloVir can kill this linkvirus in memory, but not find it in infected files ! I`ve got this one from Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark (SHI). NANO This program with a length from 1444 bytes is a classical filevirus ... It stands by the name $A0A0A0A0A0A0 invisible in the root-directory of an infected disk and has written it`s name in the startup-sequence. Whenever you run the startup-sequence NANO will run, too. It copies itself to $7C000 into memory and sets the vectors CoolCapture *, OldOpenLibrary () & SumKickData (). After six resets the filevirus draws the flag of the german federal republic. If any program uses OldOpenLibrary () NANO tries to copy itself from memory onto the new disk. After six copies NANO displays the following alert: ... another masterpiece by N A N O !!! GREETINGS TO: Byte Bandit, Byte Warrior, DEF JAM, DiskDoktors, FANTASY, Foundation For The Extermination Of Lamers, I.R.Q. Team, Obelisk Softworks Crew, S.C.A., UNIT A ... Every time a program tries to use SumKickData () NANO can check the vectors CoolCapture * & OldOpenLibrary () to set them again on the virus addresses, if someone had cleared them. NANO is harmless and causes no damages. AntiCicloVir have to reset OldOpenLibrary () & SumKickData () and to clear CoolCapture *. AntiCicloVir can kill NANO on disk, too. PP-BOMB This 71308 bytes long file is the orign version 3.0b of the `powerpacker. library` by Nico Francios. But a group called QUARTEX, I think has added a routine, which could be danger for your hard disk ! Because the PP-BOMB looks in dh0: & dh1: for the file `why`, tries to set it on zero, looks for AmiExpress & tries to patch it and looks for some other files ... PP-BOMB cannot copy itself onto another disk, is not resident in memory and sets no vectors. We needn`t to look in the memory after this bomb ! Check your sub-directory `LIBS` with AntiCicloVir for this bomb !!! QRDL1.1 The QRDL1.1 virus is a 2320 Bytes long linkvirus. I`m sorry, that I can`t analyze it, but it won`t work with KickStart 1.2 in memory. It is hanging around in memory via CoolCapture * and patches the vectors DoIO (), OpenLibrary () & OpenWindow () ! It infects an executable file, whilst installing an own hunk at the first position in this file and calculates the hunk-worths (hunk-number, hunk-length, reloc- worths ...). QRDL1.1 contains the following message: `(C)1992-04-16 QRDL. RELEASE 1.1 Born in Poland, Grt to Jack` This linkvirus is very dangerous, because it could destroy your datas ! It looks for the BitMap-Block of your disk and deallocates all used data- blocks !!! If that was happened, AmigaDOS won`t know longer, which datablocks are used and which datablocks are free !!! Now, if you save up a program on such a disk, it could be happened, that AmigaDOS writes the datas into datablocks, which will be used for another program ... You will get code from one program into another program and final the complete chaos on your disks ! AntiCicloVir only can detect the QRDL1.1-linkvirus on disk, but not remove it from an infected file. AntiCicloVir can`t detect QRDL1.1 in memory. Thanks must go to Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark, from the SHI ( Safe Hex International ) ! Red October 1.7 This linkvirus has a length from 1296 Bytes. It will not use any vector and don`t stand resident in memory ... That`s it, because it`ll work with KickStart V2.04, too ! I think, that this linkvirus was published as PD-software, because there exist the following DOC-File for it: `The Red October Virus 1.7 (901029) This virus program is for demonstration and testing purpose only. The Red October virus is a non-overwriting virus and was developed and tested under AmigaDOS 1.3. The following points influenced the development of the program: 1. The virus should infect other programs only when system clock seconds are evenly divisible by three. 2. All of the infected files should continue to work properly. 3. The manipulation task in the virus causes a system crash when the system clock seconds are 16, 32 or 48 (evenly divisible by sixteen). 4. The virus only infects files which are shorter than 50000 bytes in the current directory. Delete the virus and the infected programs on the computer when you are done. WORK WITH COPIES ONLY.` If you run an infected file, Red October comes in action. The linkvirus is working with the `timer.device` ! If you can divide the seconds through three, then Red October tries to increase. It reads the whole directory of your disk and tries to infect every executable file, it will find ! Red October installs an own hunk into this infected file and calculates the new hunk-table ( hunk-number, hunk-length, reloc-worths ... ) Because the linkvirus has a bug, it could be happened, that some infected files won`t work longer and causes Software Errors & GURU`s ... But you could repair this damages by yourself ( not by AntiCicloVir ), if you want get back this datas ! If you can divide the seconds through sixteen, then Red October 1.7 causes a reset. Well, AntiCicloVir can find Red October in infected files, but not remove them from this files ... I got this linkvirus from Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark (SHI). Return of the Lamer Exterminator This one is a complete new form of AMIGA virus. It`s called Disk-Validator virus, because it is using the mechanism of the Disk-Validator routine to increase ! This virus copies itself after every reboot over the original Disk-Validator in the subdirectory :L. Then it sets the BitMap-Pointer from the Root-Block to a senseless address on disk and causes so a Disk Validating Error. The Disk Validating Error will force AmigaDOS permanent to startup the Disk- Validator to create a provisional BitMap in memory, so that AmigaDOS can work with that disk. But that means, that every time you insert an infected disk, the Return of the Lamer Exterminator virus will automatic activate and can install itself in memory ... It`s resident in memory via KickTagPtr * & KickCheckSum * ! It sets many vectors ... BeginIO () from the trackdisk.device & I think, BeginIO () from the keyboard.device, too ! Because that, AntiCicloVir can only recognize that virus in memory, but not kill it ... On disk AntiCicloVir can recognize that virus, but must rename it ! It can`t kill it, because every time you insert an infected disk, Return of the Lamer Exterminator stands in memory. And even then, if this virus stands in memory, it opened the file Disk- Validator or uses a Write Lock on him. That means you can`t delete this file ! But if you rename :L/Disk-Validator to :L/LAMER-Virus - for example - it will not again started from AmigaDOS and can`t infect your memory ! After that your disk have a Disk Validating Error. That was the work of the virus ... To get rid of the Disk-Validating Error, you must boot from a disk, which contains the original Disk-Validator and then insert the disk with the Disk-Validating Error. Now the disk will be validate ... To get a valid BitMap you have to write or delete anything to/from this disk. Now the disk is health ! This virus is very malignant, because it can destroy your disks ! After some time it begins to look for some OFS or FFS data blocks on your disks & fills them with the word `LAMER!`. This destroys some of your files and causes read/write errors. But that`s not all ! The virus can destroy disks in all connected drives, whilst format them root- blocks !!! This disks are completely destroyed !!! Then it displays an alert: Return of the Lamer Exterminator You can health disks with read/write errors by using the command DISKDOCTOR. This virus will only work with KickStart V1.2/1.3. Revenge Of The LAMER Exterminator This filevirus exists in two variants: Revenge Of The LAMER Exterminator I & Revenge Of The LAMER Exterminator II From variant I exitsts two types ! I will mainly explain type 1 of variant I. The variants I+II stands as invisible file with the name $A0A0A0A0A0 in the root- directory. Type 2 of variant I camouflages itself as command DosSpeed ! But back to type 1 of variant I ! This virus writes it`s invisible name in the startup-sequence and will so every time you run the startup-sequence be started. To survive the reset it uses the residents and sets KickTagPtr * & KickCheckSum* But this virus sets a lot of other vectors more ... I don`t know them all and that`s the reason, why AntiCicloVir can`t kill it completely in memory ! AntiCicloVir offers you, that it had recognized this virus and cleared the Kick-pointer. If you really wont get rid of it, you have to make a reset !!! This virus is very malignant like Return of the Lamer Exterminator ! But I think, it have some errors. If it`ll started via startup-sequence, you get some problems with irregulare signs in the AmigaDOS window. It could happen, that you can`t find some subdirectorys on your disk, while working with the workbench and so on ... After eight minutes or four resets, begins the virus to destroy your disks. It formats the complete disk and displays a three page long alert: Revenge Of The LAMER Exterminator RED ALERT: It has come to my attention that the person using this computer is a LAMER (+) we the people , who are responsible for the "Revenge Of The LAMER Exterminator` Virus, believe that only intelligent folk are fit to use the AMIGA Personal Computer. Since you were apparently not smart enough to prevent infection of your computer and software by this virus ( You should have used a condom ), we must assume that you are a LAMER ( a.k.a. LOSER ) and therefore we had no alternative but to erase your floppy disk(s) in order to get your attention. - Press Any Mousebutton - We are eagerly looking forward to the first Amiga magazine that explains the inner workings of this brilliant ( at least we think so ) virus. However, we are not very confident, since the three versions of the original LAMER Exterminator virus have never really been analysed in any Amiga magazine. we have made this virus a little bit more aggressive so that more people will recognize it and hopefully will learn something as to overcome the dreadful disease of LAMERism By the way, the A in LAMER is pronounced like the A in DAY ( LAMER peolpe do not know proper English in our experience ) - Press Any Mousebutton - Signed Foundation for the Extermination of LAMERS. (++) (+) You can recognize a LAMER or LOSER as someone who can only use the Ctrl - Amiga - Amiga keys on his Amiga, and might even know how to load X-Copy ... (++) Due to the primitive and violent nature of some LAMERS, we have decided against revealing our real identies, so as to prevent unnecessary visits to the local hospital on our part ! Coming sonn to a theatre near you: +++ The Lamer Exterminator - A new Beginning +++ Rated PG - Press any Mousebutton to Continue Being a LAMER - AntiCicloVir can`t detect this virus on disk, if it stands in memory, because it manipulates the contens of some registers so, that no viruskiller will find this invisible file in the root-directory ! If you list the startup-sequence or if you list the root-directory, you will nowhere find the invisible $A0A0A0A0A0 because the virus in memory. Make also a reset and check your disks after removing Revenge Of The LAMER Exterminator from memory. RISC This here is only a mutation of the famous SADDAM-Disk-Validator-virus. If you want to know how this kind of viruses work, where they`re to find in memory, which damages they cause and how you could get rid of it, then I suggest you, to read the part about the SADDAM virus in my documentation ! There was no other patch found in this mutation, than the new virusname ... I`ve got this virus from Erik Loevendahl Soerensen, Snaphanevej 10, 4720 Praestoe, Denmark, from the Safe Hex International ( SHI ). SADDAM This one is called a Disk-Validator virus, because it uses the routine of a Disk-Validator for it`s own increase. SADDAM copies itself onto every disk you inserted or boot from and overwrites the original Disk-Validator in subdirectory :L ! If that disk doesn`t contain this SADDAM subdirectory creats it by itself this subdirectory ! It can infect every disk ! After that it sets the BitMap-pointer in the Root-Block to a senseless address, which will cause a Disk Validating Error ! This will force in later times AmigaDOS to startup the new Disk-Validator, which is in real the SADDAM virus ! Only to insert an infected disk reaches to get this virus in memory. It is resident via ColdCapture *. That means, that it`ll work with KickStart 1.3 too, if you make a reset without installing SetPatch r ! Because KickStart 1.3 has a bug in it`s system, will all other viruses wiped out from memory after a reset - not so the SADDAM virus !!! The virus sets the vectors BeginIO () & Close () from the trackdisk. device and comes so every time in action, if you insert a disk in your drive or if you boot from a disk or if you use in any other case the trackdisk.device ! Further the virus sets the vector of the Raster-Beam-interrupt on it`s own address ! Now, it can control permanent the right address of ColdCapture * and sets the vector again, if any other program had cleared it ! The SADDAM virus is very malignant and causes different damages !!! After a time it startes to look for some OFS or FFS data blocks gives them the name IRAK and coded the contents with a worth ! The programs standing in those data blocks won`t longer work and the disk get`s read/write errors ! Another damage has likeness with the virus Return of the Lamer Exterminator ! After a few time the virus startes to format disks in all connected drives ! This disks are completely destroyed !!! And shows you an alert: SADDAM Virus If AntiCicloVir finds the SADDAM virus in memory it sets the vectors Raster- Beam-interrupt, BeginIO () & Close () from the trackdisk.device on it`s ROM addresses and cleares ColdCapture * ! AntiCicloVir can kill the SADDAM virus on disk, but not repair the damages ! At first you have to correct the Disk Validating Error ! Please boot from one disk which contains the original Disk-Validator and insert after that the disk, with the Disk-Validating Error ! The original Disk-Validator creates a provisional BitMap in memory, so that AmigaDOS can work with those disk. To get a valid BitMap you have to write/delete anything to/from this disk ! If you want health a disk with SADDAM damage please use an universal virus- killer, which can check the blocks of a disk, too ! You must uncode the coded data blocks to get rid of the read/write errors ! But you can`t health disks, which the virus has formated ! I got this new virus from Gregory Sapsford, Fohlenkamp 33, W-4600 Dortmund 13, Germany. Smily Cancer I + II The Smily Cancer virus is a 3916 bytes long linkvirus. It infects the first executable program it finds in the startup-sequence ! Smily Cancer works like all old linkviruses ( IRQ, CCCP and so on ... ). It copies itself as first hunk into the infected file and calculates a new hunk-header for the reloc worths for memory position correction and something more ... Every time you run the startup-sequence or an infected program, the linkvirus jumps at an absolut position into memory. Smily Cancer is resident via using KickTagPtr * & KickCheckSum * ! For increasing it sets BeginIO () from the trackdisk.device on it`s own address. Further it set`s SumKickData () on it`s own address, to check the Kick-pointer, if any other program uses this routine and set them again on the virus address, if it had cleared them ! After twenty increasings becams the Mousepointer a yellow head and the following text will be offered to you: Hi There !!! A New Age In Virus Making Has Begun THANK TO US ... THANK TO: --- CENTURIONS --- AND WE HAVE THE PLEASURE TO INFORM YOU THAT SOME OF YOUR DISKS ARE INFECTED BY OUR FIRST MASTERPIECE CALLED: `THE SMILY CANCER` HAVE FUN LOOKING FOR IT ... AND STAY TUNED FOR OUR NEXT PRODUCTIONS. CENTURIONS: THE FUTURE IS NEAR ! The Smily Cancer linkvirus causes no damges. AntiCicloVir can detect & kill this virus in memory, and on disk in this version. But it can`t get them out of an infected file !!! Don`t use this file !!! Smily Cancer II is called a 4676 bytes long Trojan Horse, which camouflages itself as LoadWB command on disk. If you run this program it installs the linkvirus Smily Cancer in memory and executes after that the LoadWB routine ! AntiCicloVir can detect & kill this Trojan Horse ! Terrorists The Terrorists virus has a length from 1612 bytes and works like the BGS9 virus. This filevirus looks for the first executable program in the startup-sequence and copies it from it`s original place on disk to an invisible file in the root-directory, which is called in hexadecimal $A0202020A02020A020A0A0 ! Itself copies itself at the old position of the original program. If you now run the startup-sequence at first the Terrorists virus will be started and copies itself into memory and later the virus executes the invisible file, which is the original program. Terrorists uses the residents to survive the reset via KickMemPtr *, KickTagPtr * & KickCheckSum *. After every reset it sets the vector OpenWindow () to it`s own address in memory and tries to copy itself from memory to disk, if AmigaDOS startes the routine OpenWindow () to create the AmigaDOS window ! After that it sets the vector OpenWindow () to it`s ROM address ! After four resets it offers you the following message: THE NAME HAVE BEEN CHANGED TO PROTECT THE INNONCENT ... THE TERRORISTS HAVE YOU UNDER CONTROL EVERYTHING IS DESTROYED YOUR SYSTEM IS INFECTED THERE IS NO HOPE FOR BETTER TIMES THE FIRST TERRORISTS VIRUS !!! The Terrorists virus is very harmless and destroys nothing ! AntiCicloVir have to clear the Kick-pointer to wipe it out of memory. It can detect it on disk, too. T.F.C. Revenge LoadWb This one is a 2804 bytes long Trojan Horse, which is camouflaged as LoadWB command on every disk, it was installed. If you run it, it`ll install the bootblock-virus T.F.C. Revenge in memory, at two positions: $7F800 & $FF800 The T.F.C. Revenge virus is a mutation of the EXTREME virus ! After that it executes the LoadWB routine ! AntiCicloVir kills this Trojan Horse & the bootblock-virus in memory ! Traveling Jack 1+2 This both little linkvirus differs in some points from the most other linkviruses. If they infect one file they can use two different hunk-length to deceive viruskiller ! But these linkviruses can create an own file on disk too, which have the name: VIRUS.xy The variables x & y stands for hexadecimal ciphers, which will determined via $BFE001. This file hast a length from 198 bytes and contains the following text: The Traveling Jack ... I`m traveling from town to town looking for respect, and all the girls I could lay down make me go erect. - Jack, 21st of Semptember 1990 These linkviruses uses only one vector from the Dosbase-structure and is not resident ! They uses dl_A5 ( Offset $2E ), which contains datas from the addressregister A5 to buffer them. The Traveling Jack linkviruses causes no damage ! The two viruses differs only in a different routine for calculating the new hunk-length and in a different routine for coding the linkvirus on disk. AntiCicloVir can find both linkviruses on disk and in memory. Xeno This linkvirus has a length from 1124 bytes. It infects the first executable program, it finds in the startup-sequence. But it doesn`t infect every program. It looks only for programs, which have the following signs in it`s filename: 0-9, a-z, A-Z It doesn`t infect programs with special signs ! This linkvirus don`t increases the hunk-number ! Xeno isn`t resident and uses only three vectors from the dos.library: Open (), LoadSeg () & Lock () Every time you or a program open a file, you or the AmigaDOS loads a file to run it or you or AmigaDOS sets a Lock for a directory, the Xeno virus becomes lively and tries to infect a file. The Xeno virus can display the following message: Greetings Amiga user from the Xeno virus ! The Xeno virus makes no damage. If AntiCicloVir finds it in memory, it`ll set the vectors Open (), LoadSeg () & Lock () to their ROM addresses. In this version now, AntiCicloVir can find the `Xeno`-Linkvirus on disk, too ! Have a nice day !!! Matthias Gutt Kantstr. 16 W-2120 Lüneburg Germany