JAFVK.doc (Text File, 1990-05-16, 7KB, 159 lines)
Source: Amiga Collections: Taifun / Taifun 143 (1990-08-15)(Ossowski, Stefan)(DE)(PD).adf / SASTools / VirusTools / JAFVK.doc
Jörg Sixt
Tulpenstr. 2
8424 Saal/Donau
FRG
S I C K A M I G A S O F T
OFFICIAL DOCUMENTATION
Name     : JAFVK.asm (= Just Another Fucking Virus Killer)
Usage    : JAFVK
Version  : V3.00
Date     : 07.02.1990
Author   : Jörg Sixt
Purpose  : checks the reset vectors, finds the RLE virus and checks its own
           length to detect certain link viruses
Language : A68K V1.02, Blink V6.07 (all Fish 110)
Bugs     : - searches only the boot disk for RLE
I. DISTRIBUTION AND OTHER JURIDICAL KNICK-KNACKS
================================================
This software may not be used as a part of commercial products without
the permission of the author (hey, that's me!!). This material MUST be
copied (don't forget the documentation) and used by everyone.
This here is freeware: you needn't send me money (but you may if you've
got too much of these neat papers), but you MUST leave my name in the
programme, except if you produce a better version (but at least mention
me somewhere in the documentation then).
II. INTRODUCTION
================
I know, you'll say: "Not again! Just Another of these Fucking Virus
Killers". My answer: "Hey, you're a clairvoyant. How do you know the
name of my proggy?". No, no, don't quit. Come on, stay a while, perhaps
you need JAFVK after all.
Before I show you the functions of this new attack against viruses, let
me start with some theory:
Generally you can distinguish three types of virus:
1. bootblock virus
2. link virus
3. executable virus
Though there are still bootblock viruses on some users' disks, virus
family no. 1 is becoming more and more uninteresting and unimportant:
there are already lots and lots of bootblock-checking programmes like
VirusX around. Anyway, it's easy to get rid of them or to check for an
infection because bootblock viruses are always in the same place, i.e.
eh? eh? Yes! Right! On the bootblock. You're really intelligent,
aren't you!!
An exception is the "Lamer Exterminator". If you boot with a Lamer-
infected disk the virus will manipulate the system so that every
bootblock seems to be a normal one even if there's a virus or an intro on it.
The newest version of the Lamer Exterminator copies the previous
bootblock to blocks 1 and 2. Every operation on the bootblock is then
redirected to blocks 1 and 2.
A more dangerous species are the link viruses. Link viruses search
for suitable other programmes into which they build their code, so
if you call an infected programme you also activate the virus. A possible
method to free the Amiga from this plague would be the implementation of
a routine in every programme that checks the code's length and warns the
user if the code is longer than originally programmed. Known link viruses
on the AMIGA are e.g. IRQ or BGS.
The third group of virus is totally unknown, though it's the easiest way
to construct a virus. Executable viruses are simply normal programmes that
are called e.g. via the startup-sequence. The only virus of this type
I know is the "Revenge of the Lamer Exterminator" (= RLE).
Most viruses are reset-resistant. That means if you use CTRL-A-A or if a
guru appears the virus will not get killed like all other normal
programmes. To reach this effect the virus installs different pointers
within the execbase:
ColdCapture, CoolCapture, WarmCapture,
KickTagPtr, KickMemPtr, KickChecksum (= a checksum for the latter
two vectors).
Mostly, if one or more of these vectors aren't zero a virus is in your
system. BUT BE CAREFUL: "legal" programmes also use this way to make
themselves reset-resistant, e.g. vd0:, guardian, ...
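The reset-vector check described above, as an added example that is not JAFVK's own code: it reads the six ExecBase pointers from a memory snapshot (offsets from the standard ExecBase layout), reports the non-zero ones for the user to judge, and zeroes them the way JAFVK does when you answer "y". The ExecBase image is constructed here for demonstration.

```python
import struct

# Offsets of the reset-survival pointers inside ExecBase (exec.library base).
# The first three are the Capture vectors, the last three the KickTag/KickMem
# mechanism; these are the standard ExecBase offsets on a 68000 Amiga.
RESET_VECTORS = {
    "ColdCapture": 0x2A,
    "CoolCapture": 0x2E,
    "WarmCapture": 0x32,
    "KickMemPtr": 0x222,
    "KickTagPtr": 0x226,
    "KickCheckSum": 0x22A,
}
EXECBASE_SNAPSHOT_LEN = 0x22E  # enough bytes to cover every vector above


def read_reset_vectors(execbase: bytes) -> dict:
    """Return {name: value} for each vector, read as 32-bit big-endian (68000)."""
    if len(execbase) < EXECBASE_SNAPSHOT_LEN:
        raise ValueError("snapshot too short to contain the reset vectors")
    return {name: struct.unpack_from(">I", execbase, off)[0]
            for name, off in RESET_VECTORS.items()}


def suspicious_vectors(execbase: bytes) -> dict:
    """JAFVK's rule: any non-zero vector deserves a look (it may be legitimate)."""
    return {n: v for n, v in read_reset_vectors(execbase).items() if v}


def clear_reset_vectors(execbase: bytes) -> bytes:
    """What JAFVK does on 'y': zero every vector. Returns a new snapshot."""
    buf = bytearray(execbase)
    for off in RESET_VECTORS.values():
        struct.pack_into(">I", buf, off, 0)
    return bytes(buf)


def make_snapshot(**vectors) -> bytes:
    """Constructed ExecBase image for demonstration (all other fields zero)."""
    buf = bytearray(EXECBASE_SNAPSHOT_LEN)
    for name, value in vectors.items():
        struct.pack_into(">I", buf, RESET_VECTORS[name], value)
    return bytes(buf)


if __name__ == "__main__":
    clean = make_snapshot()
    resident = make_snapshot(CoolCapture=0x07F000, KickTagPtr=0x07F800)
    print("clean:", suspicious_vectors(clean))
    print("resident:", suspicious_vectors(resident))
```

A reset-resident RAM disk such as vd0: produces the same non-zero pointers as a virus, which is why the result is shown to the user rather than cleared automatically.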
III. FUNCTION
=============
Some of these reflections have now been put into JAFVK:
1. Vectors
----------
JAFVK prints the reset vectors I've already mentioned. If they are
all zero nothing special will happen. Otherwise JAFVK will ask you
whether you want to delete the pointers (press "y") or not (press
anything else).
2. Revenge of the Lamer Exterminator (=RLE)
-------------------------------------------
The RLE is an executable virus. First it writes the ASCII code $A0
5 times at the very beginning of the startup-sequence. These 5
$A0 are the name of the actual virus in the root directory of the
disk. JAFVK checks the startup-sequence for this code and if it has
found it, it will warn you.
(Information found in the German AMIGA-MAGAZIN. THANKS !!!)
KILL:
- Switch off your machine and reboot with a non-infected disk
- cd <infected disk>
- KillRLE
3. LINK-VIRUS-PROTECTION
------------------------
A very common way for link viruses to find suitable "host programmes"
is to take the first command in a startup-sequence (so an IRQ-infected
RLE would be possible) and to infect it. In my opinion future link
viruses will also use this algorithm.
If you put JAFVK at the top of the startup-sequence, a link virus that
may exist in your system would infect JAFVK. But JAFVK has got a
routine that checks its own length every time you start it. So if a
link virus infects JAFVK, JAFVK will immediately warn you. Pretty,
isn't it?
INSTALL:
If you want to use the third function as a part of your startup-
sequence you have to put the command at the very beginning of it.
In addition to that you have to put a copy of JAFVK in the c:
directory and put another copy of the code somewhere else, in case you
have to delete the infected JAFVK copy in the c: directory.
KILL:
Use other programmes like Zero-Virus or VirusX/kv if the virus is
already known. Otherwise send it to e.g. Steve Tibbett or any
other "virus hunter" (don't send it to me!!!).
WARNING:
If virus programmers find new ways of hiding link viruses this simple
mechanism might not work anymore. JAFVK is NOT the final protection
against link viruses. SO BEWARE !!
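Functions 2 and 3 above (the RLE marker test and the self-length check), as an added example that is not JAFVK's own code: the startup-sequence bytes, the root-directory names and the JAFVK image are all constructed here, and the expected length stands in for the constant JAFVK has compiled in. As the warning says, the length check only catches a link virus that makes the file grow.

```python
RLE_MARKER = b"\xa0" * 5  # the five $A0 bytes RLE writes at the head of s/startup-sequence


def rle_marker_present(startup_sequence: bytes) -> bool:
    """JAFVK's RLE test: does the startup-sequence begin with five $A0 bytes?"""
    return startup_sequence.startswith(RLE_MARKER)


def rle_name_in_root(root_entries) -> bool:
    """The same five bytes are the name of the virus file in the root directory."""
    return any(name == RLE_MARKER for name in root_entries)


def self_length_ok(image: bytes, expected_len: int) -> bool:
    """Link-virus guard: the on-disk length must equal the length compiled in.
    A virus that appends its code to the first startup-sequence command changes it."""
    return len(image) == expected_len


def scan_disk(root_entries, startup_sequence: bytes, jafvk_image: bytes,
              expected_len: int) -> list:
    """Run the checks and return the warnings JAFVK would print (empty = clean)."""
    warnings = []
    if rle_marker_present(startup_sequence):
        warnings.append("RLE marker at start of s/startup-sequence")
    if rle_name_in_root(root_entries):
        warnings.append("file named $A0$A0$A0$A0$A0 in root directory")
    if not self_length_ok(jafvk_image, expected_len):
        warnings.append(f"JAFVK length changed: {len(jafvk_image)} != {expected_len}")
    return warnings


if __name__ == "__main__":
    # Constructed sample data: a clean disk and the same disk after infection.
    clean_ss = b"c:JAFVK\nc:SetPatch\n"
    jafvk = bytes(range(256)) * 4          # 1024-byte stand-in for JAFVK
    print(scan_disk([b"c", b"s", b"JAFVK"], clean_ss, jafvk, 1024))
    infected_ss = RLE_MARKER + clean_ss     # RLE wrote its name at the top
    linked = jafvk + b"\x00" * 300          # a link virus grew the file
    print(scan_disk([RLE_MARKER, b"c", b"s"], infected_ss, linked, 1024))
```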
IV. THE FAMOUS LAST WORDS
=========================
Greetings to Charlie Gibbs, Brian R. Anderson, Software Distillery, all
people who hate me and of course to Fredl Fisch (= Bavarian
translation of Fred Fish - only valid if he puts these
programmes into his library), Mike Mehrl, Leo Schwab.
If you want to send me something neat.... I need:
money, more money, the latest version of a68k and blink, much more money,
records, CDs, disks, lots and lots of money and a Sun workstation.
Bugs, remarks, payments, bribery, improvements, better versions to:
Jörg Sixt
sick amiga software
Tulpenstr.2
8424 Saal/Donau
FRG
PS: Sorry for my bad English !!