- This is a very detailed (although stopping short of a disassembly, of course)
- description of the Thanatos Virus. It is strongly recommended reading, if only
- to give you a better understanding of how the virus operates.
-
- Thanatos Virus technical information
- ------------------------------------
-
- This is an encrypted (simple EOR with &7A, lower-case "z") BASIC program
- (crypted = 11756 (&2DEC) bytes long, TOP-PAGE of BASIC program = 7660 (&1DEC)
- bytes) called "RISCOSext" with a filetype of Absolute (yes, a very poor piece
- of ARM code decrypts and runs it and wastes nearly 4K of space between &8100
- and &9000 !). Associated with it is a Sprite file (actually of filetype Module)
- called "TaskAlloc", which is 344 bytes long containing a rude sprite to replace
- the mouse pointer.
-
- When run, it installs itself as a Wimp task named "Thanatos" and then looks
- for double-clicks to infect application directories (it copies the RISCOSext
- and TaskAlloc files into there and then appends the 'usual' string to the !Boot
- file to run RISCOSext).
-
- The nasty section of the Thanatos Virus REALLY IS nasty, so I urge you to
- study this carefully. Here's a list of things that can happen:
-
- Roughly once every 100000 times around the Wimp_Poll loop, Thanatos can:
-
- * 2 out of 13 chances: Shut down an icon bar application at random (whilst
- displaying its own icon bar icon during the shutdown).
-
- * 1 out of 13 chances: Cause a Desktop Quit.
-
- * 3 out of 13 chances: Reverse the mouse pointer step (sets it to -2).
-
- * 1 out of 13 chances: Crash the machine by poking a duff instruction at the
- start of memory.
-
- * 1 out of 13 chances: Randomise the 240 bytes of CMOS.
-
- * 4 out of 13 chances: Randomly display one of 8 very rude messages - one of
- which also changes the mouse pointer shape to a rude graphic and another
- will also shut down an icon bar application (the same routine as above).
-
- * 1 out of 13 chances: Wipe the contents of <Obey$Dir>.
-
- It also has a "special date" section as follows:
-
- Any Friday 13th: Advertises its own "virus killer" (from Armen Software).
-
- April 1st: 10 Address exception errors, followed by coloured rectangles and
- a 'stuck' mouse pointer for 10 seconds. An "April Fool" message is then
- displayed.
-
- December 25th: Destroys the disk map of ADFS drives 0, 4 and 5 followed by
- a "Merry Chrimble" message.
-
- October 31st: Formats the floppy in drive 0, followed by a "Spooky" message.
-
- January 1st: As December 25th, but followed by a New Year's Resolution
- message (to keep your disks write-protected :-( ).
-
- Killing the Thanatos Virus (which one ??)
- -----------------------------------------
-
- There appear to be *TWO* versions of the Thanatos Virus - one with debugging
- REM statements (usually with the string "*dbg*" in them) and one without.
- However, both appear to be identical in function, so I've treated them both
- as the same virus. To kill them, simply sending a Message_Quit to the Wimp Task
- isn't good enough (comes back with a rude message if you do). VKiller modifies
- the BASIC program ("in situ") to quit properly - after checking whether it is
- the 'debug' version or not.
-
- My copy of the Thanatos virus has a major fault - it uses the END=<expression>
- syntax to adjust BASIC's memory usage, but gives too low a value - hence it
- never runs properly (immediately crashes with "No room for this DIM" error).
- For purposes of testing, I boosted the END value (on the assumption that the
- virus author would eventually fix this mistake).
-
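The artefacts described above (the two file names and lengths, the !Boot reference, the EOR key and the "*dbg*" marker) are enough for a simple check over application directories copied to a host machine. This Python scanner is an added example, not part of VKiller or of the original text; the `,xxx` filetype suffixes, the sample tree and the `!Boot` line in it are constructed assumptions.

```python
import tempfile
from pathlib import Path

XOR_KEY = 0x7A        # page: "simple EOR with &7A"
PAYLOAD_SIZE = 11756  # page: crypted RISCOSext length (&2DEC)
SPRITE_SIZE = 344     # page: TaskAlloc length
# "*dbg*" as it would sit on disk, assuming REM text is EORed byte for byte
DBG_ON_DISK = bytes(b ^ XOR_KEY for b in b"*dbg*")

def scan_app(app_dir):
    """Return findings for one application directory, or None if nothing matches."""
    # Assumption: host copies may carry a ',xxx' filetype suffix; strip it.
    files = {p.name.split(",")[0]: p for p in Path(app_dir).iterdir() if p.is_file()}
    hits = {}
    for name, size in (("RISCOSext", PAYLOAD_SIZE), ("TaskAlloc", SPRITE_SIZE)):
        if name in files:
            data = files[name].read_bytes()
            hits[name] = "size match" if len(data) == size else "name only"
            if name == "RISCOSext":
                hits["variant"] = "debug" if DBG_ON_DISK in data else "non-debug"
    if "!Boot" in files and b"riscosext" in files["!Boot"].read_bytes().lower():
        hits["!Boot"] = "references RISCOSext"
    return hits or None

def scan_tree(root):
    """Scan every '!'-prefixed application directory under root."""
    apps = (p for p in Path(root).rglob("!*") if p.is_dir())
    return {p.name: f for p in apps if (f := scan_app(p))}

def put(path, data):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)

def demo():
    """Constructed sample: one clean app, one holding inert stand-in files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        put(root / "!Clean" / "!Boot,feb", b"IconSprites <Obey$Dir>.!Sprites\n")
        body = bytes(b ^ XOR_KEY for b in b"REM *dbg* stand-in text, not virus code")
        put(root / "!Edit2" / "RISCOSext,ff8", body.ljust(PAYLOAD_SIZE, b"\0"))
        put(root / "!Edit2" / "TaskAlloc,ffa", b"\0" * SPRITE_SIZE)
        # The page does not give the exact !Boot line; this one is made up.
        put(root / "!Edit2" / "!Boot,feb", b"Run <Obey$Dir>.RISCOSext\n")
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

A "name only" result means the file name matches but the length differs from the figures quoted above, so it needs a manual look rather than automatic removal.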
- Thanatos Virus Inoculation
- --------------------------
-
- Temporary inoculation can be achieved by setting Sys$Path to any value
- (VKiller's !Boot now does this), because this is checked by the Thanatos
- Virus to see if it is already present in the system. Permanent inoculation
- is not possible.
-