home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
ARM Club 3
/
TheARMClub_PDCD3.iso
/
hensa
/
virus
/
a112_1
/
AVRD182t
< prev
Wrap
Text File
|
1993-12-04
|
139KB
|
3,944 lines
This is the textual version of the AVRD. In order to minimise
editing overhead this version is now derived directly from the
source of the HyperText version. The derivation is performed
by a program, so the formatting may not always be perfect -
but we'd rather spend our time coding !Killer/!Scanner !
Ignore any references to clicking in specific places in the
document - this facility is only available in the HyperText
version.
###########################################################################
The Archimedes Virus Reference Document
---------------------------------------------------------------------------
Version 1.82h (4th Dec 1993)
Copyright © 1991, 1992, 1993 Tor O. Houghton and Alan Glover
This document is copyright. Profit based distribution (whether PD
or Shareware) without prior consent from the authors, is strictly
illegal. If in doubt, contact one of the authors. Note that this
version of !ClearView also has certain conditions upon its distribution.
This is the hypertext form of this document, using the Binary Star
!ClearView package. Click here (on the underlined word) for a brief
guide to using this software and details about obtaining enhanced
versions.
A full list of the contents, and an index of the viruses covered
in this edition of this document can be seen by clicking the 'index'
icon (the rightmost one), or the underlined word in this sentence.
###########################################################################
Abstract
---------------------------------------------------------------------------
As the number of people using the Acorn Archimedes range of computers
has increased over the years, so has the number of viruses.
This document contains the compiled information from various virus
researchers and their killers. In particular, it is (as the title
suggests) a compendium of the knowledge about viruses of Tor Houghton
and Alan Glover.
The purpose of this document is to give as many details as possible
on each virus known, and to assist those who think they might be
infected by a virus.
A dilemma occurred as this document took form. How much information
should be included? If we provided too much information, this document
could well become an effective "cookbook" for people wanting to write
a virus (and also be used by authors of anti-virus programs to claim
coverage of virus they've never seen based on the information here).
This is not our intention. The professionals and programmers who
read this will easily identify the missing or omitted information
because they already have this background knowledge - it is part
of the working tools of our profession.
The document is not intended to provide very detailed technical information
on a virus (although this may happen as a way of explaining it),
but to allow the reader to understand what the virus generally does,
what makes it activate and what it does upon activation. Most important,
however, it should help the user with the removal!
1.0 Introduction
---------------------------------------------------------------------------
A virus is nothing magical. Anyone with a bit of programming skills
and some knowledge about the machine's operating system is capable
of creating a virus. Usually these programmers think it is fun, they've
read too many cyberpunk books, or they are generally pitiful creatures
who like to inflict damage.
Final note: In spite of many journalist's secret wishes, a computer
virus cannot spread from one type of computer to another. For example,
a virus written on a PC running MS-DOS or Windows cannot infect the
Archimedes - in native mode. If you are using the PC emulator, a
virus functions perfectly under this environment too (probably with
a few exceptions due to the fact that there are about 1000 viruses
running under this particular operating system). The only area in
which some crossover is possible is hardware - if you have a DOS
virus which thrashes the floppy disc out of alignment, it will obviously
affect it when it is used normally!
1.1 Some Definitions
---------------------------------------------------------------------------
Connectivity: The level of ability a computer has to connect to other
computers. Nowadays it is very easy to, for example, phone a BBS
and download new software. The higher the level of connectivity,
the higher the level of possible exposure to computer viruses. The
same may also be considered true of other sources of software, such
as PD libraries.
Trojan Horse: This is a generic term (taken from Greek mythology)
for a penetration method that includes hidden code. An example of
this is the Link virus which, while being helpful in the ways of
converting backspace to delete, also launches a virus into your computer.
Virus: A computer virus can be defined as a malicious program capable
of replicating itself. See "A Computer Security Glossary for the
Advanced Practitioner" in the Computer Security Journal IV, No. 1,
1987 for a similar description. Please note that most computer viruses
on the Archimedes do nothing but replicate, although there are a
few exceptions. My own definition is 'a program which attempts to
replicate without the user's knowledge or consent and may perform
unauthorised actions'.
Worm: A computer program which moves through your computer system,
altering data as it copies itself and deleting the old copy. If a
worm reproduces it could also be called a virus. There are no reports
of worms on the Archimedes, mainly because it is such a closed system,
and would be detected much too easily to become a hazard. Networks
are more exposed to such nasties.
1.2 Entry Explanations
---------------------------------------------------------------------------
Name: The most common name of the virus. Often chosen because of
some text found in the virus, or like CeBIT, connected to some event
(the biggest computer show in Europe).
Aliases: Names which other anti-viral agent documents (usually brief
notes which are included with the program) use for the same virus.
This includes names that are commonly used by BBS users etc. Always
try to use the name used here for a given virus rather than any of
thealternative names.
Origin: The country where the virus seems to have originated from
(or at least, where it was isolated).
Isolation Date: The date (as detailed as possible) when the virus
was first found.
Effective Length: The length the virus occupies on the disc. The
actual length in memory may well be different.
Virus Type: Task refers to viruses written as a multitasking program
(i.e. appears on the Task Manager, with or without a task name).
Resident refers to viruses which, by reserving some memory, insert
themselves as a machine code program invisible to the task manager.
By monitoring certain interrupts the virus is able to spread. Also,
if the virus attaches itself to files, this is noted along with what
type of files it infects.
Symptoms: Odd behaviour which might occur if the virus is loaded.
This could be spurious crashes or files suddenly appearing (or disappearing!).
Take note that this has nothing to do with what the virus actually
does when it activates, as this will be detailed as extensively as
possible under the 'general comments' section.
Detection: Refers to anti-virus agents (complete with earliest version
number) which to our knowledge detects the virus. Please be so kind
as to update me on this, as I know there are several anti-virus programs
wandering around which I don't have! With the exception of Killer/VProtect
and Scanner/Interferon these comments are based solely on the documentation
provided with the programs - beware of claims to detect 'all known
viruses' when only a subset of those here are listed!
Removal: Refers either to programs which remove the virus from the
infected file (complete with earliest version number), or if possible,
which files to delete without destroying the program. Where it says
'Remove named file(s)', take note that if there is a !Boot file present,
be sure to check this too (i.e. with !Edit). In particular, never
assume that a Module may be RMKilled, or that an application task
may be Quit. It might disappear, but it may also set up a time bomb
with serious effects on the system.
As a rule, it is unwise to attempt to remove a virus from memory
yourself. However some anti-virus programs contain specific code
to detect and remove viruses which are present in memory. Where an
anti-virus program is known to be able to do this the program and
version is given. The criteria for this is that the anti-virus program
either neutralises or removes the virus from memory, leaving the
machine in a safe enough state for the anti-virus program to remove
the infection from your media. Even with this protection, you should
still do a CTRL-Reset as soon as possible after you have been infected.
General Comments: As detailed information about the virus as possible.
Also, if there are any mutated versions of the virus, these are detailed
here too, along with any relevant information. Please note that the
number after the virus name states how many bytes it occupies on
the disc.
Source: The person who provided the information about the virus concerned.
Where a name does not appear, it will probably have been written
by Tor Houghton or Alan Glover. In some cases, an acknowledgment
will be included to someone who has helped in the isolation or analysis
of the virus.
Sometimes square brackets ("[]") with a comment might appear. These
are our comments, and offer additional useful information which we
thought the original author left out.
###########################################################################
Virus index
---------------------------------------------------------------------------
Click on the virus name to find out more about it
Alien
Aprilfool
Archie FF8
Arcuebus
AxisHack
BBCEconet
Bigfoot
BooHoo
Breakfast
CeBIT
Code Sicarius
Diehard
Ebenezer
EMod
Ex_port
Extend
ExtendV2
FCodex
Funky
Garfield_I
Garfield_W
Handler
Icon * Icon-A, Filer, Poison, NewVirus, Wraith
Image
Image2
Increment
Irqfix
Link
Mode87
Module ModVir, Illegal
MonitorDat
MyMod Silicon Herpes
NetManager
NetStatus Boot
NewDesk
Parasite *
Penicillin *
Poltergeist
Runopt
Shy
Sprite *
SpriteUtils
T2 *
TaskManager
Terminator *
Thanatos * RISCOSExt
Traphandler
Valid
VanDamme
Vigay DataDQM, Shakes
Whoops
Wimpman
Viruses marked with an asterisk (*) carry malicious code (in the
case of Icon in the 2158 byte strain only). Any detection of one
of these viruses should be treated thus:
1) Perform a CTRL-RESET as soon as possible.To be safe, press F12
and type FX 200,3 beforehand. This should get the virus out of memory,
just leaving the storage media to be cleaned. Remember that infection
can be as easy as opening a filer viewer!
2) Load a virus killer, and check that the virus is not active. Some
virus killers (e.g. Pineapple's !Killer) are capable of removing
any resident virus, and withstanding infection attempts whilst doing
this. Bear in mind that not all anti-virus programs are intended
to start up in an environment where a virus is active.
3) Run the virus killer through the system, opening the minimum possible
number of filer windows. Obviously, if you keep your copy of the
virus killer on a write-protected floppy this is quite easy! Remember
to check removable discs too!
Please note that spurious resets and/or errors which occur are usually
the results of poor programming, and is therefore not considered
malicious (it merely depicts the programmer's skills - he should
have stuck to LOGO).
Although not usually marked as malicious, some viruses will cause
the !Boot of an application to be overwritten. This can cause things
which usually happen automatically (eg: locating !System) to fail.
###########################################################################
Alien
===========================================================================
Last Updated: 21st November 1993
Aliases:
Origin: United Kingdom
Isolation Date: November 1993
Effective Length: 7831 bytes
Virus Type: Resident application infector
Symptoms: Error messages from 'Alien'
---------------------------------------------------------------------------
Detection Media: Killer 1.511+ Memory: Killer 1.511+
VProtect 1.51+
Removal Media: Killer 1.511+ Memory: Killer 1.511+
---------------------------------------------------------------------------
General Comments:
Whilst this is quite definitely an Icon variant, it does have a number
of changes which make it rather different.
For starters, it has a choice of 22 names and 21 filetypes between
it chooses at random.
The filenames are: ProgInfo, Image, DiscInfo, Data, Options, Temp,
Data, data, Mod, Shit, Wanker, Boot, Mode, System, Dump, Remote,
Symbol, Script, Desk, Screen, Monitor and Resiter.
The filetypes are: FFD, FFA, FF8, FF4, FF2, FED, FEC, FEC, FEA, FE4,
FE3, FE2, FE9, FF5, FE1, FF3, AFF, AE9, FF0, FF6, FF7.
Practically all the textual commands within the program are expressed
as sequences of CHR$(nnn). Inevitably choosing such a long-winded
method has led to a number of typos and syntax errors in the expressions.
Given the variety of possible filenames, VProtect detects it only
as a Generic Icon virus.
As it stands, it is almost harmless - there are so many errors in
the text that few of its actions will actually work. However, its
replication works fine....
###########################################################################
Aprilfool
===========================================================================
Last Updated: 18th December 1992
Aliases:
Origin: United Kingdom
Isolation Date: December 1992
Effective Length: 1618 bytes
Virus Type: Resident application infector
Symptoms: RAM disc contains directory called 'Scrapheap'
---------------------------------------------------------------------------
Detection Media: Killer 1.383+ Memory: Killer 1.383+
Removal Media: Killer 1.383+ Memory: Killer 1.383+
---------------------------------------------------------------------------
General Comments:
This virus initialises as a desktop task called 'AprilFool'. It spreads
by saving a copy of the virus into the application being infected.
The file saved is BASIC., and called 'Virus'. It also renames the
current !Boot to BootBackup and saves a new !Boot file.
This may well cause great confusion, since any environmental variables
set up by the !Boot file normally won't be!
It holds copies of the virus and prototype !Boot file in the RAM
disc - so the virus will not even work if you have no RAM disc configured!
Aside from trying to infect applications, it will also delete !lemmings.LemBoot
whenever it is encountered.
On the 1st April it will bring up an error box from ADFS Filer saying
'April Fool'.
###########################################################################
Archie
===========================================================================
Last Updated: 24th November 1993
Aliases: FF8
Origin: United Kingdom
Isolation Date: 1988
Effective Length: 920 bytes
Virus Type: Resident Absolute (FF8) file infector.
Symptoms: May cause "Address exception" or "Undefined
instruction" errors. Absolute files will grow
in length.
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Interferon 2.00+
Scanner 1.02+ Killer 1.17+
Removal Media: Killer 1.17+ Memory: Killer 1.17+
---------------------------------------------------------------------------
General Comments:
This is a piece of ARM code that is appended to executables with
the Absolute (&FF8) filetype. It is 920 (&398) bytes long and has
a tell-tale 4-character string at the end of its code, "1210", which
is used as an "already-infected" flag. The first instruction of the
original executable is saved near the end of the virus code space
and is replaced by a branch to the first instruction of the Archie
virus code.
What Archievirus does when first run:
1.Attempts to infect executables (Absolute filetype) with the filespecs
"@.*" and "%.*". In other words, all executables in the current and
library directory are attacked.
2.Uses OS_File 36 as a "semaphore" to see if it is lodged in RMA.
If a call to OS_File 36 returns with an error, then it hasn't infected
the RMA yet, so it proceeds to claim 920 bytes of RMA, copy itself
into there and points a claim of the OS_File vector to its new RMA
location.
3.The time is checked to see if it is the 13th of the month. If so,
the code loops indefinitely, displaying the 45-character message
(in the virus, this message is EORed with &64, and is therefore
not easy to spot.):
Hehe...ArchieVirus strikes again...
4.Assuming it wasn't the 13th of the month (and NO, it doesn't check
for a Friday!), then the original first instruction of the executable
is replaced and the original normal code continues from &8000 onwards.
The OS_File vector claim is quite important, because this serves
two purposes:
a.It allows OS_File 36 to return without an error, signalling that
the RMA is already infected.
b.It checks for OS_Files 0 and 10 (Save memory to file), 11 (create
empty file) and 12,14,16 and 255 (Load file). If any of these are
encountered then an infection attack is activated (see step 1 above).
Update: Nov '93. A case was reported of Archie instead an untyped
file. It looks like it infected the file before its type was changed.
From version 1.512 Killer will check for this. The other difference
is that the routine responsible for displaying the message has been
replaced by calls to move the disc head back and forth until the
computer is reset.
(Source: Richard K. Lloyd)
###########################################################################
Arcuebus
===========================================================================
Last Updated: 25th October 1992
Aliases:
Origin: UK
Isolation Date: October 1992
Effective Length: 9619 bytes
Virus Type: Resident application infector
Symptoms: Extra module files appear in applications
---------------------------------------------------------------------------
Detection Media: Killer 1.381+ Memory: Killer 1.381+
VProtect 1.24+
Removal Media: Killer 1.381+ Memory: Killer 1.381+
---------------------------------------------------------------------------
General Comments:
This virus spreads as a module within applications. The module has
eight possible names: ProgUtil, Resource, InfoFile, SystemRS, ModularR,
PureMath, SoundMdl and GraphMdl. When loaded (from a !Boot file)
it installs itself as a NetStatus 3.07 (15 Sep 1988).
A quick check for this virus is to press <F12> and type 'Help Virus'.
The following text will be displayed:
Congratulations. Your system has the Arcuebus virus.
The following data may interest you:-
Virus generation number: Dnnn
This copy was born: <date/time>
At the same time a sound sample (loaded as a voice called Percussion-Bass)
is played. This says 'I am a servant of the <???>'. If anyone who
hears this has a good idea what the last word is - do tell us!
(Source: Paul Frohock)
###########################################################################
Axishack
===========================================================================
Last Updated: 13th September 1993
Aliases:
Origin: UK
Isolation Date: September 1993
Effective Length: 2189 bytes
Virus Type: Resident application infector
Symptoms: File called 'hack' appears in applications
---------------------------------------------------------------------------
Detection Media: Killer 1.501+ Memory: Killer 1.501+
VProtect 1.43+
Removal Media: Killer 1.501+ Memory: Killer 1.501+
---------------------------------------------------------------------------
General Comments:
This is a variant of Vigay which runs as a desktop task called Axis_Hack,
and triggers on Saturdays rather than Thursday. See the entry for
Vigay for more information.
###########################################################################
BBCEconet
===========================================================================
Last Updated: 29th June 1992
Aliases:
Origin: United Kingdom
Isolation Date: April 1992
Effective Length: 5280 bytes
Virus Type: Resident Absolute (FF8) file infector.
Symptoms: Module "BBCEconet 0.09" resident in RMA (&018xxxxx)
(see also Mode87!).
---------------------------------------------------------------------------
Detection Media: Killer 1.33+ Memory: Killer 1.33+
Scanner 1.33+ Interferon 2.12+
Scanner 1.34+
VProtect 1.15+
Removal Media: Killer 1.33+ Memory: Killer 1.33+
Scanner 1.34+
---------------------------------------------------------------------------
General Comments:
The action of this virus bears a marked similarity to Link, i.e.
it appends code to absolutes and uses a module to perform the infection
(in this case BBCEconet, which it installs).
As with Link, it attempts to infect %.Squeeze. However, both viruses
use the same check to see whether a file is infected so it is not
possible to have an absolute simultaneously infected by Link and
BBCEconet.
The majority of this virus is kept encrypted when it is not executing,
and it also encrypts a segment at the beginning of the absolute file.
The encryption key changes with each infection. In short, you need
dedicated software to remove it.
The datestamp will not change, and as with Link, it temporarily patches
Interferon to allow itself to infect without any alarms being given.
There are various date fired routines, outlined below.
Friday 13th:
It's Friday! Why are you working?
I first infected a commercial program with good help from
Dr. Blob.
Now you're infected too - and probably most of your penpals.
I've got more in store!
And... I've created XXXX copies of myself.
Good luck!
December 25th:
Merry Christmas!
April 1st:
E.T. phones home!
(It sends ATD 0749 679794 to the serial port, so if you have a Hayes
compatible modem connected, it will dial this number - a well-known
bulletin board service in Somerset.)
June 25th:
Ph'nglui mglw'nafh Chtulhu R'lyeh fthagn.
And... I've created XXXX copies of myself.
[The non-english part of this message was introduced by H.P. Lovecraft
in his short story The Call of Cthulhu, where it translates to "In
his house at R'lyeh, dead Cthulhu waits dreaming." Probably used
by the virus writer as proof that he has read this book.]
All of these messages will appear in an error box titled "Ouch! You've
been bitten!" It may also clear the screen and print the word "LOVE"
in mode 12.
(Source: Alan Glover)
###########################################################################
Bigfoot
===========================================================================
Last Updated: 11th September 1992
Aliases:
Origin: United Kingdom
Isolation Date: August 1992
Effective Length: 5535 or 5580 bytes
Virus Type: Task. Stores code as separate file.
Symptoms: Additional files with random names in capital
letters appear in applications
---------------------------------------------------------------------------
Detection Media: Killer 1.381+ Memory: Killer 1.381+
Scanner 1.47+ (5580 byte strain only?)
Removal Media: Killer 1.381+ Memory: Killer 1.381+
delete named file, remove line from !Boot.
---------------------------------------------------------------------------
General Comments:
This is a fairly simple BASIC program, which installs as a desktop
task called Bigfoot.
It has messages for certain dates, namely:
25 Dec:
Happy Christmas from BigFoot ... The VIRUS
05 Nov:
"Wizz Bang! Its Guyfalks night BigFoot Strikes again!
04 Jul:
"Hay there its the 4th of July ,American Independence! Best wishes
from BigFoot
15 Mar:
This is a HOLD UP! Give me all the PD software you can get,,, Or
you SYSTEM gets it!!! By the way its the end of the fishing season.
It infects by creating or modifying the !Boot file, using a random
name of 1-10 upper case characters. The virus is saved as a BASIC
file of the same name. However the BASIC itself always has REM>Bigfoot
on the first line.
Apart from spreading, it has no malicious code.
The 5535 byte version can not be Quitted from the Task Manager.
(Source: Alan Glover, with thanks to Paul Frohock and David Cox for
initial analysis)
###########################################################################
BooHoo
===========================================================================
Last Updated: 6th December 1992
Aliases:
Origin: UK
Isolation Date: December 1992
Effective Length: 1104 bytes
Virus Type: Resident module infector
Symptoms: Modules grown by 1104 bytes and are datestamped
---------------------------------------------------------------------------
Detection Media: Killer 1.382+ Memory: Killer 1.382+
VProtect 1.25+
Removal Media: Killer 1.382+ Memory: Killer 1.382+
---------------------------------------------------------------------------
General Comments:
Like Module, this virus operates by merging with relocatable modules.
However its infection method is somewhat more efficient than Module
with the result that it will probably spread faster when left unchecked.
Infected modules can be identified quickly by looking for the text
'VIRU' at the end of an infected module (this is the marker it uses
to avoid reinfection).
RMkilling an infected module will result in the message 'Wah, boo
hoo!", but the module (and the virus) will close down.
On the 23rd October initialising the virus will result in the message
'Happy Birthday!' being displayed.
The module also returns to SWI &98000, returning R0 pointing to 'I'm
alive and well, thank you!'.
(Source: Alan Glover, with thanks to Craig Murphy)
###########################################################################
Breakfast
===========================================================================
Last Updated: 21st January 1993
Aliases:
Origin: Belgium
Isolation Date: January 1993
Effective Length: 6688 bytes
Virus Type: Resident Absolute (FF8) file infector.
Symptoms: Module "BBCEconet 0.09" resident in RMA (&018xxxxx)
(see also BBCEconet & Mode87!).
---------------------------------------------------------------------------
Detection Media: Killer 1.391+ Memory: Killer 1.391+
VProtect 1.29+
Removal Media: Killer 1.391+ Memory: Killer 1.391+
---------------------------------------------------------------------------
General Comments:
The action of this virus bears a marked similarity to Link & BBCEconet,
i.e. it appends code to absolutes and uses a module to perform the
infection (in this case BBCEconet, which it installs).
As with Link, it attempts to infect %.Squeeze. However, both viruses
use the same check to see whether a file is infected so it is not
possible to have an absolute simultaneously infected by this virus
and Link/BBCEconet.
The majority of this virus is kept encrypted when it is not executing,
and it also encrypts a segment at the beginning of the absolute file.
The encryption key changes with each infection. In short, you need
dedicated software to remove it.
The datestamp will not change, and as with Link/BBCEconet, it temporarily
patches Interferon to allow itself to infect without any alarms being
given.
There are various date fired routines, outlined below.
Friday 13th:
Have a nice day. You have been infected by copy #
July 21st
Cheer up, the worst is yet to come. I think. You have been infected
by copy #
November 5th:
...Remember, Remember, the 5th of November - Gunpowder, Treason and
Plot... You have been infected by copy #
January 1st:
A contest of skill and cyberprank... Who can be the unspoken Maestro?
I know Dr. Blob is quite good, but can he dig this one? You have
been infected by copy #
April 1st:
<More details will be added when this routine has been analysed>
(Source: Alan Glover)
###########################################################################
CeBIT
===========================================================================
Last Updated: 21st April 1992
Aliases: Lord of Darkness, TlodMod
Origin: Germany
Isolation Date: March 1991
Effective Length: 1240 bytes
Virus Type: Resident !Boot file infector, stores code as
separate file.
Symptoms: File "TlodMod" in application directories.
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Interferon 2.00+
Scanner 1.23+ Killer 1.17+
VProtect 1.06+ Scanner 1.20+
Removal Media: Killer 1.17+ Memory: Killer 1.17+
delete named file, remove last line from !Boot.
---------------------------------------------------------------------------
General Comments:
This is a module called "TlodMod" with the following title string:
TlodMod 1.11 (11 Nov 1990) by Devil the LORD OF DARKNESS
It is 1240 (&4D8) bytes long and hooks itself into UpCallV. It then
activates once a minute and first checks for the existence of <Obey$Dir>.TlodMod.
If this already exists, then no further action is taken. If it doesn't,
however, it then attempts to append the following line to <Obey$Dir>.!Boot:
rme. TlodMod 0 rml. <Obey$Dir>.TlodMod
If it succeeds at this, a counter is incremented and the module is
replicated as <Obey$Dir>.TlodMod. Every 16th successful infection
will trip the virus into issuing a "*Wipe $.path.file*" (which will
inevitably fail!) and then displaying a message accompanied by a
simple graphic.
The message displayed is thus:
This is a warning to all Users,
I am back on the Archimedes ...
Your Archie is infected now and
with him most of your programms.
Don't worry, nothing is damaged,
but keep in mind the protection!
And always think about the other
side of THE LORD OF DARKNESS ...
Virus generation is <counter>
(Source: Richard K. Lloyd)
###########################################################################
Code
===========================================================================
Last Updated: 11th September 1992
Aliases:
Origin: UK
Isolation Date: June 1992
Effective Length: 2251 bytes
Virus Type: Resident !Boot file infector, stores code as
separate file.
Symptoms: File "Code" in application directories.
---------------------------------------------------------------------------
Detection Media: Killer 1.360+ Memory: Killer 1.360+
Scanner 1.42+ VProtect 1.17+
Removal Media: Killer 1.360+ Memory: Killer 1.360+
Scanner 1.42+
---------------------------------------------------------------------------
General Comments:
This virus installs itself as a desktop task called "Window Manager".
The 'Code' file is filetyped as &FF8, but is actually plain BASIC.
The virus can either extend a !Boot or create one - if one is created
it will be 44 bytes long.
The only effects from this virus will be the the loss of sprites
for some applications, since the !Boot file it creates does not contain
an IconSprites statement to load the sprites.
(Source: Alan Glover)
###########################################################################
Diehard
===========================================================================
Last Updated: 21st November 1993
Aliases: Icon (2173 byte)
Origin: UK
Isolation Date: October 1993
Effective Length: 2173 bytes
Virus Type: Resident !Boot file infector, stores code as
separate file.
Symptoms: File "Setup" in application directories
---------------------------------------------------------------------------
Detection Media: Killer 1.504+ Memory: Killer 1.504+
VProtect 1.49+
Removal Media: Killer 1.504+ Memory: Killer 1.504+
Scanner 1.42+
---------------------------------------------------------------------------
General Comments:
Strictly speaking, this is an Icon variant. Please see the entry
for it under the Icon section.
###########################################################################
Ebenezer
===========================================================================
Last Updated: 19th February 1993
Aliases:
Origin: United Kingdom
Isolation Date: February 1993
Effective Length: 2400 bytes
Virus Type: Resident task. Stores code as separate file.
Symptoms: File Run2 in application directory.
---------------------------------------------------------------------------
Detection Media: Killer 1.393+ Memory: Killer 1.393+
VProtect 1.31+
Removal Media: Killer 1.393+ Memory: Killer 1.393+
---------------------------------------------------------------------------
General Comments:
This is basically the Vigay virus, with amendments to the original
program to make it slightly different.
The changes are:
Triggers on Friday rather than Thursday
The virus is in a file called Run2
The desktop task is called "Filer" (which will show up as an application
task, not a module task like the real Filer).
###########################################################################
EMod
===========================================================================
Last Updated: 31st March 1993
Aliases:
Origin: United Kingdom
Isolation Date: March 1993
Effective Length: 1686 bytes
Virus Type: Resident task. Stores code as separate file.
Symptoms: Spurious files inside application directories
---------------------------------------------------------------------------
Detection Media: Killer 1.400+ Memory: Killer 1.400+
VProtect 1.33+
Removal Media: Killer 1.400+ Memory: Killer 1.400+
---------------------------------------------------------------------------
General Comments:
This virus is written in BASIC and uses an insertion in a !Boot file
to load itself, whereupon it initialises as an application task called
" ", which cannot be quitted from the Task Manager.
The virus has no malicious code, however its coding is such that
it may well generate errors whilst trying to infect something.
The virus code is stored in one of the following names, chosen at
random. If a file already exists with that name in the application
it will choose again.
!ReadMe (text),!Help (text),menus (text),Script (text),MemAlloc (module),!Run2
(obey),!RunImage (basic),messages (text),FPE (module),!Sprites23
(sprite),Windows (template),Templates (template),Scrap (data),KeyUtil
(utility),Chars (bbcfont),Font (font),Subscripts (absolute),Palette
(palette),Protect (module), WimpMan2 (module),Settings (data),Configure
(utility),init (utility),!RunImage2 (basic),Choices (data)
###########################################################################
Ex_port
===========================================================================
Last Updated: 6th December 1992
Aliases:
Origin: UK
Isolation Date: November 1992
Effective Length: 1282 bytes
Virus Type: Resident application infector
Symptoms: Modules grown by 1104 bytes and are datestamped
---------------------------------------------------------------------------
Detection Media: Killer 1.382+ Memory: Killer 1.382+
VProtect 1.25+
Removal Media: Killer 1.382+ Memory: Killer 1.382+
---------------------------------------------------------------------------
General Comments:
This is written in BASIC, and always has the filename Ex_port, though
the filetype maybe Sprite, Template, Text, Command, Data, Absolute,
Module, Font or BBCFont.
It installs itself as a nameless desktop task, so earlier versions
of !Killer may detect it as the Extend virus.
There are no messages or overtly malicious code, however its infection
technique can cause problems.
(Source: Alan Glover, with thanks to Toby Smith)
###########################################################################
Extend
===========================================================================
Last Updated: 21st November 1993
Aliases:
Origin: United Kingdom
Isolation Date: October 1990
Effective Length: 940 bytes
Virus Type: Resident task. Stores code as separate file.
Symptoms: File "MonitorRM", "CheckMod", "ExtendRM", "OSextend",
"ColourRM", "Fastmod", "CodeRM" or "MemRM" in
application directory. Each time the code is
executed it grabs 1k of RMA - this will eventually
lead to a system crash.
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Interferon 2.00+
VProtect 1.06+ Killer 1.17+
Hunter 1.00+ Scanner 1.20+
Scanner 1.36+
Removal Media: Killer 1.17+ Memory: Killer 1.17+
delete named file, remove extra lines from !Boot.
---------------------------------------------------------------------------
General Comments:
It's a module which can go under 8 different filenames (the name
is picked at random using the current time as a seed):
MonitorRM, CheckMod, ExtendRM, OSextend, ColourRM, Fastmod, CodeRM
or MemRM.
However, the module itself has the following title string:
Extend 1.56 (08 Jul 1989)
It is 940 (&3AC) bytes long and initialises itself as a nameless
Wimp task which then looks for Wimp Message 5 (double-click). It
attempts to either create an !Boot in the application directory or
append to an already existing one with the following lines:
IconSprites <Obey$Dir>.!Sprites [0D]
RMEnsure Extend 0 RMRun <Obey$Dir>.ModName [0D]
||[FF]
The "IconSprites" line is omitted if it is appended to an existing
!Boot. "ModName" is one of the 8 possible filenames. The Extend Virus
uses the &FF (i.e. decimal 255) byte at the end as a self-check to
see if has infected the !Boot file already. Of course, it copies
itself to the new name inside the application directory as you would
expect. Note the incorrect use of &0D (decimal 13) to terminate the
lines, rather than the more correct &0A (decimal 10).
A shift-double-click does NOT cause an infection, but it DOES claim
yet another 1K of never-to-be-released RMA.
There is no damage apart from the claiming of RMA (which will eventually
lead to a system crash).
Two variants have appeared during October/November 1993. Both are
malformed, so that the filenames have an additional character at
the beginning. Killer/VProtect are aware of both of these from version
1.511. One has the module name as HLCC12, the other as Ohshit.
(Source: Richard K. Lloyd)
###########################################################################
ExtendV2
===========================================================================
Last Updated: 16th January 1993
Aliases:
Origin: UK
Isolation Date: December 1992
Effective Length: 1878 bytes
Virus Type: Resident application infector
Symptoms: Module file called 'ExtendV2'
---------------------------------------------------------------------------
Detection Media: Killer 1.391+ Memory: Killer 1.391+
VProtect 1.27+
Removal Media: Killer 1.391+ Memory: Killer 1.391+
---------------------------------------------------------------------------
General Comments:
This is an Icon variant, but has its own entry because it inserts
a line in !Boot files saying 'Yes Extend Strikes Again !!!!'. It
is filetyped as a module, using the filename 'ExtendV2'.
###########################################################################
FCodex
===========================================================================
Last Updated: 16th May 1993
Aliases:
Origin: UK
Isolation Date: May 1993
Effective Length: 1994 bytes
Virus Type: Non-resident application infector
Symptoms: Absolute file called FCodex
---------------------------------------------------------------------------
Detection Media: Killer 1.405+ Memory: Killer 1.405+
VProtect 1.27+
Removal Media: Killer 1.405+ Memory: Killer 1.405+
---------------------------------------------------------------------------
General Comments:
This is a non-resident BASIC program which infects applications via
their !Run file (which should help to limit its spread somewhat).
This virus is capable of wiping the contents of a disc, so handle
with extreme care!
The message below is displayed when it completes wiping a disc:
HI! You have been virus
infected! Aren't you happy?
No! Well I've got more good
news, if you have a hard
disc then that is blank and
your floppy disc is blank
aswell, if it is not then
you had the disc read tab
on, LUCKY!! Bye for now....
###########################################################################
Funky
===========================================================================
Last Updated: 25th October 1992
Aliases:
Origin: UK
Isolation Date: October 1992
Effective Length: 1308 bytes
Virus Type: Resident application infector
Symptoms: Sprite file called 'Funky!', application task
called 'Window Dude'
---------------------------------------------------------------------------
Detection Media: Killer 1.381+ Memory: Killer 1.381+
VProtect 1.24+
Removal Media: Killer 1.381+ Memory: Killer 1.381+
---------------------------------------------------------------------------
General Comments:
In common with the Icon family, this is a BASIC program hidden under
a Sprite filetype. It initialises as a desktop task called 'Window
Dude' and infects by saving copies of itself and amending !Boot files.
(Source: Paul Frohock)
###########################################################################
Garfield_I
===========================================================================
Last updated: 11th September 1992
Aliases:
Origin: United Kingdom
Isolation Date: June 1992
Effective Length: 1640, not including the files "!Boot", "!Run"
and "!Sprites".
Virus Type: Resident application infector.
Symptoms: Directory "!Pic" with files "!Boot", "!Run",
"!Mod" (module) and "!Sprites". Recursive infections
possible.
---------------------------------------------------------------------------
Detection Media: Killer 1.362+ Memory: Killer 1.362+
Scanner 1.42+ VProtect 1.20+
Scanner 1.47+
Removal Media: Killer 1.362+ Memory: Killer 1.362+
Scanner 1.42+ Scanner 1.47+
---------------------------------------------------------------------------
General Comments:
Garfield_I is a resident virus, lodging itself in the RMA as a module
"IconManager". When active, it creates a directory inside an application
called "!Pic" with the files "!Boot", "!Run", "!Mod" and "!Sprites".
The virus code is contained in "!Mod". It then proceeds to add the
following lines to the infected application's "!Boot" file:
RMEnsure IconManager 1.27 <obey$dir>.!pic
Garfield_I uses the default Acorn sprite file sprite, so a casual
glimpse in an application folder will not reveal it unless you a)
use a different sprite for sprite files or you b) open the folder
with "full info".
It does not check for multiple infections. Infected applications
will, more often than not, contain "!Pic" directories inside "!Pic"
directories.
Garfield_I activates on the first Monday of any month, displaying
"The Garfield Virus is here to stay"
then repeatedly
"Don't you just hate Mondays?"
until the machine is reset or switched off.
(Source: Alan Glover)
###########################################################################
Garfield_W
===========================================================================
Last Updated: 11th September 1992
Aliases:
Origin: United Kingdom
Isolation Date: June 1992
Effective Length: 1480, not including the files "!Boot", "!Run"
and "!Sprites".
Virus Type: Resident application infector.
Symptoms: Directory "!Obey" with files "!Boot", "!Run",
"!Mod" (module) and "!Sprites". Recursive infections
possible.
---------------------------------------------------------------------------
Detection Media: Killer 1.360+ Memory: Killer 1.360+
Scanner 1.41+ Scanner 1.41+
VProtect 1.17+ Interferon 2.00+
Removal Media: Killer 1.360+ Memory: Killer 1.360+
Scanner 1.41+
---------------------------------------------------------------------------
General Comments:
Garfield_W is a resident virus, lodging itself in the RMA as a module
"WimpAIDS". When active, it creates a directory inside an application
called "!Obey" with the files "!Boot", "!Run", "!Mod" and "!Sprites".
The virus code is contained in "!Mod". It then proceeds to add the
following lines to the infected application's "!Boot" file:
<Obey$Dir>.!Obey
|Above line is inoculation for the wimp virus
Garfield_W uses the default Acorn Obey file sprite, so a casual glimpse
in an application folder will not reveal it unless you a) use a different
sprite for obey files or you b) open the folder with "full info".
Garfield_W does not check for multiple infections. Infected applications
will, more often than not, contain "!Obey" directories inside "!Obey"
directories.
Garfield_W activates on the first Monday of any month, displaying
"The Garfield Virus is here to stay"
then repeatedly
"Don't you just hate Mondays?"
until the machine is reset or switched off.
[ Note: Although both Garfield_I and Garfield_W call themselves Garfield,
and give the same message, we have given them separate entries since
certain items differ between them - notably application and module
names. ]
(Source: Alan Glover)
###########################################################################
Handler
===========================================================================
Last Updated: 25th October 1992
Aliases:
Origin: UK
Isolation Date: October 1992
Effective Length: 1532 bytes
Virus Type: Resident application infector
Symptoms: Desktop Task called 'Task Handler'.
---------------------------------------------------------------------------
Detection Media: Killer 1.381+ Memory: Killer 1.381+
VProtect 1.24+
Removal Media: Killer 1.381+ Memory: Killer 1.381+
---------------------------------------------------------------------------
General Comments:
This virus is loaded by a !run file, so is likely to spread slower
than most. It renames the original !Run file to Obey. The virus itself
is in an absolute called Handler.
It may display a message:
You have been infected with the Handler VIRUS
The Virus is just to see how good a program can infect
Sorry if it has up set you in any way, Thats about all i can
say!
Generation :
Press any key to change the channel.
(Source: Paul Frohock)
###########################################################################
Icon
===========================================================================
Last Updated: 4th December 1993
Aliases: Icon-A, Filer, Poison, NewVirus
Origin: United Kingdom
Isolation Date: 1990?
Effective Length: 5498 bytes in base version
Virus Type: Task. Stores code as separate file.
Symptoms: Nameless wimp task on the Task Manager (sometimes).
Silly error messages may appear without reason
(sometimes). See below for likely additional
files appearing inside applications
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Killer 1.17+
Scanner 1.32+ Scanner 1.32+
IVSearch 2.05+ (note 1)
VProtect 1.06+
Hunter 1.00+ (note 1)
Removal Media: Killer 1.17+ Memory: Killer 1.17+
delete named file, remove last line from !Boot.
---------------------------------------------------------------------------
General Comments:
The Icon virus family is a type of very contagious viruses. They
are harmless to that extent that they do not destroy files. However,
they are very annoying (although I must admit some of the messages
were quite amusing!). Common for all the viruses in the Icon family
is that the virus is an unnamed wimp task written in BASIC. It spreads
by adding a few lines to the !Boot file of an application (without
checking for multiple infections), and then saving the code as a
file as with filetype sprite.
<set the wimpslot>
BASIC -quit <obey$dir>.<virusfile>
The original virus displayed a stupid error message on start-up,
and then every so often after that. Commonly also called the Filer
virus as the error message header claims that it's from the Filer.
Here are a few examples of what type of error messages which might
appear:
".desreveR maertS tuptuO"
"This error should not occur."
"Previous error did not occur."
"Could not reach top of stack."
Known variant(s) of the Icon virus are:
Icon-1668
Filenames: !Runimage2, memaloc, mouserm, screen, prntdata, sys_pal,
new_arc, drawfile, oldboot, oldrun, template, bbc_data and hd_cat.
Squeezed BASIC version using various filenames/filetypes. No silly
messages.
(this strain added: 16th January 1993)
Icon-1687
Filename: Icon
No other effects.
Icon-1988
Filename: YUKOHNO!, no filetype.
Icon-1992
Filename: Wraith
Icon-2096
Filename: Poison
Random error code replaced with a *I am stuck - which might log the
user on to a network if they're very unfortunate!
Icon-2120
Filename: OldCMOS
Icon-2158
Filename: Spr
This one is nasty! Aside from usual Icon tricks it *replaces* the
!Run file of an application with a command to format drive 0, so
running the application will format the disc (... that it is on,
in the worst case).
Icon-2173
Filename: Setup (filetype Data)
Versions of VProtect before 1.46 will not detect this virus, allowing
it to remove VProtect and delete <Killer$dir>. Aside from this anti-social
behaviour it is unremarkable.
Icon-2285
Filename: !Spritey (untyped)
Unremarkable.
Icon-2616
Filename: Icon
No silly messages from this version - also has the name of the person
who modified it (yes, the UK Computer Crimes Unit have acted on
this!).
Icon-2622
Filename: Wright
Icon-2631
Filename: Splodge
Identical to 2616, except the change of name.
Icon-2651
Filename:Options, desktop task called Options. No malicious code.
Icon-2696
Filename:wallace, filetype module. Otherwise as 2616.
Icon-2963
Can use one of the following names. Produces messages on Fri 13th
& 5th November: AnimMod, FCoreFix, Modes, Overscan, Monitor, 3dIcons,
ScrapMod, SysMod, Patch, Padfile, Compact, UtilMod, FreeMem, Graphics,
Music, Support, WimpIcons, Taxan, Cambridge, VigayMod, SmiggyMod,
ASCIIConv, StripLine, Redirect.
Icon-3077
Filenames and filetype chosen at random from:
Filenames:
Anim,FCoreFix,Modes,OverDo,Monitor,3dIcons,Scrap,Sys,Patch,Padfile,Compact,Util,FreeMem,GraTask,Music,Support,WimpIcons,TaxMontr,
Script,Preview,Reloc,Runtime,StripLine,ErrorGen,CLib,ABCLib,FPEmulator,Colours
Icon-4508
Filename: Code 32, filetype Data. May cause unexpected colour changes
in the desktop.
Icon-5498
Filename: Icon, though the in-core name is 'Extra'.
Does have silly messages.
Icon-5574
Filename: Icon
As 5498 with missing Hourglass_On call added. Silly message less
likely to appear when it is loaded.
Icon-5737
Filename: NewVirus
As 5574, but with a three-key sequence to exit the program. High
likelihood of a silly error at startup. Insignificant changes to
!Boot save routine.
Icon-5742
Filename: Icon
Bugfix of 5737. Less likely to give silly errors when loaded.
(Source: Alan Glover)
###########################################################################
Image
===========================================================================
Last Updated: 21st April 1992
Aliases:
Origin: Northern Ireland ?
Isolation Date: Jan. 1992 by Svlad Cjelli
Effective Length: 512 bytes
Virus Type: Resident, although not in RMA
Symptoms: Files "Image" and "!Spr" in application directories.
The file "image" has no filetype, but !Spr has
the type Obey.
---------------------------------------------------------------------------
Detection Media: Killer 1.26+ Memory: Killer 1.26+
Scanner 1.13+
VProtect 1.07+
Removal Media: Killer 1.26+ Memory: Killer 1.26+
Scanner 1.15+
delete "Image". If there is a "!Spr" file, delete
!Run and rename !Spr as !Run, otherwise delete
!Boot.
---------------------------------------------------------------------------
General Comments:
This virus carries no payload, but spreads VERY fast, to the extent
that you can delete the file, only to see it instantly re-appear
again if it is in memory!
It loads its code into the OS workspace, at &5500, it is therefore
liable to crash the machine should the OS use that area of workspace.
The !Run or !Boot file looks like this:
LOAD <OBEY$DIR>.IMAGE 5500[0d]GO 5500[0d]
Its action on infection is to save <Obey$Dir>.Image, and then either
to create a !Boot file if one does not exist, or if it does, rename
the !Run file to !Spr and then create a new !Run file.
(Sources: Alan Glover, Svlad Cjelli)
###########################################################################
Image2
===========================================================================
Last Updated: 29th October 1993
Aliases:
Origin:
Isolation Date: October 1993
Effective Length: 320
Virus Type: Resident in RMA
Symptoms: Files "Image" and "!BootFAT" in application
directories. The file "image" has filetype &FFC,
but !Spr has the type Obey.
---------------------------------------------------------------------------
Detection Media: Killer 1.509+ Memory: Killer 1.509+
VProtect 1.50+
Removal Media: Killer 1.509+ Memory: Killer 1.509+
---------------------------------------------------------------------------
General Comments:
This virus carries no payload, but spreads VERY fast, to the extent
that you can delete the file, only to see it instantly re-appear
again if it is in memory!
It loads its code into the RMA, but will not appear as a module of
any sort.
Its action on infection is to save <Obey$Dir>.Image, and then either
to create a !Boot file if one does not exist, or if it does, rename
the !Run file to !BootFat.
###########################################################################
Increment
===========================================================================
Last Updated: 18th September 1992
Aliases:
Origin: UK, Cornwall ?
Isolation Date: September 1992
Effective Length: 464 bytes
Virus Type: Resident
Symptoms: CMOS configuration settings seem to change randomly
---------------------------------------------------------------------------
Detection Media: Killer 1.375+ Memory: Killer 1.375+
Scanner 1.49+ Scanner 1.49+
VProtect 1.23+
Removal Media: Killer 1.375+ Memory: Killer 1.375+
---------------------------------------------------------------------------
General Comments:
The virus appends itself to existing !boot files. The virus may not
be immediately obvious when an infected !boot file is viewed in !Edit
because it inserts 28 or more line feeds between the legitimate file
and the viral appendage. However CTRL-Down Arrow will move down to
the bottom of the file and expose the telltale signs of a machine
code appendage on the end of the file.
On each infection the virus will increment a CMOS RAM location -
the location is incremented too on each infection with the effect
of seemingly random problems appearing (including ROM modules becoming
unplugged for example).
(Source: Alan Glover, with thanks to Lee Davies)
###########################################################################
Irqfix
===========================================================================
Last Updated: 14th September 1992
Aliases:
Origin: United Kingdom
Isolation Date: September 1992
Effective Length: 940 bytes
Virus Type: Resident task. Stores code as separate file.
Symptoms: File "RiscExtRM", "WimpPoll", "OSSystem", "MiscUtil",
"FastRom", "IRQFix" or "AppRM" in application
directory. Each time the code is executed it
grabs 1k of RMA - this will eventually lead to
a system crash.
---------------------------------------------------------------------------
Detection Media: Killer 1.374+ Memory: Killer 1.374+
Scanner 1.48+ Scanner 1.48+
VProtect 1.22+
Removal Media: Killer 1.374+ Memory: Killer 1.374+
Scanner 1.48+
delete named file, remove extra lines from !Boot.
---------------------------------------------------------------------------
General Comments:
This is a variant of Extend which uses IRQFix as the module name,
and different filenames. In all other respects the code is identical
to Extend.
(Source: Alan Glover, with thanks to Alex Belton)
###########################################################################
Link
===========================================================================
Last Updated: 21st April 1992
Aliases:
Origin: United Kingdom
Isolation Date: January 10th, 1992
Effective Length: 1416 bytes
Virus Type: Resident Absolute file infector. Also a Trojan
Horse.
Symptoms: Module 'BSToDel' in module list. Files are re-stamped.
---------------------------------------------------------------------------
Detection Media: Killer 1.27+ Memory: Interferon 2.10+
Scanner 1.03+ Killer 1.27+
Hunter 1.16+ Hunter 1.16+
Scanner 1.20+
Removal Media: Killer 1.27+ Memory: Killer 1.27+
Hunter 1.16+ Inteferon 2.10+
Scanner 1.20+ Hunter 1.16+
Scanner 1.20+
---------------------------------------------------------------------------
General Comments:
The reason why I found the Link virus was because of the module 'BSToDel'
appearing in the module list. Also, suddenly Killer 1.17 didn't work
(It gave an "Integrity check failed" and refused to load)! As I already
have made my own 'backspace to delete' utility as a module, I wondered
where that module came from! (It certainly wasn't as a separate module
on the disc.)
Before installing itself as a module, it infects %.Squeeze (if there
is a library directory, and if Squeeze is indeed in it) - just in
case there wasn't enough room in the RMA. Then it hooks onto the
FSControlV and InsV vectors. The latter so that it can do what the
module title expects it to do: convert backspace (&08) to delete
(&7F) (the reason why I also typed it as a Trojan Horse).
The FSControl vector is used so that it can look for certain actions
- namely *Run and *Copy. When it detects one of these, it does the
following.
Replaces the first three instructions in the file with its own, making
an absolute branch to the end of the file. The rest of the module
is then stored here, with the original three instructions too. To
make
detection a bit more difficult, it encrypts itself with an EOR variant
(different key each time).
On any Friday the 13th, it will display the message
Message from LINK: Active since 30-Nov-91
every time it infects a program. [As Alan pointed out, this date
is fixed, so meaning that it bears no relationship to the time which
a system became infected.]
The virus does no damage apart from attaching itself to files. Files
infected by the Link virus are re-stamped to the date they were infected.
Also, at the end of the module (and effectively each infected file
- although encrypted) the word 'LINK' appears. I first thought this
was used as an 'already infected' flag, but this is not so. What
it does is check the second instruction in the file, and if this
is 'MOV PC,R0' (probably reckons that few programs have this as their
second instruction) it recognizes it as infected. If not, the file
is infected. This method of checking the file might add to the difficulty
of making an inoculator.
Why didn't Interferon detect this virus?
At first, I thought that there might be a bug in Interferon, but
as I found out, the Link virus checks to see if Interferon is in
memory by using OS_Module 18 (look-up module name). By doing this,
it also finds where the module code is. Then, it changes a CMP instruction
within the code so that Interferon never detects OS_GBPB. After the
infection is finished, the Link virus changes the code back to what
it was. [I'm working on a CRC routine for a future version of Interferon
at the moment, so Interferon should be 100% operational 'real soon
now'.]
###########################################################################
Mode87
===========================================================================
Last Updated: 11th September 1992
Aliases:
Origin: Unknown. UK?
Isolation Date: Unknown - possibly autumn 1991
Effective Length: 848 bytes
Virus Type: Resident !Boot file infector.
Symptoms: Module 'Mode87' in application directories.
---------------------------------------------------------------------------
Detection Media: Killer 1.360+ Memory: Killer 1.360+
Scanner 1.41+ Interferon 1.10+
VProtect 1.17+
Removal Media: Killer 1.360+ Memory: Killer 1.360+
Scanner 1.41+
---------------------------------------------------------------------------
General Comments:
Mode87 installs itself in the RMA as "BBCEconet". The way to tell
the difference from this and the original Acorn network module, is
that the address of where the module lies is at &01xxxxxx instead
of a ROM address (&03xxxxxx) by typing *Modules. If Acorn's original
module is not *Unplugged, it will install itself on top of this,
and not easily seen in the module list.
Mode87 is not malevolent. Although it destroys the original !Boot
file of an application, it is not treated as a virus with serious
damage potential. Mode87 simply overwrites any !Boot file already
there (and if there isn't one, it creates a new one) with:
| Boot file
IconSprites <Obey$Dir>.!Sprites
RMLoad <Obey$Dir>.Mode87
Then it proceeds to save itself as a module with the filename "Mode87".
If it has reached an infection count of 256, an expanding circle
(black, if you are using the standard desktop palette) will "eat"
your screen. Control will then return to normal.
Mode87 releases its vector claim on OS_FSControl, so it is quite
safe to *RMKill it.
(Source: Tor Houghton)
###########################################################################
Module
===========================================================================
Last Updated: 11th September 1992
Aliases: Illegal, ModVir
Origin: Unknown
Isolation Date: October 1991
Effective Length: 956 bytes
Virus Type: Resident module infector.
Symptoms: Modules grow by approx. 1k, and are re-datestamped.
May cause system crashes when accessing files
(load, save, etc.
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Interferon 2.00+
Hunter 1.00+ Killer 1.17+
Scanner 1.14+ Hunter 1.00+
VProtect 1.10+
Removal Media: Killer 1.26+ Memory: Killer 1.26+
Hunter 1.00+ Hunter 1.00+
Scanner 1.46+
---------------------------------------------------------------------------
General Comments:
This is a very nicely written virus which appends itself to modules,
redirecting three module entry points to pass through itself before
being handed on to the module's original entry point. It spreads
by infecting a module as it is loaded, and then the newly loaded
module infects the next one loaded, and so on...
This virus is likely to be very widespread, since it was distributed
on the Archimedes World February 1992 cover disc in the MicroDrive
demo (in it, several modules were infected). It does nothing until
6th September 1992, when it will display the message:
Your computer has been virus infected. This is intended to be a friendly
virus, and hasn't done any damage to your disc as is possible now,
but it isn't active anymore from now on. Be more careful with illegal
software next time!
[Along with a generation counter. Another interesting observation
is that it does not infect locked modules. Infects whenever it notices
a RUN or LOAD action on a module. As a result, THIS VIRUS IS EXTREMELY
CONTAGIOUS.]
The message that it isn't active anymore is not true! It ALWAYS (even
after 06-Sep-1992) attaches itself to the OS_File (FileV) vector.
The virus first calls the previous owner of the OS_File vector (FileSwitch?).
This means that the module will be loaded and initialised. If the
length of the module minus the initialise word of the module is equal
to 956 (i.e. the length of the virus), then the module is already
infected and the virus deactivates itself (the newly loaded module
has already attached itself to the OS_File vector). If the module
isn't infected, the virus attaches itself at the end of the module,
overwriting the init/final/service words in the module header, preserving
the original 3 words.
(Source: Alan Glover, Michel Fasen)
###########################################################################
MonitorDat
===========================================================================
Last Updated: 24th November 1993
Aliases:
Origin: United Kingdom
Isolation Date: November 1993
Effective Length: 2355 bytes
Virus Type: Resident task. Stores code as separate file.
Symptoms: File MonitorDat in application directory.
---------------------------------------------------------------------------
Detection Media: Killer 1.512+ Memory: Killer 1.512+
VProtect 1.52+
Removal Media: Killer 1.512+ Memory: Killer 1.512+
---------------------------------------------------------------------------
General Comments:
This is basically the Vigay virus, with amendments to the original
program to make it slightly different.
The changes are:
Triggers on Monday rather than Thursday
The virus is in a file called MonitorDat
###########################################################################
MyMod
===========================================================================
Last Updated: 21st April 1992
Aliases: Silicon Herpes
Origin: United Kingdom
Isolation Date: June-August 1991
Effective Length: 2948 bytes
Virus Type: Resident
Symptoms: Additional files "SSLM" (filetype Module) and
"SSLF" in application directories. Message on
every Friday the 13th. Module "MyMod" in module
list.
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Interferon 2.00+
Scanner 1.15+ Killer 1.17+
VProtect 1.10+ Scanner 1.20+
Hunter 1.16+ Hunter 1.16+
Removal Media: Killer 1.17+ Memory: Killer 1.17+
Scanner 1.16+ Hunter 1.16+
Interferon 2.10+
Scanner 1.20+
delete "SSLM", rename "SSLF" to !Boot.
---------------------------------------------------------------------------
General Comments:
This works by redirecting the Alias$@RunType for Obey files, so spreads
very fast.
Once on each Friday 13th you'll get this message:
Hi there. It's me, with my latest addition to the ARCHIMEDIES range
of computer programs. This one's called silicon herpes. It's annoying
but DOES NO REAL DAMAGE!!!
Anyway, it's Friday the 13th, and what can you expect. Acorn state
that RISC OS has high protection against programs of this nature.
I can't call it a virus, as a virus does damage
With Acorn making these bold statements about RISC OS I decided to
write a demonstration to disprove their theories. I must admit
though, it was quite difficult.
Anyway, I don't want to keep you so I'd like to say, have a very
happy Christmas, Easter, Summer or what ever, and hang kickin
There's a likelihood of various spurious errors from one of the variants
(both are the same length) since it addresses application memory
directly!
(Source: Alan Glover)
###########################################################################
NetManager
===========================================================================
Last Updated: 11th September 1992
Aliases:
Origin: United Kingdom
Isolation Date: June-August 1991
Effective Length: 900 bytes
Virus Type: Resident !Boot file infector
Symptoms: Module 'NetManager' in module list.
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Interferon 2.00+
VProtect 1.10+ Killer 1.17+
Scanner 1.40+ Scanner 1.20+
Removal Media: Killer 1.17+ Memory: Killer 1.17
Scanner 1.40+ Scanner 1.20+
Interferon 2.10+
delete !Boot. RMKill NetManager
---------------------------------------------------------------------------
General Comments:
I believe this to be the prototype for, or maybe the inspiration
for, the TrapHandler virus. Although the coding is quite different
in places, there's quite a similarity in the design.
There are a number of coding errors in the virus, most notably around
the time bomb area, making it harmless in this form. The intention
of the code is to check for Friday 13th, and display a message, however
it will never detonate (... unless there's a fixed version in circulation
... though that's what I believe TrapHandler is). It's fortunate
that it never displays the message, because there's another coding
error and the message isn't actually there!
(Source: Alan Glover)
###########################################################################
NetStatus
===========================================================================
Last Updated: 21st April 1992
Aliases: Boot
Origin: Norway or Belgium
Isolation Date: October 1991
Effective Length: 2048 or 2072 bytes
Virus Type: Resident !Boot file infector
Symptoms: !Boot filelength increase.
---------------------------------------------------------------------------
Detection Media: Killer 1.27+ Memory: Interferon 1.10+
Scanner 1.02+ Killer 1.27+
VProtect 1.10+ Scanner 1.20+
Hunter 1.16+ Hunter 1.16+
VirusKill 1.00+
Removal Media: Killer 1.27+ Memory: Killer 1.27+
Scanner 1.17+ Hunter 1.16+
Hunter 1.16+ Interferon 1.10+
Scanner 1.20+
RMKill NetStatus
---------------------------------------------------------------------------
General Comments:
NetStatus is written as a module, and in many ways it functions exactly
the same way as the TrapHandler virus, as it saves all of its code
in an application's !Boot file. It differs strongly from from this
one, however, as NetStatus does not overwrite the !Boot file. The
original !Boot instructions are executed after the virus has been
loaded, making it more difficult to spot than TrapHandler.
Some times a message will appear (after a mode change):
Hello, there.
Just a little message.
The infection count is: <infection count>
This program is harmless
10 Jun 1991
[This message is encrypted, and will neither show up in memory nor
in the infected !Boot file.]
One might think that NetStatus should be placed as a 'variant' of
TrapHandler, as the way the two viruses work are so similar (both
viruses work by loading the !Boot file into memory below &8000 and
then jumping to the code). However, seeing that the code itself was
so different, I chose to let it have its own entry. Also, NetStatus
infects the !Boot file instead of overwriting it! If you think you
might have been infected by this virus, do *Help NetStatus to see
if it is version 2.00, and if it is, do a *Modules to check where
it resides. If the address is 018xxxxx then you are infected, if
not, the address should be 038xxxxx. [This virus has the potential
to cause chaos on Econet networks, where it will replace the real
NetStatus module - causing anything that relies on it to fail.]
Known variant(s) of the NetStatus virus are:
NetStatus-2048
This appears to be an earlier version of NetStatus. Some code is
missing in this version, but they appear identical in operation.
Please note that not many virus killers are aware of both versions.
If it understands only one strain, the !Boot file will become corrupt.
###########################################################################
NewDesk
===========================================================================
Last Updated: 3rd March 1993
Aliases:
Origin: UK
Isolation Date: March 1993
Effective Length: 2439 bytes
Virus Type: Resident !Boot file infector
Symptoms: !Boot filelength increase.
---------------------------------------------------------------------------
Detection Media: Killer 1.375+ Memory: Killer 1.375+
VProtect 1.32+
Removal Media: Killer 1.375+ Memory: Killer 1.375+
---------------------------------------------------------------------------
General Comments:
This is a BASIC program filetyped as a Sprite. It is loaded by !Boot
and runs as a desktop task choosing one of the following names at
random:
"HandyHint", "Desktop X-tras", "Help", "Clock", "VProtect", "adfs
2", "RamFiler", "FormEd" or "Editor"
(note: VProtect as used by this virus will show up as an application
task. The real VProtect from Pineapple Software shows up as a module
task)
On April 1st or any Friday 13th it will *unplug Desktop, ADFS, BASIC
and TaskManager.
###########################################################################
Parasite
===========================================================================
Last Updated: 21st April 1992
Aliases:
Origin: UK, Cheshire?
Isolation Date: January 1992 by S. Haeck
Effective Length: 6K & 7K
Virus Type: Resident application infector, stores code as
separate file.
Symptoms: Additional modules appearing within applications
---------------------------------------------------------------------------
Detection Media: Killer 1.27+ Memory: Killer 1.27+
Scanner 1.23+ Scanner 1.20+
VProtect 1.12+
Removal Media: Killer 1.27+ Memory: Killer 1.27+
---------------------------------------------------------------------------
General Comments:
This is a **very** nasty virus. Handle any infections with care!
The parasite virus was first discovered by S. Haeck in January 1992.
The two strains are identical, except that the first always uses
the same name for its module, and the second has a random choice
of 20 (twenty) filenames. It will only activate on machines whose
network station number is <80 - which will include non-networked
machines, which typically have 0 or 1 in the CMOS. Do NOT try to
RMKill the module - a delayed action machine crash will result. It
will *wipe any of the following file/directory names - !vkiller,
vir, shield, prot and !guardian - this points at a UK origin since
it is not aware of Scanner.
It has a whole repertoire of dirty tricks, which are time triggered:
- Corruption of the net printer name (it uses this as workspace)
- Midnight, and xx:13: crash the computer
- Before 07:00: crash the computer 300-900 seconds later
- 00:00 to 00:59 on 1st Jan: crash the computer
- 1st of any month: claim 16K of RMA (not used)
- 21st June: set MouseStep to 1
- 21st December: set MouseStep to 127 (fast!)
- 29th February: Set MouseStep to -5 (fast, and reversed)
- If there is a 0 in the time, and the virus loaded from SCSI:*unplug
the Podule Manager (disabling the SCSI disc) - At 0x and x0 seconds,
if the module came from IDEFS: alias the IconSprites command so that
no further sprites are cached
Furthermore, there are some which can be fired at any time:
1 in 50: Change sound settings
1 in 25: Redefine character set to all spaces after 60-240 seconds
1 in 60: Corrupt the disc in drive 0
Lastly, there are a group of serious actions (which are limited so
only a certain number occur within a given period):
- Before 08:00 (14:00 Sundays): configure number of hard and floppy
drives to zero.
- Mondays: Configure Fontsize 0K, SpriteSize 512K, which will cripple
a 1Mb machine!
- 25th December: Configure MonitorType 3, Sync 0
- A 7 in the time: Configure Country to Greece
- 1 in 4: Configure ADFS, Harddiscs 2, Drive 5 (very tricky if you
don't happen to have two ST506 drives)
The module names which it can use are:
FontLibrary, CodeLibrary, ScreenObjct, PromptsPick, HPIBIntMngr,
PRomModules, BasicCryptr, ChrSelecter, WimpModMake, PaletteUtl2,
ModeUtility, FontUtility, TempManager, ColourConvt, IndexReader,
ArthurImage, SyncUtility, VIDCManager, FontPalette, HugoFiennes.
The first (6435 byte) strain always uses the name FontLibrary.
Note that Hugo Fiennes, whose name appears at several points in the
code, as well as being one of the module filenames, has much better
things to do than write viruses, and has no known connection with
this virus!
(Source: Alan Glover, with thanks to Geoff Riley for much of the
decoding)
###########################################################################
Penicillin
===========================================================================
Last Updated: 6th December 1992
Aliases:
Origin: UK
Isolation Date: December 1992
Effective Length: 7306 bytes
Virus Type: Resident application infector
Symptoms: Data file called Penicillin in application directories
---------------------------------------------------------------------------
Detection Media: Killer 1.382+ Memory: Killer 1.382+
VProtect 1.25+
Removal Media: Killer 1.382+ Memory: Killer 1.382+
---------------------------------------------------------------------------
General Comments:
This is basically speaking an Icon variant, and therefore bears common
features with the base Icon strain. However, it is one of the more
malicious variants, with tricks including:
- Configuring FontSize to 128K
- Altering the mouse step settings, and causing pseudo random movement
- Configure TV 0,0 which will turn interlace on (screen shakes)
- Makes a noise
- Reads &12000 bytes from ADFS::0 to address 0 - this will almost
certainly crash the machine
- Configure the machine for no floppy drives
- Change the mouse rectangle settings
On the 13th of any month there is a random chance that it will:
- Create a random mouse rectangle and enter an endless loop
- Mark three sectors of the disc in ADFS drive 0 as defective
(Source: Alan Glover, with thanks to Rick Sterry)
###########################################################################
Poltergeist
===========================================================================
Last Updated: 3rd March 1993
Aliases:
Origin: UK
Isolation Date: March 1993
Effective Length: 2573 bytes
Virus Type: Resident application infector
Symptoms: Two files apparently with no name in application
directories
---------------------------------------------------------------------------
Detection Media: Killer 1.395+ Memory: Killer 1.395+
VProtect 1.32+
Removal Media: Killer 1.395+ Memory: Killer 1.395+
---------------------------------------------------------------------------
General Comments:
This file consists of two files of the same filetype. One is a BASIC
program, the other is a sprite for the filetype. Once loaded the
virus redefines the character used to name the files to a blank so
there is a chance that the files would sit unnoticed inside an application.
However 'Select All' will soon show their presence!
Although it runs as a desktop task it will not show up on the Task
Manager display.
It has various actions which are fired at random (some with a degree
of weighting to make them relatively infrequent):
* Set the screen border to a random colour.
* Change the screen border colour several times
* Redefine the character set as spaces
* Redfine a randomly chosen lower case character as a space
* Set the mouse pointer to a random colour
* Move the mouse pointer to a random position
* Redefine the character set randomly
* Draw a line on the screen
* Redefine a colour at random
* Draw a triangle on the screen
* Change the text direction/orientation setting
* Unlink the mouse from the pointer
* Select Country Greece
###########################################################################
Runopt
===========================================================================
Last Updated: 25th October 1992
Aliases:
Origin: UK
Isolation Date: October 1992
Effective Length: 1684 bytes
Virus Type: Resident application infector
Symptoms: Desktop APPLICATION Task called 'Task Manager'.
---------------------------------------------------------------------------
Detection Media: Killer 1.381+ Memory: Killer 1.381+
VProtect 1.24+
Removal Media: Killer 1.381+ Memory: Killer 1.381+
---------------------------------------------------------------------------
General Comments:
In a similar manner to Icon, this virus uses a !Boot file to load
a BASIC program. The program is called RunOpt!, and is filetyped
as data.
Note that the real 'Task Manager' shows up as a module task NOT an
application task.
(Source: Paul Frohock)
###########################################################################
Shy
===========================================================================
Last Updated: 20th October 1993
Aliases:
Origin: UK
Isolation Date: October 1993
Effective Length: 324 bytes
Virus Type: Resident application infector
Symptoms: A missing number in a *modules listing
---------------------------------------------------------------------------
Detection Media: Killer 1.508+ Memory: Killer 1.508+
VProtect 1.49+
Removal Media: Killer 1.508+ Memory: Killer 1.508+
---------------------------------------------------------------------------
General Comments:
This is a harmless virus which infects files of type &FF8 and resides
in memory as a module. The title of the module is made up of a number
of delete characters, with the effect that in a *modules display
the line for the virus' module will not appear - which will cause
the count of modules to seem to skip one.
###########################################################################
Sprite
===========================================================================
Last Updated: 21st April 1992
Aliases: 'Really Annoying Sprite Virus'
Origin: Germany ? Ireland ?
Isolation Date: February 1992 by Svlad Cjelli
Effective Length: 720 bytes
Virus Type: Resident application infector, stores code as
separate file.
Symptoms: File "Sprite" and maybe !Str in applications
---------------------------------------------------------------------------
Detection Media: Killer 1.27+ Memory: Killer 1.27+
Scanner 1.23+
Removal Media: Killer 1.27+ Memory: Killer 1.27+
delete Sprite, delete !Boot OR delete !Run and
rename !Str to !Run (depending whether !Str is
present or not).
---------------------------------------------------------------------------
General Comments:
This has got some similarities with Image, but until I've (Alan)
had a chance to do a code comparison, I'm not going to class them
as members of the same virus family.
In months which begin with an F it will change the pointer settings.
As far as I can tell, the parameter block is junk, and it's hard
to tell whether the call will return! If it does, a delayed routine
is programmed, which when entered will do FX200,3, zero all the CMOS
RAM, and display a message.
The message is:
Piracy IS theft - Your SYSTEM is DOOMED - Deutschland Uber Alles!
For people like me who don't know any German, a liberal translation
is 'Germany is best'. This is encrypted, so is not usually visible.
Important note: Initial reports about this virus suggested that it
could cause disc corruption. Aside from possible errors during attempted
infections, it does not have any maliciously targetted code for filing
systems.
Infection is by saving the virus code as 'Sprite' (filetyped as such),
and either creating a !Boot, or renaming !Run to !Str and saving
a new !Run which runs !Str.
(Source: Alan Glover, with thanks to Svlad Cjelli)
###########################################################################
SpriteUtils
===========================================================================
Last Updated: 11th September 1992
Aliases:
Origin: UK
Isolation Date: June 1992
Effective Length: 3028 bytes
Virus Type: Resident application infector, stores code as
separate file.
Symptoms: File "Sprutils" appears in applications
---------------------------------------------------------------------------
Detection Media: Killer 1.360+ Memory: Killer 1.360+
VProtect 1.17+
Scanner 1.42+
Removal Media: Killer 1.360+ Memory: Killer 1.360+
Scanner 1.42+
---------------------------------------------------------------------------
General Comments:
This virus spreads by inserting a line in !run files, loading a trojan
SpriteUtils module.
It is my opinion that this virus is designed as an enabling tool
for further unpleasant activities triggered remotely over a network.
My reason for concluding this is that in addition to normal spreading
and replication it goes to great pains to alter the Econet Protection
setting to enable User Remote Procedure Calls.
It intercepts the SWI vectors to process Econet_SetProtection and
Econet_ReadProtection to return, and allow modification of, the value
which was present when the virus started.
It then supports two RPCs, one to turn off all protection, and the
other to restore the setting with just RPCs enabled.
It also attempts to disable VProtect, and will succeed with earlier
versions. However, a new version of VProtect will have no problem
in preventing the virus from being loaded in to a clean machine.
It has no timed or other malicious contents, however as usual there
are some consequences of the way it is written.
In particular, it will claim 2K of RMA workspace, and never release
it, nor does it restore the Econet protection setting it first found.
(Source: Alan Glover)
###########################################################################
TaskManager
===========================================================================
Last Updated: 8th February 1993
Aliases:
Origin: UK
Isolation Date: Jan 1993
Effective Length: around 11200-11700 bytes
Virus Type: Resident application infector, stores code as
separate file.
Symptoms: File " Log" appears in applications
---------------------------------------------------------------------------
Detection Media: Killer 1.392+ Memory: Killer 1.392+
VProtect 1.30+
Removal Media: Killer 1.392+ Memory: Killer 1.392+
---------------------------------------------------------------------------
This virus spreads by appending loading instructions to !Boot files,
and saving a file called ' Log' (filetype &ff8 - absolue) inside
an application (the leading space is character code 160 - the 'hard'
space).
When active it runs as a desktop task called 'Task Manager' - note
that like Vigay this will appear as an application task unlike the
real Task Manager which is a module task.
Aside from spreading it has no malicious code.
(Source: Alan Glover)
###########################################################################
T2
===========================================================================
Last Updated: 22nd May 1993
Aliases:
Origin: United Kingdom
Isolation Date: July 1992
Effective Length: 4304 bytes
Virus Type: Merges with absolute !RunImage files.
Symptoms: Messages from "T2" and spurious errors.
---------------------------------------------------------------------------
Detection Media: Killer 1.370+ Memory: Killer 1.370+
VProtect 1.20+ Scanner 1.43+
Scanner 1.43+
Removal Media: Killer 1.370+ Memory: Killer 1.370+
---------------------------------------------------------------------------
General Comments:
This is a very dangerous virus, which can cause severe data loss
if not treated rapidly.
On 1st Jan, 14th Feb, 1st May, 4th July, 31st October, 25th December
and Friday 13th a message from T2 will be displayed and it will write
invalid data to the first 32K of ADFS drives 0-7. On D or E format
floppies this will destroy the FS Map and Root Directory, on D format
hard discs it will destroy the boot block, FS Map and Root Directory.
On E format hard discs, it will destroy the boot block only, since
the Free Space map and Root directory are elsewhere on the disc surface.
It will also attempt to do the same to Nexus drives 4-7.
Additional information, 22nd May 1993: A variant has shown up using
&DECAFF instead of &COFFEE, otherwise it is identical.
The messages are:
December 25th
Yuletide Jollities from T2
A special christmas present: New blank disks all round.
1st January
New Year's Resolution from T2
New Year's Resolution: I will keep my disks write protected.
14th February
St. Valentine's Day
Roses are red, Violets are blue, I've wiped your hard disk, Because
I hate you.
1st May
Mayday from T2
Mayday, mayday, mayday: your data's sinking.
31st October
Spookiness from T2
You've got a vicious virus AND blanked disks - spooky huh?
July 4th
Independence Day celebrations from T2
You are now fully independent of your saved data.
Friday 13th
Comiserations from T2
Bad luck, me ol' China. Your disks have kinda left you in the lurch,
as it were. Unfortunate, huh?
And the random choice ones:
Greetings from T2
I hate you. F*ck off and die. Painfully.
Comment from T2
You stink of sh*t.
Observation from T2
You're a f*cking c*nt.
Hi there, from your friendly virus
Hi there. You may (or may not) know me. I'm a virus. User meet
T2. T2 meet user. Good ... See ya around.
It also has a random chance routine, based on a 0.1 second timer,
which has various possible effects, including:
- A rude message (see above)
- Scrambled CMOS memory
- Crashing the machine
- Destroying disc data (as above)
There is not an easy quick check for this virus, since it will not
show up as a module or desktop task. The easiest way I can come up
with is to do the following two commands from BASIC (ensure that
VProtect 1.20 or above is NOT loaded to avoid a false alarm).
SYS "XOS_ServiceCall",,&C0FFEE TO ,A%:PRINT A%
SYS "XOS_ServiceCall",,&DECAFF TO ,A%:PRINT A%
If either number printed is zero, and VProtect 1.20+ is not loaded
(or any other anti-virus program aware of this virus) then it is
loaded and active.
(Source: Alan Glover)
###########################################################################
Terminator
===========================================================================
Last Updated: 11th September 1992
Aliases:
Origin: United Kingdom
Isolation Date: July 1992
Effective Length: 3648 bytes
Virus Type: Task. Stores code as separate file.
Symptoms: Additional files appear in applications (see
below)
---------------------------------------------------------------------------
Detection Media: Killer 1.372+ Memory: Killer 1.372+
Scanner 1.47+
Removal Media: Killer 1.372+ Memory: Killer 1.372+
delete named file, remove last line from !Boot.
---------------------------------------------------------------------------
General Comments:
Strictly speaking - this is an Icon variant. However it has been
changed sufficiently that it merits its own entry.
It can choose one of eight task names, and one of eight different
filenames/filetypes to save itself.
In other respects it acts and spreads like Icon, though there is
1 in 10 chance of drive zero being wiped on each infection.
The task names are : ADFS Filer, RMA Manager, Filer Extension, File
Compactor, ADFS Filer (again), MemAlloc, " " and "F*ck off!" (except
with no asterisk - you know what I mean...).
The filenames and filetypes are: Icon (Sprite), MemAlloc (Module),
RunCode (Absolute), ABCLib (Module), CLib (Module), Colours (Modules),
FPEmulator (Module) and !DeskBoot (Utility).
!Killer patches the virus before removing it to ensure that ADFSFiler
is not rmkilled by the virus.
(Source: Alan Glover)
###########################################################################
Thanatos
===========================================================================
Last Updated: 21st April 1992
Aliases: RISCOSext, RISCOS Extensions
Origin: United Kingdom
Isolation Date: May 1991
Effective Length: 11756 or 11764 bytes
Virus Type: Task. Stores code as separate file.
Symptoms: Files "RISCOSext" and "TaskAlloc" in application
directories. Wimp task "Thanatos" visible in
the Task Manager.
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Killer 1.17+
Scanner 1.23+
VProtect 1.10+
Removal Media: Killer 1.17+ Memory: Killer 1.17+
delete named files
---------------------------------------------------------------------------
General Comments:
This is an encrypted (simple EOR with &7A, lower-case "z") BASIC
program (crypted = 11756 bytes long, TOP-PAGE of BASIC program =
7660 bytes) called "RISCOSext" with a filetype of Absolute (yes,
a very poor piece of ARM code decrypts and runs it and wastes nearly
4K of space between &8100 and &9000 !). Associated with it is a Sprite
file (actually of filetype Module) called "TaskAlloc", which is 344
bytes long containing a rude sprite to replace the mouse pointer.
When run, it installs itself as a Wimp task named "Thanatos" and
then looks for double-clicks to infect application directories (copies
the RISCOSext and TaskAlloc files into there and then appends the
'usual' string to the !Boot file (to run RISCOSext).
The nasty section of the Thanatos Virus REALLY IS nasty, so I urge
you to study this carefully.
Roughly once every 100000 times around the Wimp_Poll loop, Thanatos
can:
* 2 out of 13 chances Shut down icon bar application at random (whilst
displaying its own icon bar icon during the shutdown).
* 1 out of 13 chances Cause a Desktop Quit.
* 3 out of 13 chances Reverse the mouse pointer step (sets it -2).
* 1 out of 13 chances Crash the machine by poking a duff instruction
at the start of memory.
* 1 out of 13 chances Randomise the 240 bytes of CMOS. [If this happens,
you may have to either short or remove the battery from your machine,
as it might refuse to boot.]
* 4 out of 13 chances Randomly display one of 8 very rude messages
- one of which also changes the mouse pointer shape to a rude graphic
and another will also shutdown an icon bar application (the same
routine as above).
* 1 out of 13 chances Wipe the contents of <Obey$Dir>.
It also has a "special date" section as follows:
Any Friday 13th: Advertises its own "virus killer" (from Armen Software).
April 1st 10 Address exception errors, followed by coloured rectangles
and a 'stuck' mouse pointer for 10 seconds. An "April Fool" message
is then displayed.
December 25th: Destroys the disk map of ADFS drives 0, 4 and 5 followed
by a "Merry Crimble" message.
October 31st:Formats the floppy in drive 0, followed by a "Spooky"
message.
January 1st: As December 25th, but followed by a New Year's Resolution
message (to keep your disks write-protected...).
[ The 11764 byte variant is functionally identical, but a slightly
earlier version ]
(Source: Richard K. Lloyd)
[Attempting to kill Thanatos by clicking 'Quit' in the Task Manager
will not work. However, Killer and VKiller will patch the missing
closedown code into the virus before removing it from memory.]
###########################################################################
TrapHandler
===========================================================================
Last Updated: 21st April 1992
Aliases:
Origin: United Kingdom
Isolation Date: September 1991
Effective Length: 924 bytes
Virus Type: Resident !Boot file infector. Overwrites original
!Boot file completely (or creates a new one if
it doesn't find one) and stores own code here.
Symptoms: Applications which depend on a !Boot file fail
to run (i.e. if the !System !Boot file was overwritten,
!Edit would fail to run due to the fact that
the !System folder hasn't been seen. The same
applies if the !Boot file in the Fonts directory
is overwritten. The module 'TrapHandler'is present
in the module list.
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Interferon 2.00+
Scanner 1.03+ Killer 1.17+
VProtect 1.10+ Scanner 1.23+
Removal Media: Killer 1.17+ Memory: Killer 1.17+
Scanner 1.03+ Interferon 2.10+
delete !boot file Scanner 1.20+
RMKill TrapHandler
---------------------------------------------------------------------------
General Comments:
The TrapHandler virus is written as a module which infects application
directories by overwriting the !Boot file with its own code. By hooking
onto the FSControl vector, it looks for a *Run action, and on finding
one (eg. the user opens a directory with applications, and if any
of these contain a !Boot file (which RISC OS automatically executes)),
TrapHandler overwrites the application's !Boot file with its own
code.
This code is loaded into memory by using a simple
*LOAD <Obey$Dir>.!Boot <address>
and then executing the code at <address>.
On any Friday after the 20th of any month it will open a regular
message box (i.e. using Wimp_ReportError) with the number of infections
in the header, and an 'Ignorance will be your undoing.' This message
is rather misleading, as the only destructive thing it does is overwrite
your !Boot files (although it could - as all viruses can - be modified
to do much nastier things). I might sound a bit trivial here - if
your $.!Boot on the harddisc was overwritten, you might get a bit
more than annoyed(!). However, as this !Boot file only gets run when
you reset your machine, it is not very likely to get infected by
this virus (unless you accidentally double-click on it or run it).
###########################################################################
Valid
===========================================================================
Last Updated: 21st April 1992
Aliases:
Origin: Unknown
Isolation Date: March 4, 1992 by Atle M. Bårdholt
Effective Length: 1389 bytes
Virus Type: Non-resident application infector, stores code
as separate file.
Symptoms: Files "Valid" and "Source" in application directories.
---------------------------------------------------------------------------
Detection Media: Killer 1.30+ Memory: n/a
Scanner 1.23+
VProtect 1.13+
Removal Media: Killer 1.30+ Memory: n/a
Scanner 1.23+
delete !Run and "Source". Rename "Valid" to
!Run.
---------------------------------------------------------------------------
General Comments:
Valid is a non-resident virus written in BASIC which works by renaming
the !Run file of the application to "Valid", then saving itself as
a file called "Source" and creating a new !Run file which points
to the virus code. Both have correct filetypes (e.g. Obey and BASIC).
In its current form it can hardly spread far. It surprises me that
it was even released at all. Due to a major flaw in the code, Valid
creates faulty !Run files every time it infects - effectively rendering
the application non-executable - making it easy to detect that something
is wrong. It is assumed, however, that this is fixed in other or
newer versions (the incore filename of the BASIC file is "Source2"),
as it is a very simple thing to do something about it. (This version
keeps the first 21 chars of the orginal !Run file instead of making
a new one.)
On floppy based systems this virus causes a noticeable slowdown when
it infects an application, as it uses the OSCLI command EnumDir to
create a list of applications to infect. This list is saved as a
file (as a result of EnumDir), and then loaded into some reserved
memory. When the processing of this data is finished, the file is
deleted.
Valid never infects an application twice, as it checks to see if
there's an "our" in the first line (part of RUN <Obey$Dir>.Source)
of the !Run file. Also, it is not certain it will infect a given
application - there's Ŵonly a 30% chance (determined by RND(10)>7)
of this happening. Valid does little besides replicate (if it had
worked properly), but does create a 0 byte file called "Infected!"Ŵ
in the application directory after any 22nd in any month.
###########################################################################
VanDamme
===========================================================================
Last Updated: 8th June 1993
Aliases:
Origin: Unknown
Isolation Date: May 1993
Effective Length: 1517 bytes
Virus Type: Non-resident application infector, stores code
as separate file.
Symptoms: Files with nonsensical names in applications
---------------------------------------------------------------------------
Detection Media: Killer 1.410+ Memory: 1.410+
Removal Media: Killer 1.410+ Memory: 1.410+
---------------------------------------------------------------------------
General Comments:
VanDamme is clearly an Icon derivative. However its major differences
are that it has been run through a BASIC squasher, resulting in the
small size. It chooses a name composed of random lower case letters
for each infection, and a pseudo random filetype choice.
It has a (very unlikely) random chance of formatting a disc.
###########################################################################
Vigay
===========================================================================
Last Updated: 21st April 1992
Aliases: DataDQM, Shakes
Origin: United Kingdom
Isolation Date: Probably April 1991
Effective Length: 2311 or 2432 bytes
Virus Type: Task. Stores code as separate file.
Symptoms: File "DataDQM" in application directories. The
Task "TaskManager" in the Task Manager window.
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Killer 1.17+
Scanner 1.23+
VProtect 1.10+
Removal Media: Killer 1.17+ Memory: Killer 1.17+
delete !Boot and file.
---------------------------------------------------------------------------
General Comments:
This is a BASIC program called "datadqm" with an associated 97-byte
!Boot file. The REMs at the start of the program are as follows:
REM (C)1989 PAUL VIGAY
REM
REM A nasty little Archie Virus !!
REM ... or is something up with your monitor ???
REM
REM version 1.1a (24th October 1989)
Hence you now know why it's called the "Vigay Virus" - the author's
name appears as a comment at the start! When first run, it initialises
as a Wimp task called "TaskManager" and then waits for either:
1) a chance of (500 * hours left of a Thursday) to 1 to crop up to
spark off a silly "wobble" demo (wobbles the screen and mouse pointer).
Yes, this demo only appears on a Thursday and more frequently as
the day wears on.
or,
2) a file/directory double-click, in which case it attempts to replicate
itself to the first application directory at that level that doesn't
already have either an "!Boot" or a DataDQM" file.
(Source: Richard K. Lloyd)
[Apparently there are several versions existing (but apparently not
circlulating), some activating on Fridays, others on Friday the 13th.
It is not known whether these Friday versions broke loose, and later
variants were also compiled using the Archimedes BASIC Compiler by
DABS Press. We are still speculating if any of these are available
to the general public. Also, it is worth clarifying that the 'TaskManager'
will appear as an application task, unlike the real Task Manager
which is a module task.]
###########################################################################
Whoops
===========================================================================
Last Updated: 1st June 1993
Aliases:
Origin: United Kingdom
Isolation Date: May 1993
Effective Length: 8091 bytes
Virus Type: Resident task. Stores code as separate file.
Symptoms: File "!memalloc" in application directory.
---------------------------------------------------------------------------
Detection Media: Killer 1.408+ Memory: Killer 1.408+
VProtect 1.39+
Removal Media: Killer 1.408+ Memory: Killer 1.408+
---------------------------------------------------------------------------
General Comments:
The virus is a BASIC program called !Memalloc and filetyped as a
module. It loads as a desktop task called 'Paint'. However when told
to quit it will re-initialise as a nameless desktop task.
The virus is written to continue spreading until May 1995, after
which it will start removing itself.
It has a number of possible tricks, chosen by a random number:
i) Give a spurious error and reboot the computer
ii) Move the mouse pointer around
iii) Give a spurious error
iv) Close a window
v) Stop the desktop for a random time (it turns on the hourglass)
###########################################################################
Wimpman
===========================================================================
Last Updated: 19th February 1993
Aliases:
Origin: United Kingdom
Isolation Date: February 1993
Effective Length: 1555 bytes
Virus Type: Resident task. Stores code as separate file.
Symptoms: File "Wimpman" in application directory.
---------------------------------------------------------------------------
Detection Media: Killer 1.393+ Memory: Killer 1.393+
VProtect 1.31+
Removal Media: Killer 1.393+ Memory: Killer 1.393+
---------------------------------------------------------------------------
General Comments:
This bears quite a similarity to the Icon family of viruses.
The virus is a BASIC program, but is filetyped as a module.
Aside from spreading (and hiding from the Task Manager display it
has no other notable features).
###########################################################################
Virus Detection Utilities
---------------------------------------------------------------------------
Interferon: © Tor O. Houghton. Latest known version is 2.12 (13-Mar-1992).
Resident program which looks for transfer of data to
disc from areas below &8000, and from the RMA (e.g. most
viruses which are written as modules, for example). Public
Domain.
Killer: © Pineapple Software Ltd. Written by Alan Glover of Acorn
Computers Ltd. Latest version known is 1.600 (4-Dec-1993).
Multi-tasking scanner/disinfectant. Currently, this application
is the one which detects and removes all known viruses
on the Archimedes. Very user friendly interface, lots
of useful options,includes a nice window with look-up
virus information. Commercial product.
Scanner: © Tor O. Houghton. Latest version known is 1.56 (Oct-1992).
A non-WIMP application which detects and removes the most
common viruses. Commercial software, available direct
from the author. Further updates are unlikely in the short
term.
VProtect: © Pineapple Software Ltd. Written by Alan Glover of Acorn
Computers Ltd. Latest version known is 1.53 (4-Dec-93).
Resident program which, amongst other things, checks !Run
and !Boot and module files for infection before running
them. Supplied with !Killer.
This document exists in three parallel forms. Versions suffixed 'p'
are the Impression version (primarily maintained by Tor Houghton),
and those suffixed 'h' use the Binary Star !Clearview PD reader application
to present a hypertext document. Updates to the document may be sent
to either author, and both versions will get updated. The text version
(suffixed 't') is derived from the Cleariew version. There is also
an experimental vb version. The Impression version is currently substantially
out of date - for recent information always refer to the h or t versions.
Also, could you please include a note on what the program/virus does?
Some help files we have seen have been very vague. All this information
is based on our own reactions, and may well be incorrect in some
parts. If you don't like it, send us some information (not too verbose).
###########################################################################
Acknowledgements & Credits
---------------------------------------------------------------------------
This list contains some of the many people who have helped in the
preparation and updating of this document. Despite their best efforts,
there are undoubtably some errors - which are wholly our own work
:-).
Simon Burrows: Additional virus documentation.
Svlad Cjelli: Additional virus documentation.
Michel Fasen: Additional virus documentation.
Eivind Hagen: For letting me borrow Impression of him!
Bjørn Hotvedt: For keeping up with the never-ending postings to and
from Alan (and other people!).
Richard K. Lloyd: For documentation on the older viruses.
Terje Slettebø: For help with the disassembly of the NetStatus virus.
Paul Frohock: For help and information long before !Killer saw light
of day (and still going strong :-) )!
The following pieces of software are amongst those I (Alan) use for
virus analysis - my thanks to those in the list below who have added
changes etc at my request or helped in other ways (you know who you
are...).
QDBug - Vertical Twist (Debugging tool)
!QZap - Kevin Quinn (PD Desktop Disassembler)
!Dissi - John Tytgat (Registered version - Desktop Disassembler/Source
generator)
!DeskEdit - RISC Developments (!Edit, with many useful additions)
!Snoop - DT Software (Desktop examination tool)
Thanks also to Mark Smith and David Pilling for help with ARCFS and
SparkFS.
###########################################################################
Contacting the authors
---------------------------------------------------------------------------
POST:
Tor Houghton Alan Glover
17K Park Village PO Box 459
University of Sussex Cambridge
Falmer CB1 4QB
Brighton UK
BN1 9RD
UK
EMAIL:
Tor O. Houghton: torh@cogs.susx.ac.uk
Alan Glover: aglover@acorn.co.uk, or
alan@pinesoft.demon.co.uk
FAX:
Alan Glover (+44) (0)223 415222
Acorn Computers Ltd. (+44) (0)223 254264
Pineapple Software (+44) (0)81 598 2343
TELEPHONE:
Pineapple Software (+44) (0)81 599 1476
Acorn Computers Ltd. (+44) (0)223 254254
###########################################################################
Checklist
---------------------------------------------------------------------------
(last change 30th October 1993)
Click on the name of the virus to read more about it.
Media Memory
Virus Utility D R D R
Alien Killer Y Y Y Y
Aprilfool Killer Y Y Y Y
Archie Guardian Y N ? ?
Killer Y Y Y Y
Scanner Y N N N
Arcuebus Killer Y Y Y Y
Axishack Killer Y Y Y Y
BBCEconet Killer Y Y Y Y
Scanner Y N Y Y
Interferon N N Y N
Bigfoot Killer Y Y Y Y
Scanner Y N N N
Boohoo Killer Y Y Y Y
Breakfast Killer Y Y Y Y
CeBIT Hunter Y Y Y Y
Interferon N N Y Y
Killer Y Y Y Y
Scanner Y N Y N
Code Killer Y Y Y Y
Scanner Y Y N N
Diehard Killer Y Y Y Y
Ebenezer Killer Y Y Y Y
Ex_port Killer Y Y Y Y
Extend Guardian Y ? Y ?
Hunter Y Y N N
Interferon N N Y N
Killer Y Y Y Y
Scanner Y N Y N
ExtendV2 Killer Y Y Y Y
FCodex Killer Y Y Y Y
Funky Killer Y Y Y Y
Garfield_I Killer Y Y Y Y
Scanner Y Y Y Y
Interferon N N Y N
Garfield_W Killer Y Y Y Y
Scanner Y Y Y Y
Interferon N N Y N
Handler Killer Y Y Y Y
Icon Hunter ! ! N N
IVSearch ! ! ? ?
Killer Y Y Y Y
Scanner Y Y N N
Image Killer Y Y Y Y
Scanner Y N Y Y
Image2 Killer Y Y Y Y
Increment Killer Y Y Y Y
Scanner Y N Y N
IRQFix Killer Y Y Y Y
Scanner Y Y N N
Link Hunter Y Y Y Y
Interferon N N Y Y
Killer Y Y Y Y
Scanner Y Y Y Y
Mode87 Killer Y Y Y Y
Scanner Y Y N N
Interferon N N Y N
Module Guardian Y Y ? ?
Hunter Y Y Y Y
Interferon N N Y N
Killer Y Y Y Y
Scanner Y Y N N
MonitorDat Killer Y Y Y Y
MyMod Hunter Y Y Y Y
Interferon N N Y Y
Killer Y Y Y Y
Scanner Y Y Y Y
NetManager Guardian ? ? ? ?
Interferon N N Y Y
Killer Y Y Y Y
Scanner Y Y Y Y
NetStatus Hunter ! ! Y Y
Interferon N N Y Y
Killer Y Y Y Y
Scanner Y Y Y Y
VirusKill Y Y ? ?
NewDesk Killer Y Y Y Y
Parasite* Killer Y Y Y Y
Scanner Y N Y N
Penicillin* Killer Y Y Y Y
Poltergeist Killer Y Y Y Y
Runopt Killer Y Y Y Y
Shy Killer Y Y Y Y
Sprite* Killer Y Y Y Y
Scanner Y N N N
SpriteUtils Killer Y Y Y Y
Scanner Y Y N N
Taskmanager Killer Y Y Y Y
T2 Killer Y Y Y Y
Scanner Y N N Y
Terminator* Killer Y Y Y Y
Scanner Y N N N
Thanatos* Hunter Y Y N N
Killer Y Y Y Y
Scanner Y N N N
Traphandler Hunter Y Y Y Y
Interferon N N Y Y
Killer Y Y Y Y
Scanner Y Y Y Y
Valid Killer Y Y na na
Scanner Y Y na na
VanDamme Killer Y Y Y Y
Vigay Guardian Y Y ? ?
Killer Y Y Y Y
Scanner Y N N N
Whoops Killer Y Y Y Y
Wimpman Killer Y Y Y Y
? Refers to cases where the documentation fails to explain exactly
what it does with the virus.
! Special cases (e.g. some killers might not detect all variants
of a
virus), refer to the separate virus entries in this document for
details.
na Not applicable, typically a virus which does not reside in memory.
###########################################################################
Quick Checks
---------------------------------------------------------------------------
(last change 24th November 1993)
Click on the virus name to read more about it.
Alien - Icon variant - wide choice of specific names and filetypes.
Aprilfool - Creates directory called ScrapHeap on RAM disc. Desktop
task called 'aprilfool'.
Archie - Attacks absolute (filetype &FF8) files.
Arcuebus - Installs a false NetStatus module (3.07).
Axishack - Desktop task called Axis_Hack.
BBCEconet - Attacks absolute files, encrypting part of them. Loads
trojan BBCEconet module.
Bigfoot - Desktop task called 'bigfoot', file with randomly chosen
name in capitals (BASIC file).
Boohoo - Attacks modules. Infected modules are re-stamped. Killing
an infected module gives 'Yah, boo hoo', hence the name!
Breakfast - Attacks absolute files, encrypting part of them. Loads
trojan BBCEconet module.
CeBIT - Attacks applications. File "TlodMod" in app. directory. Module
"TlodMod" in module list.
Code - Desktop task called 'Window Manager'. Applications may 'lose'
their sprites.
Diehard - Icon-2173: data file called Setup.
Ebenezer - Desktop application task called "Filer". Screen judder
on Fridays.
EMod - Nameless wimp task which never quits.
Ex_port - File called ex_port (various filetypes) inside applications.
Extend - Attacks applications. Files "MonitorRM", "CheckMod", "ExtendRM",
"OSextend", ColourRM", "Fastmod", "CodeRM" or "MemRM" in app.
directory . Module "Extend" in module list.
ExtendV2 - Icon variant which describes itself as Extend
FCodex - File called 'FCodex' inside applications.
Funky - Desktop task called 'Window Dude'.
Garfield_I - Creates application called !Pic, loads a module called
IconManager.
Garfield_W - Creates application called !Obey, loads a module called
WimpAIDS.
Handler - Creates an application task called 'Task Handler'.
Icon - Attacks applications. Files of various names in app. directories.
Nameless WIMP task in the Task Manager, or missing memory in the
Task Manager.
Image - Attacks applications. Files "Image" and "!Spr" in app. directory.
Image2 - Attacks applications. Files "Image" and "!BootFAT" in app.
directory.
Increment - Attacks applications. Appends to !Boot - look for 'load
<obey$dir>.!boot 8000' towards the end of the !Boot.
Irqfix - Attacks applications. Files "RiscExtRM", "WimpPoll", "OSSsystem",
"MiscUtil", "FastRom", "IRQFix" or "AppRM in app. directory. Module
"Irqfix" in module list.
Link - Attacks absolute (filetype &FF8) files. Module "BSToDel" in
module list. Infected files are re-stamped.
Mode87 - Loads a module called BBCEconet (replacing the real one).
Overwrites !Boot files.
Module - Attacks modules. Infected modules are re-stamped.
MonitorDat - Chance of screen wobble on Mondays. File called MonitorDat
inside applications.
MyMod - Attacks applications. Files "SSLM" and "SSLF" in app. directories.
Module "MyMod" in module list.
NetManager - Attacks !Boot files. Module "NetManager" in module list.
NetStatus - Attacks !Boot files. Module "NetStatus" in module list
(at offset &018xxxxx). Ensure the program you use understands both
strains of this virus! Killer and Scanner do. See also Arcuebus.
NewDesk - Sprite file called NewDesk, various task names.
Parasite - Attacks applications. Random of 20 filename choices for
the code carrier.
Penicillin - Malicious Icon variant - always a Data file called Penicillin.
Poltergeist - Creates files with an 'invisible' name and a grey sprite.
RunOpt - Starts an APPLICATION task called 'Task Manager'
Shy - *Modules will show a module number missing (providing another
module has been loaded since).
Sprite - Attacks applications. Files "Sprite" and "!Str" in app.
directories.
SpriteUtils - Attacks applications. File SprUtils saved in applications.
Loads from !run.
Taskmanager - Attack applications. File ' Log' inside applications.
Produces a desktop application task called 'Task Manager'.
T2 - Attacks !RunImage files of type &FF8. Files grow by about 4K.
See entry for details.
Terminator - An Icon variant which uses varied file/task names. Extra
files appear in directories.
Thanatos - Attacks applications. Files "RISCOSext" and "TaskAlloc"
in app. directory. "Thanatos" visible in the Task Manager.
TrapHandler - Attacks !Boot files. Module "TrapHandler" in module
list.
Valid - Attacks applications. Files "Valid" and "Source" in app.
directory.
VanDamme - Attack applications. Files with randomly chosen lower
case names of a variety of filetypes.
Vigay - Attacks applications. File "DataDQM" in app. directories.
WIMP task named "TaskManager" in the Task Manager.
Whoops - Attacks applications. File !Memalloc added to application.
Wimpman - File called 'WimpMan' in application directories. Filetyped
as a module, but is BASIC.
###########################################################################
Calendar
---------------------------------------------------------------------------
A number of viruses have messages which are programmed to be displayed
on a given day or dates. Some are specific dates (eg 4th July) others
are less specific such as the first monday of the month, or Friday
13th.
This section is subdivided into months, for the viruses with specific
dates and messages which could occur in any suitable month.
To read more about a particular virus mentioned in this section click
on the virus name (which will be underlined).
January
February
March
April
May
June
July
August
September
October
November
December
Any
###########################################################################
January
---------------------------------------------------------------------------
Date Virus Message/Action
1st Parasite Crashes computer before 01:00
1st T2 New Year's Resolution from T2...
1st Thanatos Suggested new-year's resolution...
1st Breakfast A contest of skill and cyberprank...
###########################################################################
February
---------------------------------------------------------------------------
Date Virus Message/Action
14th T2 St. Valentine's Day Roses are red, Violets
are blue...
29th Parasite Set Mouse step rate to -5 (fast & reversed)
###########################################################################
March
---------------------------------------------------------------------------
Date Virus Message/Action
15th Bigfoot This is a HOLD UP! Give me all the PD software...
###########################################################################
April
---------------------------------------------------------------------------
Date Virus Message/Action
1st BBCEconet E.T. phones home!
1st Thanatos Address Exception at &0863FB3C
1st Aprilfool April fool
1st Breakfast <details to be added>
1st NewDesk Ha!, Ha!, Ha!. I had you fooled there
###########################################################################
May
---------------------------------------------------------------------------
Date Virus Message/Action
1st T2 Mayday from T2...
###########################################################################
June
---------------------------------------------------------------------------
Date Virus Message/Action
21st Parasite Set Mouse step rate to 1 (slow)
25th BBCEconet Ph'nglui mglw'nafh Chtulhu...
###########################################################################
July
---------------------------------------------------------------------------
Date Virus Message/Action
4th T2 Independence Day celebrations from T2...
4th Bigfoot Hay there its the 4th of July...
21st Breakfast Cheer up, the worst is yet to come. I think.
###########################################################################
August
---------------------------------------------------------------------------
Date Virus Message/Action
No viruses are known which display messages specifically during this
month.
###########################################################################
September
---------------------------------------------------------------------------
Date Virus Message/Action
6th (1992) Module Your computer has been virus infected...
###########################################################################
October
---------------------------------------------------------------------------
Date Virus Message/Action
23rd BooHoo Happy Birthday!
31st T2 Spookiness from T2...
31st Thanatos Your disk's been formatted without you asking...
###########################################################################
November
---------------------------------------------------------------------------
Date Virus Message/Action
5th Bigfoot Wizz Bang! Its Guyfalks night...
5th Breakfast Remember, Remember, the 5th of November
- Gunpowder, Treason and Plot...
5th Icon It's Bonfire Night
###########################################################################
December
---------------------------------------------------------------------------
Date Virus Message/Action
21st Parasite Set Mouse step rate to 127 (very fast)
21st Parasite Change MonitorType and Sync settings
25th BBCEconet Merry Christmas!
25th Bigfoot Happy Christmas from BigFoot ... The VIRUS
25th T2 Yuletide Jollities from T2...
25th Thanatos Merry Chrimble! Hope you liked your pressy...
###########################################################################
Any Month
---------------------------------------------------------------------------
Date Virus Message/Action
13th Archie Hehe ArchieVirus strikes again
13th Penicillin Creates random mouse rectangle and endlessly
loops
13th Penicillin Marks three sectors on ADFS::0 as defective
13th Icon Random graphics
Friday 13th Link Message from LINK: Active since 30-Nov-91
Friday 13th BBCEconet It's Friday! Why are you working....
Friday 13th MyMod Hi there. It's me, with my latest addition...
Friday 13th T2 Comiserations from T2...
Friday 13th Breakfast Have a nice day.
Friday 13th NewDesk Ha!, Ha!, Ha!. Unlucky for some
Friday >20thTraphandler Ignorance will be your undoing
First MondayGarfield_I The Garfield Virus is here to stay
First MondayGarfield_I Don't you just hate Mondays?
First MondayGarfield_W The Garfield Virus is here to stay
First MondayGarfield_W Don't you just hate Mondays?
Any Monday MonitorDat Screen wobbles up/down
Any ThursdayVigay Screen wobbles up/down
Any Friday Ebenezer Screen wobbles up/down
Any SaturdayAxishack Screen wobbles up/down
###########################################################################
Index
---------------------------------------------------------------------------
Introduction Introduction
Abstract
Virus Index Index to known viruses
Virus Detection Utilities
Acknowledgements & Credits
Contacting the authors
Checklist
Quick Checks
Calendar
Index of virus names and aliases:
Alien
Aprilfool
Archie
Arcuebus
Axishack
BBCEconet
Bigfoot
Boohoo
Boot
CeBIT
Code
DataDQM
Diehard
Ebenezer
EMod
Ex_port
Extend
FCodex
Filer
FF8
Funky
Garfield_I
Garfield_W
Handler
HLCC12
Icon
Icon-A
Illegal
Image
Image2
Increment
IRQFix
Link
Mode87
Module
ModVir
MonitorDat
MyMod
NetManager
NetStatus
NewDesk
Newvirus
Ohsh*t
Parasite
Penicillin
Poison
Poltergeist
RISCOSExt
Runopt
Shakes
Shy
Sicarius
Silicon Herpes
Sprite
SpriteUtils
Taskmanager
T2
Terminator
Thanatos
Traphandler
Valid
VanDamme
Vigay
Whoops
Wimpman
Wraith
Wright
