ARM Club 3

home *** CD-ROM | disk | FTP | other *** search

/ ARM Club 3 / TheARMClub_PDCD3.iso / mag_discs / 2 / programs / !AntiVirus / !Help < prev next >

Wrap

Text File | 1992-05-18 | 6KB | 183 lines

!Help for !AntiVirus (Version 0.14) ----------------------------------- Author : Jason Tribbeck (ARM Designs) Date : 18 May 1992 This module prevents the initial attack of the following viruses : NetManager, Extend and Module It is far better than using a virus remover (although there's nothing wrong in that), because this module checks viruses BEFORE they are even loaded, so if you have this on a boot-up, then these viruses stand (practically) no chance of surviving. They are either destroyed (either by modifying the code back again, or by deletion) if possible before the virus 'links' with the system. Net result - No need to run a checker whenever you get a new piece of software from a friend/PD/Bulletin board, because the checking is done in the background. --------------------------ooOOoo---------------------------- Data on viruses : ----------------- I don't want to go into too much detail, 'cause someone will work out : a) how to write a virus, or worse still ; b) how to write a virus to get 'round this program. --------------------------ooOOoo---------------------------- NetManager : ------------ This virus occurs on the Application's !Boot file. The old !Boot file is overwritten with a new file which is 900 bytes long. This file is still an Obey file which loads in the sprites, but also calls itself as a module (very clever). The module claims the OS_FSControl, and checks to see if a !Boot file is being executed. If it is, it overwrites it with itself. Remedy This module also looks for !Boot files, but if they are 900 bytes long, it deletes it (if possible). If it can't delete it, it doesn't run it. Side-effect Look out for proper !Boot files that ARE 900 bytes long - just insert a space into them to make them 901 bytes long! --------------------------ooOOoo---------------------------- Extend : -------- This is one of the first Archimedes viruses released. It claims RMA space (1k) for every !Boot file run. It attaches itself to RiscOS as a Wimp task with a null name. It spreads by appending several lines to the end of the !Boot file, and a marker to show that it has been infected, and also by saving a module inside the application's directory, which the !Boot file loads up. Remedy This module looks to see if a module is being Loaded (either *Load, RMLoad or RMRun). If its length is 940 bytes long, it checks to see if the title string is "Extend ". If it is, it tries to delete it. If it can't delete it, it is still not executed. --------------------------ooOOoo---------------------------- Module : -------- This is a nasty virus to have - it doesn't do any damage, but it does take up space on your discs. It prints a message when a certain time has been reached, but I havn't found out when. Remedy This module checks ALL module loads (which includes copies), loads them in and then checks the Initialisation, Finalisation and Service vectors. If the code following the initialisation vector is the same as in an infected virus (the first 152 bytes are checked), then the vectors are replaced to their old values, the module saved on top of itself AND an error is produced. If an error is produced, the program has to be reloaded in order to run. If the program loads in several infected modules, it would require several re-loads. If you are saving onto a protected disc, or the original module is locked, an error will be produced, but don't worry - the module hasn't been initialised yet, so the virus hasn't got to you. --------------------------ooOOoo---------------------------- Disclaimer : ------------ I (Jason Tribbeck) cannot be held responsible for any loss or damage resulting from the use of this program. --------------------------ooOOoo---------------------------- However, if you do experience difficulties, or you've just been attacked by a new virus, then you can contact me : Dept. AVT, Attn. Jason Tribbeck, 36 Nettlecombe Ave., Southsea, Hants. PO4 OQW. If you do send me a virus, make sure that it is CLEARLY labelled. --------------------------ooOOoo---------------------------- And remember - prevention is better than cure. --------------------------ooOOoo---------------------------- Updates from previous versions ------------------------------ 0.01 The original version. After I got hit by the NetManager virus, I decided to write a prevention system, rather than a virus remover. 0.02 Errors returned correctly 0.03 Modified to work as a module 0.04 Disclaimer added. 0.05 Main text removed, as it now had a !Help file. 0.06 Modified to check its own initialisation address. 0.07 Modified to check if System:Modules.<A_MODULE> is being saved. 0.08 Start of Extend checker. 0.09 Checks for modules 940 bytes long. 0.10 Checks for modules 940 bytes long, and title is "Extend " - note the space 0.11 Delete Extend working. 0.12 Initializer code checks for actual infestation 0.13 Initializer was found to be actually called 'Module'. Module virus checker fully working (i.e. it told you before being infected). Save to System:Modules.* removed, 'cause saves don't work in that way :-( More text added into top to describe why you should use this module. 0.14 Extend virus properly checked as I had an infection :-( Space removed from "Extend". --------------------------ooOOoo---------------------------- THIS IS NOT A VIRUS KILLER - IT IS A VIRUS PREVENTOR --------------------------ooOOoo---------------------------- © ARM Designs 1991/1992