VirusX 4.0
by
Steve Tibbett and Dan James
Documentation
by
Steve Tibbett and Jim Meyer
Table of Contents
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
How To Use VirusX . . . . . . . . . . . . . . . . . . . . . . . . . . 2
VirusX Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Command Line Options . . . . . . . . . . . . . . . . . . . . . . 3
Active Window Options . . . . . . . . . . . . . . . . . . . . . . 3
General Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Nut Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Distribution Notice . . . . . . . . . . . . . . . . . . . . . . . 4
A Tale of Two Viruses . . . . . . . . . . . . . . . . . . . . . . . . 5
The Byte Bandit Virus . . . . . . . . . . . . . . . . . . . . . . 5
The IRQ Virus . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Technical and Developmental Notes . . . . . . . . . . . . . . . . . . 8
SCA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Byte Bandit . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Revenge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Byte Warrior . . . . . . . . . . . . . . . . . . . . . . . . . . 8
North Star . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Obelisk Softworks Crew . . . . . . . . . . . . . . . . . . . . . 8
IRQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Pentagon Circle . . . . . . . . . . . . . . . . . . . . . . . . . 8
SystemZ Virus Protector . . . . . . . . . . . . . . . . . . . . . 8
Lamer Exterminator . . . . . . . . . . . . . . . . . . . . . . . 8
Graffiti . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Old Northstar . . . . . . . . . . . . . . . . . . . . . . . . . . 9
16 Bit Crew . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
DiskDoktor . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Australian Parasite . . . . . . . . . . . . . . . . . . . . . . . 10
Virus Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
- Overview -
Viruses are a nasty fact of life for computer users, and Amiga users
are not immune. VirusX was created to give Amiga owners a simple and
effective defense against these creatures.
Viruses fall into two categories: boot-block and other. Boot-block
viruses are so named because they live on the first two sectors of a disk,
the boot-block. When a disk is bootable (like Workbench), these sectors
tell the operating system where to go to load AmigaDOS code. A boot-block
virus, however, points to its own code. It makes sure that the virus is
activated before the AmigaDOS code is loaded. Even if this code is not
malicious, this type of virus can still do damage. Many game programs use
the boot-block for their own code. If a virus happens to over-write this
code, the game will no longer work. Most of the viruses found so far have
been of the boot-block variety.
The "other" viruses are relatively new, and are tricky to find.
These kinds of viruses attach themselves to programs, in some cases
replacing them, and wedge their way into the system.
VirusX is the best defense against these creatures. I encourage you
to give VirusX to anyone who might need it. In particular, dealers and
user groups should use VirusX. These folks, with the amount of disk
copying they do, are particularly vulnerable to viruses.
How To Use VirusX
VirusX should be run as part of the Startup-Sequence. To do this,
simply use a text editor to modify your startup-sequence. Add a line that
simply says "VirusX", and make sure that VirusX is in your c: directory.
VirusX will open a small window to let you know it is there, and will
automatically check any disk inserted into one of the 3.5" drives.
(The startup-sequence is found in the S: directory of any
AmigaDOS-standard boot disk, like Workbench. If you don't know how to edit
this file, refer to your Amiga manual, the AmigaDOS manual, or Rob Peck's
book "The Amiga Companion.")
If VirusX finds something suspicious, it will post a requester
warning the user of either a specific virus or a non-standard boot-block.
The user will be given the option to Remove or Ignore the potential virus.
WARNING: A NON-STANDARD BOOT-BLOCK MAY NOT BE A VIRUS! This may either be
a virus that VirusX doesn't know about, or it may be a custom boot-block
for a commercial program. Make SURE that you know that the program is not
using the boot-block for its own purposes before you re-write it. VirusX
will ask you if you are sure before it does anything. (Programs which give
you an AmigaDOS window are always safe to repair.)
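The boot-block check described above, reduced to a standalone routine. This is an added example, not code from the VirusX distribution. It assumes the public AmigaDOS boot-block layout (the first two 512-byte sectors: "DOS" plus a filesystem flag byte, a checksum longword, the root block number, then boot code), and the "standard" and "game" boot code bytes are constructed stand-ins; a real checker would carry hashes of the genuine Kickstart 1.2/1.3 boot blocks. It also covers the Virus Notes point about a virus turning an FFS volume into OFS, since that shows up in the flag byte.

```python
"""Added example (not VirusX's own code): classify an Amiga boot block.

Assumed layout of the 1024-byte boot block (public AmigaDOS format):
  bytes 0..2   "DOS"
  byte  3      filesystem flag, bit 0 set = FFS, clear = OFS
  bytes 4..7   checksum: one's complement of the end-around-carry sum of
               all 256 big-endian longwords, computed with this field zeroed
  bytes 8..11  root block (880 on a DD floppy)
  bytes 12..   boot code, run by the ROM only when the checksum is right
"""
import hashlib
import struct

BOOT_BLOCK_SIZE = 1024
DOS_MAGIC = b"DOS"


def bootblock_checksum(block: bytes) -> int:
    """End-around-carry sum of all 256 longwords (the Amiga boot-block rule)."""
    total = 0
    for (word,) in struct.iter_unpack(">I", block):
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total


def build_bootblock(boot_code: bytes, ffs: bool = False, root_block: int = 880) -> bytes:
    """Constructed helper: assemble a valid boot block around boot_code."""
    body = (DOS_MAGIC + bytes([1 if ffs else 0]) + b"\0\0\0\0"
            + struct.pack(">I", root_block) + boot_code).ljust(BOOT_BLOCK_SIZE, b"\0")
    csum = (~bootblock_checksum(body)) & 0xFFFFFFFF  # field is zero while summing
    return body[:4] + struct.pack(">I", csum) + body[8:]


def filesystem_flag(block: bytes) -> str:
    """'OFS' or 'FFS' from the flag byte.  A boot-block virus that carries an
    OFS header turns an FFS volume into OFS when it overwrites the block."""
    return "FFS" if block[3] & 1 else "OFS"


def check_bootblock(block: bytes, known_good: set) -> str:
    """Classify as VirusX does: 'not-dos', 'bad-checksum', 'standard', or
    'non-standard'.  Non-standard is a warning only, not proof of a virus."""
    if len(block) != BOOT_BLOCK_SIZE or block[:3] != DOS_MAGIC:
        return "not-dos"
    zeroed = block[:4] + b"\0\0\0\0" + block[8:]
    expected = (~bootblock_checksum(zeroed)) & 0xFFFFFFFF
    if struct.unpack(">I", block[4:8])[0] != expected:
        return "bad-checksum"  # the ROM will not run this code, so no alarm yet
    code_hash = hashlib.sha256(block[12:]).hexdigest()  # flag byte is not hashed
    return "standard" if code_hash in known_good else "non-standard"


# Constructed sample blocks: a "standard" block whose code hash goes on the
# allow-list, and a game's custom block, which is legitimate but non-standard.
STANDARD_CODE = b"\x70\x00\x4e\x75" + b"constructed stand-in for the Kickstart boot code"
GAME_CODE = b"\x70\x00\x4e\x75" + b"constructed stand-in for a game's trackloader"
STANDARD_BLOCK = build_bootblock(STANDARD_CODE)
GAME_BLOCK = build_bootblock(GAME_CODE)
KNOWN_GOOD = {hashlib.sha256(STANDARD_BLOCK[12:]).hexdigest()}

if __name__ == "__main__":
    for label, blk in (("standard", STANDARD_BLOCK), ("game", GAME_BLOCK)):
        print(label, filesystem_flag(blk), check_bootblock(blk, KNOWN_GOOD))
```

The allow-list compares only the code region, so a standard boot block on an FFS disk still matches. A "bad-checksum" result is reported separately from "non-standard" because the ROM never executes such a block; the "non-standard" result is exactly the case the warning above is about, and the decision to rewrite has to stay with the user.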
- VirusX Options -
Command Line Options
When you first run VirusX, you have the following command-line
options:
-a Make virusx window active when run
-c Don't check the CoolCapture vectors
-k Enable KickTagPtr checking
-q Check all floppies, then quit immediately
-r Use this if you have 1 meg Chip RAM and are using SetPatch -r
-x## Set window X position
-y## Set window Y position
These commands are all given as arguments. For example:
VIRUSX -a -x100 -y100
These commands would run VirusX, make the window active, and put it at
position 100,100 (on the left-hand side, halfway down) of the Workbench
screen.
Active Window Options
While VirusX is running, you may click on its titlebar with the left
mouse-button and type the following commands:
I Open the Info Window
C Check all mounted floppies for viruses
ESC Quit VirusX
# Show bootblock in drive # (i.e., 0 shows DF0:, 1 shows DF1:, etc.)
Example: Click in the VirusX window and type the number "1" - VirusX
will examine the disk in DF1: and will display the contents of the boot-
block. This is not very useful any more, since most viruses do not contain
any unencrypted text. Repeating the command, changing the disk in the
drive just checked, or clicking in the window with the right mouse-button
will cause VirusX to shrink back to "titlebar" size.
You can get VirusX to display information about how many disks it has
checked and what it has found by clicking on the VirusX titlebar with the
right mouse-button. Clicking again will close the window.
- General Notes -
Mail
The best way to contact me is through the electronic network
services listed below. I've gotten far more VirusX-related mail than
I thought possible, making it impossible for me to respond to "regular" mail.
Nut Alert
There will be people who are thinking that I am some nut case trying to
spread my own virus hidden under the guise of a virus checker. Well, just
for you, I've included the C source code. Please, if you don't trust me,
don't brand a useful utility as untrustworthy for no reason, CHECK THE
SOURCE! Recompile it if you think I'm trying to slip a fast one by you. I
just want to see viruses out of all our lives.
Distribution Notice
This program is Copyrighted, but is freely redistributable (It's NOT
Shareware). Do what you want with it, but Please don't use it for evil
purposes. That's what I'm trying to prevent.
If you are not sure that this is the most current version of VirusX,
you should check with the following sources: The AmigaZone (American
People/Link Network), BIX, Compuserve, and/or AmigaWorld. The latest
version of VirusX is available for downloading from the aforementioned
networks, or from AmigaWorld for the price of $5.00, for shipping and
handling.
I can be reached on BIX as "s.tibbett" and on People/Link as "SteveX".
I'm also on Compuserve, but with their dumb numbering system, I can never
remember who I am.
- A Tale of Two Viruses -
The Byte Bandit Virus
The Byte Bandit virus, once in memory, copies itself to a point just
above the high memory pointer on the first hunk of RAM it can find. This
means that it's not always in the same place. It then wedges itself into
the Interrupt Server chain, into the vectors of Trackdisk.device, and
creates a Resident structure for itself so it can hang around after reboot.
It watches EVERY disk inserted, and will write itself to ANY bootable
disk that is inserted!
Also, if you Install a disk while this virus is active, it will copy
itself back to the disk. This is why it has to be wiped out from memory.
When VirusX finds this virus on a disk, it will also display a "Copy
Count." This represents the number of disks which have been infected by
that "Branch" on the "Tree" that the virus is on. If you infect a disk
with your copy, and your copy is number 300, then that copy will be #301.
If that copy infects somebody, that will be #302, but on YOUR copy, two
infections down the line, there will be another #302. The copy count on MY
Byte Bandit virus was #879.
Note that VirusX will check RAM for this virus as well as the disk.
This was necessary, as you can tell from the description above.
Special thanks must go here to Dave Hewett, who, 2 days after I gave
him a copy of the virus, gave me a printed, commented disassembly of the
virus with meaningful labels and everything I needed to stomp it - Thanks
Dave!
Thanks must also go to Bruce Dawson of CygnusSoft Software, (author of
that great program, CygnusEd), who went to the trouble of being the First
person to send me this Virus.
The IRQ Virus
The IRQ Virus is a recent Amiga Virus. This one stands out from the
crowd: it is NOT found in the boot block.
This Virus attaches itself to executable programs. Its prime target
is the C:DIR command, but it will also look at your startup sequence and
attach itself to the first executable program found in the startup-
sequence.
A sample chain of events:
- You download or otherwise acquire a new program. This program
happens to be infected.
- You execute this program.
- The Virus then attaches itself to memory (by taking over the
OldOpenLibrary() vector) and adds a KickTagPtr (for no apparent
reason).
- Now, you're on DF0: and you run a program that uses the
OldOpenLibrary() vector (hard to predict which ones do...).
The Virus will open your startup sequence and pick the first
filename it sees. If this file is executable it will write
itself into that file. IF it's not executable, it will try to
write to the DIR command on that disk.
As you can see, this virus will only affect the first file mentioned
in the startup sequence or the DIR command. The only way this Virus could
possibly spread via modem is through deliberate sabotage, unless the
uploader actually DID have the program as the first thing in his startup
sequence before sending it to you.
WHAT IT DOES
This Virus is mostly a harmless joke. It does not appear to kill
commercial programs or do anything malicious. It's not nice to have
around, but it's certainly better than a malicious virus!
It changes the title bar of the Initial CLI window when you boot, and
it will try to write to any disk inserted - thus bringing up the "Volume
whatever is write protected" requester whenever you insert a write
protected disk.
It will write itself to any disk from which you execute a file,
overwriting either the DIR command or the first thing in the startup
sequence.
When this virus first installs itself (after reboot), it changes the
title bar of the current window (usually the initial CLI window, since it
IS the first thing in your startup sequence) to say something like
"AmigaDOS Presents: The IRQ Virus, V41.0". This is a dead giveaway.
This virus will not work under Kickstart 1.3 - you will get Software
Error requesters whenever you run an infected program. I'm not sure why,
but this is probably good.
HOW TO KNOW IF YOU HAVE THIS VIRUS
You cannot identify a file that has this virus in it just by looking
at it. The virus encrypts the text parts of itself, and encrypts it
differently on each copy, making it impossible to recognize.
You can tell your system is infected if you put in a write protected
workbench disk (or any disk that has a startup sequence), and the system
brings up a "Volume <whatever> is write protected" requester. This
indicates that this virus is in RAM attempting to infect your disk.
Running VirusX 4.0 will tell you if this virus is in RAM, and VirusX
will remove it from RAM.
HOW TO GET RID OF THIS VIRUS
To get the virus out of RAM, run VirusX 4.0. It will tell you if it
found it, and that it removed it if it did. VirusX will check disks the
same way that the Virus does - it will look at the startup sequence,
determine if the first file found (or the DIR command) is infected, and
give you the option of repairing the damage.
You can also get rid of this virus simply by deleting all infected
programs and rebooting. This virus will not hang around after a reboot.
Because this virus can hit a number of files, not all of which VirusX will
find, I have included a small program by Dan James called KV - "KillVirus."
This program will check an entire directory's worth of files for this
specific virus.
VirusX 4.0 will look in the same places as the Virus for infected
programs. If it finds one, it will pop up a window, tell you where it
found it, and ask if it's OK to remove it.
HOW TO MAKE SURE YOU DON'T GET THIS VIRUS
Keep VirusX 4.0 running when you test new programs. VirusX will
alert you as soon as it sees this virus appear in memory. If VirusX finds
this virus, it probably came from the last program you ran.
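The disk-side check described in the sections above, done the way the text says VirusX and the virus both do it: find the first command named in S:Startup-Sequence, add C:DIR, and compare the first hunk of each (where the virus lives) against a baseline recorded from a known-clean disk. This is an added example, not code from VirusX or from Dan James's KV. It assumes the public AmigaDOS executable ("hunk") layout and models the disk as a dict of lower-cased paths to file contents, constructed for the example.

```python
"""Added example (not VirusX's or KV's code): first-hunk baseline check
for the two IRQ targets.

Assumed hunk-file layout: HUNK_HEADER 0x3F3, a zero-terminated list of
length-prefixed resident library names, table size / first / last hunk
numbers, one size longword per hunk, then HUNK_CODE 0x3E9 or HUNK_DATA
0x3EA followed by its size and payload, and HUNK_END 0x3F2.  Sizes are
in longwords.
"""
import hashlib
import struct
from typing import Dict, Optional

HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_END = 0x3F3, 0x3E9, 0x3EA, 0x3F2


def first_command(startup_sequence: str) -> Optional[str]:
    """First command word in a Startup-Sequence, skipping blanks and ';' comments."""
    for line in startup_sequence.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            return line.split()[0]
    return None


def resolve(command: str) -> str:
    """AmigaDOS looks a bare command name up in C:; explicit paths are kept."""
    command = command.lower()
    return command if ":" in command or "/" in command else "c:" + command


def first_hunk(image: bytes) -> Optional[bytes]:
    """Payload of the first CODE/DATA hunk of a hunk-format executable, else None."""
    def long_at(off: int) -> int:
        return struct.unpack_from(">I", image, off)[0]
    try:
        if long_at(0) != HUNK_HEADER:
            return None
        off = 4
        while long_at(off) != 0:             # skip resident library names
            off += 4 + 4 * long_at(off)
        off += 4
        first, last = long_at(off + 4), long_at(off + 8)
        off += 12 + 4 * (last - first + 1)    # past the hunk size table
        kind, size = long_at(off), long_at(off + 4) & 0x3FFFFFFF
    except struct.error:                      # truncated file
        return None
    if kind not in (HUNK_CODE, HUNK_DATA):
        return None
    return image[off + 8: off + 8 + 4 * size]


def record_baseline(disk: Dict[str, bytes], paths) -> Dict[str, str]:
    """Hash the first hunk of each listed file; run this on a disk you trust."""
    out = {}
    for path in paths:
        hunk = first_hunk(disk[path])
        if hunk is not None:
            out[path] = hashlib.sha256(hunk).hexdigest()
    return out


def check_disk(disk: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, str]:
    """Verdict per target: ok, modified, missing, not-executable or no-baseline."""
    seq = disk.get("s:startup-sequence", b"").decode("latin-1")
    targets = ["c:dir"]
    name = first_command(seq)
    if name is not None and resolve(name) != "c:dir":
        targets.insert(0, resolve(name))
    verdicts = {}
    for path in targets:
        image = disk.get(path)
        if image is None:
            verdicts[path] = "missing"
            continue
        hunk = first_hunk(image)
        if hunk is None:
            verdicts[path] = "not-executable"
        elif path not in baseline:
            verdicts[path] = "no-baseline"
        elif hashlib.sha256(hunk).hexdigest() == baseline[path]:
            verdicts[path] = "ok"
        else:
            verdicts[path] = "modified"
    return verdicts


def build_executable(code: bytes) -> bytes:
    """Constructed helper: wrap code in a minimal single-hunk executable."""
    words = (len(code) + 3) // 4
    return (struct.pack(">IIIII", HUNK_HEADER, 0, 1, 0, 0) + struct.pack(">I", words)
            + struct.pack(">II", HUNK_CODE, words) + code.ljust(4 * words, b"\0")
            + struct.pack(">I", HUNK_END))


# Constructed disks: a clean one, and one whose SetPatch first hunk has been
# replaced, which is what an IRQ infection looks like to this check.
STARTUP = b"; constructed startup-sequence\nSetPatch >NIL:\nVirusX\n"
CLEAN_DISK = {"s:startup-sequence": STARTUP,
              "c:setpatch": build_executable(b"\x70\x00\x4e\x75"),
              "c:dir": build_executable(b"\x70\x01\x4e\x75")}
INFECTED_DISK = dict(CLEAN_DISK, **{"c:setpatch": build_executable(b"constructed infected hunk")})
BASELINE = record_baseline(CLEAN_DISK, ["c:setpatch", "c:dir"])

if __name__ == "__main__":
    print(check_disk(CLEAN_DISK, BASELINE))
    print(check_disk(INFECTED_DISK, BASELINE))
```

Hashing only the first hunk is deliberate: the text says the virus lives there, and a length-only check is weak because the encrypted payload differs on every copy. The baseline has to come from a disk checked before anything suspicious was run, for the same reason the Virus Notes give for running VirusX first.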
- Technical and Developmental Notes -
SCA - The SCA is the simplest virus to deal with, as it's not actually
DOING anything except hiding in memory until you reboot. We just look at
CoolCapture and fix it to get it out of RAM.
BYTE BANDIT - The Byte Bandit virus takes the DoIO() vector and redirects
it through itself. Thus, any attempt to read or write the boot block (i.e.,
AmigaDOS trying to figure out what kind of disk it is) results in Byte
Bandit writing itself onto that disk. VirusX couldn't just rewrite the
boot block; it has to get Byte Bandit out of RAM first. This virus also
has an interrupt that crashes the machine every 5 minutes or so after it's
infected a few of your disks. Ow. It stays in memory not via the Capture
vectors, but by a Resident module.
REVENGE - Basically, this is a Byte Bandit clone which brings up an
obscene pointer a few minutes after you reboot. We treat it much like the
byte bandit.
BYTE WARRIOR - Jumps right into 1.2 Kickstart. Won't work under 1.3.
Hangs around via Resident struct, and doesn't do any damage.
NORTH STAR - Like SCA, hangs around via CoolCapture. Killing CoolCapture
kills the North Star.
OBELISK SOFTWORKS CREW - Hangs around via CoolCapture, also watches reads
of DoIO(). It doesn't infect EVERY disk - only the ones you boot from.
IRQ - This is the FIRST Non-Bootblock Virus. It copies itself from place
to place via the first executable program found in your startup-sequence.
It SetFunction's OldOpenLibrary(), has a KickTagPtr, and lives in the first
hunk of an infected program. Thanks go to Gary Duncan and Henrik Clausen
for being the first to send this one to me!
PENTAGON CIRCLE - This one looks at the DoIO vector, and has a CoolCapture
vector. It will write itself over any virus on a disk you insert, but not
onto anything else. (Neat idea!). No danger, easy to eliminate. Holding
the left button while booting with this one shows a different screen
colour, but doesn't get rid of it. Thanks go to Bill Seymour (CMIBILL on
Plink) for sending me this one!
SYSTEMZ VIRUS PROTECTOR - I took this one out. It's not really a 'Virus',
in that it won't overwrite a disk without asking you first. Besides, it
seems a lot of people LIKE the SystemZ Virus Protector (though it isn't
perfect).
LAMER EXTERMINATOR - THIS one was a bugger. Yet another virus
aimed at hurting people. Y'see, a Lamer is apparently the worst kind of
pirate - one who doesn't crack software, doesn't write software, just
collects names and addresses and collects and spreads software. Lamers
don't do anybody any good, and the guy behind this Virus took it upon
himself to make their (and our) lives miserable. This virus loads into RAM
at a random location each time. It is encrypted on the disk so you can't
SEE the name of it, and it never actually SHOWS the name, but it's
definitely there. It changes the encryption key used each time it is
written back to disk.
It has a counter and will wait until the machine has been reset 2
times OR until 3 disks have been infected, and will then pick a DATA block
(Only a DATA block - FFS disks are safe, I guess), randomly, and will write
the word 'LAMER!' all through it. This is obviously not good, and will
cause random disk errors. This is the worst kind of havoc to wreak on the
new user - and this virus is EVERYWHERE! I've gotten it from 5 people in
the last week alone (all from different countries! Ack!). Anyway, credit
for being the first with this one goes to Christian Schneider. Thanks,
Christian!
This virus sets up a Resident structure, but never sets the Match Word.
Either this means we don't need the MatchWord or it means his
SumKickData() is doing the recovery job - either way, it's new! 3 points
for originality.
GRAFFITI - The first virus to come with rotating 3-d graphics! It's neat -
you might want to trigger it, though I'm not sure how, before nuking it.
This one just sets CoolCapture(), does something with DoIO() during the
reboot, and sets it back to normal before anybody gets to look at it.
Lots of code is taken by the graphics stuff. I just clear the CoolCapture
vector. [yawn]
OLD NORTHSTAR - Poof.
16 BIT CREW - Well, I didn't actually have to DO anything to get VirusX
to recognize it, because it seems to operate like the Graffiti Virus. If
the 16 bit crew is in RAM, VirusX will say it removed the Graffiti virus.
DISKDOKTOR - I spent more time on this one than on any other. Y'see, this
virus does lots of things. The first one, for some reason, was quite funny
to me. It waits until you have rebooted 5 times. Each time you reboot
after that, the virus eats 10K times the total number of reboots. After
rebooting 10 times, you would be short about 100K. This virus also starts
up another TASK. I'm not exactly sure when it happens, but another task
named 'clipboard.device' will appear at a priority of -120, and will
continually bash the Virus' vectors into the Coldcapture, Coolcapture,
Warmcapture (which it sets to $ff000000 just to annoy), and the DoIO()
vector.
When I was working on this one, I figured I just had to restore the
old values to the DoIO() vector, but as soon as I did so, the Virus
restored them. Since I hadn't disassembled the entire thing, I didn't
realize this until I wasted time looking for other faults. This one also
allocates some memory, copies some code out of Exec into this memory, and
executes it. I never bothered to figure out why - Once it's gone, it's
gone.
AUSTRALIAN PARASITE - Hey - I like this one! It says it will not destroy
game bootsectors or corrupt disks, but it's still a Virus. What makes this
one unique is the way it lets itself be known. After so many disk accesses
(something like 600 blocks read off of a floppy), it turns your screen
Upside Down! Nifty. You can still USE the screen upside down - it just
looks a bit weird. It uses the DoIO() vector, the TD Read vector, starts
at SysStkLower, and that's about it. It stays around via CoolCapture.
Thanks to Martyn at 17Bit Software in England for being the first to send
this to me.
Thanks also to Robb Walton for being the first to send one of the other
ones.
- Virus Notes -
These are things that you probably should know, but may not, about
what can happen with Viruses.
- If you are trying to format a disk, and you always get a
message that Cylinder #0 of the disk is bad, it's quite
possible you have a virus in RAM (or a bad disk). This is
because when the Formatter writes to block 0, some viruses
will prevent this (trying to save themselves). When the
formatter reads the block back to verify, it's not the same
and it panics.
- Some commercial programs will not work with some viruses
in RAM.
- Not all computer failures are caused by viruses! If you
are having problems, and you have checked your disks with
VirusX (and it reports them as clean), try looking elsewhere
for the problem.
- There is at least one virus that can (more or less
accidentally) hit hard disks. Some of the viruses use the
DoIO() vector to watch for any read (or write) attempts at
block 0. Unfortunately, they do not always make sure that
it is block 0 of the Floppy drive. If someone is writing to
block 0 of the hard disk, and the virus intercepts this, it
can write itself to the hard disk. The virus CANNOT load
from hard disk - the hard disk's boot block is never
executed. However, if your hard disk is an FFS volume, then
writing the virus to it will have the effect of changing it
to an OFS volume, making what's on it unusable. You can fix
this with DiskDoctor (I believe), or using DiskX.
- VirusX may NOT find some viruses if you run it after the
virus is already loaded. In some cases - like the Lamer
Exterminator virus - VirusX sees what the virus wants it
to see, not what's really there. Run VirusX BEFORE you run
anything else, or BEFORE you load any suspicious disks.
Version Notes have been moved from the documentation file to the source
code file. Please read VirusX.C for the version history of VirusX.
I'd like to thank Lars Wilklund, Jason Allen Smith, Bruce Dawson,
Robb Walton, Pete Foley, and all the others whose names I've forgotten who
have sent me disks (And the many people who have written to me, but
whom I have not been able to answer! I do read your letters!)
Mucho thanks also to Dan James, who's been helping me all along,
and who did a lot of the finding out about the IRQ Virus.
(And to Ian Sewell, for 2 million points worth of MUD treasure which
I never got...)
...Steve