AVRD158t (text file, 1992-10-27, 104KB, 2,863 lines), archived on
"Turnbull China Bikeride - Disc 2.iso" under STUTTGART/ANTIVIRUS/SCANNER.
This is the textual version of the AVRD. In order to minimise
editing overhead this version is now derived directly from the
source of the HyperText version. The derivation is performed
by a program, so the formatting may not always be perfect -
but we'd rather spend our time coding !Killer/!Scanner !
Ignore any references to clicking in specific places in the
document - this facility is only available in the HyperText
version.
###########################################################################
The Archimedes Virus Reference Document
---------------------------------------------------------------------------
Version 1.58h (October 25, 1992)
Copyright © 1991, 1992 Tor O. Houghton and Alan Glover
This document is copyright. Profit-based distribution (whether PD
or Shareware) without prior consent from the authors is strictly
illegal. If in doubt, contact one of the authors. Note that this
version of !ClearView also has certain conditions upon its distribution.
This is the hypertext form of this document, using the Binary Star
!ClearView package. Click here (on the underlined word) for a brief
guide to using this software and details about obtaining enhanced
versions.
A full list of the contents, and an index of the viruses covered
in this edition of this document can be seen by clicking the 'index'
icon (the rightmost one), or the underlined word in this sentence.
###########################################################################
Abstract
---------------------------------------------------------------------------
As the number of people using the Archimedes range of computers has
increased over the years, so has the number of viruses.
This document should be of interest to all users of an Acorn computer
running a version of RISC OS, and contains the compiled information
from various virus researchers and their killers. In particular,
it is (as the title suggests) a compendium of the knowledge about
viruses of Tor Houghton and Alan Glover.
The purpose of this document is to give as many details as possible
on each virus known, and to assist those who think they might be
infected by a virus.
A dilemma occurred as this document took form. How much information
should be included? If we provided too much information, this document
could well become an effective "cookbook" for people wanting to write
a virus. This is not our intention. The professionals and programmers
who read this will easily identify the missing or omitted information
because they already have this background knowledge - it is part
of the working tools of our profession.
The document is not intended to provide very detailed technical information
on a virus (although this may happen as a way of explaining it),
but to allow the reader to understand what the virus generally does,
what makes it activate and what it does upon activation. Most important,
however, it should help the user with the removal!
1.0 Introduction
---------------------------------------------------------------------------
A virus is nothing magical. Anyone with a bit of programming skills
and some knowledge about the machine's operating system is capable
of creating a virus. Usually these programmers think it is fun, they've
read too many cyberpunk books, or they are generally pitiful creatures
who like to inflict damage.
Final note: In spite of many journalists' secret wishes, a computer
virus cannot spread from one type of computer to another. For example,
a virus written on a PC running MS-DOS or Windows cannot infect the
Archimedes in native mode. If you are using the PC emulator, however,
a PC virus functions perfectly well under that environment too (probably
with a few exceptions, given that there are about 1000 viruses for
that particular operating system). The only area in which some crossover
is possible is hardware: if you have a DOS virus which thrashes the
floppy drive out of alignment, the damage will obviously still be there
when the drive is used normally!
1.1 Some Definitions
---------------------------------------------------------------------------
Connectivity: The level of ability a computer has to connect to other
computers. Nowadays it is very easy to, for example, phone a BBS
and download new software. The higher the level of connectivity, the
higher the level of possible exposure to computer viruses. The same
may also be considered true of other sources of software, such as
PD libraries.
Trojan Horse: This is a generic name (taken from Greek mythology)
for a penetration method that includes hidden code. An example of
this is the Link virus which, while being helpful in the ways of
converting backspace to delete, also launches a virus into your computer.
Virus: A computer virus can be defined as a malicious program capable
of replicating itself. See "A Computer Security Glossary for the
Advanced Practitioner" in the Computer Security Journal IV, No. 1,
1987 for a similar description. Please note that most computer viruses
on the Archimedes do nothing but replicate, although there are a
few exceptions.
Worm: A computer program which moves through your computer system,
altering data as it copies itself and deleting the old copy. If a
worm reproduces it could also be called a virus. There are no reports
of worms on the Archimedes, mainly because it is such a closed system,
and would be detected much too easily to become a hazard. Networks
are more exposed to such nasties.
1.2 Entry Explanations
---------------------------------------------------------------------------
Name: The most common name of the virus. Often chosen because of
some text found in the virus, or like CeBIT, connected to some event
(the biggest computer show in Europe).
Aliases: Names which other anti-viral agent documents (usually brief
notes which are included with the program) use for the same virus.
This includes names that are commonly used by BBS users etc.
Origin: The country where the virus seems to have originated from.
Isolation Date: The date (as detailed as possible) when the virus
was first found.
Effective Length: The length the virus occupies on the disc. The
actual length in memory may well be shorter.
Virus Type: Task refers to viruses written as a multitasking program
(i.e. appears on the Task Manager, with or without a task name).
Resident refers to viruses which, by reserving some memory, insert
themselves as a machine code program invisible to the task manager.
By monitoring certain interrupts the virus is able to spread. Also,
if the virus attaches itself to files, this is noted along with what
type of files it infects.
Symptoms: Odd behaviour which might occur if the virus is loaded.
This could be spurious crashes or files suddenly appearing (or disappearing!).
Note that this has nothing to do with what the virus actually does
when it activates; that is detailed as extensively as possible under
the 'General Comments' section.
Detection: Refers to anti-virus agents (complete with the earliest
version number) which, to our knowledge, detect the virus. Please be
so kind as to update me on this, as I know there are several anti-virus
programs wandering around which I don't have!
Removal: Refers either to programs which remove the virus from the
infected file (complete with earliest version number), or if possible,
which files to delete without destroying the program. Where it says
'Remove named file(s)', take note that if there is a !Boot file present,
be sure to check this too (i.e. with !Edit). In particular, never
assume that a Module may be RMKilled, or that an application task
may be Quit. It might disappear, but it may also set up a time bomb
with serious effects on the system.
As a rule, it is unwise to attempt to remove a virus from memory
yourself. However some anti-virus programs contain specific code
to detect and remove viruses which are present in memory. Where an
anti-virus program is known to be able to do this the program and
version is given. The criteria for this is that the anti-virus program
either neutralises or removes the virus from memory, leaving the
machine in a safe enough state for the anti-virus program to remove
the infection from your media. Even with this protection, you should
still do a CTRL-Reset as soon as possible after you have been infected.
General Comments: As much detailed information about the virus as
possible. If there are any mutated versions of the virus, these are
stated here too, along with any relevant information. Please note that
the number after the virus name states how many bytes it occupies on
the disc.
Source: The person who provided the information about the virus concerned.
Where a name does not appear, it will probably have been written
by Tor Houghton or Alan Glover. In some cases, an acknowledgment
will be included to someone who has helped in the isolation or analysis
of the virus.
Sometimes square brackets ("[]") with a comment might appear. These
are our comments, and offer additional useful information which we
thought the original author left out.
###########################################################################
Virus index
---------------------------------------------------------------------------
Click on the virus name to find out more about it
Archie FF8
Arcuebus
BBCEconet
Bigfoot
CeBIT
Code Sicarius
Extend
Funky
Garfield_I
Garfield_W
Handler
Icon Icon-A, Filer, Poison, NewVirus
Image
Increment
Irqfix
Link
Mode87
Module ModVir, Illegal
MyMod Silicon Herpes
NetManager
NetStatus Boot
Parasite *
Runopt
Sprite *
SpriteUtils
T2 *
Terminator *
Thanatos * RISCOSExt
Traphandler
Valid
Vigay DataDQM, Shakes
Viruses marked with an asterisk (*) indicate that they carry malicious
code. Any detection of one of these viruses should be treated thus:
1) Perform a CTRL-RESET as soon as possible. To be safe, press F12
and type FX 200,3 beforehand. This should get the virus out of memory,
leaving just the storage media to be cleaned. Remember that infection
can be as easy as opening a filer viewer!
2) Load a virus killer, and check that the virus is not active. Some
virus killers (e.g. Pineapple's !Killer) are capable of removing
any resident virus, and withstanding infection attempts whilst doing
this. Bear in mind that not all anti-virus programs are intended
to start up in an environment where a virus is active.
3) Run the virus killer through the system, opening the minimum possible
number of filer windows. Obviously, if you keep your copy of the
virus killer on a write-protected floppy this is quite easy! Remember
to check removable discs too!
Please note that spurious resets and/or errors which occur are usually
the result of poor programming, and are therefore not considered
malicious (they merely depict the programmer's skills - he should
have stuck to LOGO).
Although not usually marked as malicious, some viruses will cause
the !Boot of an application to be overwritten. This can cause things
which usually happen automatically (eg: locating !System) to fail.
###########################################################################
Archie
===========================================================================
Last Updated: 21st April 1992
Aliases: FF8
Origin: United Kingdom
Isolation Date: 1988
Effective Length: 920 bytes
Virus Type: Resident Absolute (FF8) file infector.
Symptoms: May cause "Address exception" or "Undefined
instruction" errors. Absolute files will grow
in length.
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Interferon 2.00+
Scanner 1.02+ Killer 1.17+
Removal Media: Killer 1.17+ Memory: Killer 1.17+
---------------------------------------------------------------------------
General Comments:
This is a piece of ARM code that is appended to executables with
the Absolute (&FF8) filetype. It is 920 (&398) bytes long and has
a tell-tale 4-character string at the end of its code, "1210", which
is used as an "already-infected" flag. The first instruction of the
original executable is saved near the end of the virus code space
and is replaced by a branch to the first instruction of the Archie
virus code.
What the Archie virus does when first run:
1. Attempts to infect executables (Absolute filetype) with the filespecs
"@.*" and "%.*". In other words, all executables in the current and
library directory are attacked.
2. Uses OS_File 36 as a "semaphore" to see if it is lodged in RMA.
If a call to OS_File 36 returns with an error, then it hasn't infected
the RMA yet, so it proceeds to claim 920 bytes of RMA, copy itself
into there and point a claim of the OS_File vector to its new RMA
location.
3. The time is checked to see if it is the 13th of the month. If so,
the code loops indefinitely, displaying the 45-character message
(in the virus, this message is EORed with &64, and is therefore
not easy to spot):
Hehe...ArchieVirus strikes again...
4. Assuming it wasn't the 13th of the month (and NO, it doesn't check
for a Friday!), the original first instruction of the executable
is restored and the original code continues from &8000 onwards.
The OS_File vector claim is quite important, because it serves
two purposes:
a. It allows OS_File 36 to return without an error, signalling that
the RMA is already infected.
b. It checks for OS_File 0 and 10 (save memory to file), 11 (create
empty file) and 12, 14, 16 and 255 (load file). If any of these are
encountered then an infection attack is activated (see step 1 above).
(Source: Richard K. Lloyd)
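A worked check for the three observable traits described above, added here as an example for this edition (it is not part of the original document and is not a !Killer or !Scanner routine): the 920-byte appendage ending in the "1210" flag, the text stored EORed with &64, and a first word that branches into the appended code. It assumes the standard ARM B/BL encoding and that an Absolute file is loaded and entered at &8000. The "infected" sample is constructed inline and contains no virus code; it carries the 35 characters of text quoted above rather than the full 45. Disinfection is not attempted, since the offset at which Archie saves the original first instruction is deliberately not given in this document.

```python
import struct

VIRUS_LEN = 920      # &398 bytes appended to the Absolute file
MARKER = b"1210"     # "already-infected" flag at the end of the virus code
LOAD_ADDR = 0x8000   # Absolute (&FF8) files load and start at &8000 (assumed)
EOR_KEY = 0x64       # the payload text is stored EORed with &64


def obscure(text):
    """EOR a byte string with &64, as Archie stores its message."""
    return bytes(c ^ EOR_KEY for c in text)


SIG = obscure(b"ArchieVirus")   # obscured fragment to search for in the appendage


def decode_branch(word, pc):
    """Target of an ARM B/BL instruction at address pc, or None if not a branch."""
    if (word >> 25) & 0x7 != 0b101:
        return None
    off = word & 0x00FFFFFF
    if off & 0x00800000:             # sign-extend the 24-bit word offset
        off -= 0x01000000
    return pc + 8 + off * 4          # ARM PC reads 8 bytes ahead of the instruction


def encode_branch(pc, target):
    """Unconditional B from pc to target (used only to build the sample)."""
    return 0xEA000000 | (((target - pc - 8) // 4) & 0x00FFFFFF)


def is_archie_infected(data):
    """All three traits must hold: marker, obscured text, entry branch into the tail."""
    if len(data) < VIRUS_LEN + 4 or data[-4:] != MARKER:
        return False
    if SIG not in data[-VIRUS_LEN:]:
        return False
    first = struct.unpack_from("<I", data, 0)[0]
    target = decode_branch(first, LOAD_ADDR)
    tail_start = LOAD_ADDR + len(data) - VIRUS_LEN
    return target is not None and tail_start <= target < LOAD_ADDR + len(data)


def recover_message(data):
    """Un-EOR the payload text, reading until the decoded byte stops being printable."""
    start = data.find(obscure(b"Hehe"))
    if start < 0:
        return None
    out = bytearray()
    for b in data[start:]:
        c = b ^ EOR_KEY
        if not 0x20 <= c < 0x7F:
            break
        out.append(c)
    return out.decode("ascii")


# Constructed sample (no real virus code): a 64-byte "program" whose first
# word is MOV R0,#0, and the same program after an Archie-style infection.
CLEAN = struct.pack("<I", 0xE3A00000) + b"\x00" * 60
_tail = CLEAN[:4] + obscure(b"Hehe...ArchieVirus strikes again...")  # saved instr + text
_tail += b"\x64" * (VIRUS_LEN - len(_tail) - 4) + MARKER   # &64 decodes to 0, ends the text
INFECTED = (struct.pack("<I", encode_branch(LOAD_ADDR, LOAD_ADDR + len(CLEAN)))
            + CLEAN[4:] + _tail)

if __name__ == "__main__":
    for name, f in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, is_archie_infected(f), recover_message(f))
```

The marker alone is what the virus itself tests, so a clean file that happens to end in "1210" would be skipped by Archie; the check above therefore also insists on the obscured text and on the entry branch landing inside the last 920 bytes before calling a file infected.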
###########################################################################
Arcuebus
===========================================================================
Last Updated: 25th October 1992
Aliases:
Origin: UK
Isolation Date: October 1992
Effective Length: 9619 bytes
Virus Type: Resident application infector
Symptoms: Extra module files appear in applications
---------------------------------------------------------------------------
Detection Media: Killer 1.381+ Memory: Killer 1.381+
VProtect 1.24+
Removal Media: Killer 1.381+ Memory: Killer 1.381+
---------------------------------------------------------------------------
General Comments:
This virus spreads as a module within applications. The module has
eight possible names: ProgUtil, Resource, InfoFile, SystemRS, ModularR,
PureMath, SoundMdl and GraphMdl. When loaded (from a !Boot file)
it installs itself as a module titled NetStatus 3.07 (15 Sep 1988).
A quick check for this virus is to press <F12> and type 'Help Virus'.
The following text will be displayed:
Congratulations. Your system has the Arcuebus virus.
The following data may interest you:-
Virus generation number: Dnnn
This copy was born: <date/time>
At the same time a sound sample (loaded as a voice called Percussion-Bass)
is played. This says 'I am a servant of the <???>'. If anyone who
hears this has a good idea what the last word is - do tell us!
(Source: Paul Frohock)
###########################################################################
BBCEconet
===========================================================================
Last Updated: 29th June 1992
Aliases:
Origin: United Kingdom
Isolation Date: April 1992
Effective Length: 5280 bytes
Virus Type: Resident Absolute (FF8) file infector.
Symptoms: Module "BBCEconet 0.09" resident in RMA (&018xxxxx)
(see also Mode87!).
---------------------------------------------------------------------------
Detection Media: Killer 1.33+ Memory: Killer 1.33+
Scanner 1.33+ Interferon 2.12+
Scanner 1.34+
VProtect 1.15+
Removal Media: Killer 1.33+ Memory: Killer 1.33+
Scanner 1.34+
---------------------------------------------------------------------------
General Comments:
The action of this virus bears a marked similarity to Link, i.e.
it appends code to absolutes and uses a module to perform the infection
(in this case BBCEconet, which it installs).
As with Link, it attempts to infect %.Squeeze. However, both viruses
use the same check to see whether a file is infected so it is not
possible to have an absolute simultaneously infected by Link and
BBCEconet.
The majority of this virus is kept encrypted when it is not executing,
and it also encrypts a segment at the beginning of the absolute file.
The encryption key changes with each infection. In short, you need
dedicated software to remove it.
The datestamp will not change, and as with Link, it temporarily patches
Interferon to allow itself to infect without any alarms being given.
There are various date fired routines, outlined below.
Friday 13th:
It's Friday! Why are you working?
I first infected a commercial program with good help from
Dr. Blob.
Now you're infected too - and probably most of your penpals.
I've got more in store!
And... I've created XXXX copies of myself.
Good luck!
December 25th:
Merry Christmas!
April 1st:
E.T. phones home!
(It sends ATD 0749 679794 to the serial port, so if you have a Hayes
compatible modem connected, it will dial this number - a well-known
bulletin board service in Somerset.)
June 25th:
Ph'nglui mglw'nafh Chtulhu R'lyeh fthagn.
And... I've created XXXX copies of myself.
[The non-english part of this message was introduced by H.P. Lovecraft
in his short story The Call of Cthulhu, where it translates to "In
his house at R'lyeh, dead Cthulhu waits dreaming." Probably used
by the virus writer as proof that he has read this book.]
All of these messages will appear in an error box titled "Ouch! You've
been bitten!" It may also clear the screen and print the word "LOVE"
in mode 12.
(Source: Alan Glover)
###########################################################################
Bigfoot
===========================================================================
Last Updated: 11th September 1992
Aliases:
Origin: United Kingdom
Isolation Date: August 1992
Effective Length: 5535 or 5580 bytes
Virus Type: Task. Stores code as separate file.
Symptoms: Additional files with random names in capital
letters appear in applications
---------------------------------------------------------------------------
Detection Media: Killer 1.381+ Memory: Killer 1.381+
Scanner 1.47+ (5580 byte strain only?)
Removal Media: Killer 1.381+ Memory: Killer 1.381+
delete named file, remove line from !Boot.
---------------------------------------------------------------------------
General Comments:
This is a fairly simple BASIC program, which installs as a desktop
task called Bigfoot.
It has messages for certain dates, namely:
25 Dec:
Happy Christmas from BigFoot ... The VIRUS
05 Nov:
"Wizz Bang! Its Guyfalks night BigFoot Strikes again!
04 Jul:
"Hay there its the 4th of July ,American Independence! Best wishes
from BigFoot
15 Mar:
This is a HOLD UP! Give me all the PD software you can get,,, Or
you SYSTEM gets it!!! By the way its the end of the fishing season.
It infects by creating or modifying the !Boot file, using a random
name of 1-10 upper case characters. The virus is saved as a BASIC
file of the same name. However the BASIC itself always has REM>Bigfoot
on the first line.
Apart from spreading, it has no malicious code.
The 5535 byte version cannot be quit from the Task Manager.
(Source: Alan Glover, with thanks to Paul Frohock and David Cox for
initial analysis)
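Because Bigfoot hides under a random upper-case filename, the reliable handle is the one the entry gives: the file is BASIC and its first line is REM>Bigfoot. The following is an added example for this edition (not the document's own code) that walks a file as a tokenised BBC BASIC program regardless of the filetype it carries, so the same test also exposes the trick used by the entries below for Code (BASIC typed &FF8), Funky and the Icon family (BASIC typed Sprite). It assumes the standard BBC BASIC line layout (&0D, line number high byte, low byte, line length including those four bytes, tokens; program terminated by &0D &FF) and the REM token value &F4; the samples are constructed and contain no virus code.

```python
REM_TOKEN = 0xF4   # BBC BASIC token for REM (assumed standard tokenisation)
END_MARK = b"\x0d\xff"


def basic_lines(data):
    """Walk a tokenised BBC BASIC program, returning [(line_number, tokens)].
    Raises ValueError as soon as the bytes stop looking like BASIC lines."""
    lines, pos = [], 0
    while True:
        if pos + 2 > len(data) or data[pos] != 0x0D:
            raise ValueError("expected &0D at start of line")
        if data[pos + 1] == 0xFF:               # &0D &FF ends the program
            return lines
        if pos + 4 > len(data):
            raise ValueError("truncated line header")
        number = (data[pos + 1] << 8) | data[pos + 2]
        length = data[pos + 3]                  # counts the 4 header bytes too
        if length < 4 or pos + length > len(data):
            raise ValueError("bad line length")
        lines.append((number, bytes(data[pos + 4:pos + length])))
        pos += length


def looks_like_basic(data):
    """True if the whole file parses as BASIC lines ending in &0D &FF,
    whatever filetype the file carries."""
    try:
        basic_lines(data)
        return True
    except ValueError:
        return False


def leading_rem(data):
    """Text following a REM that opens the first line, e.g. '>Bigfoot', else None."""
    lines = basic_lines(data)
    if not lines or lines[0][1][:1] != bytes([REM_TOKEN]):
        return None
    return lines[0][1][1:].decode("latin-1")


def is_bigfoot(data):
    return looks_like_basic(data) and leading_rem(data) == ">Bigfoot"


def tokenised_line(number, tokens):
    """Build one BASIC line (used only to construct the samples below)."""
    return bytes([0x0D, number >> 8, number & 0xFF, len(tokens) + 4]) + tokens


# Constructed samples, not real virus code: a two-line program opening with
# REM>Bigfoot, a harmless program, and the first word of an ARM binary.
BIGFOOT = (tokenised_line(10, bytes([REM_TOKEN]) + b">Bigfoot")
           + tokenised_line(20, b"\xf1\"hello\"") + END_MARK)     # &F1 = PRINT
HARMLESS = tokenised_line(10, b"\xf1\"hello\"") + END_MARK
ARM_CODE = b"\x00\x00\xa0\xe3"                                    # MOV R0,#0

if __name__ == "__main__":
    for name, f in (("BIGFOOT", BIGFOOT), ("HARMLESS", HARMLESS), ("ARM_CODE", ARM_CODE)):
        print(name, looks_like_basic(f), is_bigfoot(f))
```

Run looks_like_basic over every file an application's !Boot or !Run names: a file that parses cleanly as BASIC but is typed Absolute or Sprite is exactly the disguise these entries describe, and is worth a second look even when no REM>Bigfoot is present. Removal remains as the entry says (delete the named file and take its line out of !Boot), after a CTRL-Reset.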
###########################################################################
CeBIT
===========================================================================
Last Updated: 21st April 1992
Aliases: Lord of Darkness, TlodMod
Origin: Germany
Isolation Date: March 1991
Effective Length: 1240 bytes
Virus Type: Resident !Boot file infector, stores code as
separate file.
Symptoms: File "TlodMod" in application directories.
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Interferon 2.00+
Scanner 1.23+ Killer 1.17+
VProtect 1.06+ Scanner 1.20+
Removal Media: Killer 1.17+ Memory: Killer 1.17+
delete named file, remove last line from !Boot.
---------------------------------------------------------------------------
General Comments:
This is a module called "TlodMod" with the following title string:
TlodMod 1.11 (11 Nov 1990) by Devil the LORD OF DARKNESS
It is 1240 (&4D8) bytes long and hooks itself into UpCallV. It then
activates once a minute and first checks for the existence of <Obey$Dir>.TlodMod.
If this already exists, then no further action is taken. If it doesn't,
however, it then attempts to append the following line to <Obey$Dir>.!Boot:
rme. TlodMod 0 rml. <Obey$Dir>.TlodMod
If it succeeds at this, a counter is incremented and the module is
replicated as <Obey$Dir>.TlodMod. Every 16th successful infection
will trip the virus into issuing a "*Wipe $.path.file*" (which will
inevitably fail!) and then displaying a message accompanied by a
simple graphic.
The message displayed is thus:
This is a warning to all Users,
I am back on the Archimedes ...
Your Archie is infected now and
with him most of your programms.
Don't worry, nothing is damaged,
but keep in mind the protection!
And always think about the other
side of THE LORD OF DARKNESS ...
Virus generation is <counter>
(Source: Richard K. Lloyd)
###########################################################################
Code
===========================================================================
Last Updated: 11th September 1992
Aliases:
Origin: UK
Isolation Date: June 1992
Effective Length: 2251 bytes
Virus Type: Resident !Boot file infector, stores code as
separate file.
Symptoms: File "Code" in application directories.
---------------------------------------------------------------------------
Detection Media: Killer 1.360+ Memory: Killer 1.360+
Scanner 1.42+ VProtect 1.17+
Removal Media: Killer 1.360+ Memory: Killer 1.360+
Scanner 1.42+
---------------------------------------------------------------------------
General Comments:
This virus installs itself as a desktop task called "Window Manager".
The 'Code' file is filetyped as &FF8, but is actually plain BASIC.
The virus can either extend a !Boot or create one - if one is created
it will be 44 bytes long.
The only effect of this virus is the loss of sprites for some
applications, since the !Boot file it creates does not contain an
IconSprites statement to load them.
(Source: Alan Glover)
###########################################################################
Extend
===========================================================================
Last Updated: 21st April 1992
Aliases:
Origin: United Kingdom
Isolation Date: October 1990
Effective Length: 940 bytes
Virus Type: Resident task. Stores code as separate file.
Symptoms: File "MonitorRM", "CheckMod", "ExtendRM", "OSextend",
"ColourRM", "Fastmod", "CodeRM" or "MemRM" in
application directory. Each time the code is
executed it grabs 1k of RMA - this will eventually
lead to a system crash.
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Interferon 2.00+
VProtect 1.06+ Killer 1.17+
Hunter 1.00+ Scanner 1.20+
Scanner 1.36+
Removal Media: Killer 1.17+ Memory: Killer 1.17+
delete named file, remove extra lines from !Boot.
---------------------------------------------------------------------------
General Comments:
It's a module which can go under 8 different filenames (the name
is picked at random using the current time as a seed):
MonitorRM, CheckMod, ExtendRM, OSextend, ColourRM, Fastmod, CodeRM
or MemRM.
However, the module itself has the following title string:
Extend 1.56 (08 Jul 1989)
It is 940 (&3AC) bytes long and initialises itself as a nameless
Wimp task which then looks for Wimp Message 5 (double-click). It
attempts either to create a !Boot in the application directory or
to append to an existing one, with the following lines:
IconSprites <Obey$Dir>.!Sprites [0D]
RMEnsure Extend 0 RMRun <Obey$Dir>.ModName [0D]
||[FF]
The "IconSprites" line is omitted if it is appended to an existing
!Boot. "ModName" is one of the 8 possible filenames. The Extend virus
uses the &FF (i.e. decimal 255) byte at the end as a self-check to
see if it has already infected the !Boot file. Of course, it copies
itself to the new name inside the application directory as you would
expect. Note the incorrect use of &0D (decimal 13) to terminate the
lines, rather than the more correct &0A (decimal 10).
A shift-double-click does NOT cause an infection, but it DOES claim
yet another 1K of never-to-be-released RMA.
There is no damage apart from the claiming of RMA (which will eventually
lead to a system crash).
(Source: Richard K. Lloyd)
###########################################################################
Funky
===========================================================================
Last Updated: 25th October 1992
Aliases:
Origin: UK
Isolation Date: October 1992
Effective Length: 1308 bytes
Virus Type: Resident application infector
Symptoms: Sprite file called 'Funky!', application task
called 'Window Dude'
---------------------------------------------------------------------------
Detection Media: Killer 1.381+ Memory: Killer 1.381+
VProtect 1.24+
Removal Media: Killer 1.381+ Memory: Killer 1.381+
---------------------------------------------------------------------------
General Comments:
In common with the Icon family, this is a BASIC program hidden under
a Sprite filetype. It initialises as a desktop task called 'Window
Dude' and infects by saving copies of itself and amending !Boot files.
(Source: Paul Frohock)
###########################################################################
Garfield_I
===========================================================================
Last updated: 11th September 1992
Aliases:
Origin: United Kingdom
Isolation Date: June 1992
Effective Length: 1640, not including the files "!Boot", "!Run"
and "!Sprites".
Virus Type: Resident application infector.
Symptoms: Directory "!Pic" with files "!Boot", "!Run",
"!Mod" (module) and "!Sprites". Recursive infections
possible.
---------------------------------------------------------------------------
Detection Media: Killer 1.362+ Memory: Killer 1.362+
Scanner 1.42+ VProtect 1.20+
Scanner 1.47+
Removal Media: Killer 1.362+ Memory: Killer 1.362+
Scanner 1.42+ Scanner 1.47+
---------------------------------------------------------------------------
General Comments:
Garfield_I is a resident virus, lodging itself in the RMA as a module
"IconManager". When active, it creates a directory inside an application
called "!Pic" with the files "!Boot", "!Run", "!Mod" and "!Sprites".
The virus code is contained in "!Mod". It then proceeds to add the
following lines to the infected application's "!Boot" file:
RMEnsure IconManager 1.27 <obey$dir>.!pic
Garfield_I uses the default Acorn icon for sprite files, so a casual
glance in an application directory will not reveal it unless you either
a) use a different sprite for sprite files or b) open the directory
with "full info".
It does not check for multiple infections. Infected applications
will, more often than not, contain "!Pic" directories inside "!Pic"
directories.
Garfield_I activates on the first Monday of any month, displaying
"The Garfield Virus is here to stay"
then repeatedly
"Don't you just hate Mondays?"
until the machine is reset or switched off.
(Source: Alan Glover)
###########################################################################
Garfield_W
===========================================================================
Last Updated: 11th September 1992
Aliases:
Origin: United Kingdom
Isolation Date: June 1992
Effective Length: 1480, not including the files "!Boot", "!Run"
and "!Sprites".
Virus Type: Resident application infector.
Symptoms: Directory "!Obey" with files "!Boot", "!Run",
"!Mod" (module) and "!Sprites". Recursive infections
possible.
---------------------------------------------------------------------------
Detection Media: Killer 1.360+ Memory: Killer 1.360+
Scanner 1.41+ Scanner 1.41+
VProtect 1.17+ Interferon 2.00+
Removal Media: Killer 1.360+ Memory: Killer 1.360+
Scanner 1.41+
---------------------------------------------------------------------------
General Comments:
Garfield_W is a resident virus, lodging itself in the RMA as a module
"WimpAIDS". When active, it creates a directory inside an application
called "!Obey" with the files "!Boot", "!Run", "!Mod" and "!Sprites".
The virus code is contained in "!Mod". It then proceeds to add the
following lines to the infected application's "!Boot" file:
<Obey$Dir>.!Obey
|Above line is inoculation for the wimp virus
Garfield_W uses the default Acorn icon for Obey files, so a casual glance
in an application directory will not reveal it unless you either a) use
a different sprite for Obey files or b) open the directory with "full info".
Garfield_W does not check for multiple infections. Infected applications
will, more often than not, contain "!Obey" directories inside "!Obey"
directories.
Garfield_W activates on the first Monday of any month, displaying
"The Garfield Virus is here to stay"
then repeatedly
"Don't you just hate Mondays?"
until the machine is reset or switched off.
[ Note: Although both Garfield_I and Garfield_W call themselves Garfield,
and give the same message, we have given them separate entries since
certain items differ between them - notably application and module
names. ]
(Source: Alan Glover)
###########################################################################
Handler
===========================================================================
Last Updated: 25th October 1992
Aliases:
Origin: UK
Isolation Date: October 1992
Effective Length: 1532 bytes
Virus Type: Resident application infector
Symptoms: Desktop Task called 'Task Handler'.
---------------------------------------------------------------------------
Detection Media: Killer 1.381+ Memory: Killer 1.381+
VProtect 1.24+
Removal Media: Killer 1.381+ Memory: Killer 1.381+
---------------------------------------------------------------------------
General Comments:
This virus is loaded by a !Run file, so it is likely to spread more
slowly than most. It renames the original !Run file to Obey. The virus
itself is in an Absolute file called Handler.
It may display a message:
You have been infected with the Handler VIRUS
The Virus is just to see how good a program can infect
Sorry if it has up set you in any way, Thats about all i can
say!
Generation :
Press any key to change the channel.
(Source: Paul Frohock)
###########################################################################
Icon
===========================================================================
Last Updated: 7th July 1992
Aliases: Icon-A, Filer, Poison, NewVirus
Origin: United Kingdom
Isolation Date: 1990?
Effective Length: 5498 bytes in base version
Virus Type: Task. Stores code as separate file.
Symptoms: Nameless wimp task on the Task Manager. Silly
error messages may appear without reason. The
files "Icon", "Poison", "Splodge" or "NewVirus"
in application directories
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Killer 1.17+
Scanner 1.32+ Scanner 1.32+
IVSearch 2.05+ (note 1)
VProtect 1.06+
Hunter 1.00+ (note 1)
Removal Media: Killer 1.17+ Memory: Killer 1.17+
delete named file, remove last line from !Boot.
---------------------------------------------------------------------------
General Comments:
The Icon virus family is a group of very contagious viruses. They
are harmless insofar as they do not destroy files. However,
they are very annoying (although I must admit some of the messages
were quite amusing!). Common to all the viruses in the Icon family
is that the virus is an unnamed wimp task written in BASIC. It spreads
by adding a few lines to the !Boot file of an application (without
checking for multiple infections), and then saving the code as a
file with the Sprite filetype:
<set the wimpslot>
BASIC -quit <obey$dir>.<virusfile>
The original virus displayed a stupid error message on start-up,
and then every so often after that. It is also commonly called the Filer
virus, as the error message header claims that it comes from the Filer.
Here are a few examples of the error messages which might
appear:
".desreveR maertS tuptuO"
"This error should not occur."
"Previous error did not occur."
"Could not reach top of stack."
Known variant(s) of the Icon virus are:
Icon-2096
Filename: Poison
Random error code replaced with a *I am stuck - which might log the
user on to a network if they're very unfortunate!
Icon-2616
Filename: Icon
No silly messages from this version - also has the name of the person
who modified it (yes, the UK Computer Crimes Unit have acted on
this!).
Icon-2631
Filename: Splodge
Identical to 2616, except the change of name.
Icon-5498
Filename: Icon, though the in-core name is 'Extra'.
Does have silly messages.
Icon-5574
Filename: Icon
As 5498 with missing Hourglass_On call added. Silly message less
likely to appear when it is loaded.
Icon-5737
Filename: NewVirus
As 5574, but with a three-key sequence to exit the program. High
likelihood of a silly error at startup. Insignificant changes to
!Boot save routine.
Icon-5742
Filename: Icon
Bugfix of 5737. Less likely to give silly errors when loaded.
(Source: Alan Glover)
###########################################################################
Image
===========================================================================
Last Updated: 21st April 1992
Aliases:
Origin: Northern Ireland ?
Isolation Date: Jan. 1992 by Svlad Cjelli
Effective Length: 512 bytes
Virus Type: Resident, although not in RMA
Symptoms: Files "Image" and "!Spr" in application directories.
The file "image" has no filetype, but !Spr has
the type Obey.
---------------------------------------------------------------------------
Detection Media: Killer 1.26+ Memory: Killer 1.26+
Scanner 1.13+
VProtect 1.07+
Removal Media: Killer 1.26+ Memory: Killer 1.26+
Scanner 1.15+
delete "Image". If there is a "!Spr" file, delete
!Run and rename !Spr as !Run, otherwise delete
!Boot.
---------------------------------------------------------------------------
General Comments:
This virus carries no payload, but spreads VERY fast, to the extent
that you can delete the file, only to see it instantly re-appear
if the virus is in memory!
It loads its code into the OS workspace at &5500, and is therefore
liable to crash the machine should the OS use that area of workspace.
The !Run or !Boot file looks like this:
LOAD <OBEY$DIR>.IMAGE 5500[0d]GO 5500[0d]
Its action on infection is to save <Obey$Dir>.Image, and then either
to create a !Boot file if one does not exist, or, if it does, to rename
the !Run file to !Spr and then create a new !Run file.
(Sources: Alan Glover, Svlad Cjelli)
###########################################################################
Increment
===========================================================================
Last Updated: 18th September 1992
Aliases:
Origin: UK, Cornwall ?
Isolation Date: September 1992
Effective Length: 464 bytes
Virus Type: Resident
Symptoms: CMOS configuration settings seem to change randomly
---------------------------------------------------------------------------
Detection Media: Killer 1.375+ Memory: Killer 1.375+
Scanner 1.49+ Scanner 1.49+
VProtect 1.23+
Removal Media: Killer 1.375+ Memory: Killer 1.375+
---------------------------------------------------------------------------
General Comments:
The virus appends itself to existing !Boot files. The virus may not
be immediately obvious when an infected !Boot file is viewed in !Edit,
because it inserts 28 or more line feeds between the legitimate file
and the viral appendage. However, CTRL-Down Arrow will move down to
the bottom of the file and expose the telltale signs of a machine
code appendage on the end of the file.
On each infection the virus increments the value held at a CMOS RAM
location, and the location itself is also incremented on each infection,
with the effect that seemingly random problems appear (including ROM
modules becoming unplugged, for example).
(Source: Alan Glover, with thanks to Lee Davies)
###########################################################################
Irqfix
===========================================================================
Last Updated: 14th September 1992
Aliases:
Origin: United Kingdom
Isolation Date: September 1992
Effective Length: 940 bytes
Virus Type: Resident task. Stores code as separate file.
Symptoms: File "RiscExtRM", "WimpPoll", "OSSystem", "MiscUtil",
"FastRom", "IRQFix" or "AppRM" in application
directory. Each time the code is executed it
grabs 1k of RMA - this will eventually lead to
a system crash.
---------------------------------------------------------------------------
Detection Media: Killer 1.374+ Memory: Killer 1.374+
Scanner 1.48+ Scanner 1.48+
VProtect 1.22+
Removal Media: Killer 1.374+ Memory: Killer 1.374+
Scanner 1.48+
delete named file, remove extra lines from !Boot.
---------------------------------------------------------------------------
General Comments:
This is a variant of Extend which uses IRQFix as the module name,
and different filenames. In all other respects the code is identical
to Extend.
(Source: Alan Glover, with thanks to Alex Belton)
###########################################################################
Link
===========================================================================
Last Updated: 21st April 1992
Aliases:
Origin: United Kingdom
Isolation Date: January 10th, 1992
Effective Length: 1416 bytes
Virus Type: Resident Absolute file infector. Also a Trojan
Horse.
Symptoms: Module 'BSToDel' in module list. Files are re-stamped.
---------------------------------------------------------------------------
Detection Media: Killer 1.27+ Memory: Interferon 2.10+
Scanner 1.03+ Killer 1.27+
Hunter 1.16+ Hunter 1.16+
Scanner 1.20+
Removal Media: Killer 1.27+ Memory: Killer 1.27+
Hunter 1.16+ Interferon 2.10+
Scanner 1.20+ Hunter 1.16+
Scanner 1.20+
---------------------------------------------------------------------------
General Comments:
I found the Link virus because the module 'BSToDel' appeared in the
module list. Also, Killer 1.17 suddenly didn't work (it gave an
"Integrity check failed" and refused to load)! As I had already
made my own 'backspace to delete' utility as a module, I wondered
where that module came from! (It certainly wasn't a separate module
on the disc.)
Before installing itself as a module, it infects %.Squeeze (if there
is a library directory, and if Squeeze is indeed in it) - just in
case there wasn't enough room in the RMA. Then it hooks onto the
FSControlV and InsV vectors. The latter so that it can do what the
module title expects it to do: convert backspace (&08) to delete
(&7F) (the reason why I also typed it as a Trojan Horse).
The FSControl vector is used so that it can look for certain actions,
namely *Run and *Copy. When it detects one of these, it replaces the
first three instructions in the file with its own, making an absolute
branch to the end of the file. The rest of the module is then stored
there, together with the original three instructions. To make
detection a bit more difficult, it encrypts itself with an EOR variant
(different key each time).
On any Friday the 13th, it will display the message
Message from LINK: Active since 30-Nov-91
every time it infects a program. [As Alan pointed out, this date
is fixed, so meaning that it bears no relationship to the time which
a system became infected.]
The virus does no damage apart from attaching itself to files. Files
infected by the Link virus are re-stamped to the date they were infected.
Also, at the end of the module (and effectively each infected file
- although encrypted) the word 'LINK' appears. I first thought this
was used as an 'already infected' flag, but this is not so. What
it does is check the second instruction in the file, and if this
is 'MOV PC,R0' (probably reckons that few programs have this as their
second instruction) it recognizes it as infected. If not, the file
is infected. This method of checking the file might add to the difficulty
of making an inoculator.
Why didn't Interferon detect this virus?
At first, I thought that there might be a bug in Interferon, but
as I found out, the Link virus checks to see if Interferon is in
memory by using OS_Module 18 (look-up module name). By doing this,
it also finds where the module code is. Then, it changes a CMP instruction
within the code so that Interferon never detects OS_GBPB. After the
infection is finished, the Link virus changes the code back to what
it was. [I'm working on a CRC routine for a future version of Interferon
at the moment, so Interferon should be 100% operational 'real soon
now'.]
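As an added example (not code from the AVRD, nor from !Killer, !Scanner or Interferon), the following Python check applies the two facts this entry gives about an infected Absolute file: it starts with a branch into the virus body appended at the end of the file, and its second instruction is MOV PC,R0, the flag Link itself tests for. The branch-target test, the rule that both must match before a file is reported, and the sample images are this example's own assumptions.

```python
"""Heuristic check for a Link-infected Absolute file (added example)."""
import struct
from typing import Dict, Optional

LINK_LENGTH = 1416           # effective length of the virus, from the entry
MOV_PC_R0 = 0xE1A0F000       # ARM encoding of MOV PC,R0: the flag Link tests for
B_MASK, B_ALWAYS = 0xFF000000, 0xEA000000   # unconditional B (BL would be 0xEB)


def branch_target(word: int, at: int) -> Optional[int]:
    """Byte offset that an unconditional B at file offset `at` jumps to, or
    None if `word` is not such a branch. The 24-bit field is signed, counts
    words, and is relative to the instruction address plus 8."""
    if word & B_MASK != B_ALWAYS:
        return None
    offset = word & 0x00FFFFFF
    if offset & 0x00800000:          # sign-extend the 24-bit field
        offset -= 0x01000000
    return at + 8 + offset * 4


def link_indicators(data: bytes) -> Dict[str, bool]:
    """Examine the first three words of an Absolute image.

    'flag' is the MOV PC,R0 marker on its own. Since a genuine program could
    start that way too, 'infected' additionally requires the first word to
    branch into the last LINK_LENGTH bytes of the file, where the appended
    virus body would sit (this second test is the example's assumption)."""
    result = {"flag": False, "branch_to_tail": False, "infected": False}
    if len(data) < 12 or len(data) % 4:
        return result                      # not a plausible ARM image
    w0, w1, _ = struct.unpack_from("<3I", data, 0)
    result["flag"] = w1 == MOV_PC_R0
    target = branch_target(w0, 0)
    if target is not None and 12 <= target < len(data):
        result["branch_to_tail"] = target >= len(data) - LINK_LENGTH
    result["infected"] = result["flag"] and result["branch_to_tail"]
    return result


def make_sample(kind: str) -> bytes:
    """Constructed 96-byte images; zero padding stands in for program code."""
    if kind == "infected":
        # B to offset 0x40 ; MOV PC,R0 ; NOP (MOV R0,R0)
        head = struct.pack("<3I", 0xEA00000E, MOV_PC_R0, 0xE1A00000)
    elif kind == "flag-only":
        # MOV R12,SP ; MOV PC,R0 ; SUB R11,R12,#4 - the marker without the branch
        head = struct.pack("<3I", 0xE1A0C00D, MOV_PC_R0, 0xE24CB004)
    else:
        # ordinary APCS-style entry: MOV R12,SP ; STMFD SP!,{R11,R12,LR,PC} ; SUB
        head = struct.pack("<3I", 0xE1A0C00D, 0xE92DD800, 0xE24CB004)
    return head + bytes(96 - len(head))


if __name__ == "__main__":
    for kind in ("clean", "flag-only", "infected"):
        print(kind, link_indicators(make_sample(kind)))
```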
###########################################################################
Mode87
===========================================================================
Last Updated: 11th September 1992
Aliases:
Origin: Unknown. UK?
Isolation Date: Unknown - possibly autumn 1991
Effective Length: 848 bytes
Virus Type: Resident !Boot file infector.
Symptoms: Module 'Mode87' in application directories.
---------------------------------------------------------------------------
Detection Media: Killer 1.360+ Memory: Killer 1.360+
Scanner 1.41+ Interferon 1.10+
VProtect 1.17+
Removal Media: Killer 1.360+ Memory: Killer 1.360+
Scanner 1.41+
---------------------------------------------------------------------------
General Comments:
Mode87 installs itself in the RMA as "BBCEconet". The way to tell
the difference between this and the original Acorn network module is
to type *Modules: the virus lies at an address of the form &01xxxxxx
instead of a ROM address (&03xxxxxx). If Acorn's original module is
not *Unplugged, the virus installs itself on top of it, and is not
easily seen in the module list.
Mode87 is not malevolent. Although it destroys the original !Boot
file of an application, it is not treated as a virus with serious
damage potential. Mode87 simply overwrites any !Boot file already
there (and if there isn't one, it creates a new one) with:
| Boot file
IconSprites <Obey$Dir>.!Sprites
RMLoad <Obey$Dir>.Mode87
[00][00][00]
Then it proceeds to save itself as a module with the filename "Mode87".
If it has reached an infection count of 256, an expanding circle
(black, if you are using the standard desktop palette) will "eat"
your screen. Control will then return to normal.
Mode87 releases its vector claim on OS_FSControl, so it is quite
safe to *RMKill it.
(Source: Tor Houghton)
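As an added example (not code from the AVRD, nor from the !Killer/!Scanner programs), the following Python scanner looks for the !Boot and !Run indicators given in the Icon, Image, Increment and Mode87 entries above. The regular expressions, the one-quarter "non-text" threshold applied after the 28 line feeds, the ",feb" suffix handling and the sample files are this example's own assumptions.

```python
"""Scan !Boot / !Run files for the indicators described in the Icon, Image,
Increment and Mode87 entries (added example; patterns and samples are
constructed from the entries, not taken from the viruses)."""
import os
import re
from typing import Dict, List

# Icon family: "BASIC -quit <Obey$Dir>.<virusfile>" with one of the known names
ICON_RE = re.compile(rb"BASIC\s+-quit\s+<obey\$dir>\.(Icon|Poison|Splodge|NewVirus)\b", re.I)
# Image: "LOAD <OBEY$DIR>.IMAGE 5500" followed by "GO 5500" (CR-separated)
IMAGE_RE = re.compile(rb"LOAD\s+<obey\$dir>\.image\s+5500\s*[\r\n]+\s*GO\s+5500", re.I)
# Mode87: the replacement !Boot it writes loads the module from Obey$Dir
MODE87_RE = re.compile(rb"RMLoad\s+<obey\$dir>\.Mode87\b", re.I)

INCREMENT_LF = 28            # "28 or more line feeds" before the appendage
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def has_binary_appendage(data: bytes, min_lf: int = INCREMENT_LF) -> bool:
    """True if a run of at least `min_lf` line feeds is followed by data that
    is largely not printable text, i.e. the Increment layout. Requiring a
    quarter of the tail to be non-text is this example's choice."""
    m = re.search(rb"\n{%d,}" % min_lf, data)
    if not m:
        return False
    tail = data[m.end():]
    if not tail:
        return False
    non_text = sum(1 for b in tail if b not in TEXT_BYTES)
    return non_text * 4 >= len(tail)


def boot_indicators(data: bytes) -> List[str]:
    """Names of the indicators present in one !Boot or !Run file."""
    hits = []
    if ICON_RE.search(data):
        hits.append("Icon family loader line")
    if IMAGE_RE.search(data):
        hits.append("Image LOAD/GO 5500 loader")
    if MODE87_RE.search(data):
        hits.append("Mode87 RMLoad line")
    if has_binary_appendage(data):
        hits.append("Increment-style binary appendage after line feeds")
    return hits


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk `root` and report every !Boot/!Run file showing an indicator.
    Assumes the files keep their RISC OS names; a ',feb' (Obey) suffix added
    when copying to another filing system is tolerated (assumption)."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().split(",")[0] in ("!boot", "!run"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    hits = boot_indicators(f.read())
                if hits:
                    findings[path] = hits
    return findings


# Constructed samples (not captured from real infections)
CLEAN_BOOT = b"| Boot file\nIconSprites <Obey$Dir>.!Sprites\nSet App$Dir <Obey$Dir>\n"
ICON_BOOT = CLEAN_BOOT + b"WimpSlot -min 32K -max 32K\nBASIC -quit <Obey$Dir>.Poison\n"
IMAGE_RUN = b"LOAD <OBEY$DIR>.IMAGE 5500\rGO 5500\r"
MODE87_BOOT = (b"| Boot file\nIconSprites <Obey$Dir>.!Sprites\n"
               b"RMLoad <Obey$Dir>.Mode87\n\x00\x00\x00")
# 30 line feeds then a few machine-code words standing in for the appendage
INCREMENT_BOOT = CLEAN_BOOT + b"\n" * 30 + bytes.fromhex("0dc0a0e1004090e51eff2fe1")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_BOOT), ("icon", ICON_BOOT),
                          ("image", IMAGE_RUN), ("mode87", MODE87_BOOT),
                          ("increment", INCREMENT_BOOT)):
        print(label, boot_indicators(sample))
```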
###########################################################################
Module
===========================================================================
Last Updated: 11th September 1992
Aliases: Illegal, ModVir
Origin: Unknown
Isolation Date: October 1991
Effective Length: 956 bytes
Virus Type: Resident module infector.
Symptoms: Modules grow by approx. 1k, and are re-datestamped.
May cause system crashes when accessing files
(load, save, etc.).
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Interferon 2.00+
Hunter 1.00+ Killer 1.17+
Scanner 1.14+ Hunter 1.00+
VProtect 1.10+
Removal Media: Killer 1.26+ Memory: Killer 1.26+
Hunter 1.00+ Hunter 1.00+
Scanner 1.46+
---------------------------------------------------------------------------
General Comments:
This is a very nicely written virus which appends itself to modules,
redirecting three module entry points to pass through itself before
being handed on to the module's original entry point. It spreads
by infecting a module as it is loaded, and then the newly loaded
module infects the next one loaded, and so on...
This virus is likely to be very widespread, since it was distributed
on the Archimedes World February 1992 cover disc in the MicroDrive
demo (in it, several modules were infected). It does nothing until
6th September 1992, when it will display the message:
Your computer has been virus infected. This is intended to be a friendly
virus, and hasn't done any damage to your disc as is possible now,
but it isn't active anymore from now on. Be more careful with illegal
software next time!
[Along with a generation counter. Another interesting observation
is that it does not infect locked modules. Infects whenever it notices
a RUN or LOAD action on a module. As a result, THIS VIRUS IS EXTREMELY
CONTAGIOUS.]
The message that it isn't active anymore is not true! It ALWAYS (even
after 06-Sep-1992) attaches itself to the OS_File (FileV) vector.
The virus first calls the previous owner of the OS_File vector (FileSwitch?).
This means that the module will be loaded and initialised. If the
length of the module minus the initialise word of the module is equal
to 956 (i.e. the length of the virus), then the module is already
infected and the virus deactivates itself (the newly loaded module
has already attached itself to the OS_File vector). If the module
isn't infected, the virus attaches itself at the end of the module,
overwriting the init/final/service words in the module header, preserving
the original 3 words.
(Source: Alan Glover, Michel Fasen)
###########################################################################
MyMod
===========================================================================
Last Updated: 21st April 1992
Aliases: Silicon Herpes
Origin: United Kingdom
Isolation Date: June-August 1991
Effective Length: 2948 bytes
Virus Type: Resident
Symptoms: Additional files "SSLM" (filetype Module) and
"SSLF" in application directories. Message on
every Friday the 13th. Module "MyMod" in module
list.
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Interferon 2.00+
Scanner 1.15+ Killer 1.17+
VProtect 1.10+ Scanner 1.20+
Hunter 1.16+ Hunter 1.16+
Removal Media: Killer 1.17+ Memory: Killer 1.17+
Scanner 1.16+ Hunter 1.16+
Interferon 2.10+
Scanner 1.20+
delete "SSLM", rename "SSLF" to !Boot.
---------------------------------------------------------------------------
General Comments:
This works by redirecting the Alias$@RunType for Obey files, so spreads
very fast.
Once on each Friday 13th you'll get this message:
Hi there. It's me, with my latest addition to the ARCHIMEDIES range
of computer programs. This one's called silicon herpes. It's annoying
but DOES NO REAL DAMAGE!!!
Anyway, it's Friday the 13th, and what can you expect. Acorn state
that RISC OS has high protection against programs of this nature.
I can't call it a virus, as a virus does damage
With Acorn making these bold statements about RISC OS I decided to
write a demonstration to disprove their theories. I must admit
though, it was quite difficult.
Anyway, I don't want to keep you so I'd like to say, have a very
happy Christmas, Easter, Summer or what ever, and hang kickin
There's a likelihood of various spurious errors from one of the variants
(both are the same length) since it addresses application memory
directly!
(Source: Alan Glover)
###########################################################################
NetManager
===========================================================================
Last Updated: 11th September 1992
Aliases:
Origin: United Kingdom
Isolation Date: June-August 1991
Effective Length: 900 bytes
Virus Type: Resident !Boot file infector
Symptoms: Module 'NetManager' in module list.
---------------------------------------------------------------------------
Detection Media: Killer 1.17+ Memory: Interferon 2.00+
VProtect 1.10+ Killer 1.17+
Scanner 1.40+ Scanner 1.20+
Removal Media: Killer 1.17+ Memory: Killer 1.17
Scanner 1.40+ Scanner 1.20+
Interferon 2.10+
delete !Boot. RMKill NetManager
---------------------------------------------------------------------------
General Comments:
I believe this to be the prototype for, or maybe the inspiration
for, the TrapHandler virus. Although the coding is quite different
in places, there's quite a similarity in the design.
There are a number of coding errors in the virus, most notably around
the time bomb area, making it harmless in this form. The intention
of the code is to check for Friday 13th, and display a message, however
it will never detonate (... unless there's a fixed version in circulation
... though that's what I believe TrapHandler is). It's fortunate
that it never displays the message, because there's another coding
error and the message isn't actually there!
(Source: Alan Glover)
###########################################################################
NetStatus
===========================================================================
Last Updated: 21st April 1992
Aliases: Boot
Origin: Norway or Belgium
Isolation Date: October 1991
Effective Length: 2048 or 2072 bytes
Virus Type: Resident !Boot file infector
Symptoms: !Boot filelength increase.
---------------------------------------------------------------------------
Detection Media: Killer 1.27+ Memory: Interferon 1.10+
Scanner 1.02+ Killer 1.27+
VProtect 1.10+ Scanner 1.20+
Hunter 1.16+ Hunter 1.16+
VirusKill 1.00+
Removal Media: Killer 1.27+ Memory: Killer 1.27+
Scanner 1.17+ Hunter 1.16+
Hunter 1.16+ Interferon 1.10+
Scanner 1.20+
RMKill NetStatus
---------------------------------------------------------------------------
General Comments:
NetStatus is written as a module, and in many ways it functions exactly
the same way as the TrapHandler virus, as it saves all of its code
in an application's !Boot file. It differs strongly from that
one, however, as NetStatus does not overwrite the !Boot file. The
original !Boot instructions are executed after the virus has been
loaded, making it more difficult to spot than TrapHandler.
Sometimes a message will appear (after a mode change):
Hello, there.
Just a little message.
The infection count is: <infection count>
This program is harmless
10 Jun 1991
[This message is encrypted, and will neither show up in memory nor
in the infected !Boot file.]
One might think that NetStatus should be placed as a 'variant' of
TrapHandler, as the way the two viruses work is so similar (both
viruses work by loading the !Boot file into memory below &8000 and
then jumping to the code). However, seeing that the code itself was
so different, I chose to let it have its own entry. Also, NetStatus
infects the !Boot file instead of overwriting it! If you think you
might have been infected by this virus, do *Help NetStatus to see
if it is version 2.00, and if it is, do a *Modules to check where
it resides. If the address is 018xxxxx then you are infected; if
not, the address should be 038xxxxx. [This virus has the potential
to cause chaos on Econet networks, where it will replace the real
NetStatus module - causing anything that relies on it to fail.]
Known variant(s) of the NetStatus virus are:
NetStatus-2048
This appears to be an earlier version of NetStatus. Some code is
missing in this version, but they appear identical in operation.
Please note that not many virus killers are aware of both versions.
If it understands only one strain, the !Boot file will become corrupt.
###########################################################################
Parasite
===========================================================================
Last Updated: 21st April 1992
Aliases:
Origin: UK, Cheshire?
Isolation Date: January 1992 by S. Haeck
Effective Length: 6K & 7K
Virus Type: Resident application infector, stores code as
separate file.
Symptoms: Additional modules appearing within applications
---------------------------------------------------------------------------
Detection Media: Killer 1.27+ Memory: Killer 1.27+
Scanner 1.23+ Scanner 1.20+
VProtect 1.12+
Removal Media: Killer 1.27+ Memory: Killer 1.27+
---------------------------------------------------------------------------
General Comments:
This is a **very** nasty virus. Handle any infections with care!
The parasite virus was first discovered by S. Haeck in January 1992.
The two strains are identical, except that the first always uses
the same name for its module, and the second has a random choice
of 20 (twenty) filenames. It will only activate on machines whose
network station number is <80 - which will include non-networked
machines, which typically have 0 or 1 in the CMOS. Do NOT try to
RMKill the module - a delayed action machine crash will result. It
will *wipe any of the following file/directory names - !vkiller,
vir, shield, prot and !guardian - this points at a UK origin since
it is not aware of Scanner.
It has a whole repertoire of dirty tricks, which are time triggered:
- Corruption of the net printer name (it uses this as workspace)
- Midnight, and xx:13: crash the computer
- Before 07:00: crash the computer 300-900 seconds later
- 00:00 to 00:59 on 1st Jan: crash the computer
- 1st of any month: claim 16K of RMA (not used)
- 21st June: set MouseStep to 1
- 21st December: set MouseStep to 127 (fast!)
- 29th February: Set MouseStep to -5 (fast, and reversed)
- If there is a 0 in the time, and the virus loaded from SCSI: *unplug
the Podule Manager (disabling the SCSI disc)
- At 0x and x0 seconds, if the module came from IDEFS: alias the
IconSprites command so that no further sprites are cached
Furthermore, there are some which can be fired at any time:
1 in 50: Change sound settings
1 in 25: Redefine character set to all spaces after 60-240 seconds
1 in 60: Corrupt the disc in drive 0
Lastly, there are a group of serious actions (which are limited so
only a certain number occur within a given period):
- Before 08:00 (14:00 Sundays): configure number of hard and floppy
drives to zero.
- Mondays: Configure Fontsize 0K, SpriteSize 512K, which will cripple
a 1Mb machine!
- 25th December: Configure MonitorType 3, Sync 0
- A 7 in the time: Configure Country to Greece
- 1 in 4: Configure ADFS, Harddiscs 2, Drive 5 (very tricky if you
don't happen to have two ST506 drives)
The module names which it can use are:
FontLibrary, CodeLibrary, ScreenObjct, PromptsPick, HPIBIntMngr,
PRomModules, BasicCryptr, ChrSelecter, WimpModMake, PaletteUtl2,
ModeUtility, FontUtility, TempManager, ColourConvt, IndexReader,
ArthurImage, SyncUtility, VIDCManager, FontPalette, HugoFiennes.
The first (6435 byte) strain always uses the name FontLibrary.
Note that Hugo Fiennes, whose name appears at several points in the
code, as well as being one of the module filenames, has much better
things to do than write viruses, and has no known connection with
this virus!
(Source: Alan Glover, with thanks to Geoff Riley for much of the
decoding)
###########################################################################
Runopt
===========================================================================
Last Updated: 25th October 1992
Aliases:
Origin: UK
Isolation Date: October 1992
Effective Length: 1684 bytes
Virus Type: Resident application infector
Symptoms: Desktop APPLICATION Task called 'Task Manager'.
---------------------------------------------------------------------------
Detection Media: Killer 1.381+ Memory: Killer 1.381+
VProtect 1.24+
Removal Media: Killer 1.381+ Memory: Killer 1.381+
---------------------------------------------------------------------------
General Comments:
In a similar manner to Icon, this virus uses a !Boot file to load
a BASIC program. The program is called RunOpt!, and is filetyped
as data.
Note that the real 'Task Manager' shows up as a module task NOT an
application task.
(Source: Paul Frohock)
###########################################################################
Sprite
===========================================================================
Last Updated: 21st April 1992
Aliases: 'Really Annoying Sprite Virus'
Origin: Germany ? Ireland ?
Isolation Date: February 1992 by Svlad Cjelli
Effective Length: 720 bytes
Virus Type: Resident application infector, stores code as
separate file.
Symptoms: File "Sprite" and maybe !Str in applications
---------------------------------------------------------------------------
Detection Media: Killer 1.27+ Memory: Killer 1.27+
Scanner 1.23+
Removal Media: Killer 1.27+ Memory: Killer 1.27+
delete Sprite, delete !Boot OR delete !Run and
rename !Str to !Run (depending whether !Str is
present or not).
---------------------------------------------------------------------------
General Comments:
This has got some similarities with Image, but until I've (Alan)
had a chance to do a code comparison, I'm not going to class them
as members of the same virus family.
In months which begin with an F it will change the pointer settings.
As far as I can tell, the parameter block is junk, and it's hard
to tell whether the call will return! If it does, a delayed routine
is programmed, which when entered will do FX200,3, zero all the CMOS
RAM, and display a message.
The message is:
Piracy IS theft - Your SYSTEM is DOOMED - Deutschland Uber Alles!
For people like me who don't know any German, a liberal translation
is 'Germany is best'. This is encrypted, so is not usually visible.
Important note: Initial reports about this virus suggested that it
could cause disc corruption. Aside from possible errors during attempted
infections, it does not have any maliciously targeted code for filing
systems.
Infection is by saving the virus code as 'Sprite' (filetyped as such),
and either creating a !Boot, or renaming !Run to !Str and saving
a new !Run which runs !Str.
(Source: Alan Glover, with thanks to Svlad Cjelli)
###########################################################################
SpriteUtils
===========================================================================
Last Updated: 11th September 1992
Aliases:
Origin: UK
Isolation Date: June 1992
Effective Length: 3028 bytes
Virus Type: Resident application infector, stores code as
separate file.
Symptoms: File "Sprutils" appears in applications
---------------------------------------------------------------------------
Detection Media: Killer 1.360+ Memory: Killer 1.360+
VProtect 1.17+
Scanner 1.42+
Removal Media: Killer 1.360+ Memory: Killer 1.360+
Scanner 1.42+
---------------------------------------------------------------------------
General Comments:
This virus spreads by inserting a line in !run files, loading a trojan
SpriteUtils module.
It is my opinion that this virus is designed as an enabling tool
for further unpleasant activities triggered remotely over a network.
My reason for concluding this is that in addition to normal spreading
and replication it goes to great pains to alter the Econet Protection
setting to enable User Remote Procedure Calls.
It intercepts the SWI vectors to process Econet_SetProtection and
Econet_ReadProtection to return, and allow modification of, the value
which was present when the virus started.
It then supports two RPCs, one to turn off all protection, and the
other to restore the setting with just RPCs enabled.
It also attempts to disable VProtect, and will succeed with earlier
versions. However, a new version of VProtect will have no problem
in preventing the virus from being loaded in to a clean machine.
It has no timed or other malicious contents, however as usual there
are some consequences of the way it is written.
In particular, it will claim 2K of RMA workspace, and never release
it, nor does it restore the Econet protection setting it first found.
(Source: Alan Glover)
###########################################################################
T2
===========================================================================
Last Updated: 11th September 1992
Aliases:
Origin: United Kingdom
Isolation Date: July 1992
Effective Length: 4304 bytes
Virus Type: Merges with absolute !RunImage files.
Symptoms: Messages from "T2" and spurious errors.
---------------------------------------------------------------------------
Detection Media: Killer 1.370+ Memory: Killer 1.370+
VProtect 1.20+ Scanner 1.43+
Scanner 1.43+
Removal Media: Killer 1.370+ Memory: Killer 1.370+
---------------------------------------------------------------------------
General Comments:
This is a very dangerous virus, which can cause severe data loss
if not treated rapidly.
On 1st Jan, 14th Feb, 1st May, 4th July, 31st October, 25th December
and Friday 13th a message from T2 will be displayed and it will write
invalid data to the first 32K of ADFS drives 0-7. On D or E format
floppies this will destroy the FS Map and Root Directory, on D format
hard discs it will destroy the boot block, FS Map and Root Directory.
On E format hard discs, it will destroy the boot block only, since
the Free Space map and Root directory are elsewhere on the disc surface.
It will also attempt to do the same to Nexus drives 4-7.
The messages are:
December 25th
Yuletide Jollities from T2
A special christmas present: New blank disks all round.
1st January
New Year's Resolution from T2
New Year's Resolution: I will keep my disks write protected.
14th February
St. Valentine's Day
Roses are red, Violets are blue, I've wiped your hard disk, Because
I hate you.
1st May
Mayday from T2
Mayday, mayday, mayday: your data's sinking.
31st October
Spookiness from T2
You've got a vicious virus AND blanked disks - spooky huh?
July 4th
Independence Day celebrations from T2
You are now fully independent of your saved data.
Friday 13th
Comiserations from T2
Bad luck, me ol' China. Your disks have kinda left you in the lurch,
as it were. Unfortunate, huh?
And the random choice ones:
Greetings from T2
I hate you. F*ck off and die. Painfully.
Comment from T2
You stink of sh*t.
Observation from T2
You're a f*cking c*nt.
Hi there, from your friendly virus
Hi there. You may (or may not) know me. I'm a virus. User meet
T2. T2 meet user. Good ... See ya around.
It also has a random chance routine, based on a 0.1 second timer,
which has various possible effects, including:
- A rude message (see above)
- Scrambled CMOS memory
- Crashing the machine
- Destroying disc data (as above)
There is not an easy quick check for this virus, since it will not
show up as a module or desktop task. The easiest way I can come up
with is to do the following from BASIC (ensure that VProtect 1.20 or
above is NOT loaded, to avoid a false alarm).
SYS "XOS_ServiceCall",,&C0FFEE TO ,A%:PRINT A%
If the number printed is zero, and VProtect 1.20+ is not loaded (or
any other anti-virus program aware of this virus) then it is loaded
and active.
(Source: Alan Glover)
###########################################################################
Terminator
===========================================================================
Last Updated: 11th September 1992
Aliases:
Origin: United Kingdom
Isolation Date: July 1992
Effective Length: 3648 bytes
Virus Type: Task. Stores code as separate file.
Symptoms: Additional files appear in applications (see
below)
---------------------------------------------------------------------------
Detection Media: Killer 1.372+ Memory: Killer 1.372+
Scanner 1.47+
Removal Media: Killer 1.372+ Memory: Killer 1.372+
delete named file, remove last line from !Boot.
---------------------------------------------------------------------------
General Comments:
Strictly speaking - this is an Icon variant. However it has been
changed sufficiently that it merits its own entry.
It can choose one of eight task names, and one of eight different
filenames/filetypes to save itself.
In other respects it acts and spreads like Icon, though there is
a 1 in 10 chance of drive zero being wiped on each infection.
The task names are : ADFS Filer, RMA Manager, Filer Extension, File
Compactor, ADFS Filer (again), MemAlloc, " " and "F*ck off!" (except
with no asterisk - you know what I mean...).
The filenames and filetypes are: Icon (Sprite), MemAlloc (Module),
RunCode (Absolute), ABCLib (Module), CLib (Module), Colours (Modules),
FPEmulator (Module) and !DeskBoot (Utility).
!Killer patches the virus before removing it to ensure that ADFSFiler
is not rmkilled by the virus.
(Source: Alan Glover)
###########################################################################
Thanatos
===========================================================================
Last Updated: 21st April 1992
Aliases: RISCOSext, RISCOS Extensions
Origin: United Kingdom
Isolation Date: May 1991
Effective Length: 11756 or 11764 bytes
Virus Type: Task. Stores code as separate file.
Symptoms: Files "RISCOSext" and "TaskAlloc" in application
directories. Wimp task "Thanatos" visible in
the Task Manager.
---------------------------------------------------------------------------
Detection   Media:  Killer 1.17+            Memory: Killer 1.17+
                    Scanner 1.23+
                    VProtect 1.10+
Removal     Media:  Killer 1.17+            Memory: Killer 1.17+
                    delete named files
---------------------------------------------------------------------------
General Comments:
This is an encrypted (simple EOR with &7A, lower-case "z") BASIC
program (encrypted file = 11756 bytes long, TOP-PAGE of the BASIC program =
7660 bytes) called "RISCOSext" with a filetype of Absolute (yes,
a very poor piece of ARM code decrypts and runs it, and wastes nearly
4K of space between &8100 and &9000!). Associated with it is a Sprite
file (actually of filetype Module) called "TaskAlloc", which is 344
bytes long and contains a rude sprite to replace the mouse pointer.
When run, it installs itself as a Wimp task named "Thanatos" and
then looks for double-clicks to infect application directories (it copies
the RISCOSext and TaskAlloc files into the directory and then appends the
'usual' string to the !Boot file, to run RISCOSext).
The nasty section of the Thanatos Virus REALLY IS nasty, so I urge
you to study this carefully.
Roughly once every 100000 times around the Wimp_Poll loop, Thanatos
can:
* 2 out of 13 chances: Shut down an icon bar application at random (whilst
displaying its own icon bar icon during the shutdown).
* 1 out of 13 chances: Cause a Desktop Quit.
* 3 out of 13 chances: Reverse the mouse pointer step (sets it to -2).
* 1 out of 13 chances: Crash the machine by poking a duff instruction
at the start of memory.
* 1 out of 13 chances: Randomise the 240 bytes of CMOS. [If this happens,
you may have to either short or remove the battery from your machine,
as it might refuse to boot.]
* 4 out of 13 chances: Randomly display one of 8 very rude messages
- one of which also changes the mouse pointer shape to a rude graphic,
and another will also shut down an icon bar application (the same
routine as above).
* 1 out of 13 chances: Wipe the contents of <Obey$Dir>.
It also has a "special date" section as follows:
Any Friday 13th: Advertises its own "virus killer" (from Armen Software).
April 1st: 10 Address exception errors, followed by coloured rectangles
and a 'stuck' mouse pointer for 10 seconds. An "April Fool" message
is then displayed.
December 25th: Destroys the disk map of ADFS drives 0, 4 and 5, followed
by a "Merry Crimble" message.
October 31st: Formats the floppy in drive 0, followed by a "Spooky"
message.
January 1st: As December 25th, but followed by a New Year's Resolution
message (to keep your disks write-protected...).
[The 11764 byte variant is functionally identical, but a slightly
earlier version.]
(Source: Richard K. Lloyd)
[Attempting to kill Thanatos by clicking 'Quit' in the Task Manager
will not work. However, Killer and VKiller will patch the missing
closedown code into the virus before removing it from memory.]
###########################################################################
TrapHandler
===========================================================================
Last Updated: 21st April 1992
Aliases:
Origin: United Kingdom
Isolation Date: September 1991
Effective Length: 924 bytes
Virus Type: Resident !Boot file infector. Overwrites the original
!Boot file completely (or creates a new one if
it doesn't find one) and stores its own code there.
Symptoms: Applications which depend on a !Boot file fail
to run (e.g. if the !System !Boot file was overwritten,
!Edit would fail to run because the !System folder
hasn't been seen; the same applies if the !Boot file
in the Fonts directory is overwritten). The module
'TrapHandler' is present in the module list.
---------------------------------------------------------------------------
Detection   Media:  Killer 1.17+            Memory: Interferon 2.00+
                    Scanner 1.03+                   Killer 1.17+
                    VProtect 1.10+                  Scanner 1.23+
Removal     Media:  Killer 1.17+            Memory: Killer 1.17+
                    Scanner 1.03+                   Interferon 2.10+
                    delete !boot file               Scanner 1.20+
                                                    RMKill TrapHandler
---------------------------------------------------------------------------
General Comments:
The TrapHandler virus is written as a module which infects application
directories by overwriting the !Boot file with its own code. By hooking
onto the FSControl vector, it looks for a *Run action, and on finding
one (e.g. the user opens a directory containing applications, any
of which may contain a !Boot file, which RISC OS automatically executes),
TrapHandler overwrites the application's !Boot file with its own
code.
This code is loaded into memory by using a simple
*LOAD <Obey$Dir>.!Boot <address>
and then executing the code at <address>.
On any Friday after the 20th of any month it will open a regular
message box (i.e. using Wimp_ReportError) with the number of infections
in the header, and the message 'Ignorance will be your undoing.' This
message is rather misleading, as the only destructive thing it does is
overwrite your !Boot files (although it could - as all viruses can - be
modified to do much nastier things). I might sound a bit trivial here -
if your $.!Boot on the hard disc was overwritten, you might get a bit
more than annoyed(!). However, as this !Boot file only gets run when
you reset your machine, it is not very likely to get infected by
this virus (unless you accidentally double-click on it or run it).
###########################################################################
Valid
===========================================================================
Last Updated: 21st April 1992
Aliases:
Origin: Unknown
Isolation Date: March 4, 1992 by Atle M. Bårdholt
Effective Length: 1389 bytes
Virus Type: Non-resident application infector, stores code
as separate file.
Symptoms: Files "Valid" and "Source" in application directories.
---------------------------------------------------------------------------
Detection   Media:  Killer 1.30+            Memory: n/a
                    Scanner 1.23+
                    VProtect 1.13+
Removal     Media:  Killer 1.30+            Memory: n/a
                    Scanner 1.23+
                    delete !Run and "Source". Rename "Valid" to !Run.
---------------------------------------------------------------------------
General Comments:
Valid is a non-resident virus written in BASIC which works by renaming
the !Run file of the application to "Valid", then saving itself as
a file called "Source" and creating a new !Run file which points
to the virus code. Both have correct filetypes (Obey and BASIC
respectively).
In its current form it can hardly spread far. It surprises me that
it was released at all. Due to a major flaw in the code, Valid
creates faulty !Run files every time it infects - effectively rendering
the application non-executable - making it easy to detect that something
is wrong. It is assumed, however, that this is fixed in other or
newer versions (the in-core filename of the BASIC file is "Source2"),
as it is a very simple thing to put right. (This version
keeps the first 21 chars of the original !Run file instead of making
a new one.)
On floppy based systems this virus causes a noticeable slowdown when
it infects an application, as it uses the OSCLI command EnumDir to
create a list of applications to infect. This list is saved as a
file (as a result of EnumDir), and then loaded into some reserved
memory. When the processing of this data is finished, the file is
deleted.
Valid never infects an application twice, as it checks to see if
there's an "our" in the first line (part of RUN <Obey$Dir>.Source)
of the !Run file. Also, it is not certain it will infect a given
application - there's only a 30% chance (determined by RND(10)>7)
of this happening. Valid does little besides replicate (if it had
worked properly), but does create a 0 byte file called "Infected!"
in the application directory after any 22nd in any month.
###########################################################################
Vigay
===========================================================================
Last Updated: 21st April 1992
Aliases: DataDQM, Shakes
Origin: United Kingdom
Isolation Date: Probably April 1991
Effective Length: 2311 or 2432 bytes
Virus Type: Task. Stores code as separate file.
Symptoms: File "DataDQM" in application directories. The
Task "TaskManager" in the Task Manager window.
---------------------------------------------------------------------------
Detection   Media:  Killer 1.17+            Memory: Killer 1.17+
                    Scanner 1.23+
                    VProtect 1.10+
Removal     Media:  Killer 1.17+            Memory: Killer 1.17+
                    delete !Boot and file.
---------------------------------------------------------------------------
General Comments:
This is a BASIC program called "datadqm" with an associated 97-byte
!Boot file. The REMs at the start of the program are as follows:
REM (C)1989 PAUL VIGAY
REM
REM A nasty little Archie Virus !!
REM ... or is something up with your monitor ???
REM
REM version 1.1a (24th October 1989)
Hence you now know why it's called the "Vigay Virus" - the author's
name appears as a comment at the start! When first run, it initialises
as a Wimp task called "TaskManager" and then waits for either:
1) a chance of (500 * hours left of the Thursday) to 1 to crop up to
spark off a silly "wobble" demo (wobbles the screen and mouse pointer).
Yes, this demo only appears on a Thursday, and more frequently as
the day wears on.
or,
2) a file/directory double-click, in which case it attempts to replicate
itself to the first application directory at that level that doesn't
already have either a "!Boot" or a "DataDQM" file.
(Source: Richard K. Lloyd)
[Apparently there are several versions in existence (but apparently not
circulating), some activating on Fridays, others on Friday the 13th.
It is not known whether these Friday versions broke loose, and later
variants were also compiled using the Archimedes BASIC Compiler by
DABS Press. We are still speculating as to whether any of these are
available to the general public. Also, it is worth clarifying that the
'TaskManager' will appear as an application task, unlike the real Task
Manager which is a module task.]
###########################################################################
Virus Detection Utilities
---------------------------------------------------------------------------
(Note: only those programs which are still believed to be regularly
updated are included here.)
Guardian: © Paul Vigay. Latest version known is !Guardian3 3.09
(14th Oct-1992). Multitasking application which keeps
an eye on tasks and also has virus scanner/removal capabilities.
IMPORTANT NOTE: At various places in the application it
claims to remove all known viruses, and to be "equal,
if not better, in spec than !Killer". Both these claims
are clearly false (the current version of !Guardian only
deals with five viruses - including his own (Vigay)).
Handle the software, and the author's claims, with care.
Hunter: © Michel Fasen. Latest version known is 1.16/9 (17-Feb-1992).
Multitasking application. Nice touch by using the Interface
manager. Not RISC OS 3 compatible. Public Domain.
Interferon: © Tor O. Houghton. Latest known version is 2.12 (13-Mar-1992).
Resident program which looks for transfers of data to
disc from areas below &8000 and from the RMA (which catches,
for example, most viruses written as modules). Public
Domain.
Killer: © Pineapple Software Ltd. Written by Alan Glover of Acorn
Computers Ltd. Latest version known is 1.381 (25-Oct-1992).
Multi-tasking scanner/disinfectant. Currently, this application
is the one which detects and removes all known viruses
on the Archimedes. Very user friendly interface, lots
of useful options, includes a nice window with look-up
virus information. Commercial product.
Scanner: © Tor O. Houghton. Latest version known is 1.51 (Oct-1992).
A non-WIMP application which detects and removes the most
common viruses. Commercial software, available direct
from the author.
VProtect: © Pineapple Software Ltd. Written by Alan Glover of Acorn
Computers Ltd. Latest version known is 1.24 (25-Oct-1992).
Resident program which, amongst other things, checks !Run
and !Boot and module files for infection before running
them. Supplied with !Killer.
As you can see, there are several virus utilities mentioned in section
3.0. For all of you who have written a virus utility and want it
to appear with correct information concerning version numbers, and
what it can detect and remove etc., could you please send your latest
version to one of the previously mentioned addresses.
Also, could you please include a note on what the program/virus does?
Some help files we have seen have been very vague. All this information
is based on our own reactions, and may well be incorrect in some
parts. If you don't like it, send us some information (not too verbose).
This document exists in three parallel forms. Versions suffixed 'p'
are the Impression version (primarily maintained by Tor Houghton),
and those suffixed 'h' use the Binary Star !ClearView PD reader application
to present a hypertext document. Updates to the document may be sent
to either author, and both versions will get updated. The text version
(suffixed 't') is derived from the ClearView version. There is also
an experimental vb version.
###########################################################################
Acknowledgements & Credits
---------------------------------------------------------------------------
This list contains some of the many people who have helped in the
preparation and updating of this document. Despite their best efforts,
there are undoubtedly some errors - which are wholly our own work
:-).
Simon Burrows: Additional virus documentation.
Svlad Cjelli: Additional virus documentation.
Michel Fasen: Additional virus documentation.
Eivind Hagen: For lending me his copy of Impression!
Bjørn Hotvedt: For keeping up with the never-ending postings to and
from Alan (and other people!).
Richard K. Lloyd: For documentation on the older viruses.
Terje Slettebø: For help with the disassembly of the NetStatus virus.
Paul Frohock: For help and information long before !Killer saw light
of day (and still going strong :-) )!
The following pieces of software are amongst those I (Alan) use for
virus analysis - my thanks to those in the list below who have added
changes etc at my request or helped in other ways (you know who you
are...).
!QZap - Kevin Quinn (PD Desktop Disassembler)
!Dissi - John Tytgat (Registered version - Desktop Disassembler/Source
generator)
!DeskEdit - RISC Developments (!Edit, with many useful additions)
!Snoop - DT Software (Desktop examination tool)
!QDBug - Vertical Twist/QDE (Powerful Debugger/Monitor)
!Detour - Electronic Solutions (Path control utility)
###########################################################################
Contacting the authors
---------------------------------------------------------------------------
POST:
Tor Houghton
17K Park Village
University of Sussex
Falmer
Brighton
BN1 9RD
UK
Alan Glover
PO Box 459
Cambridge
CB1 4QB
UK
EMAIL:
Tor O. Houghton: torh@cogs.susx.ac.uk
Alan Glover: aglover@acorn.co.uk
BBS:
The World of Cryton (+44) (0)749 670030 or (+44) (0)749 679794
Tor O. Houghton: #121
Alan Glover: #6
Arcade (+44) (0)81 654 2212
Alan Glover: #244
Excelsior! (M)BBS (+47) (0)2 84 63 79
Tor O. Houghton: Tor Houghton
(Note: Tor is presently unable to call BBSs, and I do not call very
often at the moment - use another means to contact either of us).
FAX:
Alan Glover (+44) (0)223 415222
Acorn Computers Ltd. (+44) (0)223 254264
Pineapple Software (+44) (0)81 598 2343
TELEPHONE:
Pineapple Software (+44) (0)81 599 1476
Acorn Computers Ltd. (+44) (0)223 254254
###########################################################################
Checklist
---------------------------------------------------------------------------
(last change 25/10/92)
                               Media      Memory
Virus         Utility          D    R     D    R
Archie        Guardian         Y    N     ?    ?
              Killer           Y    Y     Y    Y
              Scanner          Y    N     N    N
Arcuebus      Killer           Y    Y     Y    Y
BBCEconet     Killer           Y    Y     Y    Y
              Scanner          Y    N     Y    Y
              Interferon       N    N     Y    N
Bigfoot       Killer           Y    Y     Y    Y
              Scanner          Y    N     N    N
CeBIT         Hunter           Y    Y     Y    Y
              Interferon       N    N     Y    Y
              Killer           Y    Y     Y    Y
              Scanner          Y    N     Y    N
Code          Killer           Y    Y     Y    Y
              Scanner          Y    Y     N    N
Extend        Guardian         Y    ?     Y    ?
              Hunter           Y    Y     N    N
              Interferon       N    N     Y    N
              Killer           Y    Y     Y    Y
              Scanner          Y    N     Y    N
Funky         Killer           Y    Y     Y    Y
Garfield_I    Killer           Y    Y     Y    Y
              Scanner          Y    Y     Y    Y
              Interferon       N    N     Y    N
Garfield_W    Killer           Y    Y     Y    Y
              Scanner          Y    Y     Y    Y
              Interferon       N    N     Y    N
Handler       Killer           Y    Y     Y    Y
Icon          Hunter           !    !     N    N
              IVSearch         !    !     ?    ?
              Killer           Y    Y     Y    Y
              Scanner          Y    Y     N    N
Image         Killer           Y    Y     Y    Y
              Scanner          Y    N     Y    Y
Increment     Killer           Y    Y     Y    Y
              Scanner          Y    N     Y    N
IRQFix        Killer           Y    Y     Y    Y
              Scanner          Y    Y     N    N
Link          Hunter           Y    Y     Y    Y
              Interferon       N    N     Y    Y
              Killer           Y    Y     Y    Y
              Scanner          Y    Y     Y    Y
Mode87        Killer           Y    Y     Y    Y
              Scanner          Y    Y     N    N
              Interferon       N    N     Y    N
Module        Guardian         Y    Y     ?    ?
              Hunter           Y    Y     Y    Y
              Interferon       N    N     Y    N
              Killer           Y    Y     Y    Y
              Scanner          Y    Y     N    N
MyMod         Hunter           Y    Y     Y    Y
              Interferon       N    N     Y    Y
              Killer           Y    Y     Y    Y
              Scanner          Y    Y     Y    Y
NetManager    Guardian         ?    ?     ?    ?
              Interferon       N    N     Y    Y
              Killer           Y    Y     Y    Y
              Scanner          Y    Y     Y    Y
NetStatus     Hunter           !    !     Y    Y
              Interferon       N    N     Y    Y
              Killer           Y    Y     Y    Y
              Scanner          Y    Y     Y    Y
              VirusKill        Y    Y     ?    ?
Parasite*     Killer           Y    Y     Y    Y
              Scanner          Y    N     Y    N
Runopt        Killer           Y    Y     Y    Y
Sprite*       Killer           Y    Y     Y    Y
              Scanner          Y    N     N    N
SpriteUtils   Killer           Y    Y     Y    Y
              Scanner          Y    Y     N    N
T2            Killer           Y    Y     Y    Y
              Scanner          Y    N     N    Y
Terminator*   Killer           Y    Y     Y    Y
              Scanner          Y    N     N    N
Thanatos*     Hunter           Y    Y     N    N
              Killer           Y    Y     Y    Y
              Scanner          Y    N     N    N
Traphandler   Hunter           Y    Y     Y    Y
              Interferon       N    N     Y    Y
              Killer           Y    Y     Y    Y
              Scanner          Y    Y     Y    Y
Valid         Killer           Y    Y     na   na
              Scanner          Y    Y     na   na
Vigay         Guardian         Y    Y     ?    ?
              Killer           Y    Y     Y    Y
              Scanner          Y    N     N    N
D = Detection, R = Removal.
?  Refers to cases where the documentation fails to explain exactly
   what it does with the virus.
!  Special cases (e.g. some killers might not detect all variants of a
   virus); refer to the separate virus entries in this document for
   details.
na Not applicable, typically a virus which does not reside in memory.
###########################################################################
Quick Checks
---------------------------------------------------------------------------
(last change 25/10/92)
Archie - Attacks absolute (filetype &FF8) files.
Arcuebus - Installs a false NetStatus module (3.07).
BBCEconet - Attacks absolute files, encrypting part of them. Loads a
trojan BBCEconet module.
Bigfoot - Desktop task called 'bigfoot', file with randomly chosen
name in capitals (BASIC file).
CeBIT - Attacks applications. File "TlodMod" in app. directory. Module
"TlodMod" in module list.
Code - Desktop task called 'Window Manager'. Applications may 'lose'
their sprites.
Extend - Attacks applications. Files "MonitorRM", "CheckMod", "ExtendRM",
"OSextend", "ColourRM", "Fastmod", "CodeRM" or "MemRM" in app.
directory. Module "Extend" in module list.
Funky - Desktop task called 'Window Dude'.
Garfield_I - Creates an application called !Pic, loads a module called
IconManager.
Garfield_W - Creates an application called !Obey, loads a module called
WimpAIDS.
Handler - Creates an application task called 'Task Handler'.
Icon - Attacks applications. Files "Icon", "Poison" or "NewVirus"
in app. directories. Nameless WIMP task in the Task Manager.
Image - Attacks applications. Files "Image" and "!Spr" in app. directory.
Increment - Attacks applications. Appends to !Boot - look for 'load
<obey$dir>.!boot 8000' towards the end of the !Boot.
IRQFix - Attacks applications. Files "RiscExtRM", "WimpPoll", "OSSsystem",
"MiscUtil", "FastRom", "IRQFix" or "AppRM" in app. directory. Module
"Irqfix" in module list.
Link - Attacks absolute (filetype &FF8) files. Module "BSToDel" in
module list. Infected files are re-stamped.
Mode87 - Loads a module called BBCEconet (replacing the real one).
Overwrites !Boot files.
Module - Attacks modules. Infected modules are re-stamped.
MyMod - Attacks applications. Files "SSLM" and "SSLF" in app. directories.
Module "MyMod" in module list.
NetManager - Attacks !Boot files. Module "NetManager" in module list.
NetStatus - Attacks !Boot files. Module "NetStatus" in module list
(at offset &018xxxxx). Ensure the program you use understands both
strains of this virus! Killer and Scanner do. See also Arcuebus.
Parasite - Attacks applications. One of 20 filename choices, picked at
random, for the code carrier.
RunOpt - Starts an APPLICATION task called 'Task Manager'.
Sprite - Attacks applications. Files "Sprite" and "!Str" in app.
directories.
SpriteUtils - Attacks applications. File "SprUtils" saved in applications.
Loads from !Run.
T2 - Attacks !RunImage files of type &FF8. Files grow by about 4K.
See entry for details.
Terminator - An Icon variant which uses varied file/task names. Extra
files appear in directories.
Thanatos - Attacks applications. Files "RISCOSext" and "TaskAlloc"
in app. directory. "Thanatos" visible in the Task Manager.
TrapHandler - Attacks !Boot files. Module "TrapHandler" in module
list.
Valid - Attacks applications. Files "Valid" and "Source" in app.
directory.
Vigay - Attacks applications. File "DataDQM" in app. directories.
WIMP task named "TaskManager" in the Task Manager.
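The file-name indicators listed above, the appended !Boot/!Run lines described in the Increment, Thanatos and Valid entries, and the Thanatos entry's note that RISCOSext is a BASIC program EORed with &7A can be turned into a simple disc check. This is an added example in Python, written for this edition and not taken from the document or from !Killer, !Scanner or any other utility named here; the disc picture, the file contents and the two-line REM program it decrypts are all constructed for the example, and the BBC BASIC line layout it checks (&0D, line number, length byte, body; &0D &FF at the end) is the standard tokenised format.

```python
"""Indicator scanner for the virus families described in this document:
file-name indicators from "Quick Checks", the run lines the Increment,
Thanatos and Valid entries say are appended to !Boot/!Run, and a
RISCOSext file that EORs with &7A into tokenised BBC BASIC (Thanatos).
Everything below the functions is constructed sample data."""
from typing import Dict, List, Tuple

# File names the Quick Checks section lists, keyed by virus.  RISC OS
# filing systems ignore case, so all comparisons are case-insensitive.
APP_FILE_INDICATORS: Dict[str, Tuple[str, ...]] = {
    "CeBIT": ("TlodMod",),
    "Extend": ("MonitorRM", "CheckMod", "ExtendRM", "OSextend",
               "ColourRM", "Fastmod", "CodeRM", "MemRM"),
    "Icon": ("Icon", "Poison", "NewVirus"),
    "Image": ("Image", "!Spr"),
    "IRQFix": ("RiscExtRM", "WimpPoll", "OSSsystem", "MiscUtil",
               "FastRom", "IRQFix", "AppRM"),
    "MyMod": ("SSLM", "SSLF"),
    "Sprite": ("Sprite", "!Str"),
    "SpriteUtils": ("SprUtils",),
    "Thanatos": ("RISCOSext", "TaskAlloc"),
    "Valid": ("Valid", "Source"),
    "Vigay": ("DataDQM",),
}
# Lower-cased substrings of the run lines the entries describe.  The
# document does not quote Thanatos's exact line, so its file name is used.
BOOT_LINE_INDICATORS: Dict[str, str] = {
    "Increment": "load <obey$dir>.!boot 8000",
    "Thanatos": "riscosext",
    "Valid": "run <obey$dir>.source",
}
THANATOS_KEY = 0x7A  # lower-case "z", the EOR key named in the entry


def eor(data: bytes, key: int) -> bytes:
    """EOR every byte with key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def is_tokenised_basic(data: bytes) -> bool:
    """True if data has BBC BASIC's stored-program layout: each line is
    <&0D> <line hi> <line lo> <length incl. these 4 bytes> <body>, and
    the program ends with <&0D> <&FF>."""
    pos, end = 0, len(data)
    while pos + 2 <= end and data[pos] == 0x0D:
        if data[pos + 1] == 0xFF:               # end-of-program marker
            return pos > 0 and pos + 2 == end
        if pos + 4 > end or data[pos + 3] < 4:  # header missing/too short
            return False
        pos += data[pos + 3]
    return False


def scan_disc(disc: Dict[str, Dict[str, bytes]]) -> List[Tuple[str, str, str]]:
    """disc maps each application directory to {file name: contents}.
    Returns sorted (virus, directory, evidence) triples."""
    findings = []
    for app, files in disc.items():
        lower = {name.lower(): data for name, data in files.items()}
        for virus, names in APP_FILE_INDICATORS.items():
            hits = [n for n in names if n.lower() in lower]
            if hits:
                findings.append((virus, app, "file " + ", ".join(hits)))
        for boot in ("!boot", "!run"):
            text = lower.get(boot, b"").decode("latin-1").lower()
            for virus, needle in BOOT_LINE_INDICATORS.items():
                if needle in text:
                    findings.append((virus, app, boot + " line " + needle))
        blob = lower.get("riscosext")
        if blob is not None and is_tokenised_basic(eor(blob, THANATOS_KEY)):
            findings.append(("Thanatos", app, "RISCOSext decrypts to BASIC"))
    return sorted(findings)


def make_basic_line(number: int, body: bytes) -> bytes:
    """Build one tokenised BBC BASIC line; &F4 in body is the REM token."""
    return bytes([0x0D, number >> 8, number & 0xFF, 4 + len(body)]) + body


# Constructed sample: a harmless two-line REM program, EOR-encrypted the
# way the Thanatos entry describes, standing in for the real file.
SAMPLE_BASIC = (make_basic_line(10, b"\xF4 constructed sample")
                + make_basic_line(20, b"\xF4 not virus code") + b"\x0D\xFF")
SAMPLE_DISC: Dict[str, Dict[str, bytes]] = {
    "$.!Draw": {"!Run": b"Run <Obey$Dir>.!RunImage\n"},  # clean
    "$.Apps.!Edit": {"!Boot": b"IconSprites <Obey$Dir>.!Sprites\n"
                              b"Run <Obey$Dir>.RISCOSext\n",
                     "RISCOSext": eor(SAMPLE_BASIC, THANATOS_KEY),
                     "TaskAlloc": b"\x00" * 16},
    "$.Apps.!Paint": {"!Boot": b"Set Paint$Dir <Obey$Dir>\n"
                               b"load <obey$dir>.!boot 8000\n"},
    "$.PD.!Game": {"!Run": b"RUN <Obey$Dir>.Source\n", "Source": b"",
                   "Valid": b"Run <Obey$Dir>.!RunImage\n"},
}

if __name__ == "__main__":
    print(*scan_disc(SAMPLE_DISC), sep="\n")
```

Exact-name matches are deliberate: an application's own !Sprites or !RunImage must not trip the Sprite or Image indicators.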
###########################################################################
Calendar
---------------------------------------------------------------------------
A number of viruses have messages which are programmed to be displayed
on a given day or dates. Some are specific dates (e.g. 4th July); others
are less specific, such as the first Monday of the month, or Friday
the 13th.
This section is subdivided into months for the viruses with specific
dates, followed by a section for messages which could occur in any
suitable month.
January
February
March
April
May
June
July
August
September
October
November
December
Any
###########################################################################
January
---------------------------------------------------------------------------
Date          Virus        Message/Action
1st           Parasite     Crashes computer before 01:00
1st           T2           New Year's Resolution from T2...
1st           Thanatos     Suggested new-year's resolution...
###########################################################################
February
---------------------------------------------------------------------------
Date          Virus        Message/Action
14th          T2           St. Valentine's Day Roses are red, Violets are blue...
29th          Parasite     Set Mouse step rate to -5 (fast & reversed)
###########################################################################
March
---------------------------------------------------------------------------
Date          Virus        Message/Action
15th          Bigfoot      This is a HOLD UP! Give me all the PD software...
###########################################################################
April
---------------------------------------------------------------------------
Date          Virus        Message/Action
1st           BBCEconet    E.T. phones home!
1st           Thanatos     Address Exception at &0863FB3C
###########################################################################
May
---------------------------------------------------------------------------
Date          Virus        Message/Action
1st           T2           Mayday from T2...
###########################################################################
June
---------------------------------------------------------------------------
Date          Virus        Message/Action
21st          Parasite     Set Mouse step rate to 1 (slow)
25th          BBCEconet    Ph'nglui mglw'nafh Chtulhu...
###########################################################################
July
---------------------------------------------------------------------------
Date          Virus        Message/Action
4th           T2           Independence Day celebrations from T2...
4th           Bigfoot      Hay there its the 4th of July...
###########################################################################
August
---------------------------------------------------------------------------
Date          Virus        Message/Action
No viruses are known which display messages specifically during this
month.
###########################################################################
September
---------------------------------------------------------------------------
Date          Virus        Message/Action
6th (1992)    Module       Your computer has been virus infected...
###########################################################################
October
---------------------------------------------------------------------------
Date          Virus        Message/Action
31st          T2           Spookiness from T2...
31st          Thanatos     Your disk's been formatted without you asking...
###########################################################################
November
---------------------------------------------------------------------------
Date          Virus        Message/Action
5th           Bigfoot      Wizz Bang! Its Guyfalks night...
###########################################################################
December
---------------------------------------------------------------------------
Date          Virus        Message/Action
21st          Parasite     Set Mouse step rate to 127 (very fast)
21st          Parasite     Change MonitorType and Sync settings
25th          BBCEconet    Merry Christmas!
25th          Bigfoot      Happy Christmas from BigFoot ... The VIRUS
25th          T2           Yuletide Jollities from T2...
25th          Thanatos     Merry Chrimble! Hope you liked your pressy...
###########################################################################
Any Month
---------------------------------------------------------------------------
Date          Virus        Message/Action
13th          Archie       Hehe ArchieVirus strikes again
Friday 13th   Link         Message from LINK: Active since 30-Nov-91
Friday 13th   BBCEconet    It's Friday! Why are you working....
Friday 13th   MyMod        Hi there. It's me, with my latest addition...
Friday 13th   T2           Comiserations from T2...
Friday >20th  Traphandler  Ignorance will be your undoing
First Monday  Garfield_I   The Garfield Virus is here to stay
First Monday  Garfield_I   Don't you just hate Mondays?
First Monday  Garfield_W   The Garfield Virus is here to stay
First Monday  Garfield_W   Don't you just hate Mondays?
Any Thursday  Vigay        Screen wobbles up/down
###########################################################################
Index
---------------------------------------------------------------------------
Introduction
Abstract
Virus Index (index to known viruses)
Virus Detection Utilities
Acknowledgements & Credits
Contacting the authors
Checklist
Quick Checks
Calendar
Index of virus names and aliases:
Archie
Arcuebus
BBCEconet
Bigfoot
Boot
CeBIT
Code
DataDQM
Extend
Filer
FF8
Funky
Garfield_I
Garfield_W
Handler
Icon
Icon-A
Illegal
Image
Increment
IRQFix
Link
Mode87
Module
ModVir
MyMod
NetManager
NetStatus
Newvirus
Parasite
Poison
RISCOSExt
Runopt
Shakes
Sicarius
Silicon Herpes
Sprite
SpriteUtils
T2
Terminator
Thanatos
Traphandler
Valid
Vigay