Acorn User: China

home *** CD-ROM | disk | FTP | other *** search

/ Acorn User: China / Acorn User China CD-ROM (UK) (Disc A) / Acorn User China CD-ROM (UK) (Disc A).bin / DEMON / ANTIVIRUS / AVRD184T

Wrap

Text File | 1994-02-04 | 137.3 KB | 3,995 lines

This is the textual version of the AVRD. In order to minimise editing overhead this version is now derived directly from the source of the HyperText version. The derivation is performed by a program, so the formatting may not always be perfect - but we'd rather spend our time coding !Killer/!Scanner ! Ignore any references to clicking in specific places in the document - this facility is only available in the HyperText version. ########################################################################### The Archimedes Virus Reference Document --------------------------------------------------------------------------- Version 1.84h (6th January 1994) Copyright © 1991-1994 Tor O. Houghton and Alan Glover This document is copyright. Profit based distribution (whether PD or Shareware) without prior consent from the authors, is strictly illegal. If in doubt, contact one of the authors. Note that this version of !ClearView also has certain conditions upon its distribution. This is the hypertext form of this document, using the Binary Star !ClearView package. Click here (on the underlined word) for a brief guide to using this software and details about obtaining enhanced versions. A full list of the contents, and an index of the viruses covered in this edition of this document can be seen by clicking the 'index' icon (the rightmost one), or the underlined word in this sentence. ########################################################################### Abstract --------------------------------------------------------------------------- As the number of people using the Acorn Archimedes range of computers has increased over the years, so has the number of viruses. This document contains the compiled information from various virus researchers and their killers. In particular, it is (as the title suggests) a compendium of the knowledge about viruses of Tor Houghton and Alan Glover. The purpose of this document is to give as many details as possible on each virus known, and to assist those who think they might be infected by a virus. A dilemma occurred as this document took form. How much information should be included? If we provided too much information, this document could well become an effective "cookbook" for people wanting to write a virus (and also be used by authors of anti-virus programs to claim coverage of virus they've never seen based on the information here). This is not our intention. The professionals and programmers who read this will easily identify the missing or omitted information because they already have this background knowledge - it is part of the working tools of our profession. The document is not intended to provide very detailed technical information on a virus (although this may happen as a way of explaining it), but to allow the reader to understand what the virus generally does, what makes it activate and what it does upon activation. Most important, however, it should help the user with the removal! 1.0 Introduction --------------------------------------------------------------------------- A virus is nothing magical. Anyone with a bit of programming skills and some knowledge about the machine's operating system is capable of creating a virus. Usually these programmers think it is fun, they've read too many cyberpunk books, or they are generally pitiful creatures who like to inflict damage. Final note: In spite of many journalist's secret wishes, a computer virus cannot spread from one type of computer to another. For example, a virus written on a PC running MS-DOS or Windows cannot infect the Archimedes - in native mode. If you are using the PC emulator, a virus functions perfectly under this environment too (probably with a few exceptions due to the fact that there are about 1000 viruses running under this particular operating system). The only area in which some crossover is possible is hardware - if you have a DOS virus which thrashes the floppy disc out of alignment, it will obviously affect it when it is used normally! 1.1 Some Definitions --------------------------------------------------------------------------- Connectivity: The level of ability a computer has to connect to other computers. Nowadays it is very easy to, for example, phone a BBS and download new software. The higher the level of connectivity, the higher the level of possible exposure to computer viruses. The same may also be considered true of other sources of software, such as PD libraries. Trojan Horse: This is a generic term (taken from Greek mythology) for a penetration method that includes hidden code. An example of this is the Link virus which, while being helpful in the ways of converting backspace to delete, also launches a virus into your computer. Virus: A computer virus can be defined as a malicious program capable of replicating itself. See "A Computer Security Glossary for the Advanced Practitioner" in the Computer Security Journal IV, No. 1, 1987 for a similar description. Please note that most computer viruses on the Archimedes do nothing but replicate, although there are a few exceptions. My own definition is 'a program which attempts to replicate without the user's knowledge or consent and may perform unauthorised actions'. Worm: A computer program which moves through your computer system, altering data as it copies itself and deleting the old copy. If a worm reproduces it could also be called a virus. There are no reports of worms on the Archimedes, mainly because it is such a closed system, and would be detected much too easily to become a hazard. Networks are more exposed to such nasties. 1.2 Entry Explanations --------------------------------------------------------------------------- Name: The most common name of the virus. Often chosen because of some text found in the virus, or like CeBIT, connected to some event (the biggest computer show in Europe). Aliases: Names which other anti-viral agent documents (usually brief notes which are included with the program) use for the same virus. This includes names that are commonly used by BBS users etc. Always try to use the name used here for a given virus rather than any of thealternative names. Origin: The country where the virus seems to have originated from (or at least, where it was isolated). Isolation Date: The date (as detailed as possible) when the virus was first found. Effective Length: The length the virus occupies on the disc. The actual length in memory may well be different. Virus Type: Task refers to viruses written as a multitasking program (i.e. appears on the Task Manager, with or without a task name). Resident refers to viruses which, by reserving some memory, insert themselves as a machine code program invisible to the task manager. By monitoring certain interrupts the virus is able to spread. Also, if the virus attaches itself to files, this is noted along with what type of files it infects. Symptoms: Odd behaviour which might occur if the virus is loaded. This could be spurious crashes or files suddenly appearing (or disappearing!). Take note that this has nothing to do with what the virus actually does when it activates, as this will be detailed as extensively as possible under the 'general comments' section. Detection: Refers to anti-virus agents (complete with earliest version number) which to our knowledge detects the virus. Please be so kind as to update me on this, as I know there are several anti-virus programs wandering around which I don't have! With the exception of Killer/VProtect and Scanner/Interferon these comments are based solely on the documentation provided with the programs - beware of claims to detect 'all known viruses' when only a subset of those here are listed! Removal: Refers either to programs which remove the virus from the infected file (complete with earliest version number), or if possible, which files to delete without destroying the program. Where it says 'Remove named file(s)', take note that if there is a !Boot file present, be sure to check this too (i.e. with !Edit). In particular, never assume that a Module may be RMKilled, or that an application task may be Quit. It might disappear, but it may also set up a time bomb with serious effects on the system. As a rule, it is unwise to attempt to remove a virus from memory yourself. However some anti-virus programs contain specific code to detect and remove viruses which are present in memory. Where an anti-virus program is known to be able to do this the program and version is given. The criteria for this is that the anti-virus program either neutralises or removes the virus from memory, leaving the machine in a safe enough state for the anti-virus program to remove the infection from your media. Even with this protection, you should still do a CTRL-Reset as soon as possible after you have been infected. General Comments: As detailed information about the virus as possible. Also, if there are any mutated versions of the virus, these are detailed here too, along with any relevant information. Please note that the number after the virus name states how many bytes it occupies on the disc. Source: The person who provided the information about the virus concerned. Where a name does not appear, it will probably have been written by Tor Houghton or Alan Glover. In some cases, an acknowledgment will be included to someone who has helped in the isolation or analysis of the virus. Sometimes square brackets ("[]") with a comment might appear. These are our comments, and offer additional useful information which we thought the original author left out. ########################################################################### Virus index --------------------------------------------------------------------------- Click on the virus name to find out more about it Alien Aprilfool Archie FF8 Arcuebus AxisHack BBCEconet Bigfoot BooHoo Breakfast CeBIT Code Sicarius Diehard Ebenezer EMod Ex_port Extend ExtendV2 FCodex Funky Garfield_I Garfield_W Handler Icon * Icon-A, Filer, Poison, NewVirus, Wraith Image Image2 Increment Irqfix Link Mode87 Module ModVir, Illegal MonitorDat MyMod Silicon Herpes NetManager NetStatus Boot NewDesk Parasite * Penicillin * Poltergeist Runopt Shy Sprite * SpriteUtils T2 * TaskManager Terminator * Thanatos * RISCOSExt Traphandler Valid VanDamme Vigay DataDQM, Shakes Whoops Wimpman Viruses marked with an asterisk (*) carry malicious code (in the case of Icon in the 2158 byte strain only). Any detection of one of these viruses should be treated thus: 1) Perform a CTRL-RESET as soon as possible.To be safe, press F12 and type FX 200,3 beforehand. This should get the virus out of memory, just leaving the storage media to be cleaned. Remember that infection can be as easy as opening a filer viewer! 2) Load a virus killer, and check that the virus is not active. Some virus killers (e.g. Pineapple's !Killer) are capable of removing any resident virus, and withstanding infection attempts whilst doing this. Bear in mind that not all anti-virus programs are intended to start up in an environment where a virus is active. 3) Run the virus killer through the system, opening the minimum possible number of filer windows. Obviously, if you keep your copy of the virus killer on a write-protected floppy this is quite easy! Remember to check removable discs too! Please note that spurious resets and/or errors which occur are usually the results of poor programming, and is therefore not considered malicious (it merely depicts the programmer's skills - he should have stuck to LOGO). Although not usually marked as malicious, some viruses will cause the !Boot of an application to be overwritten. This can cause things which usually happen automatically (eg: locating !System) to fail. ########################################################################### Alien =========================================================================== Last Updated: 21st November 1993 Aliases: Origin: United Kingdom Isolation Date: November 1993 Effective Length: 7831 bytes Virus Type: Resident application infector Symptoms: Error messages from 'Alien' --------------------------------------------------------------------------- Detection Media: Killer 1.511+ Memory: Killer 1.511+ VProtect 1.51+ Removal Media: Killer 1.511+ Memory: Killer 1.511+ --------------------------------------------------------------------------- General Comments: Whilst this is quite definitely an Icon variant, it does have a number of changes which make it rather different. For starters, it has a choice of 22 names and 21 filetypes between it chooses at random. The filenames are: ProgInfo, Image, DiscInfo, Data, Options, Temp, Data, data, Mod, Shit, Wanker, Boot, Mode, System, Dump, Remote, Symbol, Script, Desk, Screen, Monitor and Resiter. The filetypes are: FFD, FFA, FF8, FF4, FF2, FED, FEC, FEC, FEA, FE4, FE3, FE2, FE9, FF5, FE1, FF3, AFF, AE9, FF0, FF6, FF7. Practically all the textual commands within the program are expressed as sequences of CHR$(nnn). Inevitably choosing such a long-winded method has led to a number of typos and syntax errors in the expressions. Given the variety of possible filenames, VProtect detects it only as a Generic Icon virus. As it stands, it is almost harmless - there are so many errors in the text that few of its actions will actually work. However, its replication works fine.... ########################################################################### Aprilfool =========================================================================== Last Updated: 18th December 1992 Aliases: Origin: United Kingdom Isolation Date: December 1992 Effective Length: 1618 bytes Virus Type: Resident application infector Symptoms: RAM disc contains directory called 'Scrapheap' --------------------------------------------------------------------------- Detection Media: Killer 1.383+ Memory: Killer 1.383+ Removal Media: Killer 1.383+ Memory: Killer 1.383+ --------------------------------------------------------------------------- General Comments: This virus initialises as a desktop task called 'AprilFool'. It spreads by saving a copy of the virus into the application being infected. The file saved is BASIC., and called 'Virus'. It also renames the current !Boot to BootBackup and saves a new !Boot file. This may well cause great confusion, since any environmental variables set up by the !Boot file normally won't be! It holds copies of the virus and prototype !Boot file in the RAM disc - so the virus will not even work if you have no RAM disc configured! Aside from trying to infect applications, it will also delete !lemmings.LemBoot whenever it is encountered. On the 1st April it will bring up an error box from ADFS Filer saying 'April Fool'. ########################################################################### Archie =========================================================================== Last Updated: 24th November 1993 Aliases: FF8 Origin: United Kingdom Isolation Date: 1988 Effective Length: 920 bytes Virus Type: Resident Absolute (FF8) file infector. Symptoms: May cause "Address exception" or "Undefined instruction" errors. Absolute files will grow in length. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Interferon 2.00+ Scanner 1.02+ Killer 1.17+ Removal Media: Killer 1.17+ Memory: Killer 1.17+ --------------------------------------------------------------------------- General Comments: This is a piece of ARM code that is appended to executables with the Absolute (&FF8) filetype. It is 920 (&398) bytes long and has a tell-tale 4-character string at the end of its code, "1210", which is used as an "already-infected" flag. The first instruction of the original executable is saved near the end of the virus code space and is replaced by a branch to the first instruction of the Archie virus code. What Archievirus does when first run: 1.Attempts to infect executables (Absolute filetype) with the filespecs "@.*" and "%.*". In other words, all executables in the current and library directory are attacked. 2.Uses OS_File 36 as a "semaphore" to see if it is lodged in RMA. If a call to OS_File 36 returns with an error, then it hasn't infected the RMA yet, so it proceeds to claim 920 bytes of RMA, copy itself into there and points a claim of the OS_File vector to its new RMA location. 3.The time is checked to see if it is the 13th of the month. If so, the code loops indefinitely, displaying the 45-character message (in the virus, this message is EORed with &64, and is therefore not easy to spot.): Hehe...ArchieVirus strikes again... 4.Assuming it wasn't the 13th of the month (and NO, it doesn't check for a Friday!), then the original first instruction of the executable is replaced and the original normal code continues from &8000 onwards. The OS_File vector claim is quite important, because this serves two purposes: a.It allows OS_File 36 to return without an error, signalling that the RMA is already infected. b.It checks for OS_Files 0 and 10 (Save memory to file), 11 (create empty file) and 12,14,16 and 255 (Load file). If any of these are encountered then an infection attack is activated (see step 1 above). Update: Nov '93. A case was reported of Archie instead an untyped file. It looks like it infected the file before its type was changed. From version 1.512 Killer will check for this. The other difference is that the routine responsible for displaying the message has been replaced by calls to move the disc head back and forth until the computer is reset. (Source: Richard K. Lloyd) ########################################################################### Arcuebus =========================================================================== Last Updated: 25th October 1992 Aliases: Origin: UK Isolation Date: October 1992 Effective Length: 9619 bytes Virus Type: Resident application infector Symptoms: Extra module files appear in applications --------------------------------------------------------------------------- Detection Media: Killer 1.381+ Memory: Killer 1.381+ VProtect 1.24+ Removal Media: Killer 1.381+ Memory: Killer 1.381+ --------------------------------------------------------------------------- General Comments: This virus spreads as a module within applications. The module has eight possible names: ProgUtil, Resource, InfoFile, SystemRS, ModularR, PureMath, SoundMdl and GraphMdl. When loaded (from a !Boot file) it installs itself as a NetStatus 3.07 (15 Sep 1988). A quick check for this virus is to press <F12> and type 'Help Virus'. The following text will be displayed: Congratulations. Your system has the Arcuebus virus. The following data may interest you:- Virus generation number: Dnnn This copy was born: <date/time> At the same time a sound sample (loaded as a voice called Percussion-Bass) is played. This says 'I am a servant of the <???>'. If anyone who hears this has a good idea what the last word is - do tell us! (Source: Paul Frohock) ########################################################################### Axishack =========================================================================== Last Updated: 13th September 1993 Aliases: Origin: UK Isolation Date: September 1993 Effective Length: 2189 bytes Virus Type: Resident application infector Symptoms: File called 'hack' appears in applications --------------------------------------------------------------------------- Detection Media: Killer 1.501+ Memory: Killer 1.501+ VProtect 1.43+ Removal Media: Killer 1.501+ Memory: Killer 1.501+ --------------------------------------------------------------------------- General Comments: This is a variant of Vigay which runs as a desktop task called Axis_Hack, and triggers on Saturdays rather than Thursday. See the entry for Vigay for more information. ########################################################################### BBCEconet =========================================================================== Last Updated: 29th June 1992 Aliases: Origin: United Kingdom Isolation Date: April 1992 Effective Length: 5280 bytes Virus Type: Resident Absolute (FF8) file infector. Symptoms: Module "BBCEconet 0.09" resident in RMA (&018xxxxx) (see also Mode87!). --------------------------------------------------------------------------- Detection Media: Killer 1.33+ Memory: Killer 1.33+ Scanner 1.33+ Interferon 2.12+ Scanner 1.34+ VProtect 1.15+ Removal Media: Killer 1.33+ Memory: Killer 1.33+ Scanner 1.34+ --------------------------------------------------------------------------- General Comments: The action of this virus bears a marked similarity to Link, i.e. it appends code to absolutes and uses a module to perform the infection (in this case BBCEconet, which it installs). As with Link, it attempts to infect %.Squeeze. However, both viruses use the same check to see whether a file is infected so it is not possible to have an absolute simultaneously infected by Link and BBCEconet. The majority of this virus is kept encrypted when it is not executing, and it also encrypts a segment at the beginning of the absolute file. The encryption key changes with each infection. In short, you need dedicated software to remove it. The datestamp will not change, and as with Link, it temporarily patches Interferon to allow itself to infect without any alarms being given. There are various date fired routines, outlined below. Friday 13th: It's Friday! Why are you working? I first infected a commercial program with good help from Dr. Blob. Now you're infected too - and probably most of your penpals. I've got more in store! And... I've created XXXX copies of myself. Good luck! December 25th: Merry Christmas! April 1st: E.T. phones home! (It sends ATD 0749 679794 to the serial port, so if you have a Hayes compatible modem connected, it will dial this number - a well-known bulletin board service in Somerset.) June 25th: Ph'nglui mglw'nafh Chtulhu R'lyeh fthagn. And... I've created XXXX copies of myself. [The non-english part of this message was introduced by H.P. Lovecraft in his short story The Call of Cthulhu, where it translates to "In his house at R'lyeh, dead Cthulhu waits dreaming." Probably used by the virus writer as proof that he has read this book.] All of these messages will appear in an error box titled "Ouch! You've been bitten!" It may also clear the screen and print the word "LOVE" in mode 12. (Source: Alan Glover) ########################################################################### Bigfoot =========================================================================== Last Updated: 11th September 1992 Aliases: Origin: United Kingdom Isolation Date: August 1992 Effective Length: 5535 or 5580 bytes Virus Type: Task. Stores code as separate file. Symptoms: Additional files with random names in capital letters appear in applications --------------------------------------------------------------------------- Detection Media: Killer 1.381+ Memory: Killer 1.381+ Scanner 1.47+ (5580 byte strain only?) Removal Media: Killer 1.381+ Memory: Killer 1.381+ delete named file, remove line from !Boot. --------------------------------------------------------------------------- General Comments: This is a fairly simple BASIC program, which installs as a desktop task called Bigfoot. It has messages for certain dates, namely: 25 Dec: Happy Christmas from BigFoot ... The VIRUS 05 Nov: "Wizz Bang! Its Guyfalks night BigFoot Strikes again! 04 Jul: "Hay there its the 4th of July ,American Independence! Best wishes from BigFoot 15 Mar: This is a HOLD UP! Give me all the PD software you can get,,, Or you SYSTEM gets it!!! By the way its the end of the fishing season. It infects by creating or modifying the !Boot file, using a random name of 1-10 upper case characters. The virus is saved as a BASIC file of the same name. However the BASIC itself always has REM>Bigfoot on the first line. Apart from spreading, it has no malicious code. The 5535 byte version can not be Quitted from the Task Manager. (Source: Alan Glover, with thanks to Paul Frohock and David Cox for initial analysis) ########################################################################### BooHoo =========================================================================== Last Updated: 6th December 1992 Aliases: Origin: UK Isolation Date: December 1992 Effective Length: 1104 bytes Virus Type: Resident module infector Symptoms: Modules grown by 1104 bytes and are datestamped --------------------------------------------------------------------------- Detection Media: Killer 1.382+ Memory: Killer 1.382+ VProtect 1.25+ Removal Media: Killer 1.382+ Memory: Killer 1.382+ --------------------------------------------------------------------------- General Comments: Like Module, this virus operates by merging with relocatable modules. However its infection method is somewhat more efficient than Module with the result that it will probably spread faster when left unchecked. Infected modules can be identified quickly by looking for the text 'VIRU' at the end of an infected module (this is the marker it uses to avoid reinfection). RMkilling an infected module will result in the message 'Wah, boo hoo!", but the module (and the virus) will close down. On the 23rd October initialising the virus will result in the message 'Happy Birthday!' being displayed. The module also returns to SWI &98000, returning R0 pointing to 'I'm alive and well, thank you!'. (Source: Alan Glover, with thanks to Craig Murphy) ########################################################################### Breakfast =========================================================================== Last Updated: 21st January 1993 Aliases: Origin: Belgium Isolation Date: January 1993 Effective Length: 6688 bytes Virus Type: Resident Absolute (FF8) file infector. Symptoms: Module "BBCEconet 0.09" resident in RMA (&018xxxxx) (see also BBCEconet & Mode87!). --------------------------------------------------------------------------- Detection Media: Killer 1.391+ Memory: Killer 1.391+ VProtect 1.29+ Removal Media: Killer 1.391+ Memory: Killer 1.391+ --------------------------------------------------------------------------- General Comments: The action of this virus bears a marked similarity to Link & BBCEconet, i.e. it appends code to absolutes and uses a module to perform the infection (in this case BBCEconet, which it installs). As with Link, it attempts to infect %.Squeeze. However, both viruses use the same check to see whether a file is infected so it is not possible to have an absolute simultaneously infected by this virus and Link/BBCEconet. The majority of this virus is kept encrypted when it is not executing, and it also encrypts a segment at the beginning of the absolute file. The encryption key changes with each infection. In short, you need dedicated software to remove it. The datestamp will not change, and as with Link/BBCEconet, it temporarily patches Interferon to allow itself to infect without any alarms being given. There are various date fired routines, outlined below. Friday 13th: Have a nice day. You have been infected by copy # July 21st Cheer up, the worst is yet to come. I think. You have been infected by copy # November 5th: ...Remember, Remember, the 5th of November - Gunpowder, Treason and Plot... You have been infected by copy # January 1st: A contest of skill and cyberprank... Who can be the unspoken Maestro? I know Dr. Blob is quite good, but can he dig this one? You have been infected by copy # April 1st: <More details will be added when this routine has been analysed> (Source: Alan Glover) ########################################################################### CeBIT =========================================================================== Last Updated: 21st April 1992 Aliases: Lord of Darkness, TlodMod Origin: Germany Isolation Date: March 1991 Effective Length: 1240 bytes Virus Type: Resident !Boot file infector, stores code as separate file. Symptoms: File "TlodMod" in application directories. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Interferon 2.00+ Scanner 1.23+ Killer 1.17+ VProtect 1.06+ Scanner 1.20+ Removal Media: Killer 1.17+ Memory: Killer 1.17+ delete named file, remove last line from !Boot. --------------------------------------------------------------------------- General Comments: This is a module called "TlodMod" with the following title string: TlodMod 1.11 (11 Nov 1990) by Devil the LORD OF DARKNESS It is 1240 (&4D8) bytes long and hooks itself into UpCallV. It then activates once a minute and first checks for the existence of <Obey$Dir>.TlodMod. If this already exists, then no further action is taken. If it doesn't, however, it then attempts to append the following line to <Obey$Dir>.!Boot: rme. TlodMod 0 rml. <Obey$Dir>.TlodMod If it succeeds at this, a counter is incremented and the module is replicated as <Obey$Dir>.TlodMod. Every 16th successful infection will trip the virus into issuing a "*Wipe $.path.file*" (which will inevitably fail!) and then displaying a message accompanied by a simple graphic. The message displayed is thus: This is a warning to all Users, I am back on the Archimedes ... Your Archie is infected now and with him most of your programms. Don't worry, nothing is damaged, but keep in mind the protection! And always think about the other side of THE LORD OF DARKNESS ... Virus generation is <counter> (Source: Richard K. Lloyd) ########################################################################### Code =========================================================================== Last Updated: 11th September 1992 Aliases: Origin: UK Isolation Date: June 1992 Effective Length: 2251 bytes Virus Type: Resident !Boot file infector, stores code as separate file. Symptoms: File "Code" in application directories. --------------------------------------------------------------------------- Detection Media: Killer 1.360+ Memory: Killer 1.360+ Scanner 1.42+ VProtect 1.17+ Removal Media: Killer 1.360+ Memory: Killer 1.360+ Scanner 1.42+ --------------------------------------------------------------------------- General Comments: This virus installs itself as a desktop task called "Window Manager". The 'Code' file is filetyped as &FF8, but is actually plain BASIC. The virus can either extend a !Boot or create one - if one is created it will be 44 bytes long. The only effects from this virus will be the the loss of sprites for some applications, since the !Boot file it creates does not contain an IconSprites statement to load the sprites. (Source: Alan Glover) ########################################################################### Diehard =========================================================================== Last Updated: 21st November 1993 Aliases: Icon (2173 byte) Origin: UK Isolation Date: October 1993 Effective Length: 2173 bytes Virus Type: Resident !Boot file infector, stores code as separate file. Symptoms: File "Setup" in application directories --------------------------------------------------------------------------- Detection Media: Killer 1.504+ Memory: Killer 1.504+ VProtect 1.49+ Removal Media: Killer 1.504+ Memory: Killer 1.504+ Scanner 1.42+ --------------------------------------------------------------------------- General Comments: Strictly speaking, this is an Icon variant. Please see the entry for it under the Icon section. ########################################################################### Ebenezer =========================================================================== Last Updated: 19th February 1993 Aliases: Origin: United Kingdom Isolation Date: February 1993 Effective Length: 2400 bytes Virus Type: Resident task. Stores code as separate file. Symptoms: File Run2 in application directory. --------------------------------------------------------------------------- Detection Media: Killer 1.393+ Memory: Killer 1.393+ VProtect 1.31+ Removal Media: Killer 1.393+ Memory: Killer 1.393+ --------------------------------------------------------------------------- General Comments: This is basically the Vigay virus, with amendments to the original program to make it slightly different. The changes are: Triggers on Friday rather than Thursday The virus is in a file called Run2 The desktop task is called "Filer" (which will show up as an application task, not a module task like the real Filer). ########################################################################### EMod =========================================================================== Last Updated: 31st March 1993 Aliases: Origin: United Kingdom Isolation Date: March 1993 Effective Length: 1686 bytes Virus Type: Resident task. Stores code as separate file. Symptoms: Spurious files inside application directories --------------------------------------------------------------------------- Detection Media: Killer 1.400+ Memory: Killer 1.400+ VProtect 1.33+ Removal Media: Killer 1.400+ Memory: Killer 1.400+ --------------------------------------------------------------------------- General Comments: This virus is written in BASIC and uses an insertion in a !Boot file to load itself, whereupon it initialises as an application task called " ", which cannot be quitted from the Task Manager. The virus has no malicious code, however its coding is such that it may well generate errors whilst trying to infect something. The virus code is stored in one of the following names, chosen at random. If a file already exists with that name in the application it will choose again. !ReadMe (text),!Help (text),menus (text),Script (text),MemAlloc (module),!Run2 (obey),!RunImage (basic),messages (text),FPE (module),!Sprites23 (sprite),Windows (template),Templates (template),Scrap (data),KeyUtil (utility),Chars (bbcfont),Font (font),Subscripts (absolute),Palette (palette),Protect (module), WimpMan2 (module),Settings (data),Configure (utility),init (utility),!RunImage2 (basic),Choices (data) ########################################################################### Ex_port =========================================================================== Last Updated: 6th December 1992 Aliases: Origin: UK Isolation Date: November 1992 Effective Length: 1282 bytes Virus Type: Resident application infector Symptoms: Modules grown by 1104 bytes and are datestamped --------------------------------------------------------------------------- Detection Media: Killer 1.382+ Memory: Killer 1.382+ VProtect 1.25+ Removal Media: Killer 1.382+ Memory: Killer 1.382+ --------------------------------------------------------------------------- General Comments: This is written in BASIC, and always has the filename Ex_port, though the filetype maybe Sprite, Template, Text, Command, Data, Absolute, Module, Font or BBCFont. It installs itself as a nameless desktop task, so earlier versions of !Killer may detect it as the Extend virus. There are no messages or overtly malicious code, however its infection technique can cause problems. (Source: Alan Glover, with thanks to Toby Smith) ########################################################################### Extend =========================================================================== Last Updated: 21st November 1993 Aliases: Origin: United Kingdom Isolation Date: October 1990 Effective Length: 940 bytes Virus Type: Resident task. Stores code as separate file. Symptoms: File "MonitorRM", "CheckMod", "ExtendRM", "OSextend", "ColourRM", "Fastmod", "CodeRM" or "MemRM" in application directory. Each time the code is executed it grabs 1k of RMA - this will eventually lead to a system crash. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Interferon 2.00+ VProtect 1.06+ Killer 1.17+ Hunter 1.00+ Scanner 1.20+ Scanner 1.36+ Removal Media: Killer 1.17+ Memory: Killer 1.17+ delete named file, remove extra lines from !Boot. --------------------------------------------------------------------------- General Comments: It's a module which can go under 8 different filenames (the name is picked at random using the current time as a seed): MonitorRM, CheckMod, ExtendRM, OSextend, ColourRM, Fastmod, CodeRM or MemRM. However, the module itself has the following title string: Extend 1.56 (08 Jul 1989) It is 940 (&3AC) bytes long and initialises itself as a nameless Wimp task which then looks for Wimp Message 5 (double-click). It attempts to either create an !Boot in the application directory or append to an already existing one with the following lines: IconSprites <Obey$Dir>.!Sprites [0D] RMEnsure Extend 0 RMRun <Obey$Dir>.ModName [0D] ||[FF] The "IconSprites" line is omitted if it is appended to an existing !Boot. "ModName" is one of the 8 possible filenames. The Extend Virus uses the &FF (i.e. decimal 255) byte at the end as a self-check to see if has infected the !Boot file already. Of course, it copies itself to the new name inside the application directory as you would expect. Note the incorrect use of &0D (decimal 13) to terminate the lines, rather than the more correct &0A (decimal 10). A shift-double-click does NOT cause an infection, but it DOES claim yet another 1K of never-to-be-released RMA. There is no damage apart from the claiming of RMA (which will eventually lead to a system crash). Two variants have appeared during October/November 1993. Both are malformed, so that the filenames have an additional character at the beginning. Killer/VProtect are aware of both of these from version 1.511. One has the module name as HLCC12, the other as Ohshit. (Source: Richard K. Lloyd) ########################################################################### ExtendV2 =========================================================================== Last Updated: 16th January 1993 Aliases: Origin: UK Isolation Date: December 1992 Effective Length: 1878 bytes Virus Type: Resident application infector Symptoms: Module file called 'ExtendV2' --------------------------------------------------------------------------- Detection Media: Killer 1.391+ Memory: Killer 1.391+ VProtect 1.27+ Removal Media: Killer 1.391+ Memory: Killer 1.391+ --------------------------------------------------------------------------- General Comments: This is an Icon variant, but has its own entry because it inserts a line in !Boot files saying 'Yes Extend Strikes Again !!!!'. It is filetyped as a module, using the filename 'ExtendV2'. ########################################################################### FCodex =========================================================================== Last Updated: 16th May 1993 Aliases: Origin: UK Isolation Date: May 1993 Effective Length: 1994 bytes Virus Type: Non-resident application infector Symptoms: Absolute file called FCodex --------------------------------------------------------------------------- Detection Media: Killer 1.405+ Memory: Killer 1.405+ VProtect 1.27+ Removal Media: Killer 1.405+ Memory: Killer 1.405+ --------------------------------------------------------------------------- General Comments: This is a non-resident BASIC program which infects applications via their !Run file (which should help to limit its spread somewhat). This virus is capable of wiping the contents of a disc, so handle with extreme care! The message below is displayed when it completes wiping a disc: HI! You have been virus infected! Aren't you happy? No! Well I've got more good news, if you have a hard disc then that is blank and your floppy disc is blank aswell, if it is not then you had the disc read tab on, LUCKY!! Bye for now.... ########################################################################### Funky =========================================================================== Last Updated: 25th October 1992 Aliases: Origin: UK Isolation Date: October 1992 Effective Length: 1308 bytes Virus Type: Resident application infector Symptoms: Sprite file called 'Funky!', application task called 'Window Dude' --------------------------------------------------------------------------- Detection Media: Killer 1.381+ Memory: Killer 1.381+ VProtect 1.24+ Removal Media: Killer 1.381+ Memory: Killer 1.381+ --------------------------------------------------------------------------- General Comments: In common with the Icon family, this is a BASIC program hidden under a Sprite filetype. It initialises as a desktop task called 'Window Dude' and infects by saving copies of itself and amending !Boot files. (Source: Paul Frohock) ########################################################################### Garfield_I =========================================================================== Last updated: 11th September 1992 Aliases: Origin: United Kingdom Isolation Date: June 1992 Effective Length: 1640, not including the files "!Boot", "!Run" and "!Sprites". Virus Type: Resident application infector. Symptoms: Directory "!Pic" with files "!Boot", "!Run", "!Mod" (module) and "!Sprites". Recursive infections possible. --------------------------------------------------------------------------- Detection Media: Killer 1.362+ Memory: Killer 1.362+ Scanner 1.42+ VProtect 1.20+ Scanner 1.47+ Removal Media: Killer 1.362+ Memory: Killer 1.362+ Scanner 1.42+ Scanner 1.47+ --------------------------------------------------------------------------- General Comments: Garfield_I is a resident virus, lodging itself in the RMA as a module "IconManager". When active, it creates a directory inside an application called "!Pic" with the files "!Boot", "!Run", "!Mod" and "!Sprites". The virus code is contained in "!Mod". It then proceeds to add the following lines to the infected application's "!Boot" file: RMEnsure IconManager 1.27 <obey$dir>.!pic Garfield_I uses the default Acorn sprite file sprite, so a casual glimpse in an application folder will not reveal it unless you a) use a different sprite for sprite files or you b) open the folder with "full info". It does not check for multiple infections. Infected applications will, more often than not, contain "!Pic" directories inside "!Pic" directories. Garfield_I activates on the first Monday of any month, displaying "The Garfield Virus is here to stay" then repeatedly "Don't you just hate Mondays?" until the machine is reset or switched off. (Source: Alan Glover) ########################################################################### Garfield_W =========================================================================== Last Updated: 11th September 1992 Aliases: Origin: United Kingdom Isolation Date: June 1992 Effective Length: 1480, not including the files "!Boot", "!Run" and "!Sprites". Virus Type: Resident application infector. Symptoms: Directory "!Obey" with files "!Boot", "!Run", "!Mod" (module) and "!Sprites". Recursive infections possible. --------------------------------------------------------------------------- Detection Media: Killer 1.360+ Memory: Killer 1.360+ Scanner 1.41+ Scanner 1.41+ VProtect 1.17+ Interferon 2.00+ Removal Media: Killer 1.360+ Memory: Killer 1.360+ Scanner 1.41+ --------------------------------------------------------------------------- General Comments: Garfield_W is a resident virus, lodging itself in the RMA as a module "WimpAIDS". When active, it creates a directory inside an application called "!Obey" with the files "!Boot", "!Run", "!Mod" and "!Sprites". The virus code is contained in "!Mod". It then proceeds to add the following lines to the infected application's "!Boot" file: <Obey$Dir>.!Obey |Above line is inoculation for the wimp virus Garfield_W uses the default Acorn Obey file sprite, so a casual glimpse in an application folder will not reveal it unless you a) use a different sprite for obey files or you b) open the folder with "full info". Garfield_W does not check for multiple infections. Infected applications will, more often than not, contain "!Obey" directories inside "!Obey" directories. Garfield_W activates on the first Monday of any month, displaying "The Garfield Virus is here to stay" then repeatedly "Don't you just hate Mondays?" until the machine is reset or switched off. [ Note: Although both Garfield_I and Garfield_W call themselves Garfield, and give the same message, we have given them separate entries since certain items differ between them - notably application and module names. ] (Source: Alan Glover) ########################################################################### Handler =========================================================================== Last Updated: 25th October 1992 Aliases: Origin: UK Isolation Date: October 1992 Effective Length: 1532 bytes Virus Type: Resident application infector Symptoms: Desktop Task called 'Task Handler'. --------------------------------------------------------------------------- Detection Media: Killer 1.381+ Memory: Killer 1.381+ VProtect 1.24+ Removal Media: Killer 1.381+ Memory: Killer 1.381+ --------------------------------------------------------------------------- General Comments: This virus is loaded by a !run file, so is likely to spread slower than most. It renames the original !Run file to Obey. The virus itself is in an absolute called Handler. It may display a message: You have been infected with the Handler VIRUS The Virus is just to see how good a program can infect Sorry if it has up set you in any way, Thats about all i can say! Generation : Press any key to change the channel. (Source: Paul Frohock) ########################################################################### Icon =========================================================================== Last Updated: 6th January 1994 Aliases: Icon-A, Filer, Poison, NewVirus Origin: United Kingdom Isolation Date: 1990? Effective Length: 5498 bytes in base version Virus Type: Task. Stores code as separate file. Symptoms: Nameless wimp task on the Task Manager (sometimes). Silly error messages may appear without reason (sometimes). See below for likely additional files appearing inside applications --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Killer 1.17+ Scanner 1.32+ Scanner 1.32+ IVSearch 2.05+ (note 1) VProtect 1.06+ Hunter 1.00+ (note 1) Removal Media: Killer 1.17+ Memory: Killer 1.17+ delete named file, remove last line from !Boot. --------------------------------------------------------------------------- General Comments: The Icon virus family is a type of very contagious viruses. They are harmless to that extent that they do not destroy files. However, they are very annoying (although I must admit some of the messages were quite amusing!). Common for all the viruses in the Icon family is that the virus is an unnamed wimp task written in BASIC. It spreads by adding a few lines to the !Boot file of an application (without checking for multiple infections), and then saving the code as a file as with filetype sprite. <set the wimpslot> BASIC -quit <obey$dir>.<virusfile> The original virus displayed a stupid error message on start-up, and then every so often after that. Commonly also called the Filer virus as the error message header claims that it's from the Filer. Here are a few examples of what type of error messages which might appear: ".desreveR maertS tuptuO" "This error should not occur." "Previous error did not occur." "Could not reach top of stack." Known variant(s) of the Icon virus are: Icon-1170 Filename: Sprites. This variant sets the system date to 1939. Icon-1668 Filenames: !Runimage2, memaloc, mouserm, screen, prntdata, sys_pal, new_arc, drawfile, oldboot, oldrun, template, bbc_data and hd_cat. Squeezed BASIC version using various filenames/filetypes. No silly messages. (this strain added: 16th January 1993) Icon-1687 Filename: Icon No other effects. Icon-1988 Filename: YUKOHNO!, no filetype. Icon-1992 Filename: Wraith Icon-2096 Filename: Poison Random error code replaced with a *I am stuck - which might log the user on to a network if they're very unfortunate! Icon-2120 Filename: OldCMOS Icon-2158 Filename: Spr This one is nasty! Aside from usual Icon tricks it *replaces* the !Run file of an application with a command to format drive 0, so running the application will format the disc (... that it is on, in the worst case). Icon-2173 Filename: Setup (filetype Data) Versions of VProtect before 1.46 will not detect this virus, allowing it to remove VProtect and delete <Killer$dir>. Aside from this anti-social behaviour it is unremarkable. Icon-2285 Filename: !Spritey (untyped) Unremarkable. Icon-2616 Filename: Icon No silly messages from this version - also has the name of the person who modified it (yes, the UK Computer Crimes Unit have acted on this!). Icon-2622 Filename: Wright Icon-2631 Filename: Splodge Identical to 2616, except the change of name. Icon-2651 Filename:Options, desktop task called Options. No malicious code. Icon-2696 Filename:wallace, filetype module. Otherwise as 2616. Icon-2948 Filenames: »pic, new file, «READER», LO¢K, INTER»ACT Icon-2963 Can use one of the following names. Produces messages on Fri 13th & 5th November: AnimMod, FCoreFix, Modes, Overscan, Monitor, 3dIcons, ScrapMod, SysMod, Patch, Padfile, Compact, UtilMod, FreeMem, Graphics, Music, Support, WimpIcons, Taxan, Cambridge, VigayMod, SmiggyMod, ASCIIConv, StripLine, Redirect. Icon-2977 Dangerous variant sent anonymously to Pineapple Software. It is not yet known whether this strain is also in the wild. However, given it's date fired routines it has been added to VProtect & Killer's repertoire. Fri 13th: configure spritesize 512K, ramdisc 0K, and the message "Palette Strikes Again!!!" Apr 1st: configure idediscs 0, configure hardiscs 0, and the message "Palette has wiped your Hard Drive" (of course it hasn't). 30 minutes past the hour: configure floppies 2, configure idediscs 2, and the message "Your Floppy Drive Has Got An Erection" Jul 4th: configure tv 0,0 and the message "***SHAKES***" Dec 25th: *drive 0, *wipe *.* f ~c and the message "The AVRD doesn't know about this one." Feb 14th: *SET System$Dir <Obey$Dir>.^ and the message "Alan G 4 Tor H" Dec 26th: *unplug desktop, and the message "Sorry to wreck your new pressy but this *is* a virus." Jan 1st before 10am: *configure noscroll, *configure mousestep 20, and the message "Got over your hangover already?" Icon-3077 Filenames and filetype chosen at random from: Filenames: Anim,FCoreFix,Modes,OverDo,Monitor,3dIcons,Scrap,Sys,Patch,Padfile,Compact,Util,FreeMem,GraTask,Music,Support,WimpIcons,TaxMontr, Script,Preview,Reloc,Runtime,StripLine,ErrorGen,CLib,ABCLib,FPEmulator,Colours Icon-4508 Filename: Code 32, filetype Data. May cause unexpected colour changes in the desktop. Icon-5498 Filename: Icon, though the in-core name is 'Extra'. Does have silly messages. Icon-5574 Filename: Icon As 5498 with missing Hourglass_On call added. Silly message less likely to appear when it is loaded. Icon-5737 Filename: NewVirus As 5574, but with a three-key sequence to exit the program. High likelihood of a silly error at startup. Insignificant changes to !Boot save routine. Icon-5742 Filename: Icon Bugfix of 5737. Less likely to give silly errors when loaded. (Source: Alan Glover) ########################################################################### Image =========================================================================== Last Updated: 21st April 1992 Aliases: Origin: Northern Ireland ? Isolation Date: Jan. 1992 by Svlad Cjelli Effective Length: 512 bytes Virus Type: Resident, although not in RMA Symptoms: Files "Image" and "!Spr" in application directories. The file "image" has no filetype, but !Spr has the type Obey. --------------------------------------------------------------------------- Detection Media: Killer 1.26+ Memory: Killer 1.26+ Scanner 1.13+ VProtect 1.07+ Removal Media: Killer 1.26+ Memory: Killer 1.26+ Scanner 1.15+ delete "Image". If there is a "!Spr" file, delete !Run and rename !Spr as !Run, otherwise delete !Boot. --------------------------------------------------------------------------- General Comments: This virus carries no payload, but spreads VERY fast, to the extent that you can delete the file, only to see it instantly re-appear again if it is in memory! It loads its code into the OS workspace, at &5500, it is therefore liable to crash the machine should the OS use that area of workspace. The !Run or !Boot file looks like this: LOAD <OBEY$DIR>.IMAGE 5500[0d]GO 5500[0d] Its action on infection is to save <Obey$Dir>.Image, and then either to create a !Boot file if one does not exist, or if it does, rename the !Run file to !Spr and then create a new !Run file. (Sources: Alan Glover, Svlad Cjelli) ########################################################################### Image2 =========================================================================== Last Updated: 29th October 1993 Aliases: Origin: Isolation Date: October 1993 Effective Length: 320 Virus Type: Resident in RMA Symptoms: Files "Image" and "!BootFAT" in application directories. The file "image" has filetype &FFC, but !Spr has the type Obey. --------------------------------------------------------------------------- Detection Media: Killer 1.509+ Memory: Killer 1.509+ VProtect 1.50+ Removal Media: Killer 1.509+ Memory: Killer 1.509+ --------------------------------------------------------------------------- General Comments: This virus carries no payload, but spreads VERY fast, to the extent that you can delete the file, only to see it instantly re-appear again if it is in memory! It loads its code into the RMA, but will not appear as a module of any sort. Its action on infection is to save <Obey$Dir>.Image, and then either to create a !Boot file if one does not exist, or if it does, rename the !Run file to !BootFat. ########################################################################### Increment =========================================================================== Last Updated: 18th September 1992 Aliases: Origin: UK, Cornwall ? Isolation Date: September 1992 Effective Length: 464 bytes Virus Type: Resident Symptoms: CMOS configuration settings seem to change randomly --------------------------------------------------------------------------- Detection Media: Killer 1.375+ Memory: Killer 1.375+ Scanner 1.49+ Scanner 1.49+ VProtect 1.23+ Removal Media: Killer 1.375+ Memory: Killer 1.375+ --------------------------------------------------------------------------- General Comments: The virus appends itself to existing !boot files. The virus may not be immediately obvious when an infected !boot file is viewed in !Edit because it inserts 28 or more line feeds between the legitimate file and the viral appendage. However CTRL-Down Arrow will move down to the bottom of the file and expose the telltale signs of a machine code appendage on the end of the file. On each infection the virus will increment a CMOS RAM location - the location is incremented too on each infection with the effect of seemingly random problems appearing (including ROM modules becoming unplugged for example). (Source: Alan Glover, with thanks to Lee Davies) ########################################################################### Irqfix =========================================================================== Last Updated: 14th September 1992 Aliases: Origin: United Kingdom Isolation Date: September 1992 Effective Length: 940 bytes Virus Type: Resident task. Stores code as separate file. Symptoms: File "RiscExtRM", "WimpPoll", "OSSystem", "MiscUtil", "FastRom", "IRQFix" or "AppRM" in application directory. Each time the code is executed it grabs 1k of RMA - this will eventually lead to a system crash. --------------------------------------------------------------------------- Detection Media: Killer 1.374+ Memory: Killer 1.374+ Scanner 1.48+ Scanner 1.48+ VProtect 1.22+ Removal Media: Killer 1.374+ Memory: Killer 1.374+ Scanner 1.48+ delete named file, remove extra lines from !Boot. --------------------------------------------------------------------------- General Comments: This is a variant of Extend which uses IRQFix as the module name, and different filenames. In all other respects the code is identical to Extend. (Source: Alan Glover, with thanks to Alex Belton) ########################################################################### Link =========================================================================== Last Updated: 21st April 1992 Aliases: Origin: United Kingdom Isolation Date: January 10th, 1992 Effective Length: 1416 bytes Virus Type: Resident Absolute file infector. Also a Trojan Horse. Symptoms: Module 'BSToDel' in module list. Files are re-stamped. --------------------------------------------------------------------------- Detection Media: Killer 1.27+ Memory: Interferon 2.10+ Scanner 1.03+ Killer 1.27+ Hunter 1.16+ Hunter 1.16+ Scanner 1.20+ Removal Media: Killer 1.27+ Memory: Killer 1.27+ Hunter 1.16+ Inteferon 2.10+ Scanner 1.20+ Hunter 1.16+ Scanner 1.20+ --------------------------------------------------------------------------- General Comments: The reason why I found the Link virus was because of the module 'BSToDel' appearing in the module list. Also, suddenly Killer 1.17 didn't work (It gave an "Integrity check failed" and refused to load)! As I already have made my own 'backspace to delete' utility as a module, I wondered where that module came from! (It certainly wasn't as a separate module on the disc.) Before installing itself as a module, it infects %.Squeeze (if there is a library directory, and if Squeeze is indeed in it) - just in case there wasn't enough room in the RMA. Then it hooks onto the FSControlV and InsV vectors. The latter so that it can do what the module title expects it to do: convert backspace (&08) to delete (&7F) (the reason why I also typed it as a Trojan Horse). The FSControl vector is used so that it can look for certain actions - namely *Run and *Copy. When it detects one of these, it does the following. Replaces the first three instructions in the file with its own, making an absolute branch to the end of the file. The rest of the module is then stored here, with the original three instructions too. To make detection a bit more difficult, it encrypts itself with an EOR variant (different key each time). On any Friday the 13th, it will display the message Message from LINK: Active since 30-Nov-91 every time it infects a program. [As Alan pointed out, this date is fixed, so meaning that it bears no relationship to the time which a system became infected.] The virus does no damage apart from attaching itself to files. Files infected by the Link virus are re-stamped to the date they were infected. Also, at the end of the module (and effectively each infected file - although encrypted) the word 'LINK' appears. I first thought this was used as an 'already infected' flag, but this is not so. What it does is check the second instruction in the file, and if this is 'MOV PC,R0' (probably reckons that few programs have this as their second instruction) it recognizes it as infected. If not, the file is infected. This method of checking the file might add to the difficulty of making an inoculator. Why didn't Interferon detect this virus? At first, I thought that there might be a bug in Interferon, but as I found out, the Link virus checks to see if Interferon is in memory by using OS_Module 18 (look-up module name). By doing this, it also finds where the module code is. Then, it changes a CMP instruction within the code so that Interferon never detects OS_GBPB. After the infection is finished, the Link virus changes the code back to what it was. [I'm working on a CRC routine for a future version of Interferon at the moment, so Interferon should be 100% operational 'real soon now'.] ########################################################################### Mode87 =========================================================================== Last Updated: 11th September 1992 Aliases: Origin: Unknown. UK? Isolation Date: Unknown - possibly autumn 1991 Effective Length: 848 bytes Virus Type: Resident !Boot file infector. Symptoms: Module 'Mode87' in application directories. --------------------------------------------------------------------------- Detection Media: Killer 1.360+ Memory: Killer 1.360+ Scanner 1.41+ Interferon 1.10+ VProtect 1.17+ Removal Media: Killer 1.360+ Memory: Killer 1.360+ Scanner 1.41+ --------------------------------------------------------------------------- General Comments: Mode87 installs itself in the RMA as "BBCEconet". The way to tell the difference from this and the original Acorn network module, is that the address of where the module lies is at &01xxxxxx instead of a ROM address (&03xxxxxx) by typing *Modules. If Acorn's original module is not *Unplugged, it will install itself on top of this, and not easily seen in the module list. Mode87 is not malevolent. Although it destroys the original !Boot file of an application, it is not treated as a virus with serious damage potential. Mode87 simply overwrites any !Boot file already there (and if there isn't one, it creates a new one) with: | Boot file IconSprites <Obey$Dir>.!Sprites RMLoad <Obey$Dir>.Mode87 Then it proceeds to save itself as a module with the filename "Mode87". If it has reached an infection count of 256, an expanding circle (black, if you are using the standard desktop palette) will "eat" your screen. Control will then return to normal. Mode87 releases its vector claim on OS_FSControl, so it is quite safe to *RMKill it. (Source: Tor Houghton) ########################################################################### Module =========================================================================== Last Updated: 11th September 1992 Aliases: Illegal, ModVir Origin: Unknown Isolation Date: October 1991 Effective Length: 956 bytes Virus Type: Resident module infector. Symptoms: Modules grow by approx. 1k, and are re-datestamped. May cause system crashes when accessing files (load, save, etc. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Interferon 2.00+ Hunter 1.00+ Killer 1.17+ Scanner 1.14+ Hunter 1.00+ VProtect 1.10+ Removal Media: Killer 1.26+ Memory: Killer 1.26+ Hunter 1.00+ Hunter 1.00+ Scanner 1.46+ --------------------------------------------------------------------------- General Comments: This is a very nicely written virus which appends itself to modules, redirecting three module entry points to pass through itself before being handed on to the module's original entry point. It spreads by infecting a module as it is loaded, and then the newly loaded module infects the next one loaded, and so on... This virus is likely to be very widespread, since it was distributed on the Archimedes World February 1992 cover disc in the MicroDrive demo (in it, several modules were infected). It does nothing until 6th September 1992, when it will display the message: Your computer has been virus infected. This is intended to be a friendly virus, and hasn't done any damage to your disc as is possible now, but it isn't active anymore from now on. Be more careful with illegal software next time! [Along with a generation counter. Another interesting observation is that it does not infect locked modules. Infects whenever it notices a RUN or LOAD action on a module. As a result, THIS VIRUS IS EXTREMELY CONTAGIOUS.] The message that it isn't active anymore is not true! It ALWAYS (even after 06-Sep-1992) attaches itself to the OS_File (FileV) vector. The virus first calls the previous owner of the OS_File vector (FileSwitch?). This means that the module will be loaded and initialised. If the length of the module minus the initialise word of the module is equal to 956 (i.e. the length of the virus), then the module is already infected and the virus deactivates itself (the newly loaded module has already attached itself to the OS_File vector). If the module isn't infected, the virus attaches itself at the end of the module, overwriting the init/final/service words in the module header, preserving the original 3 words. (Source: Alan Glover, Michel Fasen) ########################################################################### MonitorDat =========================================================================== Last Updated: 24th November 1993 Aliases: Origin: United Kingdom Isolation Date: November 1993 Effective Length: 2355 bytes Virus Type: Resident task. Stores code as separate file. Symptoms: File MonitorDat in application directory. --------------------------------------------------------------------------- Detection Media: Killer 1.512+ Memory: Killer 1.512+ VProtect 1.52+ Removal Media: Killer 1.512+ Memory: Killer 1.512+ --------------------------------------------------------------------------- General Comments: This is basically the Vigay virus, with amendments to the original program to make it slightly different. The changes are: Triggers on Monday rather than Thursday The virus is in a file called MonitorDat ########################################################################### MyMod =========================================================================== Last Updated: 21st April 1992 Aliases: Silicon Herpes Origin: United Kingdom Isolation Date: June-August 1991 Effective Length: 2948 bytes Virus Type: Resident Symptoms: Additional files "SSLM" (filetype Module) and "SSLF" in application directories. Message on every Friday the 13th. Module "MyMod" in module list. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Interferon 2.00+ Scanner 1.15+ Killer 1.17+ VProtect 1.10+ Scanner 1.20+ Hunter 1.16+ Hunter 1.16+ Removal Media: Killer 1.17+ Memory: Killer 1.17+ Scanner 1.16+ Hunter 1.16+ Interferon 2.10+ Scanner 1.20+ delete "SSLM", rename "SSLF" to !Boot. --------------------------------------------------------------------------- General Comments: This works by redirecting the Alias$@RunType for Obey files, so spreads very fast. Once on each Friday 13th you'll get this message: Hi there. It's me, with my latest addition to the ARCHIMEDIES range of computer programs. This one's called silicon herpes. It's annoying but DOES NO REAL DAMAGE!!! Anyway, it's Friday the 13th, and what can you expect. Acorn state that RISC OS has high protection against programs of this nature. I can't call it a virus, as a virus does damage With Acorn making these bold statements about RISC OS I decided to write a demonstration to disprove their theories. I must admit though, it was quite difficult. Anyway, I don't want to keep you so I'd like to say, have a very happy Christmas, Easter, Summer or what ever, and hang kickin There's a likelihood of various spurious errors from one of the variants (both are the same length) since it addresses application memory directly! (Source: Alan Glover) ########################################################################### NetManager =========================================================================== Last Updated: 11th September 1992 Aliases: Origin: United Kingdom Isolation Date: June-August 1991 Effective Length: 900 bytes Virus Type: Resident !Boot file infector Symptoms: Module 'NetManager' in module list. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Interferon 2.00+ VProtect 1.10+ Killer 1.17+ Scanner 1.40+ Scanner 1.20+ Removal Media: Killer 1.17+ Memory: Killer 1.17 Scanner 1.40+ Scanner 1.20+ Interferon 2.10+ delete !Boot. RMKill NetManager --------------------------------------------------------------------------- General Comments: I believe this to be the prototype for, or maybe the inspiration for, the TrapHandler virus. Although the coding is quite different in places, there's quite a similarity in the design. There are a number of coding errors in the virus, most notably around the time bomb area, making it harmless in this form. The intention of the code is to check for Friday 13th, and display a message, however it will never detonate (... unless there's a fixed version in circulation ... though that's what I believe TrapHandler is). It's fortunate that it never displays the message, because there's another coding error and the message isn't actually there! (Source: Alan Glover) ########################################################################### NetStatus =========================================================================== Last Updated: 21st April 1992 Aliases: Boot Origin: Norway or Belgium Isolation Date: October 1991 Effective Length: 2048 or 2072 bytes Virus Type: Resident !Boot file infector Symptoms: !Boot filelength increase. --------------------------------------------------------------------------- Detection Media: Killer 1.27+ Memory: Interferon 1.10+ Scanner 1.02+ Killer 1.27+ VProtect 1.10+ Scanner 1.20+ Hunter 1.16+ Hunter 1.16+ VirusKill 1.00+ Removal Media: Killer 1.27+ Memory: Killer 1.27+ Scanner 1.17+ Hunter 1.16+ Hunter 1.16+ Interferon 1.10+ Scanner 1.20+ RMKill NetStatus --------------------------------------------------------------------------- General Comments: NetStatus is written as a module, and in many ways it functions exactly the same way as the TrapHandler virus, as it saves all of its code in an application's !Boot file. It differs strongly from from this one, however, as NetStatus does not overwrite the !Boot file. The original !Boot instructions are executed after the virus has been loaded, making it more difficult to spot than TrapHandler. Some times a message will appear (after a mode change): Hello, there. Just a little message. The infection count is: <infection count> This program is harmless 10 Jun 1991 [This message is encrypted, and will neither show up in memory nor in the infected !Boot file.] One might think that NetStatus should be placed as a 'variant' of TrapHandler, as the way the two viruses work are so similar (both viruses work by loading the !Boot file into memory below &8000 and then jumping to the code). However, seeing that the code itself was so different, I chose to let it have its own entry. Also, NetStatus infects the !Boot file instead of overwriting it! If you think you might have been infected by this virus, do *Help NetStatus to see if it is version 2.00, and if it is, do a *Modules to check where it resides. If the address is 018xxxxx then you are infected, if not, the address should be 038xxxxx. [This virus has the potential to cause chaos on Econet networks, where it will replace the real NetStatus module - causing anything that relies on it to fail.] Known variant(s) of the NetStatus virus are: NetStatus-2048 This appears to be an earlier version of NetStatus. Some code is missing in this version, but they appear identical in operation. Please note that not many virus killers are aware of both versions. If it understands only one strain, the !Boot file will become corrupt. ########################################################################### NewDesk =========================================================================== Last Updated: 3rd March 1993 Aliases: Origin: UK Isolation Date: March 1993 Effective Length: 2439 bytes Virus Type: Resident !Boot file infector Symptoms: !Boot filelength increase. --------------------------------------------------------------------------- Detection Media: Killer 1.375+ Memory: Killer 1.375+ VProtect 1.32+ Removal Media: Killer 1.375+ Memory: Killer 1.375+ --------------------------------------------------------------------------- General Comments: This is a BASIC program filetyped as a Sprite. It is loaded by !Boot and runs as a desktop task choosing one of the following names at random: "HandyHint", "Desktop X-tras", "Help", "Clock", "VProtect", "adfs 2", "RamFiler", "FormEd" or "Editor" (note: VProtect as used by this virus will show up as an application task. The real VProtect from Pineapple Software shows up as a module task) On April 1st or any Friday 13th it will *unplug Desktop, ADFS, BASIC and TaskManager. ########################################################################### Parasite =========================================================================== Last Updated: 21st April 1992 Aliases: Origin: UK, Cheshire? Isolation Date: January 1992 by S. Haeck Effective Length: 6K & 7K Virus Type: Resident application infector, stores code as separate file. Symptoms: Additional modules appearing within applications --------------------------------------------------------------------------- Detection Media: Killer 1.27+ Memory: Killer 1.27+ Scanner 1.23+ Scanner 1.20+ VProtect 1.12+ Removal Media: Killer 1.27+ Memory: Killer 1.27+ --------------------------------------------------------------------------- General Comments: This is a **very** nasty virus. Handle any infections with care! The parasite virus was first discovered by S. Haeck in January 1992. The two strains are identical, except that the first always uses the same name for its module, and the second has a random choice of 20 (twenty) filenames. It will only activate on machines whose network station number is <80 - which will include non-networked machines, which typically have 0 or 1 in the CMOS. Do NOT try to RMKill the module - a delayed action machine crash will result. It will *wipe any of the following file/directory names - !vkiller, vir, shield, prot and !guardian - this points at a UK origin since it is not aware of Scanner. It has a whole repertoire of dirty tricks, which are time triggered: - Corruption of the net printer name (it uses this as workspace) - Midnight, and xx:13: crash the computer - Before 07:00: crash the computer 300-900 seconds later - 00:00 to 00:59 on 1st Jan: crash the computer - 1st of any month: claim 16K of RMA (not used) - 21st June: set MouseStep to 1 - 21st December: set MouseStep to 127 (fast!) - 29th February: Set MouseStep to -5 (fast, and reversed) - If there is a 0 in the time, and the virus loaded from SCSI:*unplug the Podule Manager (disabling the SCSI disc) - At 0x and x0 seconds, if the module came from IDEFS: alias the IconSprites command so that no further sprites are cached Furthermore, there are some which can be fired at any time: 1 in 50: Change sound settings 1 in 25: Redefine character set to all spaces after 60-240 seconds 1 in 60: Corrupt the disc in drive 0 Lastly, there are a group of serious actions (which are limited so only a certain number occur within a given period): - Before 08:00 (14:00 Sundays): configure number of hard and floppy drives to zero. - Mondays: Configure Fontsize 0K, SpriteSize 512K, which will cripple a 1Mb machine! - 25th December: Configure MonitorType 3, Sync 0 - A 7 in the time: Configure Country to Greece - 1 in 4: Configure ADFS, Harddiscs 2, Drive 5 (very tricky if you don't happen to have two ST506 drives) The module names which it can use are: FontLibrary, CodeLibrary, ScreenObjct, PromptsPick, HPIBIntMngr, PRomModules, BasicCryptr, ChrSelecter, WimpModMake, PaletteUtl2, ModeUtility, FontUtility, TempManager, ColourConvt, IndexReader, ArthurImage, SyncUtility, VIDCManager, FontPalette, HugoFiennes. The first (6435 byte) strain always uses the name FontLibrary. Note that Hugo Fiennes, whose name appears at several points in the code, as well as being one of the module filenames, has much better things to do than write viruses, and has no known connection with this virus! (Source: Alan Glover, with thanks to Geoff Riley for much of the decoding) ########################################################################### Penicillin =========================================================================== Last Updated: 6th December 1992 Aliases: Origin: UK Isolation Date: December 1992 Effective Length: 7306 bytes Virus Type: Resident application infector Symptoms: Data file called Penicillin in application directories --------------------------------------------------------------------------- Detection Media: Killer 1.382+ Memory: Killer 1.382+ VProtect 1.25+ Removal Media: Killer 1.382+ Memory: Killer 1.382+ --------------------------------------------------------------------------- General Comments: This is basically speaking an Icon variant, and therefore bears common features with the base Icon strain. However, it is one of the more malicious variants, with tricks including: - Configuring FontSize to 128K - Altering the mouse step settings, and causing pseudo random movement - Configure TV 0,0 which will turn interlace on (screen shakes) - Makes a noise - Reads &12000 bytes from ADFS::0 to address 0 - this will almost certainly crash the machine - Configure the machine for no floppy drives - Change the mouse rectangle settings On the 13th of any month there is a random chance that it will: - Create a random mouse rectangle and enter an endless loop - Mark three sectors of the disc in ADFS drive 0 as defective (Source: Alan Glover, with thanks to Rick Sterry) ########################################################################### Poltergeist =========================================================================== Last Updated: 3rd March 1993 Aliases: Origin: UK Isolation Date: March 1993 Effective Length: 2573 bytes Virus Type: Resident application infector Symptoms: Two files apparently with no name in application directories --------------------------------------------------------------------------- Detection Media: Killer 1.395+ Memory: Killer 1.395+ VProtect 1.32+ Removal Media: Killer 1.395+ Memory: Killer 1.395+ --------------------------------------------------------------------------- General Comments: This file consists of two files of the same filetype. One is a BASIC program, the other is a sprite for the filetype. Once loaded the virus redefines the character used to name the files to a blank so there is a chance that the files would sit unnoticed inside an application. However 'Select All' will soon show their presence! Although it runs as a desktop task it will not show up on the Task Manager display. It has various actions which are fired at random (some with a degree of weighting to make them relatively infrequent): * Set the screen border to a random colour. * Change the screen border colour several times * Redefine the character set as spaces * Redfine a randomly chosen lower case character as a space * Set the mouse pointer to a random colour * Move the mouse pointer to a random position * Redefine the character set randomly * Draw a line on the screen * Redefine a colour at random * Draw a triangle on the screen * Change the text direction/orientation setting * Unlink the mouse from the pointer * Select Country Greece ########################################################################### Runopt =========================================================================== Last Updated: 25th October 1992 Aliases: Origin: UK Isolation Date: October 1992 Effective Length: 1684 bytes Virus Type: Resident application infector Symptoms: Desktop APPLICATION Task called 'Task Manager'. --------------------------------------------------------------------------- Detection Media: Killer 1.381+ Memory: Killer 1.381+ VProtect 1.24+ Removal Media: Killer 1.381+ Memory: Killer 1.381+ --------------------------------------------------------------------------- General Comments: In a similar manner to Icon, this virus uses a !Boot file to load a BASIC program. The program is called RunOpt!, and is filetyped as data. Note that the real 'Task Manager' shows up as a module task NOT an application task. (Source: Paul Frohock) ########################################################################### Shy =========================================================================== Last Updated: 20th October 1993 Aliases: Origin: UK Isolation Date: October 1993 Effective Length: 324 bytes Virus Type: Resident application infector Symptoms: A missing number in a *modules listing --------------------------------------------------------------------------- Detection Media: Killer 1.508+ Memory: Killer 1.508+ VProtect 1.49+ Removal Media: Killer 1.508+ Memory: Killer 1.508+ --------------------------------------------------------------------------- General Comments: This is a harmless virus which infects files of type &FF8 and resides in memory as a module. The title of the module is made up of a number of delete characters, with the effect that in a *modules display the line for the virus' module will not appear - which will cause the count of modules to seem to skip one. ########################################################################### Sprite =========================================================================== Last Updated: 21st April 1992 Aliases: 'Really Annoying Sprite Virus' Origin: Germany ? Ireland ? Isolation Date: February 1992 by Svlad Cjelli Effective Length: 720 bytes Virus Type: Resident application infector, stores code as separate file. Symptoms: File "Sprite" and maybe !Str in applications --------------------------------------------------------------------------- Detection Media: Killer 1.27+ Memory: Killer 1.27+ Scanner 1.23+ Removal Media: Killer 1.27+ Memory: Killer 1.27+ delete Sprite, delete !Boot OR delete !Run and rename !Str to !Run (depending whether !Str is present or not). --------------------------------------------------------------------------- General Comments: This has got some similarities with Image, but until I've (Alan) had a chance to do a code comparison, I'm not going to class them as members of the same virus family. In months which begin with an F it will change the pointer settings. As far as I can tell, the parameter block is junk, and it's hard to tell whether the call will return! If it does, a delayed routine is programmed, which when entered will do FX200,3, zero all the CMOS RAM, and display a message. The message is: Piracy IS theft - Your SYSTEM is DOOMED - Deutschland Uber Alles! For people like me who don't know any German, a liberal translation is 'Germany is best'. This is encrypted, so is not usually visible. Important note: Initial reports about this virus suggested that it could cause disc corruption. Aside from possible errors during attempted infections, it does not have any maliciously targetted code for filing systems. Infection is by saving the virus code as 'Sprite' (filetyped as such), and either creating a !Boot, or renaming !Run to !Str and saving a new !Run which runs !Str. (Source: Alan Glover, with thanks to Svlad Cjelli) ########################################################################### SpriteUtils =========================================================================== Last Updated: 11th September 1992 Aliases: Origin: UK Isolation Date: June 1992 Effective Length: 3028 bytes Virus Type: Resident application infector, stores code as separate file. Symptoms: File "Sprutils" appears in applications --------------------------------------------------------------------------- Detection Media: Killer 1.360+ Memory: Killer 1.360+ VProtect 1.17+ Scanner 1.42+ Removal Media: Killer 1.360+ Memory: Killer 1.360+ Scanner 1.42+ --------------------------------------------------------------------------- General Comments: This virus spreads by inserting a line in !run files, loading a trojan SpriteUtils module. It is my opinion that this virus is designed as an enabling tool for further unpleasant activities triggered remotely over a network. My reason for concluding this is that in addition to normal spreading and replication it goes to great pains to alter the Econet Protection setting to enable User Remote Procedure Calls. It intercepts the SWI vectors to process Econet_SetProtection and Econet_ReadProtection to return, and allow modification of, the value which was present when the virus started. It then supports two RPCs, one to turn off all protection, and the other to restore the setting with just RPCs enabled. It also attempts to disable VProtect, and will succeed with earlier versions. However, a new version of VProtect will have no problem in preventing the virus from being loaded in to a clean machine. It has no timed or other malicious contents, however as usual there are some consequences of the way it is written. In particular, it will claim 2K of RMA workspace, and never release it, nor does it restore the Econet protection setting it first found. (Source: Alan Glover) ########################################################################### TaskManager =========================================================================== Last Updated: 8th February 1993 Aliases: Origin: UK Isolation Date: Jan 1993 Effective Length: around 11200-11700 bytes Virus Type: Resident application infector, stores code as separate file. Symptoms: File " Log" appears in applications --------------------------------------------------------------------------- Detection Media: Killer 1.392+ Memory: Killer 1.392+ VProtect 1.30+ Removal Media: Killer 1.392+ Memory: Killer 1.392+ --------------------------------------------------------------------------- This virus spreads by appending loading instructions to !Boot files, and saving a file called ' Log' (filetype &ff8 - absolue) inside an application (the leading space is character code 160 - the 'hard' space). When active it runs as a desktop task called 'Task Manager' - note that like Vigay this will appear as an application task unlike the real Task Manager which is a module task. Aside from spreading it has no malicious code. (Source: Alan Glover) ########################################################################### T2 =========================================================================== Last Updated: 22nd May 1993 Aliases: Origin: United Kingdom Isolation Date: July 1992 Effective Length: 4304 bytes Virus Type: Merges with absolute !RunImage files. Symptoms: Messages from "T2" and spurious errors. --------------------------------------------------------------------------- Detection Media: Killer 1.370+ Memory: Killer 1.370+ VProtect 1.20+ Scanner 1.43+ Scanner 1.43+ Removal Media: Killer 1.370+ Memory: Killer 1.370+ --------------------------------------------------------------------------- General Comments: This is a very dangerous virus, which can cause severe data loss if not treated rapidly. On 1st Jan, 14th Feb, 1st May, 4th July, 31st October, 25th December and Friday 13th a message from T2 will be displayed and it will write invalid data to the first 32K of ADFS drives 0-7. On D or E format floppies this will destroy the FS Map and Root Directory, on D format hard discs it will destroy the boot block, FS Map and Root Directory. On E format hard discs, it will destroy the boot block only, since the Free Space map and Root directory are elsewhere on the disc surface. It will also attempt to do the same to Nexus drives 4-7. Additional information, 22nd May 1993: A variant has shown up using &DECAFF instead of &COFFEE, otherwise it is identical. The messages are: December 25th Yuletide Jollities from T2 A special christmas present: New blank disks all round. 1st January New Year's Resolution from T2 New Year's Resolution: I will keep my disks write protected. 14th February St. Valentine's Day Roses are red, Violets are blue, I've wiped your hard disk, Because I hate you. 1st May Mayday from T2 Mayday, mayday, mayday: your data's sinking. 31st October Spookiness from T2 You've got a vicious virus AND blanked disks - spooky huh? July 4th Independence Day celebrations from T2 You are now fully independent of your saved data. Friday 13th Comiserations from T2 Bad luck, me ol' China. Your disks have kinda left you in the lurch, as it were. Unfortunate, huh? And the random choice ones: Greetings from T2 I hate you. F*ck off and die. Painfully. Comment from T2 You stink of sh*t. Observation from T2 You're a f*cking c*nt. Hi there, from your friendly virus Hi there. You may (or may not) know me. I'm a virus. User meet T2. T2 meet user. Good ... See ya around. It also has a random chance routine, based on a 0.1 second timer, which has various possible effects, including: - A rude message (see above) - Scrambled CMOS memory - Crashing the machine - Destroying disc data (as above) There is not an easy quick check for this virus, since it will not show up as a module or desktop task. The easiest way I can come up with is to do the following two commands from BASIC (ensure that VProtect 1.20 or above is NOT loaded to avoid a false alarm). SYS "XOS_ServiceCall",,&C0FFEE TO ,A%:PRINT A% SYS "XOS_ServiceCall",,&DECAFF TO ,A%:PRINT A% If either number printed is zero, and VProtect 1.20+ is not loaded (or any other anti-virus program aware of this virus) then it is loaded and active. (Source: Alan Glover) ########################################################################### Terminator =========================================================================== Last Updated: 11th September 1992 Aliases: Origin: United Kingdom Isolation Date: July 1992 Effective Length: 3648 bytes Virus Type: Task. Stores code as separate file. Symptoms: Additional files appear in applications (see below) --------------------------------------------------------------------------- Detection Media: Killer 1.372+ Memory: Killer 1.372+ Scanner 1.47+ Removal Media: Killer 1.372+ Memory: Killer 1.372+ delete named file, remove last line from !Boot. --------------------------------------------------------------------------- General Comments: Strictly speaking - this is an Icon variant. However it has been changed sufficiently that it merits its own entry. It can choose one of eight task names, and one of eight different filenames/filetypes to save itself. In other respects it acts and spreads like Icon, though there is 1 in 10 chance of drive zero being wiped on each infection. The task names are : ADFS Filer, RMA Manager, Filer Extension, File Compactor, ADFS Filer (again), MemAlloc, " " and "F*ck off!" (except with no asterisk - you know what I mean...). The filenames and filetypes are: Icon (Sprite), MemAlloc (Module), RunCode (Absolute), ABCLib (Module), CLib (Module), Colours (Modules), FPEmulator (Module) and !DeskBoot (Utility). !Killer patches the virus before removing it to ensure that ADFSFiler is not rmkilled by the virus. (Source: Alan Glover) ########################################################################### Thanatos =========================================================================== Last Updated: 21st April 1992 Aliases: RISCOSext, RISCOS Extensions Origin: United Kingdom Isolation Date: May 1991 Effective Length: 11756 or 11764 bytes Virus Type: Task. Stores code as separate file. Symptoms: Files "RISCOSext" and "TaskAlloc" in application directories. Wimp task "Thanatos" visible in the Task Manager. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Killer 1.17+ Scanner 1.23+ VProtect 1.10+ Removal Media: Killer 1.17+ Memory: Killer 1.17+ delete named files --------------------------------------------------------------------------- General Comments: This is an encrypted (simple EOR with &7A, lower-case "z") BASIC program (crypted = 11756 bytes long, TOP-PAGE of BASIC program = 7660 bytes) called "RISCOSext" with a filetype of Absolute (yes, a very poor piece of ARM code decrypts and runs it and wastes nearly 4K of space between &8100 and &9000 !). Associated with it is a Sprite file (actually of filetype Module) called "TaskAlloc", which is 344 bytes long containing a rude sprite to replace the mouse pointer. When run, it installs itself as a Wimp task named "Thanatos" and then looks for double-clicks to infect application directories (copies the RISCOSext and TaskAlloc files into there and then appends the 'usual' string to the !Boot file (to run RISCOSext). The nasty section of the Thanatos Virus REALLY IS nasty, so I urge you to study this carefully. Roughly once every 100000 times around the Wimp_Poll loop, Thanatos can: * 2 out of 13 chances Shut down icon bar application at random (whilst displaying its own icon bar icon during the shutdown). * 1 out of 13 chances Cause a Desktop Quit. * 3 out of 13 chances Reverse the mouse pointer step (sets it -2). * 1 out of 13 chances Crash the machine by poking a duff instruction at the start of memory. * 1 out of 13 chances Randomise the 240 bytes of CMOS. [If this happens, you may have to either short or remove the battery from your machine, as it might refuse to boot.] * 4 out of 13 chances Randomly display one of 8 very rude messages - one of which also changes the mouse pointer shape to a rude graphic and another will also shutdown an icon bar application (the same routine as above). * 1 out of 13 chances Wipe the contents of <Obey$Dir>. It also has a "special date" section as follows: Any Friday 13th: Advertises its own "virus killer" (from Armen Software). April 1st 10 Address exception errors, followed by coloured rectangles and a 'stuck' mouse pointer for 10 seconds. An "April Fool" message is then displayed. December 25th: Destroys the disk map of ADFS drives 0, 4 and 5 followed by a "Merry Crimble" message. October 31st:Formats the floppy in drive 0, followed by a "Spooky" message. January 1st: As December 25th, but followed by a New Year's Resolution message (to keep your disks write-protected...). [ The 11764 byte variant is functionally identical, but a slightly earlier version ] (Source: Richard K. Lloyd) [Attempting to kill Thanatos by clicking 'Quit' in the Task Manager will not work. However, Killer and VKiller will patch the missing closedown code into the virus before removing it from memory.] ########################################################################### TrapHandler =========================================================================== Last Updated: 21st April 1992 Aliases: Origin: United Kingdom Isolation Date: September 1991 Effective Length: 924 bytes Virus Type: Resident !Boot file infector. Overwrites original !Boot file completely (or creates a new one if it doesn't find one) and stores own code here. Symptoms: Applications which depend on a !Boot file fail to run (i.e. if the !System !Boot file was overwritten, !Edit would fail to run due to the fact that the !System folder hasn't been seen. The same applies if the !Boot file in the Fonts directory is overwritten. The module 'TrapHandler'is present in the module list. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Interferon 2.00+ Scanner 1.03+ Killer 1.17+ VProtect 1.10+ Scanner 1.23+ Removal Media: Killer 1.17+ Memory: Killer 1.17+ Scanner 1.03+ Interferon 2.10+ delete !boot file Scanner 1.20+ RMKill TrapHandler --------------------------------------------------------------------------- General Comments: The TrapHandler virus is written as a module which infects application directories by overwriting the !Boot file with its own code. By hooking onto the FSControl vector, it looks for a *Run action, and on finding one (eg. the user opens a directory with applications, and if any of these contain a !Boot file (which RISC OS automatically executes)), TrapHandler overwrites the application's !Boot file with its own code. This code is loaded into memory by using a simple *LOAD <Obey$Dir>.!Boot <address> and then executing the code at <address>. On any Friday after the 20th of any month it will open a regular message box (i.e. using Wimp_ReportError) with the number of infections in the header, and an 'Ignorance will be your undoing.' This message is rather misleading, as the only destructive thing it does is overwrite your !Boot files (although it could - as all viruses can - be modified to do much nastier things). I might sound a bit trivial here - if your $.!Boot on the harddisc was overwritten, you might get a bit more than annoyed(!). However, as this !Boot file only gets run when you reset your machine, it is not very likely to get infected by this virus (unless you accidentally double-click on it or run it). ########################################################################### Valid =========================================================================== Last Updated: 21st April 1992 Aliases: Origin: Unknown Isolation Date: March 4, 1992 by Atle M. Bårdholt Effective Length: 1389 bytes Virus Type: Non-resident application infector, stores code as separate file. Symptoms: Files "Valid" and "Source" in application directories. --------------------------------------------------------------------------- Detection Media: Killer 1.30+ Memory: n/a Scanner 1.23+ VProtect 1.13+ Removal Media: Killer 1.30+ Memory: n/a Scanner 1.23+ delete !Run and "Source". Rename "Valid" to !Run. --------------------------------------------------------------------------- General Comments: Valid is a non-resident virus written in BASIC which works by renaming the !Run file of the application to "Valid", then saving itself as a file called "Source" and creating a new !Run file which points to the virus code. Both have correct filetypes (e.g. Obey and BASIC). In its current form it can hardly spread far. It surprises me that it was even released at all. Due to a major flaw in the code, Valid creates faulty !Run files every time it infects - effectively rendering the application non-executable - making it easy to detect that something is wrong. It is assumed, however, that this is fixed in other or newer versions (the incore filename of the BASIC file is "Source2"), as it is a very simple thing to do something about it. (This version keeps the first 21 chars of the orginal !Run file instead of making a new one.) On floppy based systems this virus causes a noticeable slowdown when it infects an application, as it uses the OSCLI command EnumDir to create a list of applications to infect. This list is saved as a file (as a result of EnumDir), and then loaded into some reserved memory. When the processing of this data is finished, the file is deleted. Valid never infects an application twice, as it checks to see if there's an "our" in the first line (part of RUN <Obey$Dir>.Source) of the !Run file. Also, it is not certain it will infect a given application - there's Ŵonly a 30% chance (determined by RND(10)>7) of this happening. Valid does little besides replicate (if it had worked properly), but does create a 0 byte file called "Infected!"Ŵ in the application directory after any 22nd in any month. ########################################################################### VanDamme =========================================================================== Last Updated: 8th June 1993 Aliases: Origin: Unknown Isolation Date: May 1993 Effective Length: 1517 bytes Virus Type: Non-resident application infector, stores code as separate file. Symptoms: Files with nonsensical names in applications --------------------------------------------------------------------------- Detection Media: Killer 1.410+ Memory: 1.410+ Removal Media: Killer 1.410+ Memory: 1.410+ --------------------------------------------------------------------------- General Comments: VanDamme is clearly an Icon derivative. However its major differences are that it has been run through a BASIC squasher, resulting in the small size. It chooses a name composed of random lower case letters for each infection, and a pseudo random filetype choice. It has a (very unlikely) random chance of formatting a disc. ########################################################################### Vigay =========================================================================== Last Updated: 21st April 1992 Aliases: DataDQM, Shakes Origin: United Kingdom Isolation Date: Probably April 1991 Effective Length: 2311 or 2432 bytes Virus Type: Task. Stores code as separate file. Symptoms: File "DataDQM" in application directories. The Task "TaskManager" in the Task Manager window. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Killer 1.17+ Scanner 1.23+ VProtect 1.10+ Removal Media: Killer 1.17+ Memory: Killer 1.17+ delete !Boot and file. --------------------------------------------------------------------------- General Comments: This is a BASIC program called "datadqm" with an associated 97-byte !Boot file. The REMs at the start of the program are as follows: REM (C)1989 PAUL VIGAY REM REM A nasty little Archie Virus !! REM ... or is something up with your monitor ??? REM REM version 1.1a (24th October 1989) Hence you now know why it's called the "Vigay Virus" - the author's name appears as a comment at the start! When first run, it initialises as a Wimp task called "TaskManager" and then waits for either: 1) a chance of (500 * hours left of a Thursday) to 1 to crop up to spark off a silly "wobble" demo (wobbles the screen and mouse pointer). Yes, this demo only appears on a Thursday and more frequently as the day wears on. or, 2) a file/directory double-click, in which case it attempts to replicate itself to the first application directory at that level that doesn't already have either an "!Boot" or a DataDQM" file. (Source: Richard K. Lloyd) [Apparently there are several versions existing (but apparently not circlulating), some activating on Fridays, others on Friday the 13th. It is not known whether these Friday versions broke loose, and later variants were also compiled using the Archimedes BASIC Compiler by DABS Press. We are still speculating if any of these are available to the general public. Also, it is worth clarifying that the 'TaskManager' will appear as an application task, unlike the real Task Manager which is a module task.] ########################################################################### Whoops =========================================================================== Last Updated: 1st June 1993 Aliases: Origin: United Kingdom Isolation Date: May 1993 Effective Length: 8091 bytes Virus Type: Resident task. Stores code as separate file. Symptoms: File "!memalloc" in application directory. --------------------------------------------------------------------------- Detection Media: Killer 1.408+ Memory: Killer 1.408+ VProtect 1.39+ Removal Media: Killer 1.408+ Memory: Killer 1.408+ --------------------------------------------------------------------------- General Comments: The virus is a BASIC program called !Memalloc and filetyped as a module. It loads as a desktop task called 'Paint'. However when told to quit it will re-initialise as a nameless desktop task. The virus is written to continue spreading until May 1995, after which it will start removing itself. It has a number of possible tricks, chosen by a random number: i) Give a spurious error and reboot the computer ii) Move the mouse pointer around iii) Give a spurious error iv) Close a window v) Stop the desktop for a random time (it turns on the hourglass) ########################################################################### Wimpman =========================================================================== Last Updated: 19th February 1993 Aliases: Origin: United Kingdom Isolation Date: February 1993 Effective Length: 1555 bytes Virus Type: Resident task. Stores code as separate file. Symptoms: File "Wimpman" in application directory. --------------------------------------------------------------------------- Detection Media: Killer 1.393+ Memory: Killer 1.393+ VProtect 1.31+ Removal Media: Killer 1.393+ Memory: Killer 1.393+ --------------------------------------------------------------------------- General Comments: This bears quite a similarity to the Icon family of viruses. The virus is a BASIC program, but is filetyped as a module. Aside from spreading (and hiding from the Task Manager display it has no other notable features). ########################################################################### Virus Detection Utilities --------------------------------------------------------------------------- Interferon: © Tor O. Houghton. Latest known version is 2.12 (13-Mar-1992). Resident program which looks for transfer of data to disc from areas below &8000, and from the RMA (e.g. most viruses which are written as modules, for example). Public Domain. Killer: © Pineapple Software Ltd. Written by Alan Glover of Acorn Computers Ltd. Latest version known is 1.600 (4-Dec-1993). Multi-tasking scanner/disinfectant. Currently, this application is the one which detects and removes all known viruses on the Archimedes. Very user friendly interface, lots of useful options,includes a nice window with look-up virus information. Commercial product. Scanner: © Tor O. Houghton. Latest version known is 1.56 (Oct-1992). A non-WIMP application which detects and removes the most common viruses. Commercial software, available direct from the author. Further updates are unlikely in the short term. VProtect: © Pineapple Software Ltd. Written by Alan Glover of Acorn Computers Ltd. Latest version known is 1.53 (4-Dec-93). Resident program which, amongst other things, checks !Run and !Boot and module files for infection before running them. Supplied with !Killer. This document exists in three parallel forms. Versions suffixed 'p' are the Impression version (primarily maintained by Tor Houghton), and those suffixed 'h' use the Binary Star !Clearview PD reader application to present a hypertext document. Updates to the document may be sent to either author, and both versions will get updated. The text version (suffixed 't') is derived from the Cleariew version. There is also an experimental vb version. The Impression version is currently substantially out of date - for recent information always refer to the h or t versions. Also, could you please include a note on what the program/virus does? Some help files we have seen have been very vague. All this information is based on our own reactions, and may well be incorrect in some parts. If you don't like it, send us some information (not too verbose). ########################################################################### Acknowledgements & Credits --------------------------------------------------------------------------- This list contains some of the many people who have helped in the preparation and updating of this document. Despite their best efforts, there are undoubtably some errors - which are wholly our own work :-). Simon Burrows: Additional virus documentation. Svlad Cjelli: Additional virus documentation. Michel Fasen: Additional virus documentation. Eivind Hagen: For letting me borrow Impression of him! Bjørn Hotvedt: For keeping up with the never-ending postings to and from Alan (and other people!). Richard K. Lloyd: For documentation on the older viruses. Terje Slettebø: For help with the disassembly of the NetStatus virus. Paul Frohock: For help and information long before !Killer saw light of day (and still going strong :-) )! The following pieces of software are amongst those I (Alan) use for virus analysis - my thanks to those in the list below who have added changes etc at my request or helped in other ways (you know who you are...). QDBug - Vertical Twist (Debugging tool) !QZap - Kevin Quinn (PD Desktop Disassembler) !Dissi - John Tytgat (Registered version - Desktop Disassembler/Source generator) !DeskEdit - RISC Developments (!Edit, with many useful additions) !Snoop - DT Software (Desktop examination tool) Thanks also to Mark Smith and David Pilling for help with ARCFS and SparkFS. ########################################################################### Contacting the authors --------------------------------------------------------------------------- POST: Tor Houghton Alan Glover 17K Park Village PO Box 459 University of Sussex Cambridge Falmer CB1 4QB Brighton UK BN1 9RD UK EMAIL: Tor O. Houghton: torh@cogs.susx.ac.uk Alan Glover: aglover@acorn.co.uk, or alan@pinesoft.demon.co.uk FAX: Alan Glover (+44) (0)223 415222 Acorn Computers Ltd. (+44) (0)223 254264 Pineapple Software (+44) (0)81 598 2343 TELEPHONE: Pineapple Software (+44) (0)81 599 1476 Acorn Computers Ltd. (+44) (0)223 254254 ########################################################################### Checklist --------------------------------------------------------------------------- (last change 30th October 1993) Click on the name of the virus to read more about it. Media Memory Virus Utility D R D R Alien Killer Y Y Y Y Aprilfool Killer Y Y Y Y Archie Guardian Y N ? ? Killer Y Y Y Y Scanner Y N N N Arcuebus Killer Y Y Y Y Axishack Killer Y Y Y Y BBCEconet Killer Y Y Y Y Scanner Y N Y Y Interferon N N Y N Bigfoot Killer Y Y Y Y Scanner Y N N N Boohoo Killer Y Y Y Y Breakfast Killer Y Y Y Y CeBIT Hunter Y Y Y Y Interferon N N Y Y Killer Y Y Y Y Scanner Y N Y N Code Killer Y Y Y Y Scanner Y Y N N Diehard Killer Y Y Y Y Ebenezer Killer Y Y Y Y Ex_port Killer Y Y Y Y Extend Guardian Y ? Y ? Hunter Y Y N N Interferon N N Y N Killer Y Y Y Y Scanner Y N Y N ExtendV2 Killer Y Y Y Y FCodex Killer Y Y Y Y Funky Killer Y Y Y Y Garfield_I Killer Y Y Y Y Scanner Y Y Y Y Interferon N N Y N Garfield_W Killer Y Y Y Y Scanner Y Y Y Y Interferon N N Y N Handler Killer Y Y Y Y Icon Hunter ! ! N N IVSearch ! ! ? ? Killer Y Y Y Y Scanner Y Y N N Image Killer Y Y Y Y Scanner Y N Y Y Image2 Killer Y Y Y Y Increment Killer Y Y Y Y Scanner Y N Y N IRQFix Killer Y Y Y Y Scanner Y Y N N Link Hunter Y Y Y Y Interferon N N Y Y Killer Y Y Y Y Scanner Y Y Y Y Mode87 Killer Y Y Y Y Scanner Y Y N N Interferon N N Y N Module Guardian Y Y ? ? Hunter Y Y Y Y Interferon N N Y N Killer Y Y Y Y Scanner Y Y N N MonitorDat Killer Y Y Y Y MyMod Hunter Y Y Y Y Interferon N N Y Y Killer Y Y Y Y Scanner Y Y Y Y NetManager Guardian ? ? ? ? Interferon N N Y Y Killer Y Y Y Y Scanner Y Y Y Y NetStatus Hunter ! ! Y Y Interferon N N Y Y Killer Y Y Y Y Scanner Y Y Y Y VirusKill Y Y ? ? NewDesk Killer Y Y Y Y Parasite* Killer Y Y Y Y Scanner Y N Y N Penicillin* Killer Y Y Y Y Poltergeist Killer Y Y Y Y Runopt Killer Y Y Y Y Shy Killer Y Y Y Y Sprite* Killer Y Y Y Y Scanner Y N N N SpriteUtils Killer Y Y Y Y Scanner Y Y N N Taskmanager Killer Y Y Y Y T2 Killer Y Y Y Y Scanner Y N N Y Terminator* Killer Y Y Y Y Scanner Y N N N Thanatos* Hunter Y Y N N Killer Y Y Y Y Scanner Y N N N Traphandler Hunter Y Y Y Y Interferon N N Y Y Killer Y Y Y Y Scanner Y Y Y Y Valid Killer Y Y na na Scanner Y Y na na VanDamme Killer Y Y Y Y Vigay Guardian Y Y ? ? Killer Y Y Y Y Scanner Y N N N Whoops Killer Y Y Y Y Wimpman Killer Y Y Y Y ? Refers to cases where the documentation fails to explain exactly what it does with the virus. ! Special cases (e.g. some killers might not detect all variants of a virus), refer to the separate virus entries in this document for details. na Not applicable, typically a virus which does not reside in memory. ########################################################################### Quick Checks --------------------------------------------------------------------------- (last change 24th November 1993) Click on the virus name to read more about it. Alien - Icon variant - wide choice of specific names and filetypes. Aprilfool - Creates directory called ScrapHeap on RAM disc. Desktop task called 'aprilfool'. Archie - Attacks absolute (filetype &FF8) files. Arcuebus - Installs a false NetStatus module (3.07). Axishack - Desktop task called Axis_Hack. BBCEconet - Attacks absolute files, encrypting part of them. Loads trojan BBCEconet module. Bigfoot - Desktop task called 'bigfoot', file with randomly chosen name in capitals (BASIC file). Boohoo - Attacks modules. Infected modules are re-stamped. Killing an infected module gives 'Yah, boo hoo', hence the name! Breakfast - Attacks absolute files, encrypting part of them. Loads trojan BBCEconet module. CeBIT - Attacks applications. File "TlodMod" in app. directory. Module "TlodMod" in module list. Code - Desktop task called 'Window Manager'. Applications may 'lose' their sprites. Diehard - Icon-2173: data file called Setup. Ebenezer - Desktop application task called "Filer". Screen judder on Fridays. EMod - Nameless wimp task which never quits. Ex_port - File called ex_port (various filetypes) inside applications. Extend - Attacks applications. Files "MonitorRM", "CheckMod", "ExtendRM", "OSextend", ColourRM", "Fastmod", "CodeRM" or "MemRM" in app. directory . Module "Extend" in module list. ExtendV2 - Icon variant which describes itself as Extend FCodex - File called 'FCodex' inside applications. Funky - Desktop task called 'Window Dude'. Garfield_I - Creates application called !Pic, loads a module called IconManager. Garfield_W - Creates application called !Obey, loads a module called WimpAIDS. Handler - Creates an application task called 'Task Handler'. Icon - Attacks applications. Files of various names in app. directories. Nameless WIMP task in the Task Manager, or missing memory in the Task Manager. Image - Attacks applications. Files "Image" and "!Spr" in app. directory. Image2 - Attacks applications. Files "Image" and "!BootFAT" in app. directory. Increment - Attacks applications. Appends to !Boot - look for 'load <obey$dir>.!boot 8000' towards the end of the !Boot. Irqfix - Attacks applications. Files "RiscExtRM", "WimpPoll", "OSSsystem", "MiscUtil", "FastRom", "IRQFix" or "AppRM in app. directory. Module "Irqfix" in module list. Link - Attacks absolute (filetype &FF8) files. Module "BSToDel" in module list. Infected files are re-stamped. Mode87 - Loads a module called BBCEconet (replacing the real one). Overwrites !Boot files. Module - Attacks modules. Infected modules are re-stamped. MonitorDat - Chance of screen wobble on Mondays. File called MonitorDat inside applications. MyMod - Attacks applications. Files "SSLM" and "SSLF" in app. directories. Module "MyMod" in module list. NetManager - Attacks !Boot files. Module "NetManager" in module list. NetStatus - Attacks !Boot files. Module "NetStatus" in module list (at offset &018xxxxx). Ensure the program you use understands both strains of this virus! Killer and Scanner do. See also Arcuebus. NewDesk - Sprite file called NewDesk, various task names. Parasite - Attacks applications. Random of 20 filename choices for the code carrier. Penicillin - Malicious Icon variant - always a Data file called Penicillin. Poltergeist - Creates files with an 'invisible' name and a grey sprite. RunOpt - Starts an APPLICATION task called 'Task Manager' Shy - *Modules will show a module number missing (providing another module has been loaded since). Sprite - Attacks applications. Files "Sprite" and "!Str" in app. directories. SpriteUtils - Attacks applications. File SprUtils saved in applications. Loads from !run. Taskmanager - Attack applications. File ' Log' inside applications. Produces a desktop application task called 'Task Manager'. T2 - Attacks !RunImage files of type &FF8. Files grow by about 4K. See entry for details. Terminator - An Icon variant which uses varied file/task names. Extra files appear in directories. Thanatos - Attacks applications. Files "RISCOSext" and "TaskAlloc" in app. directory. "Thanatos" visible in the Task Manager. TrapHandler - Attacks !Boot files. Module "TrapHandler" in module list. Valid - Attacks applications. Files "Valid" and "Source" in app. directory. VanDamme - Attack applications. Files with randomly chosen lower case names of a variety of filetypes. Vigay - Attacks applications. File "DataDQM" in app. directories. WIMP task named "TaskManager" in the Task Manager. Whoops - Attacks applications. File !Memalloc added to application. Wimpman - File called 'WimpMan' in application directories. Filetyped as a module, but is BASIC. ########################################################################### Calendar --------------------------------------------------------------------------- A number of viruses have messages which are programmed to be displayed on a given day or dates. Some are specific dates (eg 4th July) others are less specific such as the first monday of the month, or Friday 13th. This section is subdivided into months, for the viruses with specific dates and messages which could occur in any suitable month. To read more about a particular virus mentioned in this section click on the virus name (which will be underlined). January February March April May June July August September October November December Any ########################################################################### January --------------------------------------------------------------------------- Date Virus Message/Action 1st Parasite Crashes computer before 01:00 1st T2 New Year's Resolution from T2... 1st Thanatos Suggested new-year's resolution... 1st Breakfast A contest of skill and cyberprank... 1st Icon Got over your hangover already? (before 10am) ########################################################################### February --------------------------------------------------------------------------- Date Virus Message/Action 14th T2 St. Valentine's Day Roses are red, Violets are blue... 14th Icon Alan G 4 Tor H 29th Parasite Set Mouse step rate to -5 (fast & reversed) ########################################################################### March --------------------------------------------------------------------------- Date Virus Message/Action 15th Bigfoot This is a HOLD UP! Give me all the PD software... ########################################################################### April --------------------------------------------------------------------------- Date Virus Message/Action 1st BBCEconet E.T. phones home! 1st Thanatos Address Exception at &0863FB3C 1st Aprilfool April fool 1st Breakfast <details to be added> 1st NewDesk Ha!, Ha!, Ha!. I had you fooled there 1st Icon Palette has wiped your Hard Drive ########################################################################### May --------------------------------------------------------------------------- Date Virus Message/Action 1st T2 Mayday from T2... ########################################################################### June --------------------------------------------------------------------------- Date Virus Message/Action 21st Parasite Set Mouse step rate to 1 (slow) 25th BBCEconet Ph'nglui mglw'nafh Chtulhu... ########################################################################### July --------------------------------------------------------------------------- Date Virus Message/Action 4th T2 Independence Day celebrations from T2... 4th Icon ***SHAKES*** 4th Bigfoot Hay there its the 4th of July... 21st Breakfast Cheer up, the worst is yet to come. I think. ########################################################################### August --------------------------------------------------------------------------- Date Virus Message/Action No viruses are known which display messages specifically during this month. ########################################################################### September --------------------------------------------------------------------------- Date Virus Message/Action 6th (1992) Module Your computer has been virus infected... ########################################################################### October --------------------------------------------------------------------------- Date Virus Message/Action 23rd BooHoo Happy Birthday! 31st T2 Spookiness from T2... 31st Thanatos Your disk's been formatted without you asking... ########################################################################### November --------------------------------------------------------------------------- Date Virus Message/Action 5th Bigfoot Wizz Bang! Its Guyfalks night... 5th Breakfast Remember, Remember, the 5th of November - Gunpowder, Treason and Plot... 5th Icon It's Bonfire Night ########################################################################### December --------------------------------------------------------------------------- Date Virus Message/Action 21st Parasite Set Mouse step rate to 127 (very fast) 21st Parasite Change MonitorType and Sync settings 25th BBCEconet Merry Christmas! 25th Bigfoot Happy Christmas from BigFoot ... The VIRUS 25th T2 Yuletide Jollities from T2... 25th Thanatos Merry Chrimble! Hope you liked your pressy... 25th Icon The AVRD doesn't know about this one. 26th Icon Sorry to wreck your new pressy but this *is* a virus. ########################################################################### Any Month --------------------------------------------------------------------------- Date Virus Message/Action 13th Archie Hehe ArchieVirus strikes again 13th Penicillin Creates random mouse rectangle and endlessly loops 13th Penicillin Marks three sectors on ADFS::0 as defective 13th Icon Random graphics Friday 13th Link Message from LINK: Active since 30-Nov-91 Friday 13th BBCEconet It's Friday! Why are you working.... Friday 13th MyMod Hi there. It's me, with my latest addition... Friday 13th T2 Comiserations from T2... Friday 13th Breakfast Have a nice day. Friday 13th NewDesk Ha!, Ha!, Ha!. Unlucky for some Friday 13th Icon Palette Strikes Again!!! Friday >20thTraphandler Ignorance will be your undoing First MondayGarfield_I The Garfield Virus is here to stay First MondayGarfield_I Don't you just hate Mondays? First MondayGarfield_W The Garfield Virus is here to stay First MondayGarfield_W Don't you just hate Mondays? Any Monday MonitorDat Screen wobbles up/down Any ThursdayVigay Screen wobbles up/down Any Friday Ebenezer Screen wobbles up/down Any SaturdayAxishack Screen wobbles up/down xx:30 Icon Your Floppy Drive Has Got An Erection ########################################################################### Index --------------------------------------------------------------------------- Introduction Introduction Abstract Virus Index Index to known viruses Virus Detection Utilities Acknowledgements & Credits Contacting the authors Checklist Quick Checks Calendar Index of virus names and aliases: Alien Aprilfool Archie Arcuebus Axishack BBCEconet Bigfoot Boohoo Boot CeBIT Code DataDQM Diehard Ebenezer EMod Ex_port Extend FCodex Filer FF8 Funky Garfield_I Garfield_W Handler HLCC12 Icon Icon-A Illegal Image Image2 Increment IRQFix Link Mode87 Module ModVir MonitorDat MyMod NetManager NetStatus NewDesk Newvirus Ohsh*t Parasite Penicillin Poison Poltergeist RISCOSExt Runopt Shakes Shy Sicarius Silicon Herpes Sprite SpriteUtils Taskmanager T2 Terminator Thanatos Traphandler Valid VanDamme Vigay Whoops Wimpman Wraith Wright