Acorn User: China

home *** CD-ROM | disk | FTP | other *** search

/ Acorn User: China / Acorn User China CD-ROM (UK) (Disc B) / Acorn User China CD-ROM (UK) (Disc B).bin / STUTTGART / ANTIVIRUS / SCANNER / AVRD158t < prev

Wrap

Text File | 1992-10-27 | 101.5 KB | 2,863 lines

This is the textual version of the AVRD. In order to minimise editing overhead this version is now derived directly from the source of the HyperText version. The derivation is performed by a program, so the formatting may not always be perfect - but we'd rather spend our time coding !Killer/!Scanner ! Ignore any references to clicking in specific places in the document - this facility is only available in the HyperText version. ########################################################################### The Archimedes Virus Reference Document --------------------------------------------------------------------------- Version 1.58h (October 25, 1992) Copyright © 1991, 1992 Tor O. Houghton and Alan Glover This document is copyright. Profit based distribution (whether PD or Shareware) without prior consent from the authors, is strictly illegal. If in doubt, contact one of the authors. Note that this version of !ClearView also has certain conditions upon it's distribution. This is the hypertext form of this document, using the Binary Star !ClearView package. Click here (on the underlined word) for a brief guide to using this software and details about obtaining enhanced versions. A full list of the contents, and an index of the viruses covered in this edition of this document can be seen by clicking the 'index' icon (the rightmost one), or the underlined word in this sentence. ########################################################################### Abstract --------------------------------------------------------------------------- As the number of people using the Archimedes range of computers has increased over the years, so has the number of viruses. This document should be of interest to all users of an Acorn computer running a version of RISC OS, and contains the compiled information from various virus researchers and their killers. In particular, it is (as the title suggests) a compendium of the knowledge about viruses of Tor Houghton and Alan Glover. The purpose of this document is to give as many details as possible on each virus known, and to assist those who think they might be infected by a virus. A dilemma occurred as this document took form. How much information should be included? If we provided too much information, this document could well become an effective "cookbook" for people wanting to write a virus. This is not our intention. The professionals and programmers who read this will easily identify the missing or omitted information because they already have this background knowledge - it is part of the working tools of our profession. The document is not intended to provide very detailed technical information on a virus (although this may happen as a way of explaining it), but to allow the reader to understand what the virus generally does, what makes it activate and what it does upon activation. Most important, however, it should help the user with the removal! 1.0 Introduction --------------------------------------------------------------------------- A virus is nothing magical. Anyone with a bit of programming skills and some knowledge about the machine's operating system is capable of creating a virus. Usually these programmers think it is fun, they've read too many cyberpunk books, or they are generally pitiful creatures who like to inflict damage. Final note: In spite of many journalist's secret wishes, a computer virus cannot spread from one type of computer to another. For example, a virus written on a PC running MS-DOS or Windows cannot infect the Archimedes - in native mode. If you are using the PC emulator, a virus functions perfectly under this environment too (probably with a few exceptions due to the fact that there are about 1000 viruses running under this particular operating system). The only area in which some crossover is possible is hardware - if you have a DOS virus which thrashes the floppy disc out of alignment, it will obviously affect it when it is used normally! 1.1 Some Definitions --------------------------------------------------------------------------- Connectivity: The level of ability a computer has to connect to other computers. Nowadays it is very easy to, for example, phone a BBS and download new software. The higher level of connectivity, the higher the level of possible exposure to computer viruses. The same may also be considered true of other sources of software, such as PD libraries. Trojan Horse: This is a generic name (taken from Greek mythology) for a penetration method that includes hidden code. An example of this is the Link virus which, while being helpful in the ways of converting backspace to delete, also launches a virus into your computer. Virus: A computer virus can be defined as a malicious program capable of replicating itself. See "A Computer Security Glossary for the Advanced Practitioner" in the Computer Security Journal IV, No. 1, 1987 for a similar description. Please note that most computer viruses on the Archimedes do nothing but replicate, although there are a few exceptions. Worm: A computer program which moves through your computer system, altering data as it copies itself and deleting the old copy. If a worm reproduces it could also be called a virus. There are no reports of worms on the Archimedes, mainly because it is such a closed system, and would be detected much too easily to become a hazard. Networks are more exposed to such nasties. 1.2 Entry Explanations --------------------------------------------------------------------------- Name: The most common name of the virus. Often chosen because of some text found in the virus, or like CeBIT, connected to some event (the biggest computer show in Europe). Aliases: Names which other anti-viral agent documents (usually brief notes which are included with the program) use for the same virus. This includes names that are commonly used by BBS users etc. Origin: The country where the virus seems to have originated from. Isolation Date: The date (as detailed as possible) when the virus was first found. Effective Length: The length the virus occupies on the disc. The actual length in memory may well be shorter. Virus Type: Task refers to viruses written as a multitasking program (i.e. appears on the Task Manager, with or without a task name). Resident refers to viruses which, by reserving some memory, insert themselves as a machine code program invisible to the task manager. By monitoring certain interrupts the virus is able to spread. Also, if the virus attaches itself to files, this is noted along with what type of files it infects. Symptoms: Odd behaviour which might occur if the virus is loaded. This could be spurious crashes or files suddenly appearing (or disappearing!). Take note that this has nothing to do with what the virus actually does when it activates, as this will be detailed as extensive as possible under the 'general comments' section. Detection: Refers to anti-virus agents (complete with earliest version number) which to our knowledge detects the virus. Please be so kind as to update me on this, as I know there are several anti-virus programs wandering around which I don't have! Removal: Refers either to programs which remove the virus from the infected file (complete with earliest version number), or if possible, which files to delete without destroying the program. Where it says 'Remove named file(s)', take note that if there is a !Boot file present, be sure to check this too (i.e. with !Edit). In particular, never assume that a Module may be RMKilled, or that an application task may be Quit. It might disappear, but it may also set up a time bomb with serious effects on the system. As a rule, it is unwise to attempt to remove a virus from memory yourself. However some anti-virus programs contain specific code to detect and remove viruses which are present in memory. Where an anti-virus program is known to be able to do this the program and version is given. The criteria for this is that the anti-virus program either neutralises or removes the virus from memory, leaving the machine in a safe enough state for the anti-virus program to remove the infection from your media. Even with this protection, you should still do a CTRL-Reset as soon as possible after you have been infected. General Comments: As detailed information about the virus as possible. Also, if there are any mutated versions of the virus, these are stated here too, along with any relevant information. Please note that the number after the virus name states how many bytes it occupies on the disc. Source: The person who provided the information about the virus concerned. Where a name does not appear, it will probably have been written by Tor Houghton or Alan Glover. In some cases, an acknowledgment will be included to someone who has helped in the isolation or analysis of the virus. Sometimes square brackets ("[]") with a comment might appear. These are our comments, and offer additional useful information which we thought the original author left out. ########################################################################### Virus index --------------------------------------------------------------------------- Click on the virus name to find out more about it Archie FF8 Arcuebus BBCEconet Bigfoot CeBIT Code Sicarius Extend Funky Garfield_I Garfield_W Handler Icon Icon-A, Filer, Poison, NewVirus Image Increment Irqfix Link Mode87 Module ModVir, Illegal MyMod Silicon Herpes NetManager NetStatus Boot Parasite * Runopt Sprite * SpriteUtils T2 * Terminator * Thanatos * RISCOSExt Traphandler Valid Vigay DataDQM, Shakes Viruses marked with an asterisk (*) indicate that they carry malicious code. Any detection of one of these viruses should be treated thus: 1) Perform a CTRL-RESET as soon as possible.To be safe, press F12 and type FX 200,3 beforehand. This should get the virus out of memory, just leaving the storage media to be cleaned. Remember that infection can be as easy as opening a filer viewer! 2) Load a virus killer, and check that the virus is not active. Some virus killers (e.g. Pineapple's !Killer) are capable of removing any resident virus, and withstanding infection attempts whilst doing this. Bear in mind that not all anti-virus programs are intended to start up in an environment where a virus is active. 3) Run the virus killer through the system, opening the minimum possible number of filer windows. Obviously, if you keep your copy of the virus killer on a write-protected floppy this is quite easy! Remember to check removable discs too! Please note that spurious resets and/or errors which occur are usually the results of poor programming, and is therefore not considered malicious (it merely depicts the programmer's skills - he should have stuck to LOGO). Although not usually marked as malicious, some viruses will cause the !Boot of an application to be overwritten. This can cause things which usually happen automatically (eg: locating !System) to fail. ########################################################################### Archie =========================================================================== Last Updated: 21st April 1992 Aliases: FF8 Origin: United Kingdom Isolation Date: 1988 Effective Length: 920 bytes Virus Type: Resident Absolute (FF8) file infector. Symptoms: May cause "Address exception" or "Undefined instruction" errors. Absolute files will grow in length. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Interferon 2.00+ Scanner 1.02+ Killer 1.17+ Removal Media: Killer 1.17+ Memory: Killer 1.17+ --------------------------------------------------------------------------- General Comments: This is a piece of ARM code that is appended to executables with the Absolute (&FF8) filetype. It is 920 (&398) bytes long and has a tell-tale 4-character string at the end of its code, "1210", which is used as an "already-infected" flag. The first instruction of the original executable is saved near the end of the virus code space and is replaced by a branch to the first instruction of the Archie virus code. What Archievirus does when first run: 1.Attempts to infect executables (Absolute filetype) with the filespecs "@.*" and "%.*". In other words, all executables in the current and library directory are attacked. 2.Uses OS_File 36 as a "semaphore" to see if it is lodged in RMA. If a call to OS_File 36 returns with an error, then it hasn't infected the RMA yet, so it proceeds to claim 920 bytes of RMA, copy itself into there and points a claim of the OS_File vector to its new RMA location. 3.The time is checked to see if it is the 13th of the month. If so, the code loops indefinitely, displaying the 45-character message (in the virus, this message is EORed with &64, and is therefore not easy to spot.): Hehe...ArchieVirus strikes again... 4.Assuming it wasn't the 13th of the month (and NO, it doesn't check for a Friday!), then the original first instruction of the executable is replaced and the original normal code continues from &8000 onwards. The OS_File vector claim is quite important, because this serves two purposes: a.It allows OS_File 36 to return without an error, signalling that the RMA is already infected. b.It checks for OS_Files 0 and 10 (Save memory to file), 11 (create empty file) and 12,14,16 and 255 (Load file). If any of these are encountered then an infection attack is activated (see step 1 above). (Source: Richard K. Lloyd) ########################################################################### Arcuebus =========================================================================== Last Updated: 25th October 1992 Aliases: Origin: UK Isolation Date: October 1992 Effective Length: 9619 bytes Virus Type: Resident application infector Symptoms: Extra module files appear in applications --------------------------------------------------------------------------- Detection Media: Killer 1.381+ Memory: Killer 1.381+ VProtect 1.24+ Removal Media: Killer 1.381+ Memory: Killer 1.381+ --------------------------------------------------------------------------- General Comments: This virus spreads as a module within applications. The module has eight possible names: ProgUtil, Resource, InfoFile, SystemRS, ModularR, PureMath, SoundMdl and GraphMdl. When loaded (from a !Boot file) it installs itself as a NetStatus 3.07 (15 Sep 1988). A quick check for this virus is to press <F12> and type 'Help Virus'. The following text will be displayed: Congratulations. Your system has the Arcuebus virus. The following data may interest you:- Virus generation number: Dnnn This copy was born: <date/time> At the same time a sound sample (loaded as a voice called Percussion-Bass) is played. This says 'I am a servant of the <???>'. If anyone who hears this has a good idea what the last word is - do tell us! (Source: Paul Frohock) ########################################################################### BBCEconet =========================================================================== Last Updated: 29th June 1992 Aliases: Origin: United Kingdom Isolation Date: April 1992 Effective Length: 5280 bytes Virus Type: Resident Absolute (FF8) file infector. Symptoms: Module "BBCEconet 0.09" resident in RMA (&018xxxxx) (see also Mode87!). --------------------------------------------------------------------------- Detection Media: Killer 1.33+ Memory: Killer 1.33+ Scanner 1.33+ Interferon 2.12+ Scanner 1.34+ VProtect 1.15+ Removal Media: Killer 1.33+ Memory: Killer 1.33+ Scanner 1.34+ --------------------------------------------------------------------------- General Comments: The action of this virus bears a marked similarity to Link, i.e. it appends code to absolutes and uses a module to perform the infection (in this case BBCEconet, which it installs). As with Link, it attempts to infect %.Squeeze. However, both viruses use the same check to see whether a file is infected so it is not possible to have an absolute simultaneously infected by Link and BBCEconet. The majority of this virus is kept encrypted when it is not executing, and it also encrypts a segment at the beginning of the absolute file. The encryption key changes with each infection. In short, you need dedicated software to remove it. The datestamp will not change, and as with Link, it temporarily patches Interferon to allow itself to infect without any alarms being given. There are various date fired routines, outlined below. Friday 13th: It's Friday! Why are you working? I first infected a commercial program with good help from Dr. Blob. Now you're infected too - and probably most of your penpals. I've got more in store! And... I've created XXXX copies of myself. Good luck! December 25th: Merry Christmas! April 1st: E.T. phones home! (It sends ATD 0749 679794 to the serial port, so if you have a Hayes compatible modem connected, it will dial this number - a well-known bulletin board service in Somerset.) June 25th: Ph'nglui mglw'nafh Chtulhu R'lyeh fthagn. And... I've created XXXX copies of myself. [The non-english part of this message was introduced by H.P. Lovecraft in his short story The Call of Cthulhu, where it translates to "In his house at R'lyeh, dead Cthulhu waits dreaming." Probably used by the virus writer as proof that he has read this book.] All of these messages will appear in an error box titled "Ouch! You've been bitten!" It may also clear the screen and print the word "LOVE" in mode 12. (Source: Alan Glover) ########################################################################### Bigfoot =========================================================================== Last Updated: 11th September 1992 Aliases: Origin: United Kingdom Isolation Date: August 1992 Effective Length: 5535 or 5580 bytes Virus Type: Task. Stores code as separate file. Symptoms: Additional files with random names in capital letters appear in applications --------------------------------------------------------------------------- Detection Media: Killer 1.381+ Memory: Killer 1.381+ Scanner 1.47+ (5580 byte strain only?) Removal Media: Killer 1.381+ Memory: Killer 1.381+ delete named file, remove line from !Boot. --------------------------------------------------------------------------- General Comments: This is a fairly simple BASIC program, which installs as a desktop task called Bigfoot. It has messages for certain dates, namely: 25 Dec: Happy Christmas from BigFoot ... The VIRUS 05 Nov: "Wizz Bang! Its Guyfalks night BigFoot Strikes again! 04 Jul: "Hay there its the 4th of July ,American Independence! Best wishes from BigFoot 15 Mar: This is a HOLD UP! Give me all the PD software you can get,,, Or you SYSTEM gets it!!! By the way its the end of the fishing season. It infects by creating or modifying the !Boot file, using a random name of 1-10 upper case characters. The virus is saved as a BASIC file of the same name. However the BASIC itself always has REM>Bigfoot on the first line. Apart from spreading, it has no malicious code. The 5535 byte version can not be Quitted from the Task Manager. (Source: Alan Glover, with thanks to Paul Frohock and David Cox for initial analysis) ########################################################################### CeBIT =========================================================================== Last Updated: 21st April 1992 Aliases: Lord of Darkness, TlodMod Origin: Germany Isolation Date: March 1991 Effective Length: 1240 bytes Virus Type: Resident !Boot file infector, stores code as separate file. Symptoms: File "TlodMod" in application directories. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Interferon 2.00+ Scanner 1.23+ Killer 1.17+ VProtect 1.06+ Scanner 1.20+ Removal Media: Killer 1.17+ Memory: Killer 1.17+ delete named file, remove last line from !Boot. --------------------------------------------------------------------------- General Comments: This is a module called "TlodMod" with the following title string: TlodMod 1.11 (11 Nov 1990) by Devil the LORD OF DARKNESS It is 1240 (&4D8) bytes long and hooks itself into UpCallV. It then activates once a minute and first checks for the existence of <Obey$Dir>.TlodMod. If this already exists, then no further action is taken. If it doesn't, however, it then attempts to append the following line to <Obey$Dir>.!Boot: rme. TlodMod 0 rml. <Obey$Dir>.TlodMod If it succeeds at this, a counter is incremented and the module is replicated as <Obey$Dir>.TlodMod. Every 16th successful infection will trip the virus into issuing a "*Wipe $.path.file*" (which will inevitably fail!) and then displaying a message accompanied by a simple graphic. The message displayed is thus: This is a warning to all Users, I am back on the Archimedes ... Your Archie is infected now and with him most of your programms. Don't worry, nothing is damaged, but keep in mind the protection! And always think about the other side of THE LORD OF DARKNESS ... Virus generation is <counter> (Source: Richard K. Lloyd) ########################################################################### Code =========================================================================== Last Updated: 11th September 1992 Aliases: Origin: UK Isolation Date: June 1992 Effective Length: 2251 bytes Virus Type: Resident !Boot file infector, stores code as separate file. Symptoms: File "Code" in application directories. --------------------------------------------------------------------------- Detection Media: Killer 1.360+ Memory: Killer 1.360+ Scanner 1.42+ VProtect 1.17+ Removal Media: Killer 1.360+ Memory: Killer 1.360+ Scanner 1.42+ --------------------------------------------------------------------------- General Comments: This virus installs itself as a desktop task called "Window Manager". The 'Code' file is filetyped as &FF8, but is actually plain BASIC. The virus can either extend a !Boot or create one - if one is created it will be 44 bytes long. The only effects from this virus will be the the loss of sprites for some applications, since the !Boot file it creates does not contain an IconSprites statement to load the sprites. (Source: Alan Glover) ########################################################################### Extend =========================================================================== Last Updated: 21st April 1992 Aliases: Origin: United Kingdom Isolation Date: October 1990 Effective Length: 940 bytes Virus Type: Resident task. Stores code as separate file. Symptoms: File "MonitorRM", "CheckMod", "ExtendRM", "OSextend", "ColourRM", "Fastmod", "CodeRM" or "MemRM" in application directory. Each time the code is executed it grabs 1k of RMA - this will eventually lead to a system crash. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Interferon 2.00+ VProtect 1.06+ Killer 1.17+ Hunter 1.00+ Scanner 1.20+ Scanner 1.36+ Removal Media: Killer 1.17+ Memory: Killer 1.17+ delete named file, remove extra lines from !Boot. --------------------------------------------------------------------------- General Comments: It's a module which can go under 8 different filenames (the name is picked at random using the current time as a seed): MonitorRM, CheckMod, ExtendRM, OSextend, ColourRM, Fastmod, CodeRM or MemRM. However, the module itself has the following title string: Extend 1.56 (08 Jul 1989) It is 940 (&3AC) bytes long and initialises itself as a nameless Wimp task which then looks for Wimp Message 5 (double-click). It attempts to either create an !Boot in the application directory or append to an already existing one with the following lines: IconSprites <Obey$Dir>.!Sprites [0D] RMEnsure Extend 0 RMRun <Obey$Dir>.ModName [0D] ||[FF] The "IconSprites" line is omitted if it is appended to an existing !Boot. "ModName" is one of the 8 possible filenames. The Extend Virus uses the &FF (i.e. decimal 255) byte at the end as a self-check to see if has infected the !Boot file already. Of course, it copies itself to the new name inside the application directory as you would expect. Note the incorrect use of &0D (decimal 13) to terminate the lines, rather than the more correct &0A (decimal 10). A shift-double-click does NOT cause an infection, but it DOES claim yet another 1K of never-to-be-released RMA. There is no damage apart from the claiming of RMA (which will eventually lead to a system crash). (Source: Richard K. Lloyd) ########################################################################### Funky =========================================================================== Last Updated: 25th October 1992 Aliases: Origin: UK Isolation Date: October 1992 Effective Length: 1308 bytes Virus Type: Resident application infector Symptoms: Sprite file called 'Funky!', application task called 'Window Dude' --------------------------------------------------------------------------- Detection Media: Killer 1.381+ Memory: Killer 1.381+ VProtect 1.24+ Removal Media: Killer 1.381+ Memory: Killer 1.381+ --------------------------------------------------------------------------- General Comments: In common with the Icon family, this is a BASIC program hidden under a Sprite filetype. It initialises as a desktop task called 'Window Dude' and infects by saving copies of itself and amending !Boot files. (Source: Paul Frohock) ########################################################################### Garfield_I =========================================================================== Last updated: 11th September 1992 Aliases: Origin: United Kingdom Isolation Date: June 1992 Effective Length: 1640, not including the files "!Boot", "!Run" and "!Sprites". Virus Type: Resident application infector. Symptoms: Directory "!Pic" with files "!Boot", "!Run", "!Mod" (module) and "!Sprites". Recursive infections possible. --------------------------------------------------------------------------- Detection Media: Killer 1.362+ Memory: Killer 1.362+ Scanner 1.42+ VProtect 1.20+ Scanner 1.47+ Removal Media: Killer 1.362+ Memory: Killer 1.362+ Scanner 1.42+ Scanner 1.47+ --------------------------------------------------------------------------- General Comments: Garfield_I is a resident virus, lodging itself in the RMA as a module "IconManager". When active, it creates a directory inside an application called "!Pic" with the files "!Boot", "!Run", "!Mod" and "!Sprites". The virus code is contained in "!Mod". It then proceeds to add the following lines to the infected application's "!Boot" file: RMEnsure IconManager 1.27 <obey$dir>.!pic Garfield_I uses the default Acorn sprite file sprite, so a casual glimpse in an application folder will not reveal it unless you a) use a different sprite for sprite files or you b) open the folder with "full info". It does not check for multiple infections. Infected applications will, more often than not, contain "!Pic" directories inside "!Pic" directories. Garfield_I activates on the first Monday of any month, displaying "The Garfield Virus is here to stay" then repeatedly "Don't you just hate Mondays?" until the machine is reset or switched off. (Source: Alan Glover) ########################################################################### Garfield_W =========================================================================== Last Updated: 11th September 1992 Aliases: Origin: United Kingdom Isolation Date: June 1992 Effective Length: 1480, not including the files "!Boot", "!Run" and "!Sprites". Virus Type: Resident application infector. Symptoms: Directory "!Obey" with files "!Boot", "!Run", "!Mod" (module) and "!Sprites". Recursive infections possible. --------------------------------------------------------------------------- Detection Media: Killer 1.360+ Memory: Killer 1.360+ Scanner 1.41+ Scanner 1.41+ VProtect 1.17+ Interferon 2.00+ Removal Media: Killer 1.360+ Memory: Killer 1.360+ Scanner 1.41+ --------------------------------------------------------------------------- General Comments: Garfield_W is a resident virus, lodging itself in the RMA as a module "WimpAIDS". When active, it creates a directory inside an application called "!Obey" with the files "!Boot", "!Run", "!Mod" and "!Sprites". The virus code is contained in "!Mod". It then proceeds to add the following lines to the infected application's "!Boot" file: <Obey$Dir>.!Obey |Above line is inoculation for the wimp virus Garfield_W uses the default Acorn Obey file sprite, so a casual glimpse in an application folder will not reveal it unless you a) use a different sprite for obey files or you b) open the folder with "full info". Garfield_W does not check for multiple infections. Infected applications will, more often than not, contain "!Obey" directories inside "!Obey" directories. Garfield_W activates on the first Monday of any month, displaying "The Garfield Virus is here to stay" then repeatedly "Don't you just hate Mondays?" until the machine is reset or switched off. [ Note: Although both Garfield_I and Garfield_W call themselves Garfield, and give the same message, we have given them separate entries since certain items differ between them - notably application and module names. ] (Source: Alan Glover) ########################################################################### Handler =========================================================================== Last Updated: 25th October 1992 Aliases: Origin: UK Isolation Date: October 1992 Effective Length: 1532 bytes Virus Type: Resident application infector Symptoms: Desktop Task called 'Task Handler'. --------------------------------------------------------------------------- Detection Media: Killer 1.381+ Memory: Killer 1.381+ VProtect 1.24+ Removal Media: Killer 1.381+ Memory: Killer 1.381+ --------------------------------------------------------------------------- General Comments: This virus is loaded by a !run file, so is likely to spread slower than most. It renames the original !Run file to Obey. The virus itself is in an absolute called Handler. It may display a message: You have been infected with the Handler VIRUS The Virus is just to see how good a program can infect Sorry if it has up set you in any way, Thats about all i can say! Generation : Press any key to change the channel. (Source: Paul Frohock) ########################################################################### Icon =========================================================================== Last Updated: 7th July 1992 Aliases: Icon-A, Filer, Poison, NewVirus Origin: United Kingdom Isolation Date: 1990? Effective Length: 5498 bytes in base version Virus Type: Task. Stores code as separate file. Symptoms: Nameless wimp task on the Task Manager. Silly error messages may appear without reason. The files "Icon", "Poison", "Splodge" or "NewVirus" in application directories --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Killer 1.17+ Scanner 1.32+ Scanner 1.32+ IVSearch 2.05+ (note 1) VProtect 1.06+ Hunter 1.00+ (note 1) Removal Media: Killer 1.17+ Memory: Killer 1.17+ delete named file, remove last line from !Boot. --------------------------------------------------------------------------- General Comments: The Icon virus family is a type of very contagious viruses. They are harmless to that extent that they do not destroy files. However, they are very annoying (although I must admit some of the messages were quite amusing!). Common for all the viruses in the Icon family is that the virus is an unnamed wimp task written in BASIC. It spreads by adding a few lines to the !Boot file of an application (without checking for multiple infections), and then saving the code as a file as with filetype sprite. <set the wimpslot> BASIC -quit <obey$dir>.<virusfile> The original virus displayed a stupid error message on start-up, and then every so often after that. Commonly also called the Filer virus as the error message header claims that it's from the Filer. Here are a few examples of what type of error messages which might appear: ".desreveR maertS tuptuO" "This error should not occur." "Previous error did not occur." "Could not reach top of stack." Known variant(s) of the Icon virus are: Icon-2096 Filename: Poison Random error code replaced with a *I am stuck - which might log the user on to a network if they're very unfortunate! Icon-2616 Filename: Icon No silly messages from this version - also has the name of the person who modified it (yes, the UK Computer Crimes Unit have acted on this!). Icon-2631 Filename: Splodge Identical to 2616, except the change of name. Icon-5498 Filename: Icon, though the in-core name is 'Extra'. Does have silly messages. Icon-5574 Filename: Icon As 5498 with missing Hourglass_On call added. Silly message less likely to appear when it is loaded. Icon-5737 Filename: NewVirus As 5574, but with a three-key sequence to exit the program. High likelihood of a silly error at startup. Insignificant changes to !Boot save routine. Icon-5742 Filename: Icon Bugfix of 5737. Less likely to give silly errors when loaded. (Source: Alan Glover) ########################################################################### Image =========================================================================== Last Updated: 21st April 1992 Aliases: Origin: Northern Ireland ? Isolation Date: Jan. 1992 by Svlad Cjelli Effective Length: 512 bytes Virus Type: Resident, although not in RMA Symptoms: Files "Image" and "!Spr" in application directories. The file "image" has no filetype, but !Spr has the type Obey. --------------------------------------------------------------------------- Detection Media: Killer 1.26+ Memory: Killer 1.26+ Scanner 1.13+ VProtect 1.07+ Removal Media: Killer 1.26+ Memory: Killer 1.26+ Scanner 1.15+ delete "Image". If there is a "!Spr" file, delete !Run and rename !Spr as !Run, otherwise delete !Boot. --------------------------------------------------------------------------- General Comments: This virus carries no payload, but spreads VERY fast, to the extent that you can delete the file, only to see it instantly re-appear again if it is in memory! It loads its code into the OS workspace, at &5500, it is therefore liable to crash the machine should the OS use that area of workspace. The !Run or !Boot file looks like this: LOAD <OBEY$DIR>.IMAGE 5500[0d]GO 5500[0d] It's action on infection is to save <Obey$Dir>.Image, and then either to create a !Boot file if one does not exist, or if it does, rename the !Run file to !Spr and then create a new !Run file. (Sources: Alan Glover, Svlad Cjelli) ########################################################################### Increment =========================================================================== Last Updated: 18th September 1992 Aliases: Origin: UK, Cornwall ? Isolation Date: September 1992 Effective Length: 464 bytes Virus Type: Resident Symptoms: CMOS configuration settings seem to change randomly --------------------------------------------------------------------------- Detection Media: Killer 1.375+ Memory: Killer 1.375+ Scanner 1.49+ Scanner 1.49+ VProtect 1.23+ Removal Media: Killer 1.375+ Memory: Killer 1.375+ --------------------------------------------------------------------------- General Comments: The virus appends itself to existing !boot files. The virus may not be immediately obvious when an infected !boot file is viewed in !Edit because it inserts 28 or more line feeds between the legitimate file and the viral appendage. However CTRL-Down Arrow will move down to the bottom of the file and expose the telltale signs of a machine code appendage on the end of the file. On each infection the virus will increment a CMOS RAM location - the location is incremented too on each infection with the effect of seemingly random problems appearing (including ROM modules becoming unplugged for example). (Source: Alan Glover, with thanks to Lee Davies) ########################################################################### Irqfix =========================================================================== Last Updated: 14th September 1992 Aliases: Origin: United Kingdom Isolation Date: September 1992 Effective Length: 940 bytes Virus Type: Resident task. Stores code as separate file. Symptoms: File "RiscExtRM", "WimpPoll", "OSSystem", "MiscUtil", "FastRom", "IRQFix" or "AppRM" in application directory. Each time the code is executed it grabs 1k of RMA - this will eventually lead to a system crash. --------------------------------------------------------------------------- Detection Media: Killer 1.374+ Memory: Killer 1.374+ Scanner 1.48+ Scanner 1.48+ VProtect 1.22+ Removal Media: Killer 1.374+ Memory: Killer 1.374+ Scanner 1.48+ delete named file, remove extra lines from !Boot. --------------------------------------------------------------------------- General Comments: This is a variant of Extend which uses IRQFix as the module name, and different filenames. In all other respects the code is identical to Extend. (Source: Alan Glover, with thanks to Alex Belton) ########################################################################### Link =========================================================================== Last Updated: 21st April 1992 Aliases: Origin: United Kingdom Isolation Date: January 10th, 1992 Effective Length: 1416 bytes Virus Type: Resident Absolute file infector. Also a Trojan Horse. Symptoms: Module 'BSToDel' in module list. Files are re-stamped. --------------------------------------------------------------------------- Detection Media: Killer 1.27+ Memory: Interferon 2.10+ Scanner 1.03+ Killer 1.27+ Hunter 1.16+ Hunter 1.16+ Scanner 1.20+ Removal Media: Killer 1.27+ Memory: Killer 1.27+ Hunter 1.16+ Inteferon 2.10+ Scanner 1.20+ Hunter 1.16+ Scanner 1.20+ --------------------------------------------------------------------------- General Comments: The reason why I found the Link virus was because of the module 'BSToDel' appearing in the module list. Also, suddenly Killer 1.17 didn't work (It gave an "Integrity check failed" and refused to load)! As I already have made my own 'backspace to delete' utility as a module, I wondered where that module came from! (It certainly wasn't as a separate module on the disc.) Before installing itself as a module, it infects %.Squeeze (if there is a library directory, and if Squeeze is indeed in it) - just in case there wasn't enough room in the RMA. Then it hooks onto the FSControlV and InsV vectors. The latter so that it can do what the module title expects it to do: convert backspace (&08) to delete (&7F) (the reason why I also typed it as a Trojan Horse). The FSControl vector is used so that it can look for certain actions - namely *Run and *Copy. When it detects one of these, it does the following. Replaces the first three instructions in the file with its own, making an absolute branch to the end of the file. The rest of the module is then stored here, with the original three instructions too. To make detection a bit more difficult, it encrypts itself with an EOR variant (different key each time). On any Friday the 13th, it will display the message Message from LINK: Active since 30-Nov-91 every time it infects a program. [As Alan pointed out, this date is fixed, so meaning that it bears no relationship to the time which a system became infected.] The virus does no damage apart from attaching itself to files. Files infected by the Link virus are re-stamped to the date they were infected. Also, at the end of the module (and effectively each infected file - although encrypted) the word 'LINK' appears. I first thought this was used as an 'already infected' flag, but this is not so. What it does is check the second instruction in the file, and if this is 'MOV PC,R0' (probably reckons that few programs have this as their second instruction) it recognizes it as infected. If not, the file is infected. This method of checking the file might add to the difficulty of making an inoculator. Why didn't Interferon detect this virus? At first, I thought that there might be a bug in Interferon, but as I found out, the Link virus checks to see if Interferon is in memory by using OS_Module 18 (look-up module name). By doing this, it also finds where the module code is. Then, it changes a CMP instruction within the code so that Interferon never detects OS_GBPB. After the infection is finished, the Link virus changes the code back to what it was. [I'm working on a CRC routine for a future version of Interferon at the moment, so Interferon should be 100% operational 'real soon now'.] ########################################################################### Mode87 =========================================================================== Last Updated: 11th September 1992 Aliases: Origin: Unknown. UK? Isolation Date: Unknown - possibly autumn 1991 Effective Length: 848 bytes Virus Type: Resident !Boot file infector. Symptoms: Module 'Mode87' in application directories. --------------------------------------------------------------------------- Detection Media: Killer 1.360+ Memory: Killer 1.360+ Scanner 1.41+ Interferon 1.10+ VProtect 1.17+ Removal Media: Killer 1.360+ Memory: Killer 1.360+ Scanner 1.41+ --------------------------------------------------------------------------- General Comments: Mode87 installs itself in the RMA as "BBCEconet". The way to tell the difference from this and the original Acorn network module, is that the address of where the module lies is at &01xxxxxx instead of a ROM address (&03xxxxxx) by typing *Modules. If Acorn's original module is not *Unplugged, it will install itself on top of this, and not easily seen in the module list. Mode87 is not malevolent. Although it destroys the original !Boot file of an application, it is not treated as a virus with serious damage potential. Mode87 simply overwrites any !Boot file already there (and if there isn't one, it creates a new one) with: | Boot file IconSprites <Obey$Dir>.!Sprites RMLoad <Obey$Dir>.Mode87 [00][00][00] Then it proceeds to save itself as a module with the filename "Mode87". If it has reached an infection count of 256, an expanding circle (black, if you are using the standard desktop palette) will "eat" your screen. Control will then return to normal. Mode87 releases its vector claim on OS_FSControl, so it is quite safe to *RMKill it. (Source: Tor Houghton) ########################################################################### Module =========================================================================== Last Updated: 11th September 1992 Aliases: Illegal, ModVir Origin: Unknown Isolation Date: October 1991 Effective Length: 956 bytes Virus Type: Resident module infector. Symptoms: Modules grow by approx. 1k, and are re-datestamped. May cause system crashes when accessing files (load, save, etc. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Interferon 2.00+ Hunter 1.00+ Killer 1.17+ Scanner 1.14+ Hunter 1.00+ VProtect 1.10+ Removal Media: Killer 1.26+ Memory: Killer 1.26+ Hunter 1.00+ Hunter 1.00+ Scanner 1.46+ --------------------------------------------------------------------------- General Comments: This is a very nicely written virus which appends itself to modules, redirecting three module entry points to pass through itself before being handed on to the module's original entry point. It spreads by infecting a module as it is loaded, and then the newly loaded module infects the next one loaded, and so on... This virus is likely to be very widespread, since it was distributed on the Archimedes World February 1992 cover disc in the MicroDrive demo (in it, several modules were infected). It does nothing until 6th September 1992, when it will display the message: Your computer has been virus infected. This is intended to be a friendly virus, and hasn't done any damage to your disc as is possible now, but it isn't active anymore from now on. Be more careful with illegal software next time! [Along with a generation counter. Another interesting observation is that it does not infect locked modules. Infects whenever it notices a RUN or LOAD action on a module. As a result, THIS VIRUS IS EXTREMELY CONTAGIOUS.] The message that it isn't active anymore is not true! It ALWAYS (even after 06-Sep-1992) attaches itself to the OS_File (FileV) vector. The virus first calls the previous owner of the OS_File vector (FileSwitch?). This means that the module will be loaded and initialised. If the length of the module minus the initialise word of the module is equal to 956 (i.e. the length of the virus), then the module is already infected and the virus deactivates itself (the newly loaded module has already attached itself to the OS_File vector). If the module isn't infected, the virus attaches itself at the end of the module, overwriting the init/final/service words in the module header, preserving the original 3 words. (Source: Alan Glover, Michel Fasen) ########################################################################### MyMod =========================================================================== Last Updated: 21st April 1992 Aliases: Silicon Herpes Origin: United Kingdom Isolation Date: June-August 1991 Effective Length: 2948 bytes Virus Type: Resident Symptoms: Additional files "SSLM" (filetype Module) and "SSLF" in application directories. Message on every Friday the 13th. Module "MyMod" in module list. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Interferon 2.00+ Scanner 1.15+ Killer 1.17+ VProtect 1.10+ Scanner 1.20+ Hunter 1.16+ Hunter 1.16+ Removal Media: Killer 1.17+ Memory: Killer 1.17+ Scanner 1.16+ Hunter 1.16+ Interferon 2.10+ Scanner 1.20+ delete "SSLM", rename "SSLF" to !Boot. --------------------------------------------------------------------------- General Comments: This works by redirecting the Alias$@RunType for Obey files, so spreads very fast. Once on each Friday 13th you'll get this message: Hi there. It's me, with my latest addition to the ARCHIMEDIES range of computer programs. This one's called silicon herpes. It's annoying but DOES NO REAL DAMAGE!!! Anyway, it's Friday the 13th, and what can you expect. Acorn state that RISC OS has high protection against programs of this nature. I can't call it a virus, as a virus does damage With Acorn making these bold statements about RISC OS I decided to write a demonstration to disprove their theories. I must admit though, it was quite difficult. Anyway, I don't want to keep you so I'd like to say, have a very happy Christmas, Easter, Summer or what ever, and hang kickin There's a likelihood of various spurious errors from one of the variants (both are the same length) since it addresses application memory directly! (Source: Alan Glover) ########################################################################### NetManager =========================================================================== Last Updated: 11th September 1992 Aliases: Origin: United Kingdom Isolation Date: June-August 1991 Effective Length: 900 bytes Virus Type: Resident !Boot file infector Symptoms: Module 'NetManager' in module list. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Interferon 2.00+ VProtect 1.10+ Killer 1.17+ Scanner 1.40+ Scanner 1.20+ Removal Media: Killer 1.17+ Memory: Killer 1.17 Scanner 1.40+ Scanner 1.20+ Interferon 2.10+ delete !Boot. RMKill NetManager --------------------------------------------------------------------------- General Comments: I believe this to be the prototype for, or maybe the inspiration for, the TrapHandler virus. Although the coding is quite different in places, there's quite a similarity in the design. There are a number of coding errors in the virus, most notably around the time bomb area, making it harmless in this form. The intention of the code is to check for Friday 13th, and display a message, however it will never detonate (... unless there's a fixed version in circulation ... though that's what I believe TrapHandler is). It's fortunate that it never displays the message, because there's another coding error and the message isn't actually there! (Source: Alan Glover) ########################################################################### NetStatus =========================================================================== Last Updated: 21st April 1992 Aliases: Boot Origin: Norway or Belgium Isolation Date: October 1991 Effective Length: 2048 or 2072 bytes Virus Type: Resident !Boot file infector Symptoms: !Boot filelength increase. --------------------------------------------------------------------------- Detection Media: Killer 1.27+ Memory: Interferon 1.10+ Scanner 1.02+ Killer 1.27+ VProtect 1.10+ Scanner 1.20+ Hunter 1.16+ Hunter 1.16+ VirusKill 1.00+ Removal Media: Killer 1.27+ Memory: Killer 1.27+ Scanner 1.17+ Hunter 1.16+ Hunter 1.16+ Interferon 1.10+ Scanner 1.20+ RMKill NetStatus --------------------------------------------------------------------------- General Comments: NetStatus is written as a module, and in many ways it functions exactly the same way as the TrapHandler virus, as it saves all of its code in an application's !Boot file. It differs strongly from from this one, however, as NetStatus does not overwrite the !Boot file. The original !Boot instructions are executed after the virus has been loaded, making it more difficult to spot than TrapHandler. Some times a message will appear (after a mode change): Hello, there. Just a little message. The infection count is: <infection count> This program is harmless 10 Jun 1991 [This message is encrypted, and will neither show up in memory nor in the infected !Boot file.] One might think that NetStatus should be placed as a 'variant' of TrapHandler, as the way the two viruses work are so similar (both viruses work by loading the !Boot file into memory below &8000 and then jumping to the code). However, seeing that the code itself was so different, I chose to let it have it's own entry. Also, NetStatus infects the !Boot file instead of overwriting it! If you think you might have been infected by this virus, do *Help NetStatus to see if it is version 2.00, and if it is, do a *Modules to check where it resides. If the address is 018xxxxx then you are infected, if not, the address should be 038xxxxx. [This virus has the potential to cause chaos on Econet networks, where it will replace the real NetStatus module - causing anything that relies on it to fail.] Known variant(s) of the NetStatus virus are: NetStatus-2048 This appears to be an earlier version of NetStatus. Some code is missing in this version, but they appear identical in operation. Please note that not many virus killers are aware of both versions. If it understands only one strain, the !Boot file will become corrupt. ########################################################################### Parasite =========================================================================== Last Updated: 21st April 1992 Aliases: Origin: UK, Cheshire? Isolation Date: January 1992 by S. Haeck Effective Length: 6K & 7K Virus Type: Resident application infector, stores code as separate file. Symptoms: Additional modules appearing within applications --------------------------------------------------------------------------- Detection Media: Killer 1.27+ Memory: Killer 1.27+ Scanner 1.23+ Scanner 1.20+ VProtect 1.12+ Removal Media: Killer 1.27+ Memory: Killer 1.27+ --------------------------------------------------------------------------- General Comments: This is a **very** nasty virus. Handle any infections with care! The parasite virus was first discovered by S. Haeck in January 1992. The two strains are identical, except that the first always uses the same name for it's module, and the second has a random choice of 20 (twenty) filenames. It will only activate on machines whose network station number is <80 - which will include non-networked machines, which typically have 0 or 1 in the CMOS. Do NOT try to RMKill the module - a delayed action machine crash will result. It will *wipe any of the following file/directory names - !vkiller, vir, shield, prot and !guardian - this points at a UK origin since it is not aware of Scanner. It has a whole repertoire of dirty tricks, which are time triggered: - Corruption of the net printer name (it uses this as workspace) - Midnight, and xx:13: crash the computer - Before 07:00: crash the computer 300-900 seconds later - 00:00 to 00:59 on 1st Jan: crash the computer - 1st of any month: claim 16K of RMA (not used) - 21st June: set MouseStep to 1 - 21st December: set MouseStep to 127 (fast!) - 29th February: Set MouseStep to -5 (fast, and reversed) - If there is a 0 in the time, and the virus loaded from SCSI:*unplug the Podule Manager (disabling the SCSI disc) - At 0x and x0 seconds, if the module came from IDEFS: alias the IconSprites command so that no further sprites are cached Furthermore, there are some which can be fired at any time: 1 in 50: Change sound settings 1 in 25: Redefine character set to all spaces after 60-240 seconds 1 in 60: Corrupt the disc in drive 0 Lastly, there are a group of serious actions (which are limited so only a certain number occur within a given period): - Before 08:00 (14:00 Sundays): configure number of hard and floppy drives to zero. - Mondays: Configure Fontsize 0K, SpriteSize 512K, which will cripple a 1Mb machine! - 25th December: Configure MonitorType 3, Sync 0 - A 7 in the time: Configure Country to Greece - 1 in 4: Configure ADFS, Harddiscs 2, Drive 5 (very tricky if you don't happen to have two ST506 drives) The module names which it can use are: FontLibrary, CodeLibrary, ScreenObjct, PromptsPick, HPIBIntMngr, PRomModules, BasicCryptr, ChrSelecter, WimpModMake, PaletteUtl2, ModeUtility, FontUtility, TempManager, ColourConvt, IndexReader, ArthurImage, SyncUtility, VIDCManager, FontPalette, HugoFiennes. The first (6435 byte) strain always uses the name FontLibrary. Note that Hugo Fiennes, whose name appears at several points in the code, as well as being one of the module filenames, has much better things to do than write viruses, and has no known connection with this virus! (Source: Alan Glover, with thanks to Geoff Riley for much of the decoding) ########################################################################### Runopt =========================================================================== Last Updated: 25th October 1992 Aliases: Origin: UK Isolation Date: October 1992 Effective Length: 1684 bytes Virus Type: Resident application infector Symptoms: Desktop APPLICATION Task called 'Task Manager'. --------------------------------------------------------------------------- Detection Media: Killer 1.381+ Memory: Killer 1.381+ VProtect 1.24+ Removal Media: Killer 1.381+ Memory: Killer 1.381+ --------------------------------------------------------------------------- General Comments: In a similar manner to Icon, this virus uses a !Boot file to load a BASIC program. The program is called RunOpt!, and is filetyped as data. Note that the real 'Task Manager' shows up as a module task NOT an application task. (Source: Paul Frohock) ########################################################################### Sprite =========================================================================== Last Updated: 21st April 1992 Aliases: 'Really Annoying Sprite Virus' Origin: Germany ? Ireland ? Isolation Date: February 1992 by Svlad Cjelli Effective Length: 720 bytes Virus Type: Resident application infector, stores code as separate file. Symptoms: File "Sprite" and maybe !Str in applications --------------------------------------------------------------------------- Detection Media: Killer 1.27+ Memory: Killer 1.27+ Scanner 1.23+ Removal Media: Killer 1.27+ Memory: Killer 1.27+ delete Sprite, delete !Boot OR delete !Run and rename !Str to !Run (depending whether !Str is present or not). --------------------------------------------------------------------------- General Comments: This has got some similarities with Image, but until I've (Alan) had a chance to do a code comparison, I'm not going to class them as members of the same virus family. In months which begin with an F it will change the pointer settings. As far as I can tell, the parameter block is junk, and it's hard to tell whether the call will return! If it does, a delayed routine is programmed, which when entered will do FX200,3, zero all the CMOS RAM, and display a message. The message is: Piracy IS theft - Your SYSTEM is DOOMED - Deutschland Uber Alles! For people like me who don't know any German, a liberal translation is 'Germany is best'. This is encrypted, so is not usually visible. Important note: Initial reports about this virus suggested that it could cause disc corruption. Aside from possible errors during attempted infections, it does not have any maliciously targetted code for filing systems. Infection is by saving the virus code as 'Sprite' (filetyped as such), and either creating a !Boot, or renaming !Run to !Str and saving a new !Run which runs !Str. (Source: Alan Glover, with thanks to Svlad Cjelli) ########################################################################### SpriteUtils =========================================================================== Last Updated: 11th September 1992 Aliases: Origin: UK Isolation Date: June 1992 Effective Length: 3028 bytes Virus Type: Resident application infector, stores code as separate file. Symptoms: File "Sprutils" appears in applications --------------------------------------------------------------------------- Detection Media: Killer 1.360+ Memory: Killer 1.360+ VProtect 1.17+ Scanner 1.42+ Removal Media: Killer 1.360+ Memory: Killer 1.360+ Scanner 1.42+ --------------------------------------------------------------------------- General Comments: This virus spreads by inserting a line in !run files, loading a trojan SpriteUtils module. It is my opinion that this virus is designed as an enabling tool for further unpleasant activities triggered remotely over a network. My reason for concluding this is that in addition to normal spreading and replication it goes to great pains to alter the Econet Protection setting to enable User Remote Procedure Calls. It intercepts the SWI vectors to process Econet_SetProtection and Econet_ReadProtection to return, and allow modification of, the value which was present when the virus started. It then supports two RPCs, one to turn off all protection, and the other to restore the setting with just RPCs enabled. It also attempts to disable VProtect, and will succeed with earlier versions. However, a new version of VProtect will have no problem in preventing the virus from being loaded in to a clean machine. It has no timed or other malicious contents, however as usual there are some consequences of the way it is written. In particular, it will claim 2K of RMA workspace, and never release it, nor does it restore the Econet protection setting it first found. (Source: Alan Glover) ########################################################################### T2 =========================================================================== Last Updated: 11th September 1992 Aliases: Origin: United Kingdom Isolation Date: July 1992 Effective Length: 4304 bytes Virus Type: Merges with absolute !RunImage files. Symptoms: Messages from "T2" and spurious errors. --------------------------------------------------------------------------- Detection Media: Killer 1.370+ Memory: Killer 1.370+ VProtect 1.20+ Scanner 1.43+ Scanner 1.43+ Removal Media: Killer 1.370+ Memory: Killer 1.370+ --------------------------------------------------------------------------- General Comments: This is a very dangerous virus, which can cause severe data loss if not treated rapidly. On 1st Jan, 14th Feb, 1st May, 4th July, 31st October, 25th December and Friday 13th a message from T2 will be displayed and it will write invalid data to the first 32K of ADFS drives 0-7. On D or E format floppies this will destroy the FS Map and Root Directory, on D format hard discs it will destroy the boot block, FS Map and Root Directory. On E format hard discs, it will destroy the boot block only, since the Free Space map and Root directory are elsewhere on the disc surface. It will also attempt to do the same to Nexus drives 4-7. The messages are: December 25th Yuletide Jollities from T2 A special christmas present: New blank disks all round. 1st January New Year's Resolution from T2 New Year's Resolution: I will keep my disks write protected. 14th February St. Valentine's Day Roses are red, Violets are blue, I've wiped your hard disk, Because I hate you. 1st May Mayday from T2 Mayday, mayday, mayday: your data's sinking. 31st October Spookiness from T2 You've got a vicious virus AND blanked disks - spooky huh? July 4th Independence Day celebrations from T2 You are now fully independent of your saved data. Friday 13th Comiserations from T2 Bad luck, me ol' China. Your disks have kinda left you in the lurch, as it were. Unfortunate, huh? And the random choice ones: Greetings from T2 I hate you. F*ck off and die. Painfully. Comment from T2 You stink of sh*t. Observation from T2 You're a f*cking c*nt. Hi there, from your friendly virus Hi there. You may (or may not) know me. I'm a virus. User meet T2. T2 meet user. Good ... See ya around. It also has a random chance routine, based on a 0.1 second timer, which has various possible effects, including: - A rude message (see above) - Scrambled CMOS memory - Crashing the machine - Destroying disc data (as above) There is not an easy quick check for this virus, since it will not show up as a module or desktop task. The easiest way I can come up with to do the following from BASIC (ensure that VProtect 1.20 or above is NOT loaded to avoid a false alarm). SYS "XOS_ServiceCall",,&C0FFEE TO ,A%:PRINT A% If the number printed is zero, and VProtect 1.20+ is not loaded (or any other anti-virus program aware of this virus) then it is loaded and active. (Source: Alan Glover) ########################################################################### Terminator =========================================================================== Last Updated: 11th September 1992 Aliases: Origin: United Kingdom Isolation Date: July 1992 Effective Length: 3648 bytes Virus Type: Task. Stores code as separate file. Symptoms: Additional files appear in applications (see below) --------------------------------------------------------------------------- Detection Media: Killer 1.372+ Memory: Killer 1.372+ Scanner 1.47+ Removal Media: Killer 1.372+ Memory: Killer 1.372+ delete named file, remove last line from !Boot. --------------------------------------------------------------------------- General Comments: Strictly speaking - this is an Icon variant. However it has been changed sufficiently that it merits its own entry. It can choose one of eight task names, and one of eight different filenames/filetypes to save itself. In other respects it acts and spreads like Icon, though there is 1 in 10 chance of drive zero being wiped on each infection. The task names are : ADFS Filer, RMA Manager, Filer Extension, File Compactor, ADFS Filer (again), MemAlloc, " " and "F*ck off!" (except with no asterisk - you know what I mean...). The filenames and filetypes are: Icon (Sprite), MemAlloc (Module), RunCode (Absolute), ABCLib (Module), CLib (Module), Colours (Modules), FPEmulator (Module) and !DeskBoot (Utility). !Killer patches the virus before removing it to ensure that ADFSFiler is not rmkilled by the virus. (Source: Alan Glover) ########################################################################### Thanatos =========================================================================== Last Updated: 21st April 1992 Aliases: RISCOSext, RISCOS Extensions Origin: United Kingdom Isolation Date: May 1991 Effective Length: 11756 or 11764 bytes Virus Type: Task. Stores code as separate file. Symptoms: Files "RISCOSext" and "TaskAlloc" in application directories. Wimp task "Thanatos" visible in the Task Manager. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Killer 1.17+ Scanner 1.23+ VProtect 1.10+ Removal Media: Killer 1.17+ Memory: Killer 1.17+ delete named files --------------------------------------------------------------------------- General Comments: This is an encrypted (simple EOR with &7A, lower-case "z") BASIC program (crypted = 11756 bytes long, TOP-PAGE of BASIC program = 7660 bytes) called "RISCOSext" with a filetype of Absolute (yes, a very poor piece of ARM code decrypts and runs it and wastes nearly 4K of space between &8100 and &9000 !). Associated with it is a Sprite file (actually of filetype Module) called "TaskAlloc", which is 344 bytes long containing a rude sprite to replace the mouse pointer. When run, it installs itself as a Wimp task named "Thanatos" and then looks for double-clicks to infect application directories (copies the RISCOSext and TaskAlloc files into there and then appends the 'usual' string to the !Boot file (to run RISCOSext). The nasty section of the Thanatos Virus REALLY IS nasty, so I urge you to study this carefully. Rough once every 100000 times around the Wimp_Poll loop, Thanatos can: * 2 out of 13 chancesShut down icon bar application at random (whilst displaying its own icon bar icon during the shutdown). * 1 out of 13 chancesCause a Desktop Quit. * 3 out of 13 chancesReverse the mouse pointer step (sets it -2). * 1 out of 13 chancesCrash the machine by poking a duff instruction at the start of memory. * 1 out of 13 chancesRandomise the 240 bytes of CMOS. [If this happens, you may have to either short or remove the battery from your machine, as it might refuse to boot.] * 4 out of 13 chancesRandomly display one of 8 very rude messages - one of which also changes the mouse pointer shape to a rude graphic and another will also shutdown an icon bar application (the same routine as above). * 1 out of 13 chancesWipe the contents of <Obey$Dir>. It also has a "special date" section as follows: Any Friday 13th: Advertises its own "virus killer" (from Armen Software). April 1st10 Address exception errors, followed by coloured rectangles and a 'stuck' mouse pointer for 10 seconds. An "April Fool" message is then displayed. December 25th: Destroys the disk map of ADFS drives 0, 4 and 5 followed by a "Merry Crimble" message. October 31st:Formats the floppy in drive 0, followed by a "Spooky" message. January 1st: As December 25th, but followed by a New Year's Resolution message (to keep your disks write-protected...). [ The 11764 byte variant is functionally identical, but a slightly earlier version ] (Source: Richard K. Lloyd) [Attempting to kill Thanatos by clicking 'Quit' in the Task Manager will not work. However, Killer and VKiller will patch the missing closedown code into the virus before removing it from memory.] ########################################################################### TrapHandler =========================================================================== Last Updated: 21st April 1992 Aliases: Origin: United Kingdom Isolation Date: September 1991 Effective Length: 924 bytes Virus Type: Resident !Boot file infector. Overwrites original !Boot file completely (or creates a new one if it doesn't find one) and stores own code here. Symptoms: Applications which depend on a !Boot file fail to run (i.e. if the !System !Boot file was overwritten, !Edit would fail to run due to the fact that the !System folder hasn't been seen. The same applies if the !Boot file in the Fonts directory is overwritten. The module 'TrapHandler'is present in the module list. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Interferon 2.00+ Scanner 1.03+ Killer 1.17+ VProtect 1.10+ Scanner 1.23+ Removal Media: Killer 1.17+ Memory: Killer 1.17+ Scanner 1.03+ Interferon 2.10+ delete !boot file Scanner 1.20+ RMKill TrapHandler --------------------------------------------------------------------------- General Comments: The TrapHandler virus is written as a module which infects application directories by overwriting the !Boot file with its own code. By hooking onto the FSControl vector, it looks for a *Run action, and on finding one (eg. the user opens a directory with applications, and if any of these contain a !Boot file (which RISC OS automatically executes)), TrapHandler overwrites the application's !Boot file with its own code. This code is loaded into memory by using a simple *LOAD <Obey$Dir>.!Boot <address> and then executing the code at <address>. On any Friday after the 20th of any month it will open a regular message box (i.e. using Wimp_ReportError) with the number of infections in the header, and an 'Ignorance will be your undoing.' This message is rather misleading, as the only destructive thing it does is overwrite your !Boot files (although it could - as all viruses can - be modified to do much nastier things). I might sound a bit trivial here - if your $.!Boot on the harddisc was overwritten, you might get a bit more than annoyed(!). However, as this !Boot file only gets run when you reset your machine, it is not very likely to get infected by this virus (unless you accidentally double-click on it or run it). ########################################################################### Valid =========================================================================== Last Updated: 21st April 1992 Aliases: Origin: Unknown Isolation Date: March 4, 1992 by Atle M. Bårdholt Effective Length: 1389 bytes Virus Type: Non-resident application infector, stores code as separate file. Symptoms: Files "Valid" and "Source" in application directories. --------------------------------------------------------------------------- Detection Media: Killer 1.30+ Memory: n/a Scanner 1.23+ VProtect 1.13+ Removal Media: Killer 1.30+ Memory: n/a Scanner 1.23+ delete !Run and "Source". Rename "Valid" to !Run. --------------------------------------------------------------------------- General Comments: Valid is a non-resident virus written in BASIC which works by renaming the !Run file of the application to "Valid", then saving itself as a file called "Source" and creating a new !Run file which points to the virus code. Both have correct filetypes (e.g. Obey and BASIC). In its current form it can hardly spread far. It surprises me that it was even released at all. Due to a major flaw in the code, Valid creates faulty !Run files every time it infects - effectively rendering the application non-executable - making it easy to detect that something is wrong. It is assumed, however, that this is fixed in other or newer versions (the incore filename of the BASIC file is "Source2"), as it is a very simple thing to do something about it. (This version keeps the first 21 chars of the orginal !Run file instead of making a new one.) On floppy based systems this virus causes a noticeable slowdown when it infects an application, as it uses the OSCLI command EnumDir to create a list of applications to infect. This list is saved as a file (as a result of EnumDir), and then loaded into some reserved memory. When the processing of this data is finished, the file is deleted. Valid never infects an application twice, as it checks to see if there's an "our" in the first line (part of RUN <Obey$Dir>.Source) of the !Run file. Also, it is not certain it will infect a given application - there's Ŵonly a 30% chance (determined by RND(10)>7) of this happening. Valid does little besides replicate (if it had worked properly), but does create a 0 byte file called "Infected!"Ŵ in the application directory after any 22nd in any month. ########################################################################### Vigay =========================================================================== Last Updated: 21st April 1992 Aliases: DataDQM, Shakes Origin: United Kingdom Isolation Date: Probably April 1991 Effective Length: 2311 or 2432 bytes Virus Type: Task. Stores code as separate file. Symptoms: File "DataDQM" in application directories. The Task "TaskManager" in the Task Manager window. --------------------------------------------------------------------------- Detection Media: Killer 1.17+ Memory: Killer 1.17+ Scanner 1.23+ VProtect 1.10+ Removal Media: Killer 1.17+ Memory: Killer 1.17+ delete !Boot and file. --------------------------------------------------------------------------- General Comments: This is a BASIC program called "datadqm" with an associated 97-byte !Boot file. The REMs at the start of the program are as follows: REM (C)1989 PAUL VIGAY REM REM A nasty little Archie Virus !! REM ... or is something up with your monitor ??? REM REM version 1.1a (24th October 1989) Hence you now know why it's called the "Vigay Virus" - the author's name appears as a comment at the start! When first run, it initialises as a Wimp task called "TaskManager" and then waits for either: 1) a chance of (500 * hours left of a Thursday) to 1 to crop up to spark off a silly "wobble" demo (wobbles the screen and mouse pointer). Yes, this demo only appears on a Thursday and more frequently as the day wears on. or, 2) a file/directory double-click, in which case it attempts to replicate itself to the first application directory at that level that doesn't already have either an "!Boot" or a DataDQM" file. (Source: Richard K. Lloyd) [Apparently there are several versions existing (but apparently not circlulating), some activating on Fridays, others on Friday the 13th. It is not known whether these Friday versions broke loose, and later variants were also compiled using the Archimedes BASIC Compiler by DABS Press. We are still speculating if any of these are available to the general public. Also, it is worth clarifying that the 'TaskManager' will appear as an application task, unlike the real Task Manager which is a module task.] ########################################################################### Virus Detection Utilities --------------------------------------------------------------------------- (Note: only this programs which are still believed to be regularly updated are included here) Guardian: © Paul Vigay. Latest version known is !Guardian3 3.09 (14th Oct-1992). Multitasking application which keeps an eye on tasks and also has virus scanner/removal capabilities. IMPORTANT NOTE: At various places in the application it claims to remove all known viruses, and to be "equal, if not better, in spec than !Killer". Both these claims are clearly false (the current version of !Guardian only deals with five viruses - including his own (Vigay)). Handle the software, and the author's claims, with care. Hunter: © Michel Fasen. Latest version known is 1.16/9 (17-Feb-1992). Multitasking application. Nice touch by using the Interface manager. Not RISC OS 3 compatible. Public Domain. Interferon: © Tor O. Houghton. Latest known version is 2.12 (13-Mar-1992). Resident program which looks for transfer of data to disc from areas below &8000, and from the RMA (e.g. most viruses which are written as modules, for example). Public Domain. Killer: © Pineapple Software Ltd. Written by Alan Glover of Acorn Computers Ltd. Latest version known is 1.381 (25-Oct-1992). Multi-tasking scanner/disinfectant. Currently, this application is the one which detects and removes all known viruses on the Archimedes. Very user friendly interface, lots of useful options, includes a nice window with look-up virus information. Commercial product. Scanner: © Tor O. Houghton. Latest version known is 1.51 (Oct-1992). A non-WIMP application which detects and removes the most common viruses. Commercial software, available direct from the author. VProtect: © Pineapple Software Ltd. Written by Alan Glover of Acorn Computers Ltd. Latest version known is 1.24 (25-Oct-1992). Resident program which, amongst other things, checks !Run and !Boot and module files for infection before running them. Supplied with !Killer. As you can see, there are several virus utilities mentioned in section 3.0. For all of you who have written a virus utility and want it to appear with correct information concerning version numbers, and what it can detect and remove etc., could you please send your latest version to one of the previously mentioned addresses. This document exists in three parallel forms. Versions suffixed 'p' are the Impression version (primarily maintained by Tor Houghton), and those suffixed 'h' use the Binary Star !Clearview PD reader application to present a hypertext document. Updates to the document may be sent to either author, and both versions will get updated. The text version (suffixed 't') is derived from the Cleariew version. There is also an experimental vb version. Also, could you please include a note on what the program/virus does? Some help files we have seen have been very vague. All this information is based on our own reactions, and may well be incorrect in some parts. If you don't like it, send us some information (not too verbose). ########################################################################### Acknowledgements & Credits --------------------------------------------------------------------------- This list contains some of the many people who have helped in the preparation and updating of this document. Despite their best efforts, there are undoubtably some errors - which are wholly our own work :-). Simon Burrows: Additional virus documentation. Svlad Cjelli: Additional virus documentation. Michel Fasen: Additional virus documentation. Eivind Hagen: For letting me borrow Impression of him! Bjørn Hotvedt: For keeping up with the never-ending postings to and from Alan (and other people!). Richard K. Lloyd: For documentation on the older viruses. Terje Slettebø: For help with the disassembly of the NetStatus virus. Paul Frohock: For help and information long before !Killer saw light of day (and still going strong :-) )! The following pieces of software are amongst those I (Alan) use for virus analysis - my thanks to those in the list below who have added changes etc at my request or helped in other ways (you know who you are...). !QZap - Kevin Quinn (PD Desktop Disassembler) !Dissi - John Tytgat (Registered version - Desktop Disassembler/Source generator) !DeskEdit - RISC Developments (!Edit, with many useful additions) !Snoop - DT Software (Desktop examination tool) !QDBug - Vertical Twist/QDE (Powerful Debugger/Monitor) !Detour - Electronic Solutions (Path control utility) ########################################################################### Contacting the authors --------------------------------------------------------------------------- POST: Tor Houghton Alan Glover 17K Park Village PO Box 459 University of Sussex Cambridge Falmer CB1 4QB Brighton UK BN1 9RD UK EMAIL: Tor O. Houghton: torh@cogs.susx.ac.uk Alan Glover: aglover@acorn.co.uk BBS: The World of Cryton(+44) (0)749 670030 or (+44) (0)749 679794 Tor O. Houghton: #121 Alan Glover: #6 Arcade (+44) (0)81 654 2212 Alan Glover: #244 Excelsior! (M)BBS (+47) (0)2 84 63 79 Tor O. Houghton: Tor Houghton (Note: Tor is presently unable to call BBSs, and I do not call very often at the moment - use another means to contact either of us). FAX: Alan Glover (+44) (0)223 415222 Acorn Computers Ltd. (+44) (0)223 254264 Pineapple Software (+44) (0)81 598 2343 TELEPHONE: Pineapple Software (+44) (0)81 599 1476 Acorn Computers Ltd. (+44) (0)223 254254 ########################################################################### Checklist --------------------------------------------------------------------------- (last change 25/10/92) Click on the name of the virus to read more about it. Media Memory Virus Utility D R D R Archie Guardian Y N ? ? Killer Y Y Y Y Scanner Y N N N Arcuebus Killer Y Y Y Y BBCEconet Killer Y Y Y Y Scanner Y N Y Y Interferon N N Y N Bigfoot Killer Y Y Y Y Scanner Y N N N CeBIT Hunter Y Y Y Y Interferon N N Y Y Killer Y Y Y Y Scanner Y N Y N Code Killer Y Y Y Y Scanner Y Y N N Extend Guardian Y ? Y ? Hunter Y Y N N Interferon N N Y N Killer Y Y Y Y Scanner Y N Y N Funky Killer Y Y Y Y Garfield_I Killer Y Y Y Y Scanner Y Y Y Y Interferon N N Y N Garfield_W Killer Y Y Y Y Scanner Y Y Y Y Interferon N N Y N Handler Killer Y Y Y Y Icon Hunter ! ! N N IVSearch ! ! ? ? Killer Y Y Y Y Scanner Y Y N N Image Killer Y Y Y Y Scanner Y N Y Y Increment Killer Y Y Y Y Scanner Y N Y N IRQFix Killer Y Y Y Y Scanner Y Y N N Link Hunter Y Y Y Y Interferon N N Y Y Killer Y Y Y Y Scanner Y Y Y Y Mode87 Killer Y Y Y Y Scanner Y Y N N Interferon N N Y N Module Guardian Y Y ? ? Hunter Y Y Y Y Interferon N N Y N Killer Y Y Y Y Scanner Y Y N N MyMod Hunter Y Y Y Y Interferon N N Y Y Killer Y Y Y Y Scanner Y Y Y Y NetManager Guardian ? ? ? ? Interferon N N Y Y Killer Y Y Y Y Scanner Y Y Y Y NetStatus Hunter ! ! Y Y Interferon N N Y Y Killer Y Y Y Y Scanner Y Y Y Y VirusKill Y Y ? ? Parasite* Killer Y Y Y Y Scanner Y N Y N Runopt Killer Y Y Y Y Sprite* Killer Y Y Y Y Scanner Y N N N SpriteUtils Killer Y Y Y Y Scanner Y Y N N T2 Killer Y Y Y Y Scanner Y N N Y Terminator* Killer Y Y Y Y Scanner Y N N N Thanatos* Hunter Y Y N N Killer Y Y Y Y Scanner Y N N N Traphandler Hunter Y Y Y Y Interferon N N Y Y Killer Y Y Y Y Scanner Y Y Y Y Valid Killer Y Y na na Scanner Y Y na na Vigay Guardian Y Y ? ? Killer Y Y Y Y Scanner Y N N N ? Refers to cases where the documentation fails to explain exactly what it does with the virus. ! Special cases (e.g. some killers might not detect all variants of a virus), refer to the separate virus entries in this document for details. na Not applicable, typically a virus which does not reside in memory. ########################################################################### Quick Checks --------------------------------------------------------------------------- (last change 25/10/92) Click on the virus name to read more about it. Archie - Attacks absolute (filetype &FF8) files. Arcuebus - Installs a false NetStatus module (3.07). BBCEconet - Attacks absolute files, encrypting part of them. Loads trojan BBCEconet module. Bigfoot - Desktop task called 'bigfoot', file with randomly chosen name in capitals (BASIC file). CeBIT - Attacks applications. File "TlodMod" in app. directory. Module "TlodMod" in module list. Code - Desktop task called 'Window Manager'. Applications may 'lose' their sprites. Extend - Attacks applications. Files "MonitorRM", "CheckMod", "ExtendRM", "OSextend", ColourRM", "Fastmod", "CodeRM" or "MemRM" in app. directory . Module "Extend" in module list. Funky - Desktop task called 'Window Dude'. Garfield_I - Creates application called !Pic, loads a module called IconManager. Garfield_W - Creates application called !Obey, loads a module called WimpAIDS. Handler - Creates an application task called 'Task Handler'. Icon - Attacks applications. Files "Icon", "Poison" or "NewVirus" in app. directories. Nameless WIMP task in the Task Manager. Image - Attacks applications. Files "Image" and "!Spr" in app. directory. Increment - Attacks applications. Appends to !Boot - look for 'load <obey$dir>.!boot 8000' towards the end of the !Boot. Irqfix - Attacks applications. Files "RiscExtRM", "WimpPoll", "OSSsystem", "MiscUtil", "FastRom", "IRQFix" or "AppRM in app. directory. Module "Irqfix" in module list. Link - Attacks absolute (filetype &FF8) files. Module "BSToDel" in module list. Infected files are re-stamped. Mode87 - Loads a module called BBCEconet (replacing the real one). Overwrites !Boot files. Module - Attacks modules. Infected modules are re-stamped. MyMod - Attacks applications. Files "SSLM" and "SSLF" in app. directories. Module "MyMod" in module list. NetManager - Attacks !Boot files. Module "NetManager" in module list. NetStatus - Attacks !Boot files. Module "NetStatus" in module list (at offset &018xxxxx). Ensure the program you use understands both strains of this virus! Killer and Scanner do. See also Arcuebus. Parasite - Attacks applications. Random of 20 filename choices for the code carrier. RunOpt - Starts an APPLICATION task called 'Task Manager' Sprite - Attacks applications. Files "Sprite" and "!Str" in app. directories. SpriteUtils - Attacks applications. File SprUtils saved in applications. Loads from !run. T2 - Attacks !RunImage files of type &FF8. Files grow by about 4K. See entry for details. Terminator - An Icon variant which uses varied file/task names. Extra files appear in directories. Thanatos - Attacks applications. Files "RISCOSext" and "TaskAlloc" in app. directory. "Thanatos" visible in the Task Manager. TrapHandler - Attacks !Boot files. Module "TrapHandler" in module list. Valid - Attacks applications. Files "Valid" and "Source" in app. directory. Vigay - Attacks applications. File "DataDQM" in app. directories. WIMP task named "TaskManager" in the Task Manager. ########################################################################### Calendar --------------------------------------------------------------------------- A number of viruses have messages which are programmed to be displayed on a given day or dates. Some are specific dates (eg 4th July) others are less specific such as the first monday of the month, or Friday 13th. This section is subdivided into months, for the viruses with specific dates and messages which could occur in any suitable month. To read more about a particular virus mentioned in this section click on the virus name (which will be underlined). January February March April May June July August September October November December Any ########################################################################### January --------------------------------------------------------------------------- Date Virus Message/Action 1st Parasite Crashes computer before 01:00 1st T2 New Year's Resolution from T2... 1st Thanatos Suggested new-year's resolution... ########################################################################### February --------------------------------------------------------------------------- Date Virus Message/Action 14th T2 St. Valentine's Day Roses are red, Violets are blue... 29th Parasite Set Mouse step rate to -5 (fast & reversed) ########################################################################### March --------------------------------------------------------------------------- Date Virus Message/Action 15th Bigfoot This is a HOLD UP! Give me all the PD software... ########################################################################### April --------------------------------------------------------------------------- Date Virus Message/Action 1st BBCEconet E.T. phones home! 1st Thanatos Address Exception at &0863FB3C ########################################################################### May --------------------------------------------------------------------------- Date Virus Message/Action 1st T2 Mayday from T2... ########################################################################### June --------------------------------------------------------------------------- Date Virus Message/Action 21st Parasite Set Mouse step rate to 1 (slow) 25th BBCEconet Ph'nglui mglw'nafh Chtulhu... ########################################################################### July --------------------------------------------------------------------------- Date Virus Message/Action 4th T2 Independence Day celebrations from T2... 4th Bigfoot Hay there its the 4th of July... ########################################################################### August --------------------------------------------------------------------------- Date Virus Message/Action No viruses are known which display messages specifically during this month. ########################################################################### September --------------------------------------------------------------------------- Date Virus Message/Action 6th (1992) Module Your computer has been virus infected... ########################################################################### October --------------------------------------------------------------------------- Date Virus Message/Action 31st T2 Spookiness from T2... 31st Thanatos Your disk's been formatted without you asking... ########################################################################### November --------------------------------------------------------------------------- Date Virus Message/Action 5th Bigfoot Wizz Bang! Its Guyfalks night... ########################################################################### December --------------------------------------------------------------------------- Date Virus Message/Action 21st Parasite Set Mouse step rate to 127 (very fast) 21st Parasite Change MonitorType and Sync settings 25th BBCEconet Merry Christmas! 25th Bigfoot Happy Christmas from BigFoot ... The VIRUS 25th T2 Yuletide Jollities from T2... 25th Thanatos Merry Chrimble! Hope you liked your pressy... ########################################################################### Any Month --------------------------------------------------------------------------- Date Virus Message/Action 13th Archie Hehe ArchieVirus strikes again Friday 13th Link Message from LINK: Active since 30-Nov-91 Friday 13th BBCEconet It's Friday! Why are you working.... Friday 13th MyMod Hi there. It's me, with my latest addition... Friday 13th T2 Comiserations from T2... Friday >20thTraphandler Ignorance will be your undoing First MondayGarfield_I The Garfield Virus is here to stay First MondayGarfield_I Don't you just hate Mondays? First MondayGarfield_W The Garfield Virus is here to stay First MondayGarfield_W Don't you just hate Mondays? Any ThursdayVigay Screen wobbles up/down ########################################################################### Index --------------------------------------------------------------------------- Introduction Introduction Abstract Virus Index Index to known viruses Virus Detection Utilities Acknowledgements & Credits Contacting the authors Checklist Quick Checks Calendar Index of virus names and aliases: Archie Arcuebus BBCEconet Bigfoot Boot CeBIT Code DataDQM Extend Filer FF8 Funky Garfield_I Garfield_W Handler Icon Icon-A Illegal Image Increment IRQFix Link Mode87 Module ModVir MyMod NetManager NetStatus Newvirus Parasite Poison RISCOSExt Runopt Shakes Sicarius Silicon Herpes Sprite SpriteUtils T2 Terminator Thanatos Traphandler Valid Vigay