Amiga Plus 1995 #1

home *** CD-ROM | disk | FTP | other *** search

/ Amiga Plus 1995 #1 / Amiga Plus 1995 #1.iso / fish-disketten / fish_841-850 / d842 / anticiclovir / anticiclovir.doc < prev next >

Wrap

Text File | 1994-12-13 | 49KB | 1,442 lines

AntiCicloVir V1.8-Documentation @ 1992/1993 by Matthias Gutt Kantstr. 16 W-2120 Lüneburg Germany Table of Contents: 1.0 Copyright 2.0 How to use AntiCicloVir 2.1 Checking memory by AntiCicloVir 2.2 Reset-Routine of AntiCicloVir 2.3 Checking disks by AntiCicloVir 3.0 Documentation of some AMIGA viruses - BGS 9 I+II - Bret Hawnes - CCCP - Color ( TURK V1.3 ) - COMPUPhagozyte I.1+I.2 - COMPUPhagozyte II or COMPUPhagozyte 3 - COMPUPhagozyte III A-C or COMPUPhagozyte 4-4b - COMPUPhagozyte IV or COMPUPhagozyte 4c - D-Structure - DAG Creator - DISASTER-MASTER V2 - Disktroyer V1.0 - Golden Rider - Gotcha Lamer - IRQ - JEFF Butonic V1.31 - JEFF Butonic V3.00 - LAMER LoadWb - LAMER VirusX - NANO - PP-BOMB - Return of the Lamer Exterminator - Revenge Of The LAMER Exterminator - SADDAM - Smily Cancer I+II - Terrorists - T.F.C. Revenge LoadWb - Traveling Jack - Xeno 1.0 Copyright The program `AntiCicloVir V1.8` is called PD-software, because I defined it so in the first time ! But now, I think I, must define it as Freeware, because I don`t want that everyone can change some parts of my program like in former times ... `AntiCicloVir V1.7a` is a linkviruskiller, which checks your disk & memory for linkviruses. It can detect known bootblock-viruses in memory, too. `AntiCicloVir V1.8` can check some addresses in memory, install a reset-routine and some things more ... It is a small & simple to use program to fight against AMIGA viruses - mainly linkviruses ! You can copy everyone this program and use it whenever you want ! You can spread this program with or without documentation on every disk. It is allowed, to install `AntiCicloVir V1.8` as utility on PD-disks. Not allowed is, the changing of a part of `AntiCicloVir V1.7c` or his documentation !I can`t take the responsibility for this program, but I`m interested in every bug report or new computerviruses !!! The following PD-series has got `AntiCicloVir V1.7a` from me: `AmigaLibraryDisks`, `TIME_PD`, `FRANZ_PD`, `Kick_PD`, `Exec_PD`, `Amiga Corner`, `Amiga Szene` & `GFS_PD`. and `GPD` ! Many thanks must go to Michael Petrikowksi ( Amiga-Szene PD ) for his help, while I was debugging AntiCicloVir ... You can get the newest version of AntiCicloVir from Daniel Lars Reuß, Eschen- weg 10, W-6470 Büdingen-Lorbach, Germany or from the TPDS ( Jürgen Dieterich, Rehhaldenweg 10, W-7060 Schorndorf, Germany ). Feel free to spread it ! 2.0 How to use AntiCicloVir `AntiCicloVir` is a small linkviruskiller, which can detect 30 linkviruses in this version ! It can detect 124 bootblock-viruses in memory, too ! It can be started from Workbench or from AmigaDOS. In the main-function it shows you in the system-vectors-table your KickStart- Version and the addresses of 26 important vectors. `AntiCicloVir` can check all files of a choosed directory for some linkviruses and remove them. The linkviruskiller installs, after every call, a little resident program in memory, which can check your AMIGA after a reset. You could use AntiCicloVir to check your system, if you copy it into the sub- directory :c of your Workbench-disk and if you write the following call in your `:s/startup-sequence`: AntiCicloVir -m The option `-m` is very important to use AntiCicloVir in the main-function !!! So AntiCicloVir can check your system every time, when you boot from your Workbench-disk and warn you if it found one known virus in memory. Unknown viruses could be detected by correct interpreting the system-vectors- table by the user hisself ! Another help is the resident routine of AntiCicloVir, which started her action after every reset and so could prevent a new virus-infection of memory ! 2.1 Checking memory by AntiCicloVir It exists two posibilities to check the memory ! The simplest posibility is to start AntiCicloVir by choosing his icon from the Workbench. In this case, the main-function of AntiCicloVir will be used. The other posibility is to call AntiCicloVir from the AmigaDOS or CLI. But in this case you MUST use any of the three options, because if you do this not AntiCicloVir tries to check the disk !!! The following three options are allowed: `-m`, `-n`, `-c` The most important & used option will be `-m` ! Enter: AntiCicloVir -m Now, AntiCicloVir will be started and greets you with a simple color-cycling. Then it shows you the system-vectors-table. It shows you your own KickStart-version in the title of the new window. The KickStart-version is mainly for AntiCicloVir important, because it must know the right ROM addresses, if it will wipe out a virus from your AMIGA`s memory ! If AntiCicloVir can`t recognize your KickStart-version, while detecting a virus in memory, it`ll try to reset the Capture-vectors or Kick-pointer and inform`s you, why it can`t kill this virus. In the system-vectors-table you will see seven important vectors from the ExecBase-structure: ColdCapture *, CoolCapture *, WarmCapture *, KickMemPtr *, KickTagPtr *, KickCheckSum * and RasterBeam ! From the exec.library you will see the vectors of Alert (), AllocMem (), FreeMem () PutMsg (), OldOpenLibrary (), OpenDevice (), DoIO (), OpenLibrary () & SumKickData () ! From the `intuition.library` you can recognize the vectors OpenWindow () & DisplayAlert (). From the trackdisk.device you can see the vectors BeginIO () & Close (). The vectors Open (), Write (), Lock () & LoadSeg () from the dos.library will be shown, too. And last but not least the BeginIO ()-vector of the `keyboard.device` ! After this AntiCicloVir check`s your memory for all known linkviruses & warn`s you with a little text in AmigaDOS & tries to kill the virus. Now the linkviruskiller check`s once more the memory, but now he looks for all types of known viruses - for example bootblock-viruses ! At last, after closing the intuition window AntiCicloVir installs a little resident program in memory from $7E000 ! He set`s the vectors CoolCapture * and SumKickData () on it`s address ! If you choose for option `-n` the same things happens like above mentioned, but only the color-cycling does not appear. By typing `-c` as option happens the same things like above mentioned, but without creating intuition window & installing reset-routine. 2.2 Reset-Routine of AntiCicloVir The Reset-Routine from AntiCicloVir stays every time at $7E000 in memory. It will be activat by jumping in CoolCapture * or SumKickData (). While starting about CoolCapture * the routine will be activated after a reset. The same simple color-cycling greets you ... She chechs the pointers ColdCapture *, CoolCapture *, WarmCapture * KickMemPtr * KickTagPtr * & KickCheckSum * and will clear them if she will find an unknown resident program. The routine clears the pointers not, if she found a known useful resident program. If you press the left mousebutton, while rebooting your AMIGA, the reset-routine makes `Harakiri` on herself ... Jumping into SumKickData () activates the routine, too. Then it`ll check the CoolCapture *-vector and set it on her own address, if he was cleared ! 2.3 Checking disks by AntiCicloVir To check one disk by AntiCicloVir you have not more to do, then to call AntiCicloVir by his name in AmigaDOS ( you can check disks only in AmigaDOS by AntiCicloVir ) and to name a path after the name ! The pathname stands for a main-directory or for a device. Example: AntiCicloVir Df0: ... will check all files from a disk in drive Df0: ! The linkviruskiller lists every filename on the screen and add the message `OK` to him, if he didn`t found a virus ! If he found a virus, he will add the message: `... contains NAME-virus !!!` heck with AntiCicloVir ! AntiCicloVir writes a short message in your startup-sequence after deleting the virus from disk. This could prevent some problems in AmigaDOS, if the virus has written his name for calling up in your startup-sequence ... 3.0 Documentation of some AMIGA viruses In the following annotation you will learn something about a few AMIGA viruses. Presupposition is only a small knowledge about ASSEMBLER-programming & the Amiga DOS: BGS 9 I+II This filevirus possibly is a mutation of the filevirus Terrorists. This one stands upside the crowd, because all other fileviruses use another mechanism to spread itself ... The BGS9 virus looks for the first executable program from your startup- sequence and copies it from his real place to the subdirectory `DEVS:` or if it can`t find this subdirectory to the main-directory and gives him an invisible name, which is called in hexadecimal $A0A0A0202020A0202020A0 ! After executing the first program from the startup-sequence of an infected disk, which is the BGS9 virus, the virus installs itself in memory and executes the original program, which stands invisible in `DEVS:` ! In memory the BGS9 virus uses the residents to turn on itself after a reset ! It sets KickMemPtr *, KickTagPtr * & KickCheckSum *. While every reset, it sets the vector OpenWindow () from the intuition.library to it`s own address. After every using of OpenWindow () the virus tries to copy itself like the above mentioned mechanism onto the next disk or shows you after four resets the following message: A COMPUTER VIRUS IS A DISEASE TERRORISM IS A TRANSGRESSION SOFTWARE PIRACY IS A CRIME THIS IS THE CURE BBBBBB GGGGGG SSSSSS 999999 B B G S 9 9 B B G S 9 9 Bundesgrenzschutz Sektion 9 B B G S 999999 Sonderkommando "EDV" BBBBBB G GGG SSS 9 B B G G SS 9 B B G G SS 9 B B G G S 9 BBBBBB GGGGGG SSSSSSS 9 The BGS9 virus set`s the OpenWindow ()-vector to it`s ROM-address, while the first using of this routine ! This virus is very harmless and causes no damage ! It shall work with KickStart 2.04, too ! To wipe it out of memory AntiCicloVir only had to clear the three Kick-Pointer. On disk it will find the virus and delete it. The BGS9 virus II works in all points like the old BGS9 virus. It differ from the old one in a new coding of one ASCII-sign and in a new invisible name : $A0E0A0202020A0202020A0 Bret Hawnes This one is a classical form of a filevirus ! It`s very easy to deal with that 2608 bytes long program. On infected disks you could find it as invisible file in the root-directory: $C0A0E0A0C0 ! But it isn`t very invisible ! Indeed you can`t see it in the startup-sequence, but if you list the root- directory of an infected disk you can see some irregulare signs ... The Bret Hawnes virus also copies itself as invisible file on every disk and writes it`s name in the startup-sequence. After every running of the startup-sequence the Bret Hawnes virus will be activate ! It stands every time at $7F000 in memory and sets the pointer KickTagPtr * & KickCheckSum *, further $6c ( interrupt ) and SumKickData (). At every time you cause a reset the Bret Hawnes virus will be activated by the Kick-pointer ! It sets OpenLibrary ()-vector on it`s own address and waits for the right time, when it can set the OpenWindow ()-vector. After that it sets OpenLibrary () to it`s ROM address. Bret Hawnes now, tries about the first calling for OpenWindow () to get a chance to copy itself from memory to disk ! After that it sets the OpenWindow ()-vector to it`s ROM address, too. Instead the tenth increasing the virus destroys some tracks of your disks ... After twenty minutes it shows the following message to you: GUESS WHO`S BACK ??? VEP. BRET HAWNES BLOPS YOUR SCREEN I`VE TAKEN THE CONTROL OVER YOUR AMIGA!!! THERE`S ONLY ONE CURE: POWER OFF AND REBOOT ! To find the right time-point for this message the Bret Hawnes virus uses the interrupt at $6c, to calculate the twenty minutes ... If some program tries to use the routine SumKickData () the Bret Hawnes virus will be activated and reinstalls itself in memory, if a former program has cleared the Kick-pointer ! To wipe out the virus from memory AntiCicloVir cleares the Kick-pointer and sets the vectors $6c & SumKickData () on it`s ROM addresses. AntiCicloVir too can find this filevirus on disk ! The Bret Hawnes virus destroys disks for the tenth increasing !!! CCCP The CCCP virus was the first one, which can copy itself as bootblock-virus and as linkvirus ! This virus also can stand in the bootblock and in any programs, which it had infected ... CCCP copies itself as an own hunk into every executable program and calculates the new hunk-header ( relocs etc ... ). You could recognized an infected file by the text `CCCP.VIRUS`, which you can find in every infected file ! If you boot from an infected disk or if you start an infected program the virus copies itself in memory and sets the vector CoolCapture * and $6c on it`s own address ! 50 times per second will AmigaDOS run a routine, on which is $6c pointing. That means, that CCCP have 50 times per second the chance to control CoolCapture * !!! You can`t clear CoolCapture * without setting $6c on it`s ROM address ! If you make a reset CCCP will became very lively per CoolCapture * and set`s the vectors DoIO () & OpenLibrary () to it`s own address. If you reboot from a non-write-protected disk CCCP at first tries to copy itself onto the bootblock ... After that it set`s DoIO () on it`s ROM address. Now it waits per OpenLibrary () for the right time to set OpenWindow () on it`s own address and OpenLibrary () on it`s ROM address ! As soon as AmigaDOS opens the CLI-Window CCCP tries to infect one file from your disks and sets OpenWindow () on it`s ROM address ! The CCCP virus is relative harmless, because it makes no damage, but it is very troublesome because the links ... If AntiCicloVir finds it in memory it sets $6c on it`s ROM address and cleares the vector CoolCapture * Now, this version can find it on disk ! Color ( TURK V1.3 ) This 2196 bytes long program is not really a virus, it`s a Trojan Horse ! It simulates a simple Color-demo, to deceive the user. If you start this program a little graphic demo will be shown to you. But careful ! This Trojan Horse contains the bootblock-virus TURK V1.3. Color is another form of Trojan Horses than the most of them, because it is very active participated in installing the TURK virus. It does not only install the virus TURK V1.3 in memory - No, it copies itself at $70000 into memory and copies the including bootblock-virus to $7F000 into memory ! Then it sets the vector DoIO () on it`s own address and CoolCapture * on a senseless address ! Every time you insert a disk into your drive Color tries to copy TURK V1.3 from $7F000 in memory to the bootblock of this disk. If you make a reset the senseless address in CoolCapture * crashes down your machine and you can nothing further do than to turn the power off ... AntiCicloVir can find and kill this virus in memory and on disk ! COMPUPHagozyte I.1/I.2 This two programs could we define as a mix of filevirus and a Trojan Horse ! Because this two programs camouflaged itself as viruskiller !!! COMPUPhagozyte I.1 is 1492 bytes long and simulates `Virus-Checker V4.0`. COMPUPhagozyte I.2 is 1148 bytes long and simulates `VirusX 5.00`. ( But I`d never heard anything about `VirusX 5.00`. I think the last version was 4.01 or so ... ) This both programs are not very professian ... They work only if they stand as `VirusX` oder `Virus-Checker` in the subdirectory `c` of a disk, from that you`re booting. They try to copy itself to $7C000 into memory, but they does not change any vectors - thats good. The COMPUPhagozyte fileviruses create an intuition window, which have likeness with `Virus-Checker` or `VirusX`. They wait for every inserted disk and copies themselfes from memory to subdirectory :c of that disk or they wait therefore that you close the window. I think this fileviruses can destroy disks ... AntiCicloVir have not to kill this viruses in memory, because they never stand in memory, but it can warn you if it founds some bytes of them at $7C000 ! On disk AntiCicloVir kill both fileviruses ! COMPUPhagozyte II/3 This 568 bytes long program could we call a bomb ! It simulates the clear screen command by clearing the window. But that does it not by a using ROM-routine, but by 30 return codes ... I think it was camouflaged as `cls` on every disk. After using this command it copies a reset-routine to $7C000, which does nothing more , than clearing ColdCapture *, WarmCapture *, KickMemPtr *, KickTagPtr* and KickCheckSum * after every reboot. That could cause, that another resident program will wiped out of memory while rebooting. This bomb is also very very harmless. AntiCicloVir can it kill in memory and on disk. Another viruskiller names this bomb COMPUPhagozyte 3 ! COMPUPhagozyte III A-C This group of fileviruses is a very strange form and stand upside the crowd ! All three types of this virus works with the same mechanism. They stand as invisible file in the root-directory, which is named in hexadecimal $A0A0A0A0 ! If you start those viruses, they try to copy the invisible file from the root- directory to $7C000 into memory, to install a reset-routine at $7C600, to install routine for increasing at $7E000, to set CoolCapture * on reset-routine and to set OldOpenLibrary () on routine for increasing. Every time one program uses the routine OldOpenLibrary () those viruses will wake up and try to copy the file from $7C000 to the root-directory of the next disk as invisible file, again. After that they overwrite the first four bytes of your startup-sequence with their name. If any program was called up at this place, which name was longer than four bytes, you will get an error-code at the next time you run your startup-sequence, because irregulare signs were left. But the fileviruses has copies theirself into memory before you get this error-code ! But because this error-code those fileviruses will betray theirself ... This three fileviruses will cause no damage and display no message. The following types exists: COMPUPhagozyte III A / 4 = 916 bytes COMPUPhagozyte III B / 4a = 892 bytes COMPUPhagozyte III C / 4b 0 900 bytes There is no differ between type B & C but many differs to type A: Type A can copy itself only onto a disk in drive df0: Type A needs KickStart 1.2 to work ! Type A causes in much cases GURU`s after it has increases ( program errors ) ! Type A contains the ASCII-text not in the head of the file like type B & C. AntiCicloVir have only to clear CoolCapture * and to reset OldOpenLibrary () to kill those fileviruses in memory. AntiCicloVir can kill those fileviruses on disk, too. COMPUPhagozyte IV/4c This 1008 bytes long filevirus stands as invisible name in the root-directory: $A0A0A0A0 It stands at every time at $7C000 in memory and uses CoolCapture *, OldOpenLibrary (), SumKickData (). If one program uses the routine OldOpenLibrary (), the virus comes in action and copies itself from memory onto that new disk as invisible file. Then it writes its name in the startup-sequence. After that it checks the vectors CoolCapture * & SumKickData () for it`s right addresses. If some program uses the routine SumKickData (), COMPUPhagozyte IV checks the vectors CoolCapture * & OldOpenLibrary () for it`s own address. This virus makes no damage. But it is very inconspicuous, so that you can`t recognize it for a long time ... AntiCicloVir have to clear CoolCapture * and to reset OldOpenLibrary () and SumKickData () to kill this virus in memory. COMPUPhagozyte IV will be detect on disk, too. Another viruskiller names it COMPUPhagozyte 4c ! D-Structure This 464 bytes short program is a malignant structure, which can increase like a filevirus. It can stand under every name on disk ! That`s new by fileviruses ... If you start it, it copies itself at $7C000 and sets OldOpenLibrary () to its own address. D-Structure isn`t resident. If any program use OldOpenLibrary () to open a library, D-Structure tries to find out which library shall be opened and if it is the dos.library, it opens this one by herself. Then it get the Dosbase-address and set`s OldOpenLibrary () to it`s ROM address. After that it sets Write () on it`s own address and installs a copy counter. After every five Write Processes, D-Structure tries to copy herself from memory to the new destination. It makes not more, than changing the rigster D2 for the buffer address on it`s own address and the register D3 for the length on it`s own length ... If one other program want to write a file on disk, now instead this file D-Structure will be written on disk ! This means: This structure can be everywhere ... She can stand as executable file on disk, as part of a datafile on disk, as block on disk etc. D-Structure could copy herself per modem or per printer ... That makes no sense, but so D-Structure can disturb some processes ... This is a new form of virus programming, I think. Because D-Structure causes her increasing not active but passive by changing some registers. She doesn`t contain a routine to open any library, to create a file or to write datas from memory to disk ... this one changes only a few registers ! The damages caused by D-Structure can be very multiple ! AntiCicloVir have to set OldOpenLibrary () or Write () to it`s ROM address to kill D-Structure in memory like on disk. DAG Creator This 7000 bytes long program is not a virus, but a virusmaker ! It creates a very simple mutation of the bootblock-virus SCA named DAG on every disk in drive DF1:, if you want that. But if you don`t have drive DF1: it causes a GURU !!! This program is very harmless, but very unuseful too. So that I think it`s right, if AntiCicloVir will wipe out it of your disk ... DISASTER-MASTER V2 This 1740 bytes long filevirus camouflaged itself as clear screen command in the subdirectory :c. Every time if you start it, it`ll clear your screen and set the cursor on the top of the new screen. But that`s not all ... It copies itself into AMIGA`s memory and sets the resident-pointer KickTagPtr * & KickCheckSum * to an own resident-routine. After every reboot it`ll set the vector DoIO () to it`s own address and try to copy itself onto the next disk into the subdirectory :c ! Then it writes it`s name into the startup-sequence with one option: cls * The option causes, that the virus, every time it`ll called from this startup- sequence, doesn`t clear the screen, therefore it can`t betray itself ... After one using of DoIO () DISASTER-MASTER sets this vector on it`s ROM address, again ! This filevirus can close the AmigaDOS window and create a screen like we know it from the workbench or it let disappear the AmigaDOS title or so on ... I don`t think, that it`ll destroy disks, but I`m not sure ... After some time it displays an alert and gives you the choice to kill the virus ... better use a viruskiller for killing it ! Because I think, it could mean with `self-destruction` your own disks ... AntiCicloVir can kill that filevirus in memory and on disk ! Disktroyer V1.0 This 804 bytes long bomb camouflaged herself as clear screen command like DISASTER MASTER V2, but it`s very dangerous ... Whenever you start this program it`ll clear the screen and set the cursor on the top of them. But it sets the AllocMem ()-vector on it`s own address in memory and installs a copy counter ! If the copy counter reached the worth 150 Disktroyer V1.0 destroys all disks in your connected drives and displays an alert ! AntiCicloVir can`t detected this one in memory, but it can detect and kill it on disk ! Disktroyer V1.0 is not resident. Golden Rider This one represents a new generation of linkviruses. Because it does not copy itself as own hunk into an infected file like old linkviruses did it, but it looks for the first hunk of an executable program and adds itself on it. Golden Rider changes the last command of this hunk ( mostly $4E75 = `rts` ) to $4E71 ( `nop` ), which causes, that the processor thinks, if he run`s this code, that the first hunk of the program doesn`t end at this position. Behind this position can Golden Rider write his virus-code. Now, Golden Rider have to add it`s own length to the two length worths in the hunk-header and the link is complete ! Every time you start an so infected program the linkvirus can install itself in memory. But in not every cases must that work ! If Golden Rider hangs on a routine in the first hunk, which only will be called from the main-program, if an error was caused, then Golden Rider will probably never activated ... Golden Rider stands every time at $7C000 in memory and sets the vectors CoolCapture *, DoIO () & Open () to it`s own address. After you reboot, Golden Rider will waked up by jumping in CoolCapture * ! Now it sets DoIO () to it`s own address and waits so long, if it can open the dos.library and set Open () to it`s own address. If you insert a new disk Golden Rider tries to copy itself from memory into one file of this disk. If any program use Open () Golden Rider tries to infect new files, too. Golden Rider causes no damages and displays no alerts or so ... AntiCicloVir only can detect and kill this linkvirus in memory ! Gotcha Lamer This one is a 372 bytes long bomb, which will be installed by a program named MINIDEMO.EXE, which links Gotcha Lamer into the following commands on dh0: c/dir, c/run, c/cd, c/execute The bomb itself copies it into memory and sets DoIO () to it`s own address. After some time it destroys your disks and displays an alert ( ` HAHAHE ... Gotcha LAMER !!!` ) ! AntiCicloVir can kill this bomb in memory but I`m not sure, if it can kill it on hard-disk ... Therefore it can detect and kill the creater of Gotcha Lamer MINIDEMO.EXE ! IRQ This famous old linkvirus was the first one on the AMIGA ! It looks in the startup-sequence for an executable file and tries to infect it. If it can`t find the startup-sequence it looks for the command DIR in the subdirectory :c and tries to infect it. IRQ extented a file to 1096 bytes. The linkvirus writes it`s own hunk at the first position into that file. Then it calculates all worths for a new hunk-header and the reloc-worths. If you start an infected program IRQ copies itself into memory and uses the residents by setting KickTagPtr * & KickCheckSum *. Further the virus sets the vector OldOpenLibrary () to it`s own address. Everytime when one program starts the routine OldOpenLibrary () the IRQ virus tries to infect the next disk. It`s harmless, but disturbing, because it prints the following text: `AmigaDOS presents a new virus by the IRQ-Team V41.0` This old linkvirus works only with KickStart V1.2 ! It makes no damges. AntiCicloVir can detect it on disk and in memory and kills it. JEFF Butonic V1.31 This filevirus stands every time as executable file on disk and will be called up from the `Startup-Sequence`. It copies itself into one place in CHIP-RAM and survives the reset via the residents by using KickTagPtr * & KickCheckSum *. Further the virus sets the vectors of DoIO () & $68 (Interrupt). This filevirus contains an illegal command, which never will be reached ! It cleares the vectors ColdCapture * & CoolCapture * and calculates a new ChkSum for ExecBase. After a reset, it can dislplay the following message about an Alert: `Einen wunderschoenen guten Tag I am JEFF - the new virus generation on Amiga * (w) by the genious BUTONIC dHV 1.31 /05.01.88 - Generation Nr. 00011 Greetings to Hackmack*,* Atlantic*, Wolfram, Frank, ... Miguel, Alex, Gerlach, and the whole Physik - LK from MPG !!` About DoIO () this virus can spread itself. It will infect every non-write-protected disk, which contains a `Startup-Sequence` ! It uses twelve different filenamenes to camouflage itself on disk ! The following entries we can find in the `Startup-Sequence`: - `AddBuffers 20` - `Add21K` - `Fault 106` - `break 1 D` - `changetaskpri 5` - `wait` - `Arthus` - `Helmar` - `Aloisius` - $A0A0A020 - $A020 - $2020 The filevirus can`t spread itself by using the filename $2020, because the AmigaDOS won`t start a file from `Startup-Sequence`, which name contains spaces ! If this JEFF virus has finished it`s spreading, it will jump to an absolute KickStart 1.2 ROM address from DoIO () ! That`s it, because it only works with KickStart 1.2 and causes under all higher systems Guru`s ! The virus checks the right address of it`s Kick pointer via using this vector, too. About the interrupt vector $68 it can show your some messages about the CLI title: - `Ich brauch jetzt`n Bier !` - `Stau auf Datenbus 128 bei Speicherkilometer 128 !` - `Mehr Buszyklen fuer den Prozessor !` - `Ein dreifach MITLEID fuer Atari ST !` - `BUTONIC !` - `Schon die Steinzeitmenschen benutzten MS-DOS ... einige sogar heut noch !` - `Schon mal den Sound von PS/2 gehoert ???` - `PC/XT - AT: Spendenkonto 004` - `Unabhaengigkeit & Selbstbestimmung fuer den Tastaturprozessor !` - `Paula meint, Agnus sei zu dick.` - `IBM PC/XT: Ein Fall fuer den Antiquitaetenhaendler ...` - `Sag mir, ob du Assembler kannst und ich sage dir wer du bist ...` Well, it jumps back from this routine to an absolut KS1.2 ROM address, too. It stands every time coded on disk, but it`s harmless, because it will make no damages. AntiCicloVir has to restore DoIO () & $68 and to clear the Kick pointer, to wipe it out from memory ... It can kill it on disk, too. JEFF Butonic V3.00 This 2916 bytes long filevirus stands as insible file with a name, which is called in hexadecimal $A0A0A0, in the root-directory of an infected disk. JEFF Butonic V3.00 writes his name in the startup-sequence. Whenever you run the startup-sequence the filevirus will be startetd and infects the memory of your AMIGA ! It uses the residents to survive the reset by setting KickTagPtr * & KickCheckSum *. The virus sets the vector DoIO () on it`s own address. Every time you boot or insert an non-write protected disk the filevirus copies itself from memory to the root-directory of that disk. JEFF Butonic V3.00 causes no damage, but prints some textes about the screen title ... About DoIO () the virus checks permanent the addresses of the Kick-pointers. A program named *JEFF* VIRUSKILLER creates this filevirus. AntiCicloVir can detect and kill this filevirus on disk and in memory. Lamer LoadWb This 4172 bytes long LoadWB command is a Trojan Horse, because it contains the old bootblock-virus LAMER Exterminator ! If you call this program, it installs the bootblock-virus in memory and then executes the LoadWb command ! The virus-oode of LAMER Exterminator stands uncoded in this Trojan Horse. AntiCicloVir detects Lamer LoadWB on disk and kills it. My linkviruskiller can recognize the bootblock-virus LAMER Exterminator in memory, too. Lamer VirusX This program with a lenght from 13192 bytes is a simulation of Steve Tibbett`s VirusX ! This Trojan Horse camouflages itself with the name VirusX 3.10. But it is not coded like the original VirusX and uses senseless devicename like `DF6:` oder `DF9:` ... This program can detect the following bootblock-viruses: Obelisk, North Star, SCA, Byte Bandit, Byte Warrior, Revenge, Pentagon-Slayer. Further it can detect the linkvirus IRQ. This is the one side ... But the other side is, that this program installs the bootblock-virus LAMER Exterminator X in memory. AntiCicloVir detects this Trojan Horse and kills it. It detect the bootblock-virus LAMER Exterminator X in memory, too. NANO This program with a length from 1444 bytes is a classical filevirus ... It stands by the name $A0A0A0A0 invisible in the root-directory of an infected disk and has written it`s name in the startup-sequence. Whenever you run the startup-sequence NANO will run, too. It copies itself to $7C000 into memory and sets the vectors CoolCapture *, OldOpenLibrary () & SumKickData (). After six resets the filevirus draws the flag of the german federal republic. If any program uses OldOpenLibrary () NANO tries to copy itself from memory onto the new disk. After six copies NANO displays the following alert: ... another masterpiece by N A N O !!! GREETINGS TO: Byte Bandit, Byte Warrior, DEF JAM, DiskDoktors, FANTASY, Foundation For The Extermination Of Lamers, I.R.Q. Team, Obelisk Softworks Crew, S.C.A., UNIT A ... Every time a program tries to use SumKickData () NANO can check the vectors CoolCapture * & OldOpenLibrary () to set them again on the virus addresses, if someone had cleared them. NANO is harmless and causes no damages. AntiCicloVir have to reset OldOpenLibrary () & SumKickData () and to clear CoolCapture *. AntiCicloVir can kill NANO on disk, too. PP-BOMB This 71308 bytes long file is the orign version 3.0b of the `powerpacker. library` by Nico Francios. But a group called QUARTEX, I think has added a routine, which could be danger for your hard disk ! Because the PP-BOMB looks in dh0: & dh1: for the file `why`, tries to set it on zero, looks for AmiExpress & tries to patch it and looks for some other files ... PP-BOMB cannot copy itself onto another disk, is not resident in memory and sets no vectors. We needn`t to look in the memory after this bomb ! Check your sub-directory `LIBS` with AntiCicloVir for this bomb !!! Return of the Lamer Exterminator This one is a complete new form of AMIGA virus. It`s called Disk-Validator virus, because it is using the mechanism of the Disk-Validator routine to increase ! This virus copies itself after every reboot over the original Disk-Validator in the subdirectory :L. Then it sets the BitMap-Pointer from the Root-Block to a senseless address on disk and causes so a Disk Validating Error. The Disk Validating Error will force AmigaDOS permanent to startup the Disk- Validator to create a provisional BitMap in memory, so that AmigaDOS can work with that disk. But that means, that every time you insert an infected disk, the Return of the Lamer Exterminator virus will automatic activate and can install itself in memory ... It`s resident in memory via KickTagPtr * & KickCheckSum * ! It sets many vectors ... BeginIO () from the trackdisk.device & I think, BeginIO () from the keyboard.device, too ! Because that, AntiCicloVir can only recognize that virus in memory, but not kill it ... On disk AntiCicloVir can recognize that virus, but must rename it ! It can`t kill it, because every time you insert an infected disk, Return of the Lamer Exterminator stands in memory. And even then, if this virus stands in memory, it opened the file Disk- Validator or uses a Write Lock on him. That means you can`t delete this file ! But if you rename :L/Disk-Validator to :L/LAMER-Virus - for example - it will not again started from AmigaDOS and can`t infect your memory ! After that your disk have a Disk Validating Error. That was the work of the virus ... To get rid of the Disk-Validating Error, you must boot from a disk, which contains the original Disk-Validator and then insert the disk with the Disk-Validating Error. Now the disk will be validate ... To get a valid BitMap you have to write or delete anything to/from this disk. Now the disk is health ! This virus is very malignant, because it can destroy your disks ! After some time it begins to look for some OFS or FFS data blocks on your disks & fills them with the word `LAMER!`. This destroys some of your files and causes read/write errors. But that`s not all ! The virus can destroy disks in all connected drives, whilst format them root- blocks !!! This disks are completely destroyed !!! Then it displays an alert: Return of the Lamer Exterminator You can health disks with read/write errors by using the command DISKDOCTOR. This virus will only work with KickStart V1.2/1.3. Revenge Of The LAMER Exterminator This filevirus exists in two variants: Revenge Of The LAMER Exterminator I & Revenge Of The LAMER Exterminator II From variant I exitsts two types ! I will mainly explain type 1 of variant I. The variants I+II stands as invisible file with the name $A0A0A0A0A0 in the root- directory. Type 2 of variant I camouflages itself as command DosSpeed ! But back to type 1 of variant I ! This virus writes it`s invisible name in the startup-sequence and will so every time you run the startup-sequence be started. To survive the reset it uses the residents and sets KickTagPtr * & KickCheckSum* But this virus sets a lot of other vectors more ... I don`t know them all and that`s the reason, why AntiCicloVir can`t kill it completely in memory ! AntiCicloVir offers you, that it had recognized this virus and cleared the Kick-pointer. If you really wont get rid of it, you have to make a reset !!! This virus is very malignant like Return of the Lamer Exterminator ! But I think, it have some errors. If it`ll started via startup-sequence, you get some problems with irregulare signs in the AmigaDOS window. It could happen, that you can`t find some subdirectorys on your disk, while working with the workbench and so on ... After eight minutes or four resets, begins the virus to destroy your disks. It formats the complete disk and displays a three page long alert: Revenge Of The LAMER Exterminator RED ALERT: It has come to my attention that the person using this computer is a LAMER (+) we the people , who are responsible for the "Revenge Of The LAMER Exterminator` Virus, believe that only intelligent folk are fit to use the AMIGA Personal Computer. Since you were apparently not smart enough to prevent infection of your computer and software by this virus ( You should have used a condom ), we must assume that you are a LAMER ( a.k.a. LOSER ) and therefore we had no alternative but to erase your floppy disk(s) in order to get your attention. - Press Any Mousebutton - We are eagerly looking forward to the first Amiga magazine that explains the inner workings of this brilliant ( at least we think so ) virus. However, we are not very confident, since the three versions of the original LAMER Exterminator virus have never really been analysed in any Amiga magazine. we have made this virus a little bit more aggressive so that more people will recognize it and hopefully will learn something as to overcome the dreadful disease of LAMERism By the way, the A in LAMER is pronounced like the A in DAY ( LAMER peolpe do not know proper English in our experience ) - Press Any Mousebutton - Signed Foundation for the Extermination of LAMERS. (++) (+) You can recognize a LAMER or LOSER as someone who can only use the Ctrl - Amiga - Amiga keys on his Amiga, and might even know how to load X-Copy ... (++) Due to the primitive and violent nature of some LAMERS, we have decided against revealing our real identies, so as to prevent unnecessary visits to the local hospital on our part ! Coming sonn to a theatre near you: +++ The Lamer Exterminator - A new Beginning +++ Rated PG - Press any Mousebutton to Continue Being a LAMER - AntiCicloVir can`t detect this virus on disk, if it stands in memory, because it manipulates the contens of some registers so, that no viruskiller will find this invisible file in the root-directory ! If you list the startup-sequence or if you list the root-directory, you will nowhere find the invisible $A0A0A0A0A0 because the virus in memory. Make also a reset and check your disks after removing Revenge Of The LAMER Exterminator from memory. SADDAM This one is called a Disk-Validator virus, because it uses the routine of a Disk-Validator for it`s own increase. SADDAM copies itself onto every disk you inserted or boot from and overwrites the original Disk-Validator in subdirectory :L ! If that disk doesn`t contain this SADDAM subdirectory creats it by itself this subdirectory ! It can infect every disk ! After that it sets the BitMap-pointer in the Root-Block to a senseless address, which will cause a Disk Validating Error ! This will force in later times AmigaDOS to startup the new Disk-Validator, which is in real the SADDAM virus ! Only to insert an infected disk reaches to get this virus in memory. It is resident via ColdCapture *. That means, that it`ll work with KickStart 1.3 too, if you make a reset without installing SetPatch r ! Because KickStart 1.3 has a bug in it`s system, will all other viruses wiped out from memory after a reset - not so the SADDAM virus !!! The virus sets the vectors BeginIO () & Close () from the trackdisk. device and comes so every time in action, if you insert a disk in your drive or if you boot from a disk or if you use in any other case the trackdisk.device ! Further the virus sets the vector of the Raster-Beam-interrupt on it`s own address ! Now, it can control permanent the right address of ColdCapture * and sets the vector again, if any other program had cleared it ! The SADDAM virus is very malignant and causes different damages !!! After a time it startes to look for some OFS or FFS data blocks gives them the name IRAK and coded the contents with a worth ! The programs standing in those data blocks won`t longer work and the disk get`s read/write errors ! Another damage has likeness with the virus Return of the Lamer Exterminator ! After a few time the virus startes to format disks in all connected drives ! This disks are completely destroyed !!! And shows you an alert: SADDAM Virus If AntiCicloVir finds the SADDAM virus in memory it sets the vectors Raster- Beam-interrupt, BeginIO () & Close () from the trackdisk.device on it`s ROM addresses and cleares ColdCapture * ! AntiCicloVir can kill the SADDAM virus on disk, but not repair the damages ! At first you have to correct the Disk Validating Error ! Please boot from one disk which contains the original Disk-Validator and insert after that the disk, with the Disk-Validating Error ! The original Disk-Validator creates a provisional BitMap in memory, so that AmigaDOS can work with those disk. To get a valid BitMap you have to write/delete anything to/from this disk ! If you want health a disk with SADDAM damage please use an universal virus- killer, which can check the blocks of a disk, too ! You must uncode the coded data blocks to get rid of the read/write errors ! But you can`t health disks, which the virus has formated ! Smily Cancer I + II The Smily Cancer virus is a 3916 bytes long linkvirus. It infects the first executable program it finds in the startup-sequence ! Smily Cancer works like all old linkviruses ( IRQ, CCCP and so on ... ). It copies itself as first hunk into the infected file and calculates a new hunk-header for the reloc worths for memory position correction and something more ... Every time you run the startup-sequence or an infected program, the linkvirus jumps at an absolut position into memory. Smily Cancer is resident via using KickTagPtr * & KickCheckSum * ! For increasing it sets BeginIO () from the trackdisk.device on it`s own address. Further it set`s SumKickData () on it`s own address, to check the Kick-pointer, if any other program uses this routine and set them again on the virus address, if it had cleared them ! After twenty increasings becams the Mousepointer a yellow head and the following text will be offered to you: Hi There !!! A New Age In Virus Making Has Begun THANK TO US ... THANK TO: --- CENTURIONS --- AND WE HAVE THE PLEASURE TO INFORM YOU THAT SOME OF YOUR DISKS ARE INFECTED BY OUR FIRST MASTERPIECE CALLED: `THE SMILY CANCER` HAVE FUN LOOKING FOR IT ... AND STAY TUNED FOR OUR NEXT PRODUCTIONS. CENTURIONS: THE FUTURE IS NEAR ! The Smily Cancer linkvirus causes no damges. AntiCicloVir can detect & kill this virus in memory, and on disk in this version. But it can`t get them out of an infected file !!! Don`t use this file !!! Smily Cancer II is called a 4676 bytes long Trojan Horse, which camouflages itself as LoadWB command on disk. If you run this program it installs the linkvirus Smily Cancer in memory and executes after that the LoadWB routine ! AntiCicloVir can detect & kill this Trojan Horse ! Terrorists The Terrorists virus has a length from 1612 bytes and works like the BGS9 virus. This filevirus looks for the first executable program in the startup-sequence and copies it from it`s original place on disk to an invisible file in the root-directory, which is called in hexadecimal $A0202020A02020A020A0A0 ! Itself copies itself at the old position of the original program. If you now run the startup-sequence at first the Terrorists virus will be started and copies itself into memory and later the virus executes the invisible file, which is the original program. Terrorists uses the residents to survive the reset via KickMemPtr *, KickTagPtr * & KickCheckSum *. After every reset it sets the vector OpenWindow () to it`s own address in memory and tries to copy itself from memory to disk, if AmigaDOS startes the routine OpenWindow () to create the AmigaDOS window ! After that it sets the vector OpenWindow () to it`s ROM address ! After four resets it offers you the following message: THE NAME HAVE BEEN CHANGED TO PROTECT THE INNONCENT ... THE TERRORISTS HAVE YOU UNDER CONTROL EVERYTHING IS DESTROYED YOUR SYSTEM IS INFECTED THERE IS NO HOPE FOR BETTER TIMES THE FIRST TERRORISTS VIRUS !!! The Terrorists virus is very harmless and destroys nothing ! AntiCicloVir have to clear the Kick-pointer to wipe it out of memory. It can detect it on disk, too. T.F.C. Revenge LoadWb This one is a 2804 bytes long Trojan Horse, which is camouflaged as LoadWB command on every disk, it was installed. If you run it, it`ll install the bootblock-virus T.F.C. Revenge in memory, at two positions: $7F800 & $FF800 The T.F.C. Revenge virus is a mutation of the EXTREME virus ! After that it executes the LoadWB routine ! AntiCicloVir kills this Trojan Horse & the bootblock-virus in memory ! Traveling Jack This little linkvirus differs in some points from the most other linkviruses. If it infect one file it can use two different hunk-length to deceive viruskiller ! But this linkvirus can create an own file on disk too, which have the name: VIRUS.xy The variables x & y stands for hexadecimal ciphers, which will determined via $BFE001. This file hast a length from 198 bytes and contains the following text: The Traveling Jack ... I`m traveling from town to town looking for respect, and all the girls I could lay down make me go erect. - Jack, 21st of Semptember 1990 This linkvirus uses only one vector from the Dosbase-structure and is not resident ! It uses dl_A5 ( Offset $2E ), which contains datas from the addressregister A5 to buffer them. The Traveling Jack linkvirus causes no damage ! But AntiCicloVir can only detect & kill it in memory - not on disk ! Xeno This linkvirus has a length from 1124 bytes. It infects the first executable program, it finds in the startup-sequence. But it doesn`t infect every program. It looks only for programs, which have the following signs in it`s filename: 0-9, a-z, A-Z It doesn`t infect programs with special signs ! This linkvirus don`t increases the hunk-number ! Xeno isn`t resident and uses only three vectors from the dos.library: Open (), LoadSeg () & Lock () Every time you or a program open a file, you or the AmigaDOS loads a file to run it or you or AmigaDOS sets a Lock for a directory, the Xeno virus becomes lively and tries to infect a file. The Xeno virus can display the following message: Greetings Amiga user from the Xeno virus ! The Xeno virus makes no damage. If AntiCicloVir finds it in memory, it`ll set the vectors Open (), LoadSeg () & Lock () to their ROM addresses. In this version now, AntiCicloVir can find the `Xeno`-Linkvirus on disk, too ! Have a nice day !!! Matthias Gutt Kantstr. 16 W-2120 Lüneburg Germany