LSD Docs

home *** CD-ROM | disk | FTP | other *** search

/ LSD Docs / LSD Docs.iso / FILEZ / lsd08.dms / lsd08.adf / 103 / 103

Wrap

Text File | 1988-02-16 | 21KB | 420 lines

VIRUS X 4.4 - By Steve Tibbett Typed in by STEVE TIBBETT. Edited by PARASITE. OVERVIEW Viruses are a nasty fact of life for computer users, and Amiga users are not immune. VirusX was created to give Amiga owners a simple and effective defense against these creatures. Viruses fall into two categories: boot-block and other. Boot-block viruses are so named because they live on the first two sectors of a disk, the boot-block. When a disk is bootable (like Workbench), these sectors tell the operating system where to go to load AmigaDOS code. A boot-block virus, however, points to its own code. It makes sure that the virus is activated before the AmigaDOS code is loaded. Even if this code is not malicious, this type of virus can still do damage. Many game programs use the boot-block for their own code. If a virus happens to over-write this code, the game will no longer work. Most of the viruses found so far have been of the boot-block variety. The "other" viruses are relatively new, and are tricky to find. These kinds of viruses attach themselves to programs, in some cases replacing them, and wedge their way into the system. VirusX is the best defense against these creatures. I encourage you to give VirusX to anyone who might need it. In particular, dealers and user groups should use VirusX. These folks, with the amount of disk copying they do, are particularly vulnerable to viruses. HOW TO USE VIRUSX VirusX should be run as part of the Startup-Sequence. To do this, simply use a text editor to modify your startup-sequence. Add a line that simply says "VirusX", and make sure that VirusX is in your c: directory. VirusX will open a small window to let you know it is there, and will automatically check any disk inserted into one of the 3.5" drives. (The startup-sequence is found in the S: directory of any AmigaDOS-standard boot disk, like Workbench. If you don't know how to edit this file, refer to your Amiga manual, the AmigaDOS manual, or Rob Peck's book "The Amiga Companion.") If VirusX finds something suspicious, it will post a requestor warning the user of either a specific virus or a non-standard boot-block. The user will be given the option to Remove or Ignore the potential virus. WARNING: A NON-STANDARD BOOT-BLOCK MAY NOT BE A VIRUS! This may either be a virus that VirusX doesn't know about, or it may be a custom boot-block for a commercial program. Make SURE that you know that the program is not using the boot-block for its own purposes before you re-write it. VirusX will ask you if you are sure before it does anything. (Programs which give you an AmigaDOS window are always safe to repair.) VIRUSX OPTIONS: COMMAND LINE OPTIONS When you first run VirusX, you have the following command-line options: -a Make virusx window active when run -c Don't check the CoolCapture vectors -k Enable KickTagPtr checking -q Check all floppies, then quit immediately -r Use this if you've 1 meg Chip RAM and using SetPatch -r -x## Set window X position -y## Set window Y position These commands are all given as arguments. For example: VIRUSX -a -x100 -y100 These commands would run VirusX, make the window active, and put it at position 100,100 (on the left-and side, halfway down) of the Workbench screen. ACTIVE WINDOW OPTIONS While VirusX is running, you may click on its titlebar with the left mouse-button and type the following commands: I Open the Info Window C Check all mounted floppies for viruses ESC Quit VirusX # Show bootblock in drive # (ie, 0 shows DF0:, 1 DF1: etc) Example: Click in the VirusX window and type the number "1" - VirusX will examine the disk in DF1: and will display the contents of the boot- block. This is not very useful any more, since most viruses do not contain any unencrypted text. Repeating the command, changing the disk in the drive just checked, or clicking in the window with the right mouse-button will cause VirusX to shrink back to "titlebar" size. You can get VirusX to display information about how many disks it has checked and what it has found by clicking on the VirusX titlebar with the right mouse-button. Clicking again will close the window. GENERAL NOTES MAIL The best way to contact me is through the electronic network services listed below. I've gotten far more VirusX-related mail than I thought possible, making it impossible for me to respond to "regular" mail. NUT ALERT There will be people who are thinking that I am some nut case trying to spread my own virus hidden under the guise of a virus checker. Well, just for you, I've included the C source code. Please, if you don't trust me, don't brand a useful utility as untrustworthy for no reason, CHECK THE SOURCE! Recompile it if you think I'm trying to slip a fast one by you. I just want to see viruses out of all our lives. DISTRIBUTION NOTICE This program is Copyrighted, but is freely redistributable (It's NOT Shareware). Do what you want with it, but Please don't use it for evil purposes. That's what I'm trying to prevent. If you are not sure that this is the most current version of VirusX, you should check with the following sources: The AmigaZone (American People/Link Network), BIX, Compuserve, and/or AmigaWorld. The latest version of VirusX is available for downloading from the aforementioned networks, or from AmigaWorld for the price of $5.00, for shipping and handling. I can be reached on BIX as "s.tibbett" and on People/Link as "SteveX". I'm also on Compuserve, but with their dumb numbering system, I can never remember who I am. A TALE OF TWO VIRUSES THE BYTE BANDIT VIRUS The Byte Bandit virus, once in memory, copies itself to a point just above the high memory pointer on the first hunk of RAM it can find. This means that it's not always in the same place. It then wedges itself into the Interrupt Server chain, into the vectors of Trackdisk.device, and creates a Resident structure for itself so it can hang around after reboot. It watches EVERY disk inserted, and will write itself to ANY bootable disk that is inserted! Also, if you Install a disk while this virus is active, it will copy itself back to the disk. This is why it has to be wiped out from memory. When VirusX finds this virus on a disk, it will also display a "Copy Count." This represents the number of disks which have been infected by that "Branch" on the "Tree" that the virus is on. If you infect a disk with your copy, and your copy is number 300, then that copy will be #301. If that copy infects somebody, that will be #302, but on YOUR copy, two infections down the line, there will be another #302. The copy count on MY Byte Bandit virus was #879. Note that VirusX will check RAM for this virus as well as the disk. This was necessary, as you can tell from the description above. Special thanks must go here to Dave Hewett, who, 2 days after I gave him a copy of the virus, gave me a printed, commented disassembly of the virus with meaningful labels and everything I needed to stomp it - Thanks Dave! Thanks must also go to Bruce Dawson of CygnusSoft Software, (author of that great program, CygnusEd), who went to the trouble of being the First person to send me this Virus. THE IRQ VIRUS The IRQ Virus is a recent Amiga Virus. This one stands out from the crowd: it is NOT found in the boot block. This Virus attaches itself to executable programs. It's prime target is the C:DIR command, but it will also look at your startup sequence and attach itself to the first executable program found in the startup- sequence. A sample chain of events: - You download or otherwise acquire a new program. This program happens to be infected. - You execute this program. - The Virus then attaches itself to memory (by taking over the OldOpenLibrary() vector) and adds a KickTagPtr (for no apparent reason). - Now, you're on DF0: and you run a program that uses the OldOpenLibrary() vector (hard to predict which ones do...). The Virus will open your startup sequence and pick the first filename it sees. If this file is executable it will write itself into that file. IF it's not executable, it will try to write to the DIR command on that disk. As you can see, this virus will only effect the first file mentioned in the startup sequence or the DIR command. The only way this Virus could possibly spread via modem is through deliberate sabotage, unless the uploader actually DID have the program as the first thing in his startup sequence before sending it to you. WHAT IT DOES This Virus is mostly a harmless joke. It does not appear to kill commercial programs or do anything malicious. It's not nice to have around, but it's certainly better than a malicious virus! It changes the title bar of the Initial CLI window when you boot, and it will try to write to any disk inserted - thus bringing up the "Volume whatever is write protected" requester whenever you insert a write protected disk. It will write itself to any disk from which you execute a file, overwriting either the DIR command or the first thing in the startup sequence. When this virus first installs itself (after reboot), it changes the title bar of the current window (usually the initial CLI window, since it IS the first thing in your startup sequence) to say something like "AmigaDOS Presents: The IRQ Virus, V41.0". This is a dead giveaway. This virus will not work under Kickstart 1.3 - you will get Software Error requesters whenever you run an infected program. I'm not sure why, but this is probably good. HOW TO KNOW IF YOU HAVE THIS VIRUS You cannot identify a file that has this virus in it just by looking at it. The virus encrypts the text parts of itself, and encrypts it differently on each copy, making it impossible to recognize. You can tell your system is infected if you put in a write protected workbench disk (or any disk that has a startup sequence), and the system brings up a "Volume <whatever> is write protected" requester. This indicates that this virus is in RAM attempting to infect your disk. Running VirusX 4.4 will tell you if this virus is in RAM, and VirusX will remove it from RAM. HOW TO GET RID OF THIS VIRUS To get the virus out of RAM, run VirusX 4.4. It will tell you if it found it, and that it removed it if it did. VirusX will check disks the same way that the Virus does - it will look at the startup sequence, determine if the first file found (or the DIR command) is infected, and give you the option of repairing the the damage. You can also get rid of this virus simply by deleting all infected programs and rebooting. This virus will not hang around after a reboot. Because this virus can hit a number of files, not all of which VirusX will find, I have included a small program by Dan James called KV - "KillVirus." This program will check an entire directory's worth of files for this specific virus. VirusX 4.4 will look in the same places as the Virus for infected programs. If it finds one, it will pop up a window, tell you where it found it, and ask if it's OK to remove it. HOW TO MAKE SURE YOU DON'T GET THIS VIRUS Keep VirusX 4.4 running when you test new programs. VirusX will alert you as soon as it sees this virus appear in memory. If VirusX finds this virus, it probably came from the last program you ran. TECHNICAL AND DEVELOPMENTAL NOTES SCA - The SCA is the simplest virus to deal with, as it's not actually DOING anything except hiding in memory until you reboot. We just look at CoolCapture and fix it to get it out of RAM. BYTE BANDIT - The Byte Bandit virus takes the DoIO() vector and redirects it through itself. Thus, any attempt to read or write the boot block (ie, AmigaDOS trying to figure out what kind of disk it is) results in Byte Bandit writing itself onto that disk. VirusX couldn't just rewrite the boot block; it has to get Byte Bandit out of RAM first. This virus also has an interrupt that crashes the machine every 5 minutes or so after it's infected a few of your disks. Ow. It stays in memory not via the Capture vectors, but by a Resident module. REVENGE - Basically, this is a Byte Bandit clone which brings up an obscene pointer a few minutes after you reboot. We treat it much like the byte bandit. BYTE WARRIOR - Jumps right into 1.2 Kickstart. Won't work under 1.3. Hangs around via Resident struct, and doesn't do any damage. NORTH STAR - Like SCA, hangs around via CoolCapture. Killing CoolCapture kills the North Star. OBELISK SOFTWORKS CREW - Hangs around via CoolCapture, also watches reads of DoIO(). It doesn't infect EVERY disk - only the ones you boot from. IRQ - This is the FIRST Non-Bootblock Virus. It copies itself from place to place via the first executable program found in your startup-sequence. It SetFunction's OldOpenLibrary(), has a KickTagPtr, and lives in the first hunk of an infected program. Thanks go to Gary Duncan and Henrik Clausen for being the first to send this one to me! PENTAGON CIRCLE - This one looks at the DoIO vector, and has a CoolCapture vector. It will write itself over any virus inserted, but not onto anything else. (Neat idea!). No danger, easy to eliminate. Holding left button while booting with this one shows different screen colour, but doesn't get rid of it. Thanks go to Bill Seymour (CMIBILL on Plink) for sending me this one! SYSTEMZ VIRUS PROTECTOR - I took this one out. It's not really a 'Virus', in that it won't overwrite a disk without asking you first. Besides, it seems a lot of people LIKE the SystemZ Virus Protector (though it isn't perfect). LAMER EXTERMINATOR - THIS one was a bugger. Yet another virus aimed at hurting people. Y'see, a Lamer is apparently the worst kind of pirate - one who doesn't crack software, doesn't write software, just collects names and addresses and collects and spreads software. Lamers don't do anybody any good, and the guy behind this Virus took it upon himself to make their (and our) lives miserable. This virus loads into RAM at a random location each time. It is encrypted on the disk so you can't SEE the name of it, and it never actually SHOWS the name, but it's definitely there. It changes the encryption key used each time it is written back to disk. It has a counter and will wait until the machine has been reset 2 times OR until 3 disks have been infected, and will then pick a DATA block (Only a DATA block - FFS disks are safe, I guess), randomly, and will write the word 'LAMER!' all through it. This is obviously not good, and will cause random disk errors. This is the worst kind of havoc to wreak on the new user - and this virus is EVERYWHERE! I've gotten it from 5 people in the last week alone (all from different countries! Ack!). Anyway, credit for being the first with this one goes to Christian Schneider. Thanks, Christian! This virus sets up a Resident structure, but never sets the Match Word. Either this means we don't need the MatchWord or it means his SumKickData() is doing the recovery job - either way, it's new! 3 points for originality. GRAFFITI - The first virus to come with rotating 3-d graphics! It's neat - you might want to trigger it, though I'm not sure how, before nuking it. This one just sets CoolCapture(), does something with DoIO() during the reboot, and sets it back to normal before anybody gets to look at it. Lots of code is taken by the graphics stuff. I just clear the CoolCapture vector. [yawn] OLD NORTHSTAR - Poof. 16 BIT CREW - Well, I didn't actually have to DO anything to get VirusX to recognize it, because it seems to operate like the Graffiti Virus. If the 16 bit crew is in RAM, VirusX will say it removed the Graffiti virus. DISKDOKTOR - I spent more time on this one than on any other. Y'see, this virus does lots of things. The first one, for some reason, was quite funny to me. It waits until you have rebooted 5 times. Each time you reboot after that, the virus eats 10K times the total number of reboots. After rebooting 10 times, you would be short about 100K. This virus also starts up another TASK. I'm not exactly sure when it happens, but another task named 'clipboard.device' will appear at a priority of -120, and will continually bash the Virus' vectors into the Coldcapture, Coolcapture, Warmcapture (which it sets to $ff000000 just to annoy), and the DoIO() vector. When I was working on this one, I figured I just had to restore the old values to the DoIO() vector, but as soon as I did so, the Virus restored them. Since I hadn't disassembled the entire thing, I didn't realize this until I wasted time looking for other faults. This one also allocates some memory, copies some code out of Exec into this memory, and executes it. I never bothered to figure out why - Once it's gone, it's gone. AUSTRALIAN PARASITE - Hey - I like this one! It says it will not destroy game bootsectors or corrupt disks, but it's still a Virus. What makes this one unique is the way it lets itself be known. After so many disk accesses (something like 600 blocks read off of a floppy), it turns your screen Upside Down! Nifty. You can still USE the screen upside down - it just looks a bit weird. It uses the DoIO() vector, the TD Read vector, starts at SysStkLower, and that's about it. It stays around via CoolCapture. Thanks to Martyn at 17Bit Software in England for being the first to send this to me. GENERC 64 - This virus is not really a worrie but just a hassel, It opens up with doing stuff like "Formating the BootBlock", "Erasing your Dos.Library", and "Trying to find and erase this program, but is weak in the attempt". Just use Ye Old' VirusX 4.4 and leave your problems behind. Thanks to Jim O'Donald for sending in the puppie. XENO - The Xeno virus does no damage that I can see. It has the word 'fastfilesystem' embedded in it, but as far as I can tell, this is only to make sure that it does NOT infect that file, so your hard disk will remain safe. It will also not infect any file which contains any non-alphabetical character (ie, it will infect 'Hello' but not 'Hello.exe'). LSD - This is a modified version of SCA, done by LSD. Harmless but irritating (fame at last!!) Thanks also to Robb Walton for being the first to send one of the other ones. VIRUS NOTES These are things that you probably should know, but may not, about what can happen with Viruses. - If you are trying to format a disk, and you always get a message that Cylinder #0 of the disk is bad, it's quite possible you have a virus in RAM (or a bad disk). This is because when the Formatter writes to block 0, some viruses will prevent this (trying to save themselves). When the formatter reads the block back to verify, it's not the same and it panics. - Some commercial programs will not work with some viruses in RAM. - Not all computer failures are caused by viruses! If you are having problems, and you have checked your disks with VirusX (and it reports them as clean), try looking elsewhere for the problem. - There is at least one virus that can (more or less accidentally) hit hard disks. Some of the viruses use the DoIO() vector to watch for any read (or write) attempts at block 0. Unfortunately, they do not always make sure that it is block 0 of the Floppy drive. If someone is writing to block 0 of the hard disk, and the virus intercepts this, it can write itself to the hard disk. The virus CANNOT load from hard disk - the hard disk's boot block is never executed. However, if your hard disk is an FFS volume, then writing the virus to it will have the effect of changing it to an OFS volume, making what's on it unusable. You can fix this with DiskDoctor (I believe), or using DiskX. - VirusX may NOT find some viruses if you run it after the virus is already loaded. In some cases - like the Lamer Exterminator virus - VirusX is sees what the virus wants it to see, not what's really there. Run VirusX BEFORE you run anything else, or BEFORE you load any suspicious disks. End.