OFFLINE version of the English documentation for the program

Safe
written by

Zbigniew `Zeeball` Trzcionkowski

Read all, please!

Safe is a FREEWARE program
(c)1998-2001 by Zbigniew `Zeeball` Trzcionkowski

[Description][Requirements][How it works][Parameters][Author]


DESCRIPTION

Safe is a small CLI command to detect [linkviruses] in your system. It checks memory and itself only while running and does NOT stay resident anywhere in memory.
The only resident part is the TCP patch - see TCPPATCH/S
Safe allows you to remove MOST patches from (New)LoadSeg - see VECS/S

All you have to do is run my installer script, or copy the Safe icon to any HD partition and run it whenever you need to (after using any new software etc.). Don't forget that running Safe more often means a safer system, so you can also add Safe to the buttons of DOpus, Diskmaster etc. Example for Safe with Diskmaster:
AddCmd Parent, 10, Parent ; StdIO "CON:0/12/640/100/Alert!/AUTO"; Extern Safe;StdIO CLOSE

Don't rename the Safe file if you want to run it from an icon!
Do NOT try to crunch the Safe executable file!
Update to the latest version of xvs.library. (To get the version numbers of the current xvs.library and Safe, type `safe VER` in a Shell.) Safe can only discover new viruses when its file is placed on a write-enabled device with some free space. The RAM: device cannot be used since it is always 100% full, and most viruses can't infect files placed in RAM:

If Safe finds nothing, you will not see anything. If a virus is found, you have to run a virus killer, e.g. VirusChecker, to remove it.
If a new/unknown virus is discovered, send it to the author of your antivirus or to VHT-DK. You can send the file to me too.

REQUIREMENTS

AmigaOS 2.0 or newer.

For recognition and memory removal of known viruses, you need the xvs.library by Georg Hormann and Alex van Niel.

To write a report with the REP parameter, and to write from memory with SAVEMEM or DIS, you need asl.library v38+

DIS option requires also disassembler.library by Thomas Richter.

To install the TCP patch, the `resident` command must be in C:
Other problems should be sent to:
zeeball@interia.pl

HOW IT WORKS


The file is written in a special format that provokes infection by known [linkviruses]. I think that 90% of [linkviruses] will attack this file, so they can be detected. [TCP: trojan/virus] activity can also be detected with the installed TCP patch (at least the most stupid ones).

PARAMETERS

Safe offers the following template from CLI/Shell:

REBOOT/S,RENRAM/S,TCPPATCH/S,VER/S,REP/S,WBLOCK/S,VECS/S,OWNOUT/S,SAVEMEM/S,MOUNTSIZE/N

REBOOT
Causes a standard reboot WITH clearing of the reset vectors; as of Safe version 13.7 the TC register of the MMU is also cleared. This helps the reboot to complete with a mapped ROM (on my strange config, he he).
RENRAM
Renames Ram Disk: to Ram:. This helps with some programs.
TCPPATCH
Installs a patch to detect TCP: trojans/viruses.
VER
Shows the version numbers of Safe and xvs.library.
REP
Opens a file requester to save Safe's report to a file.
WBLOCK
Performs LockPubScreen(NULL) to prevent the WB from closing, especially for some system-unfriendly games (e.g. UFO Enemy Unknown)!
VECS
Shows some system vectors, and also shows the result of a simple heuristic check.
Most of the tested viruses resulted in Suspicity=50+, but don't forget that this is only a suspicion, so legitimate patches can cause big numbers too!
It allows you to remove any patches from LoadSeg and NewLoadSeg! You will be asked whether to remove each patch or not.
CLRVBR
Sets VBR to 0.
OWNOUT
Forces the use of a new CON: window to talk with the user.
SAVEMEM
Saves memory to a file. You will be asked for the start address and end address, and then to choose a filename from an asl requester.
For a file size >100kB you must confirm.
Note that some areas cannot be accessed, e.g. $dffxxx!
MOUNTSIZE
If you enter a length (decimal), it will be compared to the length of C:mount. This is useful to detect those stupid TCP: hackers.
DIS
Almost the same as SAVEMEM/S, but the saved block is disassembled. This option requires disassembler.library by Thomas Richter.

AUTHOR

Zbigniew Trzcionkowski
Astrow 7
43 250 Pawlowice
Poland

Send me bug reports, ideas and infected files.

100% response to all disk senders

e-mail: [zeeball@interia.pl]


You can download Safe from VHT-DK page: [www.vht-dk.dk]
Look for newest versions in Aminet - util/virus!

Special thanks to:

ADDITIONAL INFO

hunk
In an AmigaDOS executable file, a hunk is one part of the file. When you run a program, the system function LoadSeg loads the different hunks of the file to different places in memory.
The most popular hunks (called sections in assembler) are:


linkvirus
means a real virus. A classic Amiga linkvirus adds its code to executable files in order to spread with them. When a user runs an infected file, the virus code is executed and hooks itself into one of the system functions (LoadSeg, Write, Open etc.). When that function is used, the virus tries to infect another file. On the Amiga there are two main ways of file infection:

[first hunk increasing]

[hunk adding]


first [hunk] increasing
adds the virus code at the end of the first hunk (if it is a [code hunk]) and replaces one of the MC680x0 instructions with a jump to the virus code. The most popular instructions to be replaced are: RTS, BSR, JSR, MOVE.L 4.W,A6.
Safe from version 11.0 can display some of the changed instructions.


[hunk] adding
adds [hunk(s)] containing the virus code to the file. It is NOT so easy to write a good hunk adder, so first hunk increasers are more common. Other comparable methods are adding a new [hunk header] etc.
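Both infection methods above change the hunk layout of the victim file in a way that a baseline comparison can show: first hunk increasing grows the first code hunk, hunk adding raises the hunk count. The following added example (Python, not Safe's own code, which relies on xvs.library for real detection) parses the AmigaDOS hunk structure and names the method a changed layout is consistent with. It assumes only HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS, HUNK_RELOC32 and HUNK_END occur; the sample files are constructed in `build`.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_END = 0x3EC, 0x3F2
def parse_hunks(data):
    """Return [(hunk_type, byte_length), ...] for an AmigaDOS executable."""
    def rd(i):  # big-endian longword at offset i, plus the next offset
        return struct.unpack_from(">I", data, i)[0], i + 4
    magic, i = rd(0)
    if magic != HUNK_HEADER:
        raise ValueError("not an AmigaDOS hunk executable")
    n, i = rd(i)
    while n:  # resident library names: length in longwords, then text
        i += 4 * n
        n, i = rd(i)
    _table, first, last = struct.unpack_from(">III", data, i)
    i += 12 + 4 * (last - first + 1)  # skip table header and per-hunk sizes
    hunks = []
    while i < len(data):
        kind, i = rd(i)
        if kind in (HUNK_CODE, HUNK_DATA, HUNK_BSS):
            words, i = rd(i)
            hunks.append((kind, words * 4))
            if kind != HUNK_BSS:  # BSS carries only a size, no bytes
                i += words * 4
        elif kind == HUNK_RELOC32:
            cnt, i = rd(i)
            while cnt:  # (count, target hunk, offsets...) until count == 0
                i += 4 + 4 * cnt
                cnt, i = rd(i)
        elif kind != HUNK_END:
            raise ValueError(f"unsupported hunk type 0x{kind:X}")
    return hunks

def classify(baseline, current):
    """Name the infection method a changed hunk layout is consistent with."""
    b, c = parse_hunks(baseline), parse_hunks(current)
    if len(c) > len(b):
        return "hunk adding"
    if c[0][1] > b[0][1]:
        return "first hunk increasing"
    return "unchanged" if b == c else "other change"

def build(code_blobs):  # constructed sample: one HUNK_CODE per blob, no relocs
    sizes = [len(blob) // 4 for blob in code_blobs]
    out = struct.pack(">IIIII", HUNK_HEADER, 0, len(sizes), 0, len(sizes) - 1)
    out += b"".join(struct.pack(">I", s) for s in sizes)
    for blob in code_blobs:
        out += struct.pack(">II", HUNK_CODE, len(blob) // 4) + blob + struct.pack(">I", HUNK_END)
    return out
```

A grown first hunk or an extra hunk is only a layout change, not proof of infection; a recompiled program shows the same thing, which is why the real decision is left to xvs.library.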


TCP viruses/trojans
Normal viruses or trojans (faked libraries, programs) that open a remote network backdoor by creating a secret shell on the TCP: device.

Example of shell names
To detect this kind of illegal activity I have added the `TCPPATCH` parameter to Safe, which shows a message when something tries to create a shell on TCP:, as in the known attacks by Fungus or Vaginitis.
TCP e-mail senders are not supported because I don't know how to recognize them.