Software 2000

home *** CD-ROM | disk | FTP | other *** search

/ Software 2000 / Software 2000 Volume 1 (Disc 1 of 2).iso / utilities / u552.dms / in.adf / Virus_Checker.doc < prev next >

Wrap

Text File | 1997-10-30 | 43.6 KB | 939 lines

Virus Checker ------------- This Program Virus_Checker is a freely distributable, copyrighted piece of software. You do not have to pay money to use it, and may upload it wherever you choose, but you are not allowed to sell Virus_Checker for profit, or include Virus_Checker on a disk which is sold for profit, without the author's (John Veldthuis) permission. Commodore have this permission already. MegaDisk also have this permission. Money is not solicited but would be welcome. I can be contacted at the address below. Please send me any more new viruses so I can update Virus_Checker But please don't send a letter asking for a copy without sending me at least a disk to send it back on. I just cannot afford to do this. John Veldthuis 21 Ngatai Street Manaia, Taranaki New Zealand Phone (0624) 8409 Email addresses: FIDO 3:771/400.0 USENET johnv@tower.actrix.gen.nz I have been asked to include the following: Virus_Checker can be kept up to date thanks to the energy and work put into a global anti-virus information bank founded by Erik Løvendahl Sørensen from Denmark. This group has over 120 international members now, among them some of the programmers of well known anti-virus programs like Steve Tibbet and Jonathan Potter. Among the activities of this group are: - Spreading information to anti-virus programmers as fast as possible. - Trying to get names and proof against virus programmers and giving the information to the justice department of his/her country to press charges. - Writing articles in popular magazines to inform new Amiga users about viruses and how to protect themselves. All this is volunteer work. If you want some more information about this organization or you want to sponsor our work, contact Erik at the following address: REWARD $ 1000: ------------- Do you know a virus programmer, you can get a reward $ 1000 for his name and address. The fact is that the law punish data crime very, very.. hard. (5 years in jail in most countries). We are an international group with 200 members, who have started a work to try stop virus spreading . Let me give you some examples: Erik Løvendahl Sørensen Snaphanevej 10 4720 Præstø Denmark - Europe Phone: 00 45 53 79 25 12 Fidonet 2:230/114.26 Notes for Enforcer Users ======================== If you run the program called Enforcer then you will get a few hits when Virus_Checker starts up as it looks for viruses. You will also get hits if you do the memory scan again. Nothing can be done about this as this is the only way to find some viruses. To use Virus_Checker , place in your startup-sequence the following line - Virus_Checker This will run virus_checker. Or from the CLI Type Virus_Checker and hit return. You can also double-click on Virus_Checker's icon from Workbench ****** Special Notice for Users of File Packers and Crunchers ****** If you use a program such as PowerPacker to make your files smaller then be aware to check these files before you crunch them. If the file is infected and you crunch them then VC will not find the virus in the file and each time you use that file it will infect your machine. VC will still detect the virus in memory and remove it okay. So if you get VC telling you your memory is infected but you cannot find it on any disks then start unpacking any of these files and check them UNPACKED. **New features** ---------------- New Features added to Virus_Checker are added to the command line. The syntax is Virus_Checker -l### -t### -w### -b -q -n -c -u dirname where ### is any decimal number -l### Tells Virus_Checker how far from the left edge of the screen to open the Virus_Checker window. -t### Tells Virus_Checker how far down from the top edge of the screen to open the Virus_Checker window. -w### Tells Virus_Checker how wide you want the window. It has a maximum size of 386 pixels and a minimum of 200. Any numbers out of this range are ignored. -b Tells Virus_Checker to send its window to the back of all the other open windows. -n Tells Virus_Checker not to open a window. It will check memory and disks inserted but you will have to use the ARexx port to get it to scan the whole disk for Link/File viruses. To stop VC, run VC again or use the ARexx port. Versions prior to 5.33 opened a 1x1 bit backdrop window but 5.33 on do not open any window except requester windows when needed. -q Virus_Checker will check all memory, files, and disks for viruses then exit. To check the dh0: partition and exit do the following - Virus_Checker -q dh0: This will check memory, disks, files, and dh0:, then exit. -c Disable loading of Config file. You get the defaults. -u Tempory Option for WB2 user untill other interface is done Bring up the User Interface before starting Virus_Checker. Only available under WB2. dirname is the directory/file you want checked for File Viruses on startup. An example to open the window at x/y position of 200/100 and check DH0: is Virus_Checker -l200 -t100 dh0: Any values outside the size of the WB screen are ignored and any non numerical values are ignored. There must be no spaces between the options and the numbers. Options may be given in any order. *** AREXX PORT added *** ------------------------- An Arexx port has been added to VC so you can make VC do things from an ARexx script. The port name is Virus_Checker. Be aware that case is important and ARexx will not find it if the name is not spelt right. Here is an example address 'Virus_Checker' /* Talk to Virus_Checker */ 'checkdrive\df0:' /* Make virus_Checker check df0: for viruses */ 'scanforsaddam\df0:' /* Make VC check df0: for Saddam virus damage 'quit' /* Make Virus_Checker shut down */ Notice the '\' between the command and the drive name in the middle examples. This must be put between all commands and their options. 'quit' does not take an option so does not need the '\' character there. Virus_Checker will understand the following commands checkdrive\drivename Check drive drivename for file viruses. scanforsaddam\drivename Check drive (DF0:-DF3) for Saddam damage. quit Make Virus_Checker shut down. Added for the configuration control ----------------------------------- (on\off) means enter one eg. resident\on *** These will change as well when new interface is done. resident\(on/off) If off VC will check then quit (affects startup) backdrop\(on/off) If on make VC window a backdrop window window\(on/off) If off VC will not open it's window saveconfig Save the configuration file to S:VCConfig openwindow Make User Interface screen open These next ones will change checkbb\df?: (on/off) Turn on/off checking of BootBlocks (? = 0-3) checkfile\df?: (on/off) Turn on/off checking of Files on floppies (? = 0-3) None of the ARexx commands returns results to Arexx. As from Version 5.27 -------------------- If Virus_Checker is already running and you give it a blank command line then it will ask you if you want to stop Virus_Checker. If you give it a directory/File name then it will be passed on to the running Checker and the scan will start straight away. If you select the VC window and press the s key this will bring up the disk scan requester and if you press the m key, VC will do another complete memory scan. Upon running Virus_Checker will first check your memory for viruses and tell you if any were detected. They will either be removed or disabled. Next all disks in the drives will be checked. Any disk put into any drive (df0: to df3:) will be checked. The rest is easy. Sometimes the machine may GURU when it disables the LAMER Exterminator virus in memory but if you reboot it should be gone. Keys Active when Virus_Checker window is active ----------------------------------------------- The Following keys will activate the following functions s - Will activate the Scan mode (Or Right-AMIGA S key) m - Will immediately do a complete memory scan (same as startup) f - Will activate the Saddam Disk Scan (used to fix Saddam virus damage) (or Right-AMIGA F key) 0 - 3 Will check the First File in startup-sequence and bootblock on disk in drive which matches number Right-AMIGA Q. Will shut down Virus_Checker Link/File virus check --------------------- If you want to check a disk for Link/File viruses then put the disk in any drive. Make sure the Virus_Checker window is active and use the right mouse button to bring up the Project Menu. Select the "Link/File Scan" and release the mouse button. An alternative way is to just press the 's' key on the keyboard. This will bring up a requester asking you which drive to check. Enter the drive name in the box, eg. DF0:, DH1:,RAD: etc. Under WB2.0 you can also use the "Use Requester" option It will then check all the files on that drive. You can also enter directories if you want to eg, c: df0:c, df0:libs etc When Virus_Checker is scanning the disk and you know that a directory is clear and don't want to check it press control-d in the window with the filenames and Virus_Checker will ignore that directory and go back up one level. If you want to stop the check completely press control-c in the window with the filenames and Virus_Checker will print a break message then stop scanning the disk and go back to normal scanning. If Virus_Checker brings a requester up that says a program just run has infected your memory with the Xeno Virus, it has already disabled it. You should immediately check all files on the disks that are in the drives at that time. This means that a program that you just ran or a program some other program just ran is infected with the virus and all files should be checked to find out which one it was. With viruses which use a RomTag I have decided to clear out all RomTags to make sure I remove the Viruses from the list. In doing this you will lose things like Recoverable ram disks such as RAD:, VD0: etc. If you have a virus make sure that you save anything in the ram disks that you want before rebooting. The ramdisks and others will disappear on a reboot. My policy is better safe than sorry. BRAINFILE ADDITION ------------------ I have added a BrainFile to Virus_Checker as of Version 5.13. When VC finds a Non-Standard bootblock it will bring up 4 gadgets. The new Gadget is Learn. Pressing this will allow VC to remember this BootBlock and not bother you again with it. To do this VC writes a file called VCBrainFile to the S: directory. If you have a single drive this will invoke a requester asking that Volume something be put in the drive. This will then save to the file. On Startup VC will check for the file in the S: directory and read it if it is there. If not it will carry on without it. If you get an error then VC will tell you about it and will happily write over the file next time. CONFIG FILE ADDITION -------------------- This is a tempory thing and will change with teh next release Use it at your own risk. Virus_Checker will now look in the S: directory for a file of VCConfig. This file can be used to turn on/off certain parts of Virus_Checker. It is intended to be changed with a User Interface under WB2. Under 1.3 you will have to use a Binary File Editor or use the AREXX interface to set things the way you like them and save the config file. Here is the layout. Offsets ---- 0-3 VCCF ;Text Chars to show VC it is a config file 4-5 Num ;Window Left Edge (Binary in range of 0-400) 6-7 Num ;Window Top Edge (Binary in range of 0-200) 8 0 or 1 ;1 = turn on checking of BootBlock in drive 0 9 0 or 1 ;1 = turn on checking of BootBlock in drive 1 10 0 or 1 ;1 = turn on checking of BootBlock in drive 2 11 0 or 1 ;1 = turn on checking of BootBlock in drive 3 12 0 or 1 ;1 = turn on checking of Files in drive 0 13 0 or 1 ;1 = turn on checking of Files in drive 1 14 0 or 1 ;1 = turn on checking of Files in drive 2 15 0 or 1 ;1 = turn on checking of Files in drive 3 16 0 or 1 ;0 = do checks and then stop Virus_Checker 17 0 or 1 ;1 = Open a window for Virus_Checker 18 0 or 1 ;1 = Virus_Checker uses a Backdrop window 19 0 ;Just a filer 20-139 Text ;Name of Virus_Checker brain File (S:VCBrain) All numbers except the VCCF and the Text of the BrainFile name are binary numbers. REMEMBER this will change so be warned. Versions -------- 1.0 - Was an arp.library version. 1.1 - Was an port to the normal libraries. 1.2 - Had the ByteBandit virus detection added into it. 1.3 - Had detection of the 3 Viruses in memory and removal of them. 1.4 - Added code to detect + remove the Byte Warrior Virus from memory and disk. 1.41 - Found a slight bug when using DSM to disassemble this. The program was testing low memory instead of a value when checking for the Revenge Virus. 1.42 - Changed code to be assembled by the CAPE 68K assembler. which is much faster than A68k or Assem. Now also uses base register addressing mode for data access. 1.43 - Changed code to cut down executable code. 2.0 - Added Pentagon, System Z, North Star, Obelisk and the new IRQ virus which lives in files and not in the Boot Block. 2.1 - Corrected a few little bugs in program. 3.0 - Did a listing of Source code and found many bugs. Did a major rewrite to clean it up and saved about 400 bytes. 3.0 - Now checks for these viruses - SCA, AEK, Byte Bandit, Byte Warrior, Revenge, Pentagon Circle System Z, North Star, Obelisk, Disk-Doktors and the latest IBM type virus the IRQ virus. 3.01 - Got a new virus, Lamer Exterminator. Added code to get rid of it. 3.02 - Got a second version of the Lamer Exterminator virus. 3.03 - After many requests decided to add checking of BootGirl BootBlocks which were being registered as Non-Standard. It now just ignores BootGirl BootBlocks. 4.00 - Updated to make better use of the Stack. Now store all variables on the stack for a saving of 124 bytes in the executable. 4.10 - TimeBomb virus added to code. 4.20 - Altered startup code to start a separate process to avoid doing a RunBack -2 Virus_Checker. 4.22 - Added Gadaffi virus to checker. 4.23 - Found a potentially Fatal Error in Code when accessing Unit Byte off the Stack. 4.24 - Added Graffiti, Ultra Fox, and Phantasmumble Viruses. 4.25 - Added BSG9 virus to code. 4.26 - Changed Error Checking on BSG9 virus a bit. 4.27 - Got the War Hawks virus and added it. Also added V3 of Lamer Exterminator virus. Changed checking for BSG9 virus. Now checks when disk is inserted into drive. 4.28 - Found I was losing the memory that was used by the program when it exited. This was caused by me not UnLoading the Segment used for the program. Fixed. 4.29 - Found program got into a continuous loop when there where no RomTags present in the system. Fixed. Also cut code size down a bit more by combining a few checks. 4.30 - Put further checking in for the BSG9 virus as sometimes the checker would not find the file on the disk depending on which directory it was in. Put VKill virus checking in. Also Ultra Fox and PVLProtector virus checking added. 4.40 - Put in DosSpeed virus and an Unknown virus. 4.41 - Stopped Requester that comes up after pulling disk out. 4.42 - Added JITR virus which was sent to me by Jonathan Potter (AUST). 4.43 - Added MicroSystems virus checking to code and BootBlock checking of the HCS II, Opapa, BackFlash, and Australian Parasite viruses. 4.44 - Changed code around a bit to get better use of tables and added Xeno virus check for Memory only. 5.00 - Changed user interface to give a new look and better messages. 5.01 - Major Bug repaired. V5.00 GURU'ed when checking disk. Worked with 68020 CPU but failed on standard Amigas due to a bad address. 5.02 - Was not checking startup-sequence properly when disk was put in 3 1/2" drive when a filename was given as C:SetCPU or something like that. Came up with a strange filename not being checked. Fixed. Added second version of Byte Bandit Virus, Someone hacked it. Added code to remove Xeno virus from files. 5.03 - Slight bug corrected in code. 5.04 - Have changed this from PD to Freely Redistributable after an offer from someone to sell Virus_Checker. I feel this still needs to be at minimal (copying charge) or no charge to be effective. Also cleaned up the code a bit. This may introduce new bugs so please tell me about them if you find them Added checking of IRQ virus when checking for Xeno files on disk. As the file is in the buffer already this adds very little extra time to the check. And better safe than sorry. 5.05 - Changed text when Xeno Virus found after a program has been run to warn that the program just run may be the culprit. 5.06 - Added 16 Bit crew Virus, New Alien Beat Virus, Digital Emotions virus, Graffiti Virus, two new versions of the Byte Bandit virus, ScarFace virus, Turk virus, Joshua virus. Also a little bug when used with NTSC machines. You could not display the Boot Block Sectors. Now Startup alters for which machine it is on. The Startup code is only used once and then the memory for it is freed. 5.07 - Added better Error messages when an error occurs with files. It will now say File protected from deletion when the file is protected instead of just saying could not open file. Added Butonic virus to checker. 5.08 - Added Centurions virus to checker. 5.09 - Got Aids virus but this is a mutant VKill virus and is found already. Added Coders nightmare virus to checker. Added Forpib, GX Team, Gremlins, and Kauki Virus. Added Centurions and Butonic virus check when scanning disk. 5.10 - Finally got IRQ virus and corrected a few bugs in its code. Added Target, Clist, Abraham, and FAST virus. This FAST virus is supposed to be from the Federation Against Software Theft. If it is, then they are just as big arseholes as the pirates themselves. Added Tick virus. Added control-c, control-d to multiscan pass so as to stop the scan if you got the wrong directory or drive. 5.11 - Slight bug in removing BSG9 virus if virus not in devs: directory. Also was picking up some game files as Butonic virus. 5.12 - Virus_Checker was finding WB2.0 reboot code as the HCS II virus. This code may not be in the final release but it is at the moment. Also SetPatch code moved a bit. Seems to be the same but different. 5.13 - Added a Brain File so that you can remember the BootBlocks that You want to. Games etc. 5.14 - Added a feature to allow checking for link viruses on startup eg. virus_checker dh0: will check dh0: before carrying on as usual. 5.15 - Slight bug found with brain file. 5.16 - ULDV8 virus added. Uses VertB int and RomTag. Very Tame virus. Also fixed up bugs when using Enforcer. Showed up some reads to non-existent memory. 5.17 - Added OP1 virus. Seemed to confuse VC into think it had a standard Boot block unless write protected. 5.18 - Had to add extra checking for IRQ virus as it found a program that matched IRQ and VC crashed trying to remove the IRQ virus which wasn't there. 5.19 - Added a much asked for feature so that you can tell VC where to put its window. 5.20 - Added a width parameter as well. Also added 1 new virus called the SADDAM virus. This virus lives as the Disk-Validator and can infect an Amiga simply by putting a disk in the drive. 5.21 - Added the CCCP virus to the checker. 5.22 - Added another version of the Joshua virus. Also fixed bug that occurred when checking for file viruses and a name was in the File Header. Added -q option to make VC check and then quit. 5.23 - Added ARexx port to Checker. Will Take commands via Arexx. See info above. Added Disaster Master Virus 2, another file type virus. 5.24 - Added checking memory for Australian Parasite virus, added BootBlock viruses:- BlowJob ,Butonic-Bahan, Byte Voyager I, Byte Voyager II, Destructor, DiskGuard, Fast1, ByteWarrior FastLoader (not really a virus), FICA, Mad II, Hilly, Changed OP1 virus to real name (Joshua), Changed Tick virus to real name (Julie), Another version of Lamer Exterminator, MegaMaster, Paradox, Saddam Hussein (Paradox copy), Termigator, SuperBoy, UltraFox, Vermin viruses. Another version of the BSG9 file virus was found so I changed the checking to find both versions. Added second version of Butonics File virus, added Hawnes file virus. Added another version of the BSG9 virus and Return Lamer File virus. Did a big rewrite of the checking for file viruses. Now reads file once and scans a table of data. Will do the same with Link viruses later. 5.25 - VC was finding BootMenu as the Destructor virus. Changed scanning of startup-sequence so disks with the cmd sys:c/command would have the sys: stripped off them. VC could not find these before. Fixed bug which sometimes screwed the virus name reported in the requester. 1 BB virus added. Changed name of DOSSPEED virus to its real name. Revenge Lamer Ext. 5.26 - Fixed bug that was shown when disk in df1: had a startup-sequence entry that said df0:filename. Tried to access df0: when no disk in drive. Added Turk Virus file carrier. This was a file that carried to Boot Block virus Turk. Added a logic bomb file virus. This would wipe out a floppy after the the file had been run so many times. Added about 10 new BootBlock viruses. 5.30 - Fixed bug that showed up as DF0:2has... and no learn gadget on display. Added -n option to make VC window 1x1 pixel/backdrop effectively no window. Also added keys to VC. Press 's' key to start Disk Scan (same as right mouse button), 'm' to do a memory check. Added a Lamer TimeBomb Virus, EMWurm logic bomb, and another version of the Travelling Jack virus. FixSaddam code added to Checker instead of a seperate program 5.31 - Small problem with startup from Workbench corrected. 5.32 - Fixes a major bug in the FixSaddam code. It Guru'ed under 68000 sometimes and never fixed the Checksums properly. 5.33 - Released 6 November 1991. WB2.0 BootBlock added to code. True no window option added for those users of WB2.0. Added liberator virus and fixed slight bug with Saddam virus,did not reset TD BeginIo Close vectors. 5.34 - Released 12 November 1991 Increased stack size to 4000 bytes as it was crashing when used with PowerPacker Patcher. Added Hackers Etic BB virus Little problem with the CTRL-C and CTRL-D when used in FixSaddam mode 5.35 - Released 21 November 1991 Added support for the asl.library FileRequester when running under WB2 When you select scan disk you can now select Use Requester gadget and this will bring up the asl FileRequester 5.36 - Released 23 November 1991 Added better handling of Proportional fonts. Requesters look much better now 5.37 - Released 22 December 1991 When scanning the disk for Saddam virus damage and the disk is unvalidated, VC will change the disk so that it looks validated. VC will not validate the disk but will make AmigaDOS think it is. VC will warn you when it does this so you can check the disk with a program such as FixDisk, Quarterbacktools or (God help me) DiskDoctor. Small bug in ARexx interface. If you used OPTIONS RESULTS then VC did not recognize the command. Added WB2.0 ExAll() code for Link/File scan. This fixes the bug with RAM: and deleting files while scanning. Only works with WB2. Using WB2 and ExAll() is alot faster than WB1.3. A test on my DH0: showed WB1.3 took 1 minute 28 seconds while WB2 took 1 minute. This was on 531 files in about 12 directories. Found furthur bug in Requester with Fonts in WB2.04. Window opens up with normal default font and not what was set. Now do a SetFont() so I know what I am getting. Real big fonts eg 24 point still seem to muck up placement of the gadgets but at least it stills readable. Added menus to VC window. This means right mouse button for Disk Scan will no longer work. Bug found in shutdown code. If you pressed the right mouse button after clicking on the close gadget then VC would GURU. 5.38 - Released 15 January 1992 Started adding options screen to VC under WB2.0. Configure file is added as S:VCConfig. Set using options screen under WB2 but under 1.3 you will have to edit by using a binary file editor or the AREXX commands. Added Exec DoIO and Trackdisk.device beginio to vector scan. If these change VC will warn you. Small bug, when you removed disk while scanning it. WB2 would recover but 1.3 started putting out rubbish. Added 2 versions of Byte Parasite File Virus, another Lamer Trojen, Freedom file virus, Added BootBlock viruses, Dotty, another Mad version, Fast Eddie, French - Kiss, NastyNasty, TriSector, Taipan, Many other new BootBlock viruses but these are all just mutants of other viruses (Messages changed) ************************************************************************ NON-STANDARD BOOT CODE - When Virus_Checker brings up a Requester that says the disk has non-standard boot code this means that the code in the boot block is not what should be there. This does not mean that it is a virus as many games use copy protection in their boot blocks. You should however be cautious if it is not a game. DO NOT REPLACE THEW BOOT BLOCK IF YOU ARE NOT SURE. If something strange happens then please send a copy of the disk to me so that I can check it out. Here is a way of checking non-standard boot code 1. Format a blank disk so you know it is clear. 3. Make sure all disks except the one just formatted are write protected 3. Boot from the disk that you suspect. 4. Place formatted disk in drive zero and then reboot. 5. Take disk out of drive zero and turn off computer for about 30 secs. 6. Run the Virus_Checker program. If the Virus_Checker finds non-standard boot code on the newly formatted disk you have found a new virus. Please send it to me. Viruses Dealt With: ------------------- SCA - The SCA is the simplest virus to deal with, as it's not actually DOING anything except hiding in memory, until you reboot. We just look at CoolCapture and fix it to get it out of RAM. AEK - This is a clone of the SCA virus and we get rid of it in the same manner. LSD - Another SCA clone and uses the same code. Byte Bandit (Now 4 versions) (Amiga Freak) - The Byte Bandit virus takes the DoIO() vector and re-directs it through itself. Thus, any attempt to read or write the boot block (ie, AmigaDOS trying to figure out what kind of disk it is) results in the BB writing itself onto that disk. We couldn't just rewrite the boot block, we have to get him out of RAM first. This virus also has an interrupt that crashes the machine every 5 minutes or so after it's infected a few of your disks. Ow. It stays in memory not via the Capture vectors, but by a Resident module. When machine looks crashed press these keys at the same time from left to right LAlt,LAmiga,Space,RAmiga,RAlt. This will restore things for another 5 minutes. Revenge - Basically, a Byte Bandit clone except it will bring up an obscene pointer a few minutes after you reboot. We treat it much like the byte bandit. Byte Warrior - Jumps right into 1.2 Kickstart. Won't work under 1.3. Hangs around via Resident struct, doesn't do any damage. North Star/ StarFire - Like SCA, hangs around via CoolCapture, killing CoolCapture kills the North Star. Obelisk Softworks Crew - Hangs around via CoolCapture, also watches reads of DoIO() (but doesn't infect EVERY disk - only ones you boot from). IRQ - This is the FIRST Non-Bootblock Virus. It copies itself from place to place via the first executable program found in your startup-sequence. It SetFunction's OldOpenLibrary(), has a KickTagPtr, and lives in the first hunk of an infected program. Pentagon Circle - This one looks at the DoIO vector, and has a CoolCapture vector. It will write itself over any virus inserted, but not onto anything else. No danger, easy to eliminate. Holding left button while booting with this one shows different screen colour, but doesn't get rid of it. HCS Virus - Hooks into the System Z protector - This is another virus protector that can write itself to disks. Anything that spreads itself, under any name, is a virus. Doesn't do anything except during a reboot, then examines disks and writes over viruses. Disk-Doktors - This is another virus which looks at the DoIO routine for the reading of any bootblocks. If it finds one it will rewrite a copy of its code to it if it can. This one also patches into the Vertical Blank interrupt and seems to format your disk after a certain number of interrupts (can't be sure though).The nasty bit is it also creates a task called clipboard.device which spends its life copying itself through memory fragmenting the memory into small blocks. Calls ROM CODE direct so won't work under V1.3. We restore the DoIO routine, the Vert Blank interrupt and RemTask the clipboard.device LAMER Exterminator - This virus was sent to me by Andrew Mercer of the Palmerston North group. His letter said that He noticed strange things on his disks. On disassembling the virus I found that most of it was encrypted and the data was encrypted randomly using the beam position of the screen. Thus it appears different each time. It patches the trackdisk.device to look at reads and writes, It patches the Sumkick vector in exec in case someone tries to get rid of it. When it detects a read or a write it will randomly select a sector on the disk and will check if it is a data block. If it is it will write LAMER! all over the sector and rewrite it. Some say this Virus will write to write protected disks. I have not had this happen to me and I can see no special code in the disassembly to accomplish this feat. TimeBomb Virus - This is a strange Virus. It does not insert itself into any vectors. However it will copy itself back to the disk it came from. When the count gets to 2 it will wipe out the Root Directory of the boot disk and display an alert. If the count is over 2 it will just display an alert. GADAFFI Virus - Inserts itself into the CoolCapture vector, Uses a RomTag structure and patches the DoIO vector. Jumps directly into the Kickstart so will only work under V1.2 Kickstart. After 13 copies it will step the heads of drives 0 and 1 in and out. We simply clear all vectors and Use the old V1.2 DoIO code entry point. BSG9 Virus - This is similar to the IRQ virus in that it does not live in the Boot Block. It operates differently. Inserts itself into the RomTag pointer. It then loads the program it replaced and executes it. On Reboot the RomTag is called. It patches the Intuition OpenWindow Routine to its code. It then returns. Once AmigaDos opens up the CLI window the virus code gets run. This gets the startup-sequence file and gets the first command that is run. It then checks if it is already here. If not, then it moves this program from its directory into the devs: directory and renames it a strange name.It then copies itself to replace the command it just moved. A give away is the file size. The Virus size is 2608 bytes and there will be a file with what looks like spaces for its name in the devs: directory. To get rid of it we copy the file in devs: back to the c: directory and rename it.Then delete the file in the devs: directory. In memory all we do is change the RT_INIT code which is run on reboot to do an immediate RTS. The memory for the program is still used but the Virus is disabled. It will display a screen of its own which says: A Computer Virus is a disease Terrorism is a Transgression Software Piracy is a crime This is the Cure BSG9 plus some other junk War Hawks - This Virus installs itself into the CoolCapture Vector. It copies itself to the disk when the computer is warm booted. After every four copies it displays a message. To get rid of it we simply clear the CoolCapture vector. VKill or Aids Virus - This is another virus hidden as a Virus protector. When booted it copies itself to the stack area that is not used. It then patches the CoolCapture vector to survive a reboot. It patches the PutMsg vector of ExecBase to watch for BootBlock reads and writes.When it finds one it checks it and tells you if a virus is present.If you want to get rid of it it will copy itself to the disk.To remove it we Clear the CoolCapture Vector and SetFunction the PutMsg vector Ultra Fox - This one lives in the CoolCapture vector. When you reboot it will change the DoIO vector and wait for a BootBlock read.When it finds one and the disk is not already infected it will write itself to the bootblock.After every 16 copies it will put a custom copper list which displays greetings. PVLProtector - This one is another bootblock protector.When it finds a virus it will write itself to the disk instead of a proper bootblock. All we do is set the RomTag to do a RTS. Revenge Lamer Exterminator (previously DOSSPEED) - This is another file virus. It is supposed to speed up disk operations by 800%. This was found on a BBS and when run patches itself into several places. It will read the s:startup-sequence file on reboot and will edit it so that it runs itself as the program. It sticks out because the first line in the startup-sequence will be blank.When the Checker finds it look in the Root directory and you will find what looks like a blank filename. Virus Checker will rename this virus for you. You can then delete the virus and alter your startup-sequence to get rid of the first blank line UnKnown - This is a virus that has no names anywhere and will only work under V1.2 Kickstart. Very easy to get rid of. JITR Virus - Very mild sort of virus this one. Only writes itself to the BootBlock. Does nothing else. Easily fixed by clearing the CoolCapture vector. MicroSystems - Haven't got this one yet so can't tell you much about it. Just have to restore a vector in the Exec.library and clear the Exec CoolCapture vector. Xeno Virus - This virus is a very nasty one in the way that it infects all programs that can be run. It does not need the program to be run but even someone doing a list or dir on a disk when the virus is present will infect all those other files on disk. It patches into the dos.library and takes over the OPEN,LOCK and LOADSEG calls in dos. This way it can intercept the files being looked at. It will copy itself to the start of every runnable program and alter the file so that it still works. There is also an encrypted message which says 'Greetings from the Xeno Virus' but I have not worked out when this appears yet. To get rid of it from memory we have to reset the changed vectors. To get rid of it from the file is very much harder. First the file has to have the virus removed from the code. Then the relocation data pointers have to be changed so that everything still works. 16 Bit Crew - This virus does not do much and only infects disks that you boot with. To get rid of it from memory we clear the CoolCapture Vector and restore the DoIO vector. New Alien Beat Virus - This one will only work under Version 1.2 Kickstart as it jumps into the ROM code directly. To fix in memory we have to manually patch the DoIO vector and FindResident Vector with the correct values for 1.2. and clear the Capture vectors. BlackFlash virus - This virus will display a message after a certain amount of copies of it have been made. It says that your computer is sick and has a virus. To remove it we just restore the DoIO vector and clear out the capture vectors. Digital Emotions virus - This is another tame virus. Only infects disks when it is rebooted. Clean out the Captures vectors and it is gone. ScarFace Virus - This takes over the BeginIO routine in the trackdisk.device to watch for reads and writes to the disk. When it finds one it will write itself to the disk. It also has a VertBlank interrupt which will do something after a while. I think it only reboots the machine. It also has a romtag which we have to clear out. Turk Virus - Another simple virus. Does not do very much. Simple to get rid of. Joshua Virus - Again, lives in the TrackDisk BeginIO and VertBlank Interrupt. Also has a RomTag to survive reboots. This one will display a sprite after so many interrupts. I am not sure what it looks like but maybe someone wants to wait until it is triggered. It counts interrupts. It will also infect every disk but in the drive that is not write protected. Data in it that says something is encoded. To remove we simply restore the BeginIO code and VertBlank Interrupt and wipe out the RomTag. Butonic Virus - This is another file type virus. It uses the DoIO vector to check for reads to the Root Block of a disk. It will then write the virus to the disk and add it to the startup-sequence as the first instruction. The filename of the virus and its comment make it invisible when doing a dir but shows up with a list. This will also bring up GURU messages and change the title of the active window to some german stuff. To get rid of it we clear the ROMTAG, restore the DoIO vector and delete the file off the disk. You will need to remove the blank line from the startup-sequence where the virus was. The second version of this infects the Level 2 Interrupt as well and uses different file names to hide itself in the startup-sequence. Centurions Virus - Another file type virus. It hooks into the Trackdisk BEGINIO vector and waits for reads to the boot block of a disk. It changes the SumKickData vector so that it will survive a checksum. To get rid of it in memory we simply kill the RomTag vector, restore the SumKickData vector and patch the trackdisk code it uses to skip over the virus. When it finds a read to the bootblock it will check the write protect. It will then find the startup-sequence and find the name of the first command. It then looks for the command in the root directory, then the c directory. Once found it adds itself to the front of the file and is run when the startup-sequence is run again. Signs of infection are that it adds 3916 bytes to the size of the file it infects. After every ten copies it will change the pointer to a smiley face and a message will scroll across it. Coders Nightmare Virus - A boot block virus. Fairly tame this one but it will wreck copy protected disks. It takes over the DoIO vector waiting for reads to track zero block 0 then it writes itself to the disk if it can. It has a level 2 interrupt which after a time will display a message and then reboot the machine. To remove we just reset the DoIO and Level 2 Interrupt vectors and clear out the RomTag. Forpib Virus - Another boot block virus. It takes over the Trackdisk BeginIO vector and waits for reads to block 0. Then it copies itself if it can. It also has a VertBlank Interrupt and after a certain time a message will appear. (I think). There is a bug in this in that it tries to use a color register but it has got the wrong value in there. To remove just restore both vectors and remove the RomTag. GX Team virus - Yet another bootblock virus. This just takes over the DoIO vector and after a certain number of copies it will bring up a requester then guru. To remove replace the DoIO vector and clear RomTag and Capture vectors. This virus will only work under version 1.2 kickstart. Gremlins virus - Yes another bb virus. Sickening isn't it. Don't know what this one does but very easy to remove. Just zero the Capture vectors, restore the SumKickData vector and DoIO vector and it's gone. Kauki virus - This boot block virus will only work under Version 1.2 kickstart. As I don't have it I can't tell you what is displayed but something is displayed. Easy to get rid of. Just clear the Capture vector and set the DoIO vector to $FC06DC just to make sure. Have given up Telling what BootBlock viruses do as they are mostly the same and all work the same way. From now on I will only give descriptions on File Type viruses. SADDAM virus - This is a file type file that hides itself as the Disk-Validator. The disk on which it came was unvalidated so AmigaDOS loaded it to try and validate the disk. This causes the virus to run and infect your machine. It does infect a lot of vectors that need fixing when it is found. I just wipe it off the disk and it is left to the user to put a new Disk-Validator on the disk. It will change the root block BitMap pointer so that if the virus is not running AmigaDOS will think the disk is UnValidated and load the virus. It will also change DATA blocks so DOS does not know them unless the virus is running. When the virus is triggered it will wipe out the whole disk and bring up a Requester telling you it is the SADDAm virus. CCCP virus - This a combination Bootblock and file virus. It changes itself so that it will write to the BootBlock and to random files on the disk. The only way to find it on disk is to scan the whole disk. Disaster Master 2 - This is a fairly simple File type virus. It will write to a disk after a warm boot and if there is enough room on the disk will make a file called cls in the c directory and add cls * as the first line in the startup-sequence. We just clear the RomTag and Capture vectors, check the DoIO vector and that's it for memory. Just wipe the file off the disk and warn the User about the startup-sequence. Hawnes virus - A simple file type virus. It infects the OpenLibrary vector waiting for an opening of intuition.library. It then patches OpenWindow to it's own routine. When a window opens it checks the startup-sequence and if not already present copies itself to the disk using DOS. It patched the VertB int and will display something after a while. It will Wipe out a disk after so many copies as well. Simple to remove and alter the first line in your startup-sequence which will hold in hex $C0A0E0A0C0. Return Lamer virus - Another file type virus which replaces the Disk-Validator.It uses a RomTag to stay in memory, infects vectors, VertBlank Int, TrackDisk.device BeginIO, and another vector in the trackdisk. When the RomTag is called it infects the OpenWindow vector. Just delete the Disk-Validator and replace it from a good disk. In memory, just restore the vectors and clear the RomTag out. Travelling Jack virus - A Link type virus this one installs itself into the internals of AmigaDOS taking over the BCPL inner workings. To check in memory we have to wind our way thru many vectors and then reinstall the original from the virus. To remove from file we just remove the first code hunk. Seems to copy itself to each file that has been read but not sure on this. Liberator virus - This is a file virus that says it will remove all viruses but is in fact a virus itself. It copies itself to the s/startup-sequence with a line that says memcheck s You will also find a file called .FastDir on the disk. After a certain count it will delete the entire s/startup-sequence and display a message, stop access to the floppy drives and DH0: It will also stop most virus checking programs by RemTask()ing them. Virus_Checker 5.30 and above is safe from the current version as the Task name has been changed. Easy to remove, we just delete the file. Byte Parasite - A simple virus. Does not infect memory, opens a window claiming to be VirusX checking df0:, if the file df0:c/virusx exists it will copy it to df1:c/virusx. Thats it. Byte Parasite II - This one calls itself Virus-Checker. This one will copy itself to memory and when it sees a disk change will copy itself onto the disk. After 7 copies it will try and wipe out the disk. Takes over the Level 3 interrupt and cool-capture vectors. Easy to remove from disk and memory Lamer Trojen - This file has a copy of the Lamer Exterminator BootBlock virus in it. Running it will infect your memory and then infect bootblocks as normal. Freedom - This one does not seem to infect memory or copy itself but says it is trying to check df0: for 126 viruses. If the disk is write protected it says sorry, otherwise it sounds like it is scanning the disk. It will say it has removed the smily cancer and saddam virus a few times. The disk afterward is usually corrupted.