Belgian Amiga Club - ADF Collection

home *** CD-ROM | disk | FTP | other *** search

/ Belgian Amiga Club - ADF Collection / BS1 part 47.7z / BS1 part 47 / Amiga plus 2 (1989)(Amiga Plus Magazine)[h QTX].7z / Amiga plus 2 (1989)(Amiga Plus Magazine)[h QTX].adf / Utility / virusx.docs < prev next >

Wrap

Text File | 1989-03-03 | 27.5 KB | 560 lines

VirusX 3.2 by Steve Tibbett VirusX 3.2 Release Note: 8 new viruses, and one new option - CHECK. If you say VirusX CHECK, VirusX will check RAM and installed disks, then quit. Great for including VirusX with release disks. Last Minute Bug Report: VirusX waits for a NEWSIZE message before doing anything after changing the size of a window. Now, the OS doesn't bother sending the NEWSIZE message if the window isn't currently selected. Sooo, if you tell VirusX to resize the window somehow (using the right mouse button, maybe), then you de-select the VirusX window, VirusX will lock up. I'll try and fix it next version. ...Steve Version Notes: -------------- Version Notes are now in the VirusX.C file, as is information on some of the viruses. Virus Notes: ------------ Information about each of the individual files is at the beginning of the C file (just because I spend more time looking at it than I do looking at this). NOTE: The AmigaPLUS disk does not contain the source files described in this file. The virus descriptions have been appended to these docs. Introduction: ------------- Amiga Viruses have been following us around for some time now, and I think it's about time we got rid of it for good. There are 2 classes of Viruses - There are the "Boot Block Viruses" and the rest of them. Boot Block Viruses are named such because they all share this one trait: They are always found in the Boot Block of a disk. You cannot get one of these simply by downloading a program, nor through any non-bootable disk (although a program could be written which would install the virus when run). Boot Block Viruses are very easy to get rid of - check any new disk with VirusX, and if it reports anything nonstandard, tread lightly. Non-bootblock viruses are a little tougher to find, and can be near impossible to find without the right tools. VirusX will be updated such that it finds any known virus, that's the best I can offer. Please, I encourage you to give this program to anybody who might have a virus. Including your local dealer - some of the dealers in this area have the virus all over their disks, which they allow customers to copy, and they don't do anything about it because they don't know how. VirusX makes it extremely simple. Installing in your Startup Sequence: ------------------------------------ You can put VirusX in your Startup-Sequence so that it is automatically run whenever you boot your system with whatever disk you install it on. Doing so is very simple - using any text editor, modify the "S:Startup-Sequence" file (Details on how to do this are available in many many books, and also in the manual that came with the system I believe), so that the Startup-Sequence contains simply "VirusX". When run, it will open a small window so you know it's there (and it will display the occasional message in it). Whenever a disk is inserted into any of the 3.5" drives, that disk is automagically checked for the SCA virus, and also checked to see if it's boot sector is "Standard". If the disk has a nonstandard boot sector, it is either a new form of virus which I don't know about yet, or it is a commercial program which uses the boot block for something constructive (like booting their game). If VirusX finds a boot block it is suspicious about, it will present the user with a requester either warning him that the disk has the SCA virus (or any other current viruse), or telling him that the boot code is nonstandard. In either case, he is given the option to either ignore it, or to Remove it. If the user selects Remove, after he says he's SURE he wants to rewrite the disk's boot sector (Remember: Never rewrite the boot sector of a commercial program unless you KNOW that program doesn't use it for something else. If the program gives you the AmigaDOS window before running, you know it is safe to repair that disk.). The boot code written back to the disk by VirusX is the same boot code that the AmigaDOS INSTALL command (and it's compatible counterpart on one of the fish disks) uses. If you click in the little "VirusX" window, and type a number from 0 to 3, (Corresponding to the drive # you would like to look at), VirusX will resize it's window to fit in the ASCII text of these two blocks, and allow you to view it. When you run across a "Nonstandard Boot Block", you can now check and see if the boot block is some sort of new Virus (Assuming that the author of the Virus left a string in it) as you will see something like "Revenge Virus 1.2G" or whatever string that identifies the virus. Note that not all viruses have text strings in them, so don't use this method alone to determine whether an unknown boot block is a virus or not. Also, you can check to see which strain of the SCA virus you have (VirusX will report "an SCA virus", but will not tell you if it is the "LSD" virus, or the "Zorro/Willow" virus or whatever new ones may appear). Generally, if boot code is capable of writing itself back to a different disk than the one it was loaded from, it is a virus. VirusX Options: --------------- Keystrokes: (Remember, the VirusX window must be active to type these) 0, 1, 2, 3: Show you the boot block of whatever drive you select (0 would be DF0:, say), I will show you the Info window. C: Cause VirusX to re-Check all inserted disks. Command Line Options: x,y : to change where the VirusX window appears, just put the numbers you want it at on the command line. For instance, to put it at 50,30, just say VirusX 50 30. Check: This will cause VirusX to check Memory and any inserted disks, then quit immediately without leaving the little window. Nut Alert: ---------- Of course, there are those of you who are thinking that I am some nut case trying to spread my own virus hidden under the guise of a virus checker. Well, just for you, I've included the C source code. Please, if you don't trust me, don't discard a useful utility as untrustworthy for no reason, CHECK THE SOURCE! Recompile it if you think I'm trying to slip a fast one on you. I just want to see viruses out of all of our lives. Distribution Notice: -------------------- This program is Copyrighted, but is freely redistributable (It's NOT Shareware). Do what you want with it, but Please don't use it for evil purposes. That's what I'm trying to prevent. (If your conscience is compelling you to send me something, send me an original game you're bored with... It won't cost you anything, and it'll keep me busy for a few hours (or more...). If you are not sure that this is the most current version of VirusX (and please, before sending me a "virus", check with your local BBS or user group for the latest version of VirusX to verify that it is indeed the latest), you will be able to get the latest version of VirusX though AmigaWorld soon, or so they tell me. 5 bucks, to cover shipping/handling - check the magazine for info. I write PD/Shareware software in my spare time, and work full time during the day. Since I don't do this as a business, I really can't answer all the mail I get - I barely have time to work on the program, let alone answering mail... I feel really badly about this, but there's not much I can do. I am trying to reply to anybody who asked for a reply... working on it... 8-) If you haven't heard from me, either I lost your letter (it's happened...), or you will hear from me soon. (Addendum: Sending me a self-addressed stamped envelope doesn't do me a whole lot of good because I live in Canada... Just thought I'd let you know, cuz some people have overlooked this). My address: Steve Tibbett 2710 Saratoga Pl. #1108 Gloucester, Ontario K1T 1Z2 My BBS: OMX BBS, 613-731-3419. I can be reached on BIX as "s.tibbett" and on People/Link as "SteveX". I'm also on Compuserve, but with their dumb numbering system, I can never remember who I am. --------------------------------------------------------------- VIRUS NOTES: ------------ Virus Notes used to be found here. They are now in the VirusX.C source file itself - just type the file. (If you're scared of 'C', just hit ^C when the comments are done). Notes on some notable viruses are still here. THE BYTE BANDIT VIRUS: ---------------------- What the Byte Bandit virus does is once it's in memory, it copies itself to just above the high memory pointer on the first hunk of RAM it can find (Which means it's not always in the same place), wedges itself into the Interrupt Server chain, into the Trackdisk.device's vectors, and creates itself a Resident structure so it can hang around after reboot. It watches EVERY disk inserted, and will write itself to ANY bootable disk that is inserted! Also, if you Install a disk while this virus is going, it will just copy itself back to the disk - which is why it has to be wiped it from memory. When VirusX finds this virus on a disk, it will also display a "Copy Count" which is the number of disks that have been infected by that "Branch" on the "Tree" that the virus is on - If you infect a disk with your copy, and your copy is number 300, then that copy will be #301. If he infects somebody, that will be #302, but on YOUR copy, two infectations down the line, there will be another #302... Anyways, the copy count on MY Byte Bandit virus is #879... Note that VirusX will check RAM for this virus as well as the disk. This was necessary as you can tell from the description above. Special thanks must go here to Dave Hewett, who, 2 days after I gave him a copy of the virus, gave me a printed, commented disassembly of the virus with meaningful labels and everything I needed to stomp it - Thanks Dave! Thanks must also go to Bruce Dawson of CygnusSoft Software, (author of that great program, CygnusEd), who went to the trouble of being the First person to send me this Virus. ------------------------------------------------------------------- The IRQ Virus: -------------- The IRQ Virus is the latest Amiga Virus (that I've seen anyway). This one stands out from the crowd, in that it is NOT found in the boot block. This Virus attaches itself to executable programs. It's prime target is the C:DIR command, but it will also look at your startup sequence and attach itself to the first executable program found in the startup sequence. A sample chain of events: - You download or otherwise acquire a new program. This program happens to be infected. - You execute this program. - The Virus then attaches itself to memory (by taking over the OldOpenLibrary() vector), and adds a KickTagPtr (for no apparent reason). - Now, you're on DF0: and you run a program that uses the OldOpenLibrary() vector (hard to predict which ones do...), the Virus will open your startup sequence and picks the first filename it sees in it, see if it's executable, and if so, it will write itself into that file. IF it's not executable, it will try and write to the DIR command on that disk. As you can see, the only files this virus will infect, will be whatever comes first in your startup sequence, and the DIR command. The only way this Virus could possibly spread via modem is through deliberate sabotage, (unless the guy actually DID have the program as the first thing in his startup sequence before sending it to you). WHAT IT DOES This Virus is mostly a harmless joke. It will not kill commercial programs (at least not any I've seen so far), it doesn't attack anything, doesn't do anything malicious. It's not nice to have around, but it's certainly better than a malicious virus! It changes the title bar of the Initial CLI window when you boot, and it will try to write to any disk inserted - thus bringing up the "Volume whatever is write protected" requester whenever you insert a write protected disk. It will write itself to any disk you execute a file off of, possibly to the DIR command, possibly to the first thing in the startup sequence, depending on the startup sequence. This virus will not work under Kickstart 1.3 - you will get Software Error requesters whenever you run an infected program. I'm not sure why, but this is probably good. HOW TO KNOW IF YOU HAVE THIS VIRUS You cannot identify a file that has this virus in it just by looking at it. The virus encrypts the text parts of itself, and encrypts it differently on each copy - so you can't learn to recognize it. You can tell your system is infected if you put in a write protected workbench disk (or any disk that has a startup sequence), and if the system brings up a "Volume whatever is write protected" requester, then this virus is in RAM attempting to infect this disk. Running VirusX 3.1 will tell you that this virus is in RAM, and VirusX will remove it from RAM. The other thing this Virus does is, when it first installs itself in your system upon reboot, it changes the title bar of the current window, (usually the initial CLI window, since it IS the first thing in your startup sequence), to say something like "AmigaDOS Presents: The IRQ Virus, V41.0". This is of course a dead giveaway. HOW TO GET RID OF THIS VIRUS To get the virus out of RAM, run VirusX 3.1 and it will tell you if it found it and that it removed it if it did. VirusX will check disks the same way that the Virus does - it will look at the startup sequence, determine if the first file found (or the DIR command) are infected, and give you the option of repairing them if they are infected. You can also get rid of this virus simply by deleting all infected programs and rebooting. This virus will not hang around after a reboot. Because this virus can hit a number of files, not all of which VirusX will find, also included is a small program by Dan James called KV, "KillVirus". This program will check a whole directory's worth of files for this specific virus. VirusX 3.0 will look in the same places the Virus does for possibly infected programs. If it finds one, it will pop up a window and show you where it found it, and ask if it's OK to remove it. HOW TO MAKE SURE YOU DON'T GET THIS VIRUS Keep VirusX 3.1 running when you test new programs. VirusX will alert you as soon as it sees this virus appear in memory - probably the last program you ran is infected if VirusX reports it found the virus. ========================================================================== Virus Notes: ------------ These are things that you probably should know, but may not about what can happen with Viruses. - If you are trying to format a disk, and you always get a message that Cylinder #0 of the disk is bad, it's quite possible you have a virus in RAM (or a bad disk). This is because when the Formatter writes to block 0, some viruses will prevent this (trying to save themselves). When the formatter reads the block back to verify, it's not the same and it panics. - Some commercial programs will not work with some viruses in RAM. - Not all computer failures are caused by viruses! If you are having problems, and you have checked your disks with VirusX (and it reports them as clean), try looking elsewhere for the problem. - There is at least one virus that can (more or less accidentally) hit hard disks. Some of the viruses use the DoIO() vector to watch for any read (or write) attempts at block 0. But not always making sure that it is block 0 of the Floppy drive - and if someone is writing to block 0 of the hard disk, and the virus intercepts this, it can write itself to the hard disk. The virus CANNOT load from hard disk - the hard disk's boot block is never executed. But if your hard disk is an FFS volume, then writing the virus to it will in effect change it back to an OFS volume - making what's on it unusable. You can fix this with DiskDoctor (I believe), or using DiskX. ========================================================================== I'd like to thank Lars Wilklund, Jason Allen Smith, Bruce Dawson, Robb Walton, Pete Foley, and all the others who have sent me disks whom I cannot remember. Mucho thanks also to Dan James, who's been helping me all along, and who did a lot of the finding out about the IRQ Virus. There are MORE viruses out there! Please, send them to me! ...Steve /************************************************************************/ /* */ /* Viruses Dealt With: */ /* ------------------- */ /* */ /* SCA - The SCA is the simplest virus to deal with, */ /* as it's not actually DOING anything except */ /* hiding in memory, until you reboot. */ /* We just look at CoolCapture and fix it to get */ /* it out of RAM. */ /* */ /* Byte Bandit - The Byte Bandit virus takes the DoIO() vector */ /* and redirects it through itself. Thus, any */ /* attempt to read or write the boot block (ie, */ /* AmigaDOS trying to figure out what kind of */ /* disk it is) results in the BB writing itself */ /* onto that disk. VirusX couldn't just rewrite */ /* the boot block, we have to get him out of RAM */ /* first. This virus also has an interrupt that */ /* crashes the machine every 5 minutes or so */ /* after it's infected a few of your disks. Ow. */ /* It stays in memory not via the Capture */ /* vectors, but by a Resident module. */ /* */ /* Revenge - Basically, a Byte Bandit clone except it will */ /* bring up an obscene pointer a few minutes */ /* after you reboot. We treat it much like the */ /* byte bandit. */ /* */ /* Byte Warrior - Jumps right into 1.2 Kickstart. Won't work */ /* under 1.3. Hangs around via Resident struct, */ /* doesn't do any damage. */ /* */ /* North Star - Like SCA, hangs around via CoolCapture, */ /* killing CoolCapture kills the North Star. */ /* */ /* Obelisk Softworks Crew */ /* - Hangs around via CoolCapture, also */ /* watches reads of DoIO() (but doesn't */ /* infect EVERY disk - onlyt ones you boot */ /* off of) */ /* */ /* IRQ - This is the FIRST Non-Bootblock Virus. */ /* It copies itself from place to place via the */ /* first executable program found in your */ /* startup-sequence. It SetFunction's */ /* OldOpenLibrary(), has a KickTagPtr, */ /* and lives in the first hunk of an */ /* infected program. */ /* THANKS! to Gary Duncan and Henrik Clausen for */ /* being the first to send this one to me! */ /* */ /* Pentagon Circle - This one looks at the DoIO vector, and has */ /* a CoolCapture vector. It will write itself */ /* over any virus inserted, but not onto */ /* anything else. (Neat idea!). No danger, */ /* easy to eliminate. Holding left button */ /* while booting with this one shows different */ /* screen colour, but doesn't get rid of it. */ /* Thanks to Bill at CMI (CMI*BILL on Plink) */ /* for sending me this one! */ /* */ /* SystemZ Virus Protector */ /* - I took this one out. It's not really a */ /* 'Virus' in that it won't overwrite a disk */ /* without asking you first. Besides, it seems */ /* a lot of people LIKE the SystemZ Virus */ /* Protector (though it isn't perfect). */ /* */ /* Lamer Exterminator - THIS one was a bugger. Yet another virus */ /* aimed at hurting people. Y'see, a Lamer */ /* is apparently the worst kind of pirate - */ /* one who doesn't crack software, doesn't */ /* write software, just collects names and */ /* addresses and collects and spreads software. */ /* Lamers don't do anybody any good - and the */ /* guy behind this Virus took it upon himself */ /* to make their (and our) lives miserabler. */ /* Anyway, this virus loads into RAM into a */ /* different location every time (using a */ /* random location). It is encrypted on the */ /* disk so you can't SEE the name of it, and */ /* it never actually SHOWS the name (but it's */ /* definately there). It changes the */ /* encryption key used each time it is written */ /* back to disk. It has a counter and will */ /* wait until the machine has been reset 2 times */ /* OR until 3 disks have been infected, and will */ /* then pick a DATA block (Only a DATA block - */ /* FFS disks are safe, I guess), randomly, and */ /* will write the word 'LAMER!' all through it. */ /* This is obviously not good, and will cause */ /* random disk errors. This is the worst kind */ /* of havoc to wreak on the new user - and this */ /* virus is EVERYWHERE! I've gotten it from 5 */ /* people in the last week alone (all from */ /* different countries! Ack!). Anyways, credit */ /* for being the first with this one is */ /* Christian Schneider. Thanks, Christian! */ /* Might as well break the margin convention here, eh? Anyways, */ /* something else I thought of about this virus: It introduces a NEW */ /* way for a Virus to stay in RAM. Y'see, if ExecBase is okay at */ /* reboot time (Exec keeps a checksum, among other things, and checks */ /* to see if anything has been corrupted quite carefully). Anyways, */ /* if Exec thinks ExecBase is okay, it doesn't bother rebuilding it. */ /* Sooo, this virus sets the SumKickData() vector to point at itself. */ /* Then at Reboot when this vector gets called after reset, the virus */ /* ReInstalls himself. At least this is what I think is happening. */ /* This virus sets up a Resident structure, but never sets the Match */ /* Word - either this means we don't need the MatchWord or it means */ /* his SumKickData() is doing the recovery job - either way, it's */ /* new! 3 points for originality. */ /* */ /* Graffiti - The first virus to come with rotating 3-d graphics! */ /* It's neat - you might want to trigger it (I'm not sure */ /* how) before nuking it. Anyway, this one just sets */ /* CoolCapture(), does something with DoIO() during the */ /* reboot but sets it back to normal before anybody gets */ /* to look at it. Lots of code is taken by the graphics */ /* stuff. I just clear the CoolCapture vector. [yawn] */ /* */ /* Old Northstar - Poof. */ /* */ /* 16 Bit Crew - Well, I didn't actually have to DO anything to get */ /* VirusX to recognize it... because it seems to operate */ /* like the Graffiti Virus. If the 16 bit crew is in */ /* RAM, VirusX will say it removed the Graffiti virus. */ /* Oh well. 8-) */ /* */ /* DiskDoktor - I spent more time on this one than on any other. */ /* Y'see, this virus does lots of things. The first one */ /* for some reason was quite funny to me. heh */ /* What it would do is after you have rebooted 5 times, */ /* each time you reboot after that, the virus would eat */ /* 10K times the total number of reboots - so after */ /* rebooting 10 times, you would be short about 100K. */ /* This virus also starts up another TASK. I'm not */ /* exactly sure when it happens, but another task named */ /* 'clipboard.device' will appear at a priority of -120, */ /* and will continually bash the Virus' vectors into the */ /* Coldcapture, Coolcapture, Warmcapture (which it sets */ /* to $ff000000 just to annoy), and the DoIO() vector. */ /* When I was working on this one, I figured I just had */ /* to restore the old values to the DoIO() vector, but as */ /* soon as I did so, the Virus restored them - and since */ /* I didn't disassemble the entire thing, I didn't realize*/ /* this until I wasted time looking for other faults. */ /* This one also allocates some memory, copies some code */ /* out of Exec into this memory, and executes it. I */ /* never bothered to figure out why - Once it's gone, it's*/ /* gone. */ /* */ /* Thanks also to Robb Walton for being the first to send one of the */ /* other ones, (but I can't remember which one anymore... 8-( ) */ /************************************************************************/