/************************************************************************/ /* */ /* Viruses Dealt With: */ /* ------------------- */ /* */ /* SCA - The SCA is the simplest virus to deal with, */ /* as it's not actually DOING anything except */ /* hiding in memory, until you reboot. */ /* We just look at CoolCapture and fix it to get */ /* it out of RAM. */ /* */ /* Byte Bandit - The Byte Bandit virus takes the DoIO() vector */ /* and redirects it through itself. Thus, any */ /* attempt to read or write the boot block (ie, */ /* AmigaDOS trying to figure out what kind of */ /* disk it is) results in the BB writing itself */ /* onto that disk. VirusX couldn't just rewrite */ /* the boot block, we have to get him out of RAM */ /* first. This virus also has an interrupt that */ /* crashes the machine every 5 minutes or so */ /* after it's infected a few of your disks. Ow. */ /* It stays in memory not via the Capture */ /* vectors, but by a Resident module. */ /* */ /* Revenge - Basically, a Byte Bandit clone except it will */ /* bring up an obscene pointer a few minutes */ /* after you reboot. We treat it much like the */ /* byte bandit. */ /* */ /* Byte Warrior - Jumps right into 1.2 Kickstart. Won't work */ /* under 1.3. Hangs around via Resident struct, */ /* doesn't do any damage. */ /* */ /* North Star - Like SCA, hangs around via CoolCapture, */ /* killing CoolCapture kills the North Star. */ /* */ /* Obelisk Softworks Crew */ /* - Hangs around via CoolCapture, also */ /* watches reads of DoIO() (but doesn't */ /* infect EVERY disk - onlyt ones you boot */ /* off of) */ /* */ /* IRQ - This is the FIRST Non-Bootblock Virus. */ /* It copies itself from place to place via the */ /* first executable program found in your */ /* startup-sequence. It SetFunction's */ /* OldOpenLibrary(), has a KickTagPtr, */ /* and lives in the first hunk of an */ /* infected program. */ /* THANKS! to Gary Duncan and Henrik Clausen for */ /* being the first to send this one to me! */ /* */ /* Pentagon Circle - This one looks at the DoIO vector, and has */ /* a CoolCapture vector. It will write itself */ /* over any virus inserted, but not onto */ /* anything else. (Neat idea!). No danger, */ /* easy to eliminate. Holding left button */ /* while booting with this one shows different */ /* screen colour, but doesn't get rid of it. */ /* Thanks to Bill at CMI (CMI*BILL on Plink) */ /* for sending me this one! */ /* */ /* SystemZ Virus Protector */ /* - I took this one out. It's not really a */ /* 'Virus' in that it won't overwrite a disk */ /* without asking you first. Besides, it seems */ /* a lot of people LIKE the SystemZ Virus */ /* Protector (though it isn't perfect). */ /* */ /* Lamer Exterminator - THIS one was a bugger. Yet another virus */ /* aimed at hurting people. Y'see, a Lamer */ /* is apparently the worst kind of pirate - */ /* one who doesn't crack software, doesn't */ /* write software, just collects names and */ /* addresses and collects and spreads software. */ /* Lamers don't do anybody any good - and the */ /* guy behind this Virus took it upon himself */ /* to make their (and our) lives miserabler. */ /* Anyway, this virus loads into RAM into a */ /* different location every time (using a */ /* random location). It is encrypted on the */ /* disk so you can't SEE the name of it, and */ /* it never actually SHOWS the name (but it's */ /* definately there). It changes the */ /* encryption key used each time it is written */ /* back to disk. It has a counter and will */ /* wait until the machine has been reset 2 times */ /* OR until 3 disks have been infected, and will */ /* then pick a DATA block (Only a DATA block - */ /* FFS disks are safe, I guess), randomly, and */ /* will write the word 'LAMER!' all through it. */ /* This is obviously not good, and will cause */ /* random disk errors. This is the worst kind */ /* of havoc to wreak on the new user - and this */ /* virus is EVERYWHERE! I've gotten it from 5 */ /* people in the last week alone (all from */ /* different countries! Ack!). Anyways, credit */ /* for being the first with this one is */ /* Christian Schneider. Thanks, Christian! */ /* Might as well break the margin convention here, eh? Anyways, */ /* something else I thought of about this virus: It introduces a NEW */ /* way for a Virus to stay in RAM. Y'see, if ExecBase is okay at */ /* reboot time (Exec keeps a checksum, among other things, and checks */ /* to see if anything has been corrupted quite carefully). Anyways, */ /* if Exec thinks ExecBase is okay, it doesn't bother rebuilding it. */ /* Sooo, this virus sets the SumKickData() vector to point at itself. */ /* Then at Reboot when this vector gets called after reset, the virus */ /* ReInstalls himself. At least this is what I think is happening. */ /* This virus sets up a Resident structure, but never sets the Match */ /* Word - either this means we don't need the MatchWord or it means */ /* his SumKickData() is doing the recovery job - either way, it's */ /* new! 3 points for originality. */ /* */ /* Graffiti - The first virus to come with rotating 3-d graphics! */ /* It's neat - you might want to trigger it (I'm not sure */ /* how) before nuking it. Anyway, this one just sets */ /* CoolCapture(), does something with DoIO() during the */ /* reboot but sets it back to normal before anybody gets */ /* to look at it. Lots of code is taken by the graphics */ /* stuff. I just clear the CoolCapture vector. [yawn] */ /* */ /* Old Northstar - Poof. */ /* */ /* 16 Bit Crew - Well, I didn't actually have to DO anything to get */ /* VirusX to recognize it... because it seems to operate */ /* like the Graffiti Virus. If the 16 bit crew is in */ /* RAM, VirusX will say it removed the Graffiti virus. */ /* Oh well. 8-) */ /* */ /* DiskDoktor - I spent more time on this one than on any other. */ /* Y'see, this virus does lots of things. The first one */ /* for some reason was quite funny to me. heh */ /* What it would do is after you have rebooted 5 times, */ /* each time you reboot after that, the virus would eat */ /* 10K times the total number of reboots - so after */ /* rebooting 10 times, you would be short about 100K. */ /* This virus also starts up another TASK. I'm not */ /* exactly sure when it happens, but another task named */ /* 'clipboard.device' will appear at a priority of -120, */ /* and will continually bash the Virus' vectors into the */ /* Coldcapture, Coolcapture, Warmcapture (which it sets */ /* to $ff000000 just to annoy), and the DoIO() vector. */ /* When I was working on this one, I figured I just had */ /* to restore the old values to the DoIO() vector, but as */ /* soon as I did so, the Virus restored them - and since */ /* I didn't disassemble the entire thing, I didn't realize*/ /* this until I wasted time looking for other faults. */ /* This one also allocates some memory, copies some code */ /* out of Exec into this memory, and executes it. I */ /* never bothered to figure out why - Once it's gone, it's*/ /* gone. */ /* */ /* Thanks also to Robb Walton for being the first to send one of the */ /* other ones, (but I can't remember which one anymore... 8-( ) */ /************************************************************************/ /* */ /* Notes on making VirusX yourself: The source is included mainly */ /* for your perusal, not so that you can modify it and redistribute */ /* it. I've modified Manx's _main.c module to make the detach */ /* from the initial CLI work properly. I can't redistribute this */ /* module since it's copyright manx, so here's VirusX without it. */ /* It will compile and run, but if you run it from WB, it won't quit. */ /* The version I've supplied should do everything just fine. */ /* */ /* VirusX */ /* */ /* by Steve Tibbett */ /* */ /* Please - if you find a new virus, Send me a copy! */ /* (And warn me it's on the disk!). I want to keep */ /* this program current. (Feel free to put something */ /* neat on the disk also!) */ /* */ /* This version of VirusX is done with the Lattice 5.0 */ /* compiler. The Lattice compiler, with the help of John Toebes, */ /* gave me an executable almost 4K smaller than the best I could */ /* get out of Manx. Reason enough for me to switch! */ /* */ /* The Makefile included in the "source.zoo" file you should have */ /* gotten in the VirusX.Zoo file this came from, is set up for the */ /* MANX Make Utility. Switching to Lattice's LMK should be easy, */ /* but I've had no reason to. The important thing is the command */ /* line switches and the BLINK command line. */ /* */ /* Thanks to John Toebes for a lot of help getting it going, and */ /* thanks to Dan James for providing the routine down at the bottom */ /* that actually takes the IRQ Virus out of executable files. */ /* */ /************************************************************************/ /* End of Text */