Copy Link
Add to Bookmark
Report

All the viruses of the Amiga computer

DrWatson's profile picture
Published in 
Amiga hacking
 · 2 years ago

THE SCA VIRUS: The original. The one that started all this craziness. It hides in memory, attaching itself to ANY disk you boot off of. Prints the infamous "Something wonderful has happened...", etc., etc. Install all disks that have it and then reboot from a cold start or from a warm start HOLDING down the LEFT mouse button. This puts it to death. The SCA is the simplest virus to deal with, as it's not actually DOING anything except hiding in memory, until you reboot.


BYTE BANDIT VIRUS: What the Byte Bandit virus does is once it's in memory, it copies itself to just above the high memory pointer on the first hunk of RAM it can find (Which means it's not always in the same place), wedges itself into the Interrupt Server chain, into the Trackdisk device's vectors, and creates itself a Resident structure so it can hang around after reboot. It watches EVERY disk inserted, and will write itself to ANY bootable disk that is inserted! This one can spread like wildfire - every disk you insert into your external drive during a session with this Virus loaded will result in all those disks being infected. Ouch. Also, if you Install a disk while this virus is going, it will just copy itself back to the disk - which is why it has to be wiped from memory to be destroyed.

The Byte Bandit virus takes the DoIO() vector and redirects it through itself. Thus, any attempt to read or write the boot block (ie, AmigaDOS trying to figure out what kind of disk it is) results in the BB writing itself onto that disk. VirusX couldn't just rewrite the boot block, we have to get him out of RAM first. This virus also has an interrupt that crashes the machine every 5 minutes or so after it's infected a few of your disks. Ow. It stays in memory not via the Capture vectors, but by a Resident module.


The REVENGE VIRUS: This virus is not yet common in North America (I think Steve Tibbett is the first person here to have a copy of it), but it is apparently making the rounds in Sweden and Germany.What this virus does, is everything that the Byte Bandit virus does,PLUS, after infecting a disk, it will wait one minute after every reboot, and change your mouse pointer into an image of a certain part of the Male anatomy. 8-) I think the reason this virus is called the "Revenge" virus is because it looks specifically for the Byte Bandit and for the SCA Virus. If it finds either of these, it Rigs THAT virus so that it will CRASH the machine unless THIS virus is loaded first. Note that I might be wrong about this - that's the way it looks from the disassembly,- but be warned, in case it pops up later or something. He stays in RAM via changing the CoolCapture vector to point to his own code. He then intercepts the DoIO() call and watches for any attempts to rewrite or to read the boot block and acts accordingly.He also has an interrupt around counting VBlanks until it's time to bring up his sicko pointer. To get this virus out of memory is Simple - Hold down the Joystick button (Plug a joystick into port 2, and hold down the button while you are rebooting), and the screen will briefly turn RED during the boot, and it's out of memory. (If you hold down Joystick button AND mouse button, it will half-remove himself from RAM and turn the screen Blue).

Basically, a Byte Bandit clone except it will bring up an obscene pointer a few minutes after you reboot. We treat it much like the byte bandit.


THE BYTE WARRIOR VIRUS: The Byte Warrior Virus is a lot like the Byte Bandit virus, except it is not designed to hurt anything - it will start an "Alarm" sound if it sees another virus (or at least I think it does - it hasn't for me), but other than that, it will write itself to any disk inserted. There is also a hidden message in it, asking us to spread it around and not to erase it. Ya, right.

Jumps right into 1.2 Kickstart. Won't work under 1.3. Hangs around via Resident struct, doesn't do any damage.


THE NORTH STAR AntiVIRUS: This virus alerts you to the presence of other viruses.I think this sort of idea is stupid because it can do just as much damage as the rest of them.

Like SCA, hangs around via CoolCapture, killing CoolCapture kills the North Star.


THE OBELISK SOFTWARE CREW VIRUS: Hangs around via CoolCapture, also watches reads of DoIO() (but doesn't infect EVERY disk - onlyt ones you boot off of)


THE PENTAGON CIRCLE VIRUS: This one looks at the DoIO vector, and has a CoolCapture vector. It will write itself over any virus inserted, but not onto anything else. (Neat idea!). No danger, easy to eliminate. Holding left button while booting with this one shows different screen colour, but doesn't get rid of it. Thanks to Bill at CMI (CMI*BILL on Plink) for sending me this one!


THE SYSTEMZ VIRUS: More of the same.


THE SYSTEMZ VIRUS PROTECTOR: I took this one out. It's not really a 'Virus' in that it won't overwrite a disk without asking you first. Besides, it seems a lot of people LIKE the SystemZ Virus Protector (though it isn't perfect).


THE IRQ VIRUS: The FIRST non boot-block virus! This one is murder! Since it does not attach itself to the boot block it is not a simple think to find. This baby attacks the FIRST executable file in your startup-sequence or,if it can't get at that file, it will attack the DIR command in your C directory! Get and read the fine writeup of this virus by S.Tibbett included with his VIRUSX utility.

This is the FIRST Non-Bootblock Virus. It copies itself from place to place via the first executable program found in your startup-sequence. It SetFunction's OldOpenLibrary(), has a KickTagPtr, and lives in the first hunk of an infected program. THANKS! to Gary Duncan and Henrik Clausen for being the first to send this one to me!


LAMER EXTERMINATOR: THIS one was a bugger. Yet another virus aimed at hurting people. Y'see, a Lamer is apparently the worst kind of pirate - one who doesn't crack software, doesn't write software, just collects names and addresses and collects and spreads software. Lamers don't do anybody any good - and the guy behind this Virus took it upon himself to make their (and our) lives miserabler. Anyway, this virus loads into RAM into a different location every time (using a random location). It is encrypted on the disk so you can't SEE the name of it, and it never actually SHOWS the name (but it's definately there). It changes the encryption key used each time it is written back to disk. It has a counter and will wait until the machine has been reset 2 times OR until 3 disks have been infected, and will then pick a DATA block (Only a DATA block - FFS disks are safe, I guess), randomly, and will write the word 'LAMER!' all through it. This is obviously not good, and will cause random disk errors. This is the worst kind of havoc to wreak on the new user - and this virus is EVERYWHERE! I've gotten it from 5 people in the last week alone (all from different countries! Ack!). Anyways, credit for being the first with this one is Christian Schneider. Thanks, Christian!

Might as well break the margin convention here, eh? Anyways, something else I thought of about this virus: It introduces a NEW way for a Virus to stay in RAM. Y'see, if ExecBase is okay at reboot time (Exec keeps a checksum, among other things, and checks to see if anything has been corrupted quite carefully). Anyways, if Exec thinks ExecBase is okay, it doesn't bother rebuilding it. Sooo, this virus sets the SumKickData() vector to point at itself. Then at Reboot when this vector gets called after reset, the virus ReInstalls himself. At least this is what I think is happening. This virus sets up a Resident structure, but never sets the Match Word - either this means we don't need the MatchWord or it means his SumKickData() is doing the recovery job - either way, it's new! 3 points for originality.


OLD NORTHSTAR: Poof.


16 Bit CREW: Well, I didn't actually have to DO anything to get VirusX to recognize it... because it seems to operate like the Graffiti Virus. If the 16 bit crew is in RAM, VirusX will say it removed the Graffiti virus. Oh well. 8-)


DISKDOKTOR: I spent more time on this one than on any other. Y'see, this virus does lots of things. The first one for some reason was quite funny to me. heh What it would do is after you have rebooted 5 times, each time you reboot after that, the virus would eat 10K times the total number of reboots - so after rebooting 10 times, you would be short about 100K. This virus also starts up another TASK. I'm not exactly sure when it happens, but another task named 'clipboard.device' will appear at a priority of -120, and will continually bash the Virus' vectors into the Coldcapture, Coolcapture, Warmcapture (which it sets to $ff000000 just to annoy), and the DoIO() vector. When I was working on this one, I figured I just had to restore the old values to the DoIO() vector, but as soon as I did so, the Virus restored them - and since I didn't disassemble the entire thing, I didn't realize this until I wasted time looking for other faults. This one also allocates some memory, copies some code out of Exec into this memory, and executes it. I never bothered to figure out why - Once it's gone, it's gone.

Anyway....the saga continues......
I highly recommend that you get a copy of Steve Tibbett's excellent utility, VIRUSX (the current version as of 9/16/89 is VIRUSX3.20 ). This fine utility detects all 16 known viruses and kills them on the disk and in RAM. The built-in sector-viewer allows you to see the virus on the disk and to also observe any unusual boot block code.

← previous
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT