FA58B1EF Link Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM


     ------------------------
     Amiga Virus Encyclopedia
     FA58B1EF Link Virus
     ------------------------
     
     
     -  FA58B1EF-LVirus (Link)
         File extension: #2440 bytes
         Patched vectors: LoadSeg, NewLoadSeg
         Patched vectors sometimes: BeginIo of scsi.device
         Reason for name: see below
         KS1.3: no
        
        Memory integration:
         Via LoadSeg and NewLoadSeg.
         The long word $FA58B1EF (see above) is used to check whether
         the virus is already active in memory.
         Linking into a file, conditions:
         Medium validated
         Executable file (3F3)
         File length at least #30000 bytes
         $4AFC not found (e.g. libs)
         File not yet infected (test with FA58B1EF)
         Trips over 3E8-, 3F1-hunks etc.
         The virus links itself in as a new first hunk before the original
         first hunk. Therefore it must also change the relocation of the
         following hunks.
         VT tries to remove the virus and also to force the reloc hunks
         back.
         VT should find the virus in memory and deactivate it.
         Damage 1:
         - Walks through the device list ($15e) and often (not
           always) performs the nonsensical addq.b #1,(a0)+ on it.
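         As an added illustration of the linking conditions listed above (not part of the original VT write-up), here is a small Python triage routine that parses an AmigaDOS Hunk header and reports whether the first code hunk carries the $FA58B1EF check word, together with the other preconditions the virus tests (3F3 header, minimum length, presence of $4AFC). The sample files are constructed inline; the hunk-size table is read in simplified form (assumption: no extended memory-flag longwords).

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
MARKER = 0xFA58B1EF      # check word the virus uses for "already in memory / already infected"
RTC_MATCHWORD = 0x4AFC   # resident tag word; files containing it (libs/devices) are not infected
MIN_LEN = 30000          # minimum file length the virus requires before linking in

def parse_hunk_header(data):
    """Return (hunk_count, sizes, offset_of_first_hunk). Raises ValueError if not a 3F3 file."""
    if len(data) < 4 or struct.unpack(">I", data[:4])[0] != HUNK_HEADER:
        raise ValueError("not an AmigaDOS Hunk executable (no 3F3 header)")
    pos = 4
    while True:  # resident library name list: (length in longwords, name)*, terminated by 0
        n = struct.unpack(">I", data[pos:pos + 4])[0]
        pos += 4
        if n == 0:
            break
        pos += n * 4
    _table_size, first, last = struct.unpack(">III", data[pos:pos + 12])
    pos += 12
    count = last - first + 1
    # top two bits of each size are memory flags; assumption: no extended flag longwords follow
    sizes = [s & 0x3FFFFFFF for s in struct.unpack(">%dI" % count, data[pos:pos + 4 * count])]
    return count, sizes, pos + 4 * count

def first_code_hunk_words(data, pos):
    """Longwords of the first hunk body if it is a HUNK_CODE, else an empty tuple."""
    kind, n = struct.unpack(">II", data[pos:pos + 8])
    if kind != HUNK_CODE:
        return ()
    return struct.unpack(">%dI" % n, data[pos + 8:pos + 8 + 4 * n])

def triage(data):
    """Defender-side check: does this file look like it was linked by the FA58B1EF virus?"""
    count, _sizes, pos = parse_hunk_header(data)
    words = first_code_hunk_words(data, pos)
    return {
        "hunks": count,
        "marker_in_first_hunk": MARKER in words,                   # the prepended virus hunk carries it
        "long_enough": len(data) >= MIN_LEN,                       # precondition the virus checks
        "has_rtc_word": struct.pack(">H", RTC_MATCHWORD) in data,  # present -> virus skips the file
    }

def build_hunk_file(code_words):
    """Constructed sample: single-hunk executable, no resident libraries, given code longwords."""
    n = len(code_words)
    return (struct.pack(">IIIII", HUNK_HEADER, 0, 1, 0, 0) + struct.pack(">I", n)
            + struct.pack(">II", HUNK_CODE, n) + struct.pack(">%dI" % n, *code_words)
            + struct.pack(">I", HUNK_END))
```

Calling `triage(build_hunk_file([0xFA58B1EF, 0x4E754E75]))` flags the constructed sample whose first hunk starts with the check word, while a plain `[0x4E754E75]` (two RTS) file is reported clean.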
        
        VT List read-out before:
         Address Ver Rev NegOff PosOff Pri # OCnt Name Number: 12 Date
         $ 0800d514 37 12 36 338 0 1 gameport.device (3.5.91)
         $ 0800d6ac 39 4 68 380 0 24 timer.device (7/29/92)
          ; etc ...
        
        VT List read-out after:
         Address Ver Rev NegOff PosOff Pri # OCnt Name Number: 6 Date
         $ 0900d514 55355535 65535 65535 - 1 5535
         $ ffffffff 07523498 26112 63498 0 2288
          ; etc ...
         Nothing can be saved any more! Do a reset.
         Or damage 2:
         - Searches for scsi.device and patches its BeginIo.
           Every letter in the virus is stored decremented by 1,
           so scsi.device appears as rbrh-cduhbd. Hence probably the
           nonsensical addq, see above. Waits for a write request.
        
        VT Block read-out before:
          0180: 00000000 00000000 00000000 00000000 ................
                   ; ....
          01e0: 00000000 00000000 00000000 00000000 ................
        
        VT Block read-out after:
          0180: 00000000 00000000 0000ff00 000000ff ................
                   ; .... ^^ ^^
          01e0: 00000000 0000ff00 00000000 00000000 ................
                             ^^
         Of course, I chose an empty block for the test.
         Such a destroyed block cannot be found by VT.
         If the block belongs to a file, the file is lost.
         So once VT has found this virus in memory, it is advisable
         to reboot from a clean antivirus disk.


     Original test by Heiner Schneegold
     Translated from German to English by Google Translate
Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk