Commander Link Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM


    ------------------------
    Amiga Virus Encyclopedia    
    Commander Link Virus
    ------------------------

   
    Commander Linkvirus:

    KS 1.3:   yes
    KS 3.1:   yes
    MC68040:  yes


    - increases file length by 1664 bytes
    - Patched vectors (dos.library):

      DosOpen(), DosRename(), DosLock(), DosExamine(), DosExNext(),
      DosLoadSeg(), DosSetComment(), DosSetProt()

    No reset vectors are changed by this virus!

    First appearance of this virus: Scandinavia
    The virus seems to be widespread in the Scandinavian countries.
    I have heard several reports from Sweden and Denmark.

    Approximately one month after the first appearance in Denmark the
    virus reached Germany and Switzerland, too.

    This virus works in a similar way to the 'Dark Avenger' viruses. It
    looks for a particular longword in the first hunk and replaces it
    with a JSR into its own code, which is appended to the end of the
    first hunk.  The virus code is encrypted with a simple EOR loop
    whose key is taken from the raster beam position, so the key differs
    from one infection to the next.

    The longword searched for is a BSR or JSR instruction.  The original
    call is kept and recalculated inside the virus, so that control
    still reaches the original target after the virus code has run.
    VirusWorkshop is able to repair all the patched things.  Special
    thanks at this point to Ingo Schmidt, who really helped me a lot...

    BSR.B instructions are not touched: the byte form carries its 8-bit
    displacement inside the opcode word and is only two bytes long, so
    there is no longword for the virus to replace.
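    As an added example (not code from this page, from VirusWorkshop or
    from any virus killer named here): a Python scanner that parses the
    header of a plain, unpacked Amiga load file, pulls out the first hunk,
    lists the 4-byte PC-relative calls (BSR.W and JSR (d16,PC)) that are
    candidates for the patch described above, and flags any call whose
    target falls into the last 1664 bytes of that hunk, which is where an
    appended virus body of that size would sit.  Hunk block identifiers
    and 68000 opcodes are the documented ones.  The sample host program
    and its "infected" copy are constructed here to exercise the scanner;
    they model only the file-level effect the entry describes (code
    appended to the first hunk, one call redirected into it) and do not
    reproduce the virus body, its EOR loop or its key derivation.

```python
import struct

# Amiga hunk-file block identifiers (documented load-file format).
HUNK_HEADER = 0x3F3
HUNK_CODE = 0x3E9
HUNK_END = 0x3F2

# Growth of an infected file as reported in the entry above.
VIRUS_LEN = 1664


def u32(data: bytes, pos: int) -> int:
    return struct.unpack_from(">I", data, pos)[0]


def first_code_hunk(data: bytes) -> bytes:
    """Return the payload of the first hunk of a plain (unpacked) load file.
    The first hunk must be a HUNK_CODE block: the region this virus patches."""
    if u32(data, 0) != HUNK_HEADER:
        raise ValueError("not an Amiga hunk file")
    pos = 4
    while True:  # resident library name table, terminated by a zero longword
        n = u32(data, pos)
        pos += 4
        if n == 0:
            break
        pos += 4 * n
    first, last = u32(data, pos + 4), u32(data, pos + 8)
    pos += 12  # table size, first hunk number, last hunk number
    for _ in range(last - first + 1):  # hunk size table
        size = u32(data, pos)
        pos += 4
        if size >> 30 == 3:  # both flag bits set: an extra memory-flag longword follows
            pos += 4
    if u32(data, pos) & 0x3FFFFFFF != HUNK_CODE:
        raise ValueError("first hunk is not HUNK_CODE")
    n = u32(data, pos + 4)
    return data[pos + 8 : pos + 8 + 4 * n]


def call_sites(code: bytes) -> list:
    """Every 4-byte PC-relative call in the hunk as (offset, mnemonic, target):
    BSR.W is opcode 0x6100 plus a 16-bit displacement, JSR (d16,PC) is 0x4EBA
    plus a 16-bit displacement.  BSR.B (0x61xx, non-zero low byte) is a single
    word and is skipped, matching the note that the virus leaves BSR.B alone.
    Stepping through every even offset also looks inside operands and data,
    so the result is a heuristic, not a disassembly."""
    found = []
    for off in range(0, len(code) - 3, 2):
        op = struct.unpack_from(">H", code, off)[0]
        if op in (0x6100, 0x4EBA):
            disp = struct.unpack_from(">h", code, off + 2)[0]
            # the 68000 forms the target from the address of the extension word
            found.append((off, "BSR.W" if op == 0x6100 else "JSR", off + 2 + disp))
    return found


def scan(data: bytes, virus_len: int = VIRUS_LEN) -> dict:
    """Flag calls in the first hunk whose target lies in its last virus_len
    bytes, i.e. a call redirected into code appended to the hunk."""
    code = first_code_hunk(data)
    calls = call_sites(code)
    tail = len(code) - virus_len
    suspicious = [c for c in calls if tail > 0 and c[2] >= tail]
    return {"hunk_len": len(code), "calls": calls, "suspicious": suspicious}


def build_load_file(code: bytes) -> bytes:
    """Wrap a code block into a minimal one-hunk load file (constructed)."""
    n = (len(code) + 3) // 4
    code = code.ljust(4 * n, b"\0")
    return (struct.pack(">IIIII", HUNK_HEADER, 0, 1, 0, 0)  # no resident libs, 1 hunk, first=0, last=0
            + struct.pack(">I", n)                          # hunk size table
            + struct.pack(">II", HUNK_CODE, n) + code
            + struct.pack(">I", HUNK_END))


# Constructed host program, 12 bytes of 68000 code (not taken from any real file).
SAMPLE_CLEAN = bytes([
    0x4E, 0xBA, 0x00, 0x06,  # 0000: JSR (d16,PC), d16=6 -> 0008  (4-byte call: candidate)
    0x61, 0x02,              # 0004: BSR.B +2           -> 0008  (2-byte call: not a candidate)
    0x4E, 0x75,              # 0006: RTS
    0x70, 0x00,              # 0008: MOVEQ #0,D0
    0x4E, 0x75,              # 000A: RTS
])


def constructed_infected_sample(virus_len: int = VIRUS_LEN) -> tuple:
    """Constructed model of the file-level effect: virus_len bytes are appended
    to the first hunk and the first 4-byte call is redirected into them.  The
    real virus also stores the original call (encrypted) inside its body; this
    stand-in body is just an RTS plus filler.  Returns (clean, infected)."""
    off, _, _ = call_sites(SAMPLE_CLEAN)[0]
    body = bytes([0x4E, 0x75]) + b"\0" * (virus_len - 2)
    patched = bytearray(SAMPLE_CLEAN)
    struct.pack_into(">Hh", patched, off, 0x4EBA, len(SAMPLE_CLEAN) - (off + 2))
    return build_load_file(SAMPLE_CLEAN), build_load_file(bytes(patched) + body)
```

    On the constructed sample the scanner reports the JSR at offset 0 as
    the only candidate in the clean file and flags it in the infected copy,
    whose first hunk has grown by exactly 1664 bytes.  Packed files (like
    the installers mentioned further down) have to be unpacked before this
    kind of check makes sense.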

    Special:  It looks for a task named "DH0".  If this task exists, it
    tries to infect the file "dh0:c/loadwb".  In addition, the virus
    infects every file that is accessed through the patched functions.
    Any DOS protection bits on the target file are removed by the virus.

    The patch routine is quite complex (or, in other words, complicated).

    This virus is quite similar in some routines to the Commander bomb
    on the PC; I got this hint from one of the members of the VTC in
    Hamburg.

    The following texts are doubly encrypted and can be found at the end
    of the virus:

    '-<( COMMANDER )>- by Bra!N BlaSTer in 1994'
    'DH0:C/LoadWB'
    'DH0'
    'dos.library'
    'reqtools.library reqtools 38.888' (don't know what this is)


    Detection tested 03.10.1994.
    (Memory removal and file removal)


    Comment 4.1.1995:
    Only VT, VZ and VW (of the big virus killers) remove the Commander
    virus correctly.  Another English-language virus killer (last update
    31.12.1994) is not able to repair all the infected files.

    Another Commander virus killer has appeared, which carries the whole
    virus!

    Comment 03.10.1994:
    There already exists another special Commander virus killer, but
    this virus killer is not able to recalculate the JSR commands!
    (Version 1.4 is the current one at the time of writing.)

    Comment 19.10.1994:
    The repair routine was a little bit buggy under special circumstances.
    Now fixed.  Sorry.

    Comment 24.11.1994:
    After an SHI member from Denmark wrote about the real Commander virus
    installer, I got it 2 two later from Jan Andersen (former SHI TEAM
    DK).  This is the intro from RAGE and APEX.  The original file is
    64924 bytes long (I got it in Germany).  The "installer" is 71800
    bytes long and contains some additional CLI text routines, which hide
    the virus.  This is in my opinion NEVER the original installer, but
    VW 4.4 and higher will recognize it....

    Comment 01.12.1994:
    A new installer appeared some days ago.  This time it is (again) a
    production from Duplo (like dpl-de99, which I urgently need!).
    This time it is a two-disk AGA demo titled "My mamy is a vampire".
    The virus can be found in the first file from disk 1, called
    Vampire.exe.  The virus is included in the file and I don't know how
    it got into the demo.  Maybe some of the Duplo programmers can tell
    me?

    The infector is 875778 bytes long packed, and some kind of OS
    enhancer was added before....

        
    Test by Markus Schmall


    HEX picture of Commander virus:

Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk