VIRUS HELP TEAM


    ------------------------
    Amiga Virus Encyclopedia    
    Commander Link Virus
    ------------------------

   
    Commander Linkvirus:
    
    KS 3.1: yes MC68040: yes
    KS 1.3: yes


    - increases file length by 1664 bytes
    - Patched vectors:

     DosOpen(), DosRename(), DosLock(), DosExamine(), DosExNext(),
     DosLoadSeg(), DosSetcomment(), DosSetProt()

    No reset vectors are changed by this virus!

    First appearance of this virus: Scandinavia
    The virus seems to be widespread in the Scandinavian
    countries. I have heard several reports from Sweden and
    Denmark.

    Approximately 1 month after the first appearance in Denmark, the
    virus reached Germany and Switzerland, too.

    This virus works in a similar way to the Dark Avenger viruses. It
    looks for a special longword in the first hunk and replaces it
    with a "JSR" command into its own code. Its own code is placed
    at the end of the first hunk. The code is encrypted with a simple
    EOR loop, which depends on the raster beam.

    The longword searched for is a BSR or a JSR command and is
    recalculated in the virus. VirusWorkshop is able to restore all
    the patched locations. Special thanks at this point to Ingo
    Schmidt, who really helped me a lot...

    The BSR.B commands will not be touched.
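
    A triage sketch for the patching scheme described above, added here as
    an example and not taken from VirusWorkshop or any other tool named in
    this entry: it parses the first code hunk of an AmigaDOS load file and
    lists word-sized calls that land in its final 1664 bytes. That the
    redirected call is a BSR.W or JSR (d16,PC) with a 16-bit displacement
    is an assumption (the entry says only that a longword BSR or JSR is
    replaced); the sample files are constructed.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
GROWTH = 1664                      # bytes added to the file, per the entry above
BSR_W, JSR_PC = 0x6100, 0x4EBA     # assumed encodings: 68k calls with a 16-bit displacement

def first_code_hunk(data):
    """Return the body of the first hunk of an AmigaDOS load file (must be HUNK_CODE)."""
    pos = 0
    def u32():
        nonlocal pos
        (value,) = struct.unpack_from(">I", data, pos)
        pos += 4
        return value
    if u32() != HUNK_HEADER:
        raise ValueError("not an AmigaDOS hunk executable")
    while (name_len := u32()) != 0:    # skip resident library names
        pos += 4 * name_len
    u32()                              # hunk table size
    first, last = u32(), u32()
    pos += 4 * (last - first + 1)      # skip the per-hunk size table
    if u32() & 0x3FFFFFFF != HUNK_CODE:
        raise ValueError("first hunk is not a code hunk")
    size = (u32() & 0x3FFFFFFF) * 4    # length is stored in longwords
    if pos + size > len(data):
        raise ValueError("truncated code hunk")
    return data[pos:pos + size]

def calls_into_tail(code, tail=GROWTH):
    """List (offset, target) of BSR.W / JSR (d16,PC) words that call into the last `tail` bytes."""
    tail_start = len(code) - tail
    hits = []
    for off in range(0, max(tail_start - 3, 0), 2):   # 68k instructions are word aligned
        opcode, disp = struct.unpack_from(">Hh", code, off)
        target = off + 2 + disp        # displacement is relative to the extension word
        if opcode in (BSR_W, JSR_PC) and tail_start <= target < len(code):
            hits.append((off, target))
    return hits

def build_sample(disp, code_len=2048):
    """Constructed test file: one code hunk holding a single JSR (d16,PC), NOP padding, RTS."""
    code = struct.pack(">Hh", JSR_PC, disp) + b"\x4e\x71" * (code_len // 2 - 3) + b"\x4e\x75"
    header = struct.pack(">6I", HUNK_HEADER, 0, 1, 0, 0, code_len // 4)
    return header + struct.pack(">2I", HUNK_CODE, code_len // 4) + code + struct.pack(">I", HUNK_END)

if __name__ == "__main__":
    for label, disp in (("call stays in program body", 6), ("call lands in final 1664 bytes", 382)):
        print(label, calls_into_tail(first_code_hunk(build_sample(disp))))
```

    A hit is only a reason to look closer: any large program legitimately
    calls routines near the end of its first hunk.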

    Special: It looks for the task "DH0". If this task exists, it
    tries to infect the file "dh0:c/loadwb". The virus infects all
    files that are accessed through the patched functions. Any DOS
    protection on the files is removed by the infected files.

    The patchroutine is  quite  complex (or  complicated  in  other
    words).

    This virus is  quite similar  in some routines to the Commander
    bomb on PC. I got this hint from one of the members of the  VTC
    in Hamburg.

    The following texts are double encrypted and can be found at the
    end of the virus:

    '-<( COMMANDER )>- by Bra!N BlaSTer in 1994'
    'DH0:C/LoadWB'
    'DH0'
    'dos.library'
    'reqtools.library reqtools 38.888' (don't know what this is)


    Detection tested 03.10.1994.
    (Memoryremoval and fileremoval)


    Comment 4.1.1995: Only VT, VZ and VW (of the big viruskillers)
    remove the Commander virus correctly. Another English-speaking
    viruskiller (last update 31.12.1994) is not able to repair all
    the infected files.

    Another Commander viruskiller has appeared, which carries the
    whole virus!

    Comment 03.10.1994: Another special Commander viruskiller
    already exists, but this viruskiller is not able to
    recalculate the JSR commands! (1.4 is the current version
    of this special thing)

    Comment 19.10.1994: The repairroutine was a little bit
    buggy under special circumstances. Now fixed. Sorry.

    Comment 24.11.1994: After a SHI member from DK wrote about
    the real Commander virus installer, I got it 2 two later from
    Jan Andersen (former SHI TEAM DK). This is the intro from
    RAGE and APEX. The original file is 64924 bytes long (I got
    it in Germany). The "installer" is 71800 bytes long and
    contains some additional CLI textroutines, which hide the
    virus. This is in my opinion NEVER the original installer,
    but VW 4.4 and higher will recognize it....

    Comment 01.12.1994: A new installer appeared some days ago. This time
    it is (again) a production from Duplo (like dpl-de99, which I urgently
    need!).
    This time it is a two disk AGA demo titled My mamy is a vampire. The
    virus can be found in the first file from disk 1, called Vampire.exe.
    The virus is included in the file and I don't know how it fiddled in
    the demo. Maybe some of the Duplo programmers can say this to me ?

    The infector is 875778 bytes long, packed, and some kind of OS enhancer
    was added before....

        
    Test by Markus Schmall


    

Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk