VIRUS HELP TEAM



    ------------------------
    Amiga Virus Encyclopedia
    Liberator v3.0
    ------------------------

              
    Liberator 3.0 Virus:
    
    Filelength: 10712

    This virus patches the startupsequence and writes itself in
    it.

    Original end of the startup:

    (40.42 Startup-Sequence)

    Resident Execute REMOVE
    Resident Assign REMOVE
    C:LoadWB -debug
    EndCLI >NIL:

    Modified end of the startup:

    (40.42 Startup-Sequence)

    Resident Execute REMOVE
    Resident Assign REMOVE
    C:LoadWB -debug
    cv >NIL:
    EndCLI >NIL:


    The tests were performed with 3 drives (SYQ= Syquest 105 MB,
    DF0 and DF2 as normal diskdrives).

    On @{b}all@{ub} 3 devices the Startup-Sequence was changed in one
    step. If a .fastdir file, which will be created by the virus,
    will reach a special value (99) , then the following text
    will be shown:

        ' Congratulations your hard disk has been'
        '     liberated of virus protection!!    '
        '   Hello from the Liberator virus v3.0  '
        '         - Digital Deviant              '
        '   The anti-anti-virus is here again !  '
        '     Lets play trash the hard disk      '
        '        and ram the disk heads          '
        '   Only hardcore belgi an rave can      '
        '      truely liberate the mind!         '
        '              The liberator 15/01/92    '

    ...


    The .fastdir  was  not  created  on  DF2, but  on  the  other
    devices. Startvalue from this 2 byte long file is: $310a. The
    virus itself was not copied, but due to the filename "cv" and
    the  startupmessage  I  think  that  the  real name is Check-
    Vectors:

        'Check Vectors rev 5.1 '
        'All Rights Reserved '
        'more TUPperware  by Mike Hansel'
        'Reset vectors ok, Nothing resident'
        ', Trackdisk.device not intercepted, ',0
        'DoIO ok, VBlank ok, dos.library not inte'
        'rcepted.'
        'System appears to be free of viruses and'
        ' trojans!'


    Test By Markus Schmall         Detection retested 16.07.1994.


    

Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk