Documentation of AntiCicloVir V2.4a: 14.03.1995
===============================================

Table of Contents:

1. Copyright
2. How to use AntiCicloVir
3. Scan memory for viruses
4. Scan directories for viruses
5. How to handle packers
6. Scan bootsectors for viruses
7. Scan disk-validators for viruses
8. Description of some well-known viruses:
   - SCA
   - BGS9
   - Bret Hawnes
   - Disaster-Master
   - IRQ
   - Golden Rider
   - SADDAM
9. Mail


Copyright

AntiCicloVir is now Public Domain software. That means you may use this
viruskiller for personal or commercial work: you may use it to scan your own
system for viruses, put it on your own Public Domain disks, or sell it to
anyone at any price.

You may read the assembly-language source code, take routines out of it for
your own programs, and change or extend any part of the source code. If you
program in assembly language you will see that it is very simple to update the
viruskiller so that it detects new viruses in memory, in files and on disk. You
may also use the source code of AntiCicloVir as the base for a viruskiller of
your own.

But there are some limits! You may not spread such a changed program under the
name `AntiCicloVir`, because I will write more (and better) versions of
AntiCicloVir in the future, and it would not be useful if more than one program
used the same name. Further, it is not allowed to change any part of this
documentation or of the file VIRUSLIST.DOC.

I hope there are no serious, nasty, ugly bugs in the assembly-language source
code of AntiCicloVir, but I think no program exists without any bug, so I can
give no guarantee for the error-free operation of AntiCicloVir. I take no
responsibility for any damage caused directly or indirectly by the correct or
incorrect use of AntiCicloVir.
That also means, for example, that if your hardware or software is damaged by a
virus which AntiCicloVir did not detect, I will not take responsibility for
that. But I hope nothing like the above will happen.

And now a message from our sponsors:

---------------------------------------------------------------------------
ABOUT SAFE HEX INTERNATIONAL

If you know a virus programmer you can get a reward of $ 1000 for supplying his
name and address. The fact is that the law punishes data crime very severely
(5 years in jail in most countries).

We are an international group with more than 500 members who have started
trying to stop the spread of viruses. Let me give you some examples:

1. Our motto is: "Safe Hex, who dares do anything else today?".
2. A virus bank containing more than 1800 Amiga and PC viruses for supporting
   good shareware antivirus programs.
3. We help people to get back money lost by virus infection.
4. We write articles about virus problems for about 20 computer magazines
   worldwide.
5. We release the newest and the best virus killers around from about 25
   well-known programmers worldwide.
6. We have more than 35 PC and Amiga "Virus Centers" worldwide where you can
   get free virus help by phoning our "Hotline", and the newest killers
   translated into your own language at very little cost.

For more information contact:

   SAFE HEX INTERNATIONAL
   Erik Loevendahl Soerensen
   Snaphanevej 10
   DK-4720 Praestoe
   Denmark

   Phone: + 45 55 99 25 12
   Fax  : + 45 55 99 34 98

   (Please send 2 "Coupon-Response International" and a self-addressed
   envelope if you want information about SHI by letter.)
---------------------------------------------------------------------------


How to use AntiCicloVir

AntiCicloVir is a small but smart viruskiller which is meant to be as simple to
use as VirusX. It is not hard to deal with AntiCicloVir.
Today more and more "superviruskillers" appear, but more and more novices have
problems using these killers efficiently, because over time they have become so
complicated that you first have to read gigabytes of DOC files if you want to
know how to use them most efficiently ...

If you want to use AntiCicloVir you only have to read this small DOC file and
know a few things:

AntiCicloVir is more a virus hunter than a virus killer! It can detect viruses
in memory, but it will not remove them from memory, because it does not change
any vectors. At present I do not have the ROM addresses of all vectors for all
ROM versions, because I do not have as much money as some antivirus freaks to
buy every AMIGA model sold by Commodore ...

In some cases it is enough to let AntiCicloVir restore some reset vectors to
remove a virus from memory. After that it is better to cause a reset, so that
the whole virus is removed from the system, provided it cannot survive the
reset.

Because of the small size of AntiCicloVir (27 kB) it is useful to call it from
your startup-sequence. Copy AntiCicloVir into your c subdirectory and call it
from your startup-sequence with the option `-c` for a fast memory check. Now,
whenever you reboot from this disk, AntiCicloVir is started, shows you the
addresses of some important ROM vectors and checks the memory for all known
viruses. If AntiCicloVir has found a virus in memory, order the viruskiller to
restore the reset vector and cause a reset yourself. After one reboot from a
clean disk run AntiCicloVir again to see whether the virus is still in memory.

To scan the bootsectors of disks for viruses, start AntiCicloVir with the
option `-m` from the Shell, or call it from the Workbench. AntiCicloVir will
then check every disk you insert in any connected floppy drive.
AntiCicloVir does not only check the bootsector of every inserted disk, but its
disk-validator too.

If you want to scan your disks for file and link viruses, use AntiCicloVir from
the Shell: enter the name of AntiCicloVir followed by the path of the directory
you want to scan for viruses.

You see, it is very simple to use AntiCicloVir! But that is not all about
AntiCicloVir ...

The viruskiller becomes much stronger if you use the antivirus libraries from
Safe Hex International together with it. These libraries are not necessary to
get AntiCicloVir started, but they improve AntiCicloVir in some important
points. Before you can use these libraries you have to install them. You will
find all needed libraries in the subdirectory libs of the directory which
contains AntiCicloVir. Copy the contents of this libs directory into the libs
directory of your Workbench disk. After that, copy the contents of the
subdirectory l, which is also in the same directory as AntiCicloVir, into the l
directory of your Workbench disk.

These libraries support AntiCicloVir in the following points:

- The Bootblock.library supports the bootsector scan, so that AntiCicloVir can
  now find more bootblock viruses than `only` the 188 it knows by itself: it
  additionally finds all bootblock viruses the Bootblock.library knows.

  A lot of thanks for this excellent work has to go to:

     Johan Eliasson
     Baeckgatan 6
     60358 Norrkoeping
     Sweden

- The removelink.library supports the directory and memory scan, so that
  AntiCicloVir can now find more file viruses, link viruses, disk-validator
  viruses, trojan horses and bombs than `only` the 78 it knows by itself: it
  additionally finds all file, link and disk-validator viruses, trojan horses
  and bombs the removelink.library knows.
  A lot of thanks for this excellent work has to go to:

     Johan Oehman
     Matematikgrand 13B
     90733 Umea
     Sweden

- The unpack.library makes it possible for AntiCicloVir to decrunch packed
  files, to find file viruses, link viruses, disk-validator viruses, trojan
  horses or bombs hidden in them.

  NOTE: If you do not use the unpack.library, AntiCicloVir will only recognize
  some archives, crunchers and packers, but will not decrunch these files ...

  A lot of thanks for this excellent work has to go to:

     Thomas Neumann
     Kongensgade 78
     3550 Slangerup
     Denmark

Now it is possible to update AntiCicloVir by yourself ... you only have to get
the newest versions of the Bootblock.library, removelink.library and
unpack.library from Safe Hex International, and your version of AntiCicloVir
will find more viruses and decrunch more new archives, crunched and packed files
than before!

A lot of mega-thanks also has to go to Safe Hex International!


Scan Memory for viruses

If you run AntiCicloVir with the option `-m` or call it from the Workbench, the
viruskiller first displays the addresses of some important system vectors. If
one of the reset vectors ColdCapture, CoolCapture or KickTagPtr does not point
to zero, AntiCicloVir brings up a requester asking whether it shall restore the
changed vector. The other reset vectors WarmCapture, KickMemPtr and
KickCheckSum cannot be used by a virus on their own, without one of the vectors
mentioned above.

AntiCicloVir does not check the addresses of the ROM vectors and cannot reset
them to their original addresses. But every virus that wants to survive a reset
hangs on one of the reset vectors mentioned above, and that is the point where
AntiCicloVir detects every new, unknown virus.

AntiCicloVir shows you the addresses of some important vectors of the ExecBase
structure, the exec.library, the dos.library, the intuition.library, the
trackdisk.device and the keyboard.device.
If you have started AntiCicloVir with the option `-c`, AntiCicloVir runs a fast
memory check. If AntiCicloVir has found a known virus in memory, it brings up a
requester to warn you. But it cannot remove a virus from memory, because
AntiCicloVir does not reset any original ROM addresses! Restore the reset
vectors with AntiCicloVir and cause a reset to wipe the virus from memory, or
switch your AMIGA off.

If you have restored the reset vectors and caused a reset, reboot from a clean
disk and check the memory again with AntiCicloVir to see whether the virus is
still in memory ...

Please use the removelink.library to support the memory scan!


Scan Directories for viruses

If you wish to scan the root directory or some subdirectories of your disks,
first change into the Shell and start AntiCicloVir by its name followed by the
path of the directory you wish to scan. If you want, you can also scan a single
file by giving the path of that file instead of a directory.

AntiCicloVir displays all file names of the directory, the setting of their
protection bits, the file length and, if available, the comment attached to the
file. Further, it checks the contents of the files for executable code, for the
code of archives, crunchers and packers, and for the code of file viruses, link
viruses, disk-validator viruses, bombs and trojan horses. If one of these nasty
things is found in a file, AntiCicloVir adds a message to the file name and
brings up a requester giving you the choice to kill this virus or not.

If you add the option `-all` after the path of the directory you want to scan,
AntiCicloVir scans all subdirectories contained in this directory as well.
Please note the following two examples:

1. AntiCicloVir df0: -all
   (scans all directories and subdirectories of df0:)

2. AntiCicloVir "Workbench Disk:" -all
   (scans all directories and subdirectories of "Workbench Disk")

AntiCicloVir cannot remove invisible commands from the startup-sequence! If you
have removed a file virus with AntiCicloVir, look through your startup-sequence
with a file monitor or, for example, the Shell command Type for invisible
characters, which file viruses use to call themselves ... You have to delete
these invisible characters with the backspace key, or you will get the error
"unknown command" every time you boot from this disk!

Further, AntiCicloVir checks every file name in every scanned directory for
invisible characters, so that it also detects completely new file viruses which
it does not know yet. This is very useful ... Please send every new invisible
file to my address! Thanks!

Please use the removelink.library and the unpack.library to support the
directory scan!

NOTE: If you do not use the unpack.library, AntiCicloVir only recognizes the
archives, crunchers and packers it knows by itself, but does not decrunch these
files to look for viruses hidden in them!


How to handle packers

Today more and more new archivers, crunchers and packers appear for the AMIGA,
to get more stuff onto one disk than without them ... But the worst thing about
these utilities is that many virus writers have no problem hiding their file or
link viruses, trojan horses or bombs in such archives, crunched or packed files,
to camouflage them from any viruskiller. If a viruskiller checks a crunched
file which includes a link virus, it does not recognize the virus, unless it
knows that particular cruncher and can decrunch the file ... Well, I am sorry
that AntiCicloVir by itself cannot decrunch files, but only recognizes some
archives, crunchers and packers ...
But if you use the unpack.library by Thomas Neumann with AntiCicloVir (it is in
the subdirectory libs of the directory that contains AntiCicloVir), then
AntiCicloVir recognizes a lot of archives, crunched and packed files and
decrunches them before checking them for file viruses, link viruses, trojan
horses and bombs!


Scan Bootsectors for viruses

To scan the bootsectors of your disks for bootblock viruses, start AntiCicloVir
with the option `-m` from the Shell, or run it from the Workbench. After showing
you the system vectors and some important ROM addresses and passing the memory
check, AntiCicloVir installs a small Intuition window at the top of the current
screen and waits for every newly inserted disk. AntiCicloVir can check the
bootsectors of disks in all connected floppy drives! If AntiCicloVir has found a
known bootblock virus, it brings up a requester and asks whether it shall
install a new bootblock to kill this virus ...

Please use the Bootblock.library to support the bootsector scan!


Scan Disk-Validator for viruses

To scan the disk-validator of your disks for disk-validator viruses, start
AntiCicloVir with the option `-m` from the Shell, or run it from the Workbench.
After showing you the system vectors and some important ROM addresses and
passing the memory check, AntiCicloVir installs a small Intuition window at the
top of the current screen and waits for every disk you insert into the current
drive. If a disk-validator virus is found on this disk, it brings up a requester
and gives you the choice to kill this disk-validator virus or not.


Description of some well-known viruses:

- SCA

  This was the first virus on the AMIGA! It lives in the first two sectors of a
  disk in track 0, called the bootblock.
  Every time you boot from such an infected disk, the SCA virus copies itself
  to an absolute memory position in CHIP RAM at $7EC00. After that it checks
  whether the dos.library is resident and stops the program until the
  dos.library really is resident. The SCA virus sets the CoolCapture vector to
  its own address at $7EC3E and sleeps until you reboot your machine ... Further
  it calculates a new checksum for the ExecBase structure.

  Now, when you reboot your computer, the virus removes the address of the ROM
  vector DoIO() and puts its own address into this vector. When the AMIGA
  starts its own IORequest through the ROM routine DoIO() to boot from a disk,
  the SCA virus becomes active and changes the IORequest for its own use, to
  write the code from the memory position $7EC00 into the first two sectors of
  track 0, the bootblock ... After that it puts the original ROM address back
  into the DoIO() vector.

  The SCA virus causes no damage, but displays a message like this:

     `Something wonderful has happened.
      Your AMIGA is alive !!! and, even better ...
      some of your disks are infected by a VIRUS
      Another masterpiece of The Mega-Mighty SCA !!`

  Viruses like SCA we call bootblock viruses!

- BGS 9 I+II

  This file virus is possibly a mutation of the file virus Terrorists. It
  stands out from the crowd, because all other file viruses use another
  mechanism to spread themselves ...

  The BGS9 virus looks for the first executable program in your
  startup-sequence and moves it from its real place into the subdirectory
  `DEVS:` (or, if it cannot find this subdirectory, into the root directory),
  gives it an invisible name, which in hexadecimal is
  $A0A0A0202020A0202020A0, and puts itself in the program's place! When the
  first program of the startup-sequence of an infected disk, which is now the
  BGS9 virus, is executed, the virus installs itself in memory and executes the
  original program, which stands invisibly in `DEVS:`!

  In memory the BGS9 virus uses the resident structures to wake itself up after
  a reset.
  It sets KickMemPtr, KickTagPtr and KickCheckSum. On every reset it sets the
  vector OpenWindow() of the intuition.library to its own address. After every
  use of OpenWindow() the virus tries to copy itself, by the mechanism
  described above, onto the next disk, or after four resets shows you the
  following message:

     A COMPUTER VIRUS IS A DISEASE
     TERRORISM IS A TRANSGRESSION
     SOFTWARE PIRACY IS A CRIME
     THIS IS THE CURE

     [large block letters "BGS 9"]
     Bundesgrenzschutz Sektion 9
     Sonderkommando "EDV"

  The BGS9 virus resets the OpenWindow() vector to its ROM address on the first
  use of this routine! This virus is very harmless and causes no damage! It
  works from Kickstart 1.2 to OS 3.01!

  The BGS9 virus II works in all points like the old BGS9 virus. It differs from
  the old one in a new coding of one ASCII character and in a new invisible
  name: $A0E0A0202020A0202020A0

- Bret Hawnes

  This one is a classical form of a file virus! It is very easy to deal with
  this 2608 bytes long program. On infected disks you find it as an invisible
  file in the root directory: $C0A0E0A0C0! But it is not very invisible: you
  cannot see it in the startup-sequence, but if you list the root directory of
  an infected disk you can see some irregular characters ...

  The Bret Hawnes virus also copies itself as an invisible file onto every disk
  and writes its name into the startup-sequence. Every time the startup-sequence
  runs, the Bret Hawnes virus is activated! It always sits at $7F000 in memory
  and sets the pointers KickTagPtr and KickCheckSum and the interrupt vector at
  $6c. Every time you cause a reset, the Bret Hawnes virus is activated by the
  Kick pointers! It sets the OpenLibrary() vector to its own address and waits
  for the right moment to set the OpenWindow() vector. After that it sets
  OpenLibrary() back to its ROM address.
  On the first call of OpenWindow() Bret Hawnes then tries to get a chance to
  copy itself from memory to disk. After that it sets the OpenWindow() vector
  back to its ROM address, too. On every tenth replication the virus destroys
  some tracks of your disks instead ... After twenty minutes it shows you the
  following message:

     GUESS WHO`S BACK ???
     VEP. BRET HAWNES BLOPS YOUR SCREEN
     I`VE TAKEN THE CONTROL OVER YOUR AMIGA!!!
     THERE`S ONLY ONE CURE: POWER OFF AND REBOOT !

  To find the right moment for this message, the Bret Hawnes virus uses the
  interrupt at $6c to count the twenty minutes ...

- DISASTER-MASTER V2

  This 1740 bytes long file virus camouflages itself as a clear-screen command
  in the subdirectory :c. Every time you start it, it clears your screen and
  puts the cursor at the top of the new screen. But that is not all ...

  It copies itself into the AMIGA's memory and sets the resident pointers
  KickTagPtr and KickCheckSum to a resident routine of its own. After every
  reboot it sets the vector DoIO() to its own address and waits until the
  intuition.library is available. From the intuition.library the virus then
  patches the vector of the routine OpenWindow() to its own address and resets
  DoIO() to the ROM address. If any task tries to use OpenWindow(), the
  DISASTER MASTER virus tries to copy itself onto the disk under the name `cls`
  in the subdirectory `:c`. Then it writes its name into the startup-sequence
  with one option:

     cls *

  The option causes the virus not to clear the screen when it is called from
  this startup-sequence, so that it does not betray itself ... After one use of
  OpenWindow() DISASTER-MASTER sets this vector back to its ROM address again!

  This file virus can close the AmigaDOS window and create a screen like the
  one we know from the Workbench, or make the AmigaDOS title disappear, and so
  on ... Be careful! This virus has a counter and will destroy your disks after
  you have reset x times ...
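  The invisible names of BGS9, BGS9 II and Bret Hawnes described above, and the
  file-name and startup-sequence check described under `Scan Directories for
  viruses`, can be reproduced offline. The following Python script is an added
  example; it is not part of AntiCicloVir. It assumes (this is not stated in
  this documentation) that file names are handled as raw ISO-8859-1 bytes as
  AmigaDOS stores them, that bytes $00-$1F, $7F-$9F and $A0 (no-break space)
  are invisible on an Amiga console, and that any other byte above $7F is
  merely irregular; the directory listing and the startup-sequence it scans
  are constructed samples, not real disk contents.

```python
"""Flag AmigaDOS file names and startup-sequence lines that carry
"invisible" characters, the hiding trick of the BGS9, Bret Hawnes and
Disaster-Master file viruses.  Added example, not AntiCicloVir code.

Assumptions (not from the documentation): names are raw ISO-8859-1
bytes; $00-$1F, $7F-$9F and $A0 (no-break space) are invisible on the
Amiga console; any other byte >= $80 is merely irregular."""

INVISIBLE = frozenset(range(0x00, 0x20)) | frozenset(range(0x7F, 0xA1))


def classify_name(name: bytes) -> str:
    """Return 'invisible', 'irregular' or 'clean' for one file name."""
    if any(b in INVISIBLE for b in name):
        return "invisible"
    if any(b >= 0x80 for b in name):
        return "irregular"
    return "clean"


def scan_directory_listing(names):
    """Return [(name_as_hex, verdict)] for every name that is not clean,
    the way a directory scan would flag unknown invisible files."""
    findings = []
    for name in names:
        verdict = classify_name(name)
        if verdict != "clean":
            findings.append((name.hex().upper(), verdict))
    return findings


def scan_startup_sequence(text: bytes):
    """Return (line_number, line_as_hex) for each line hiding invisible
    bytes.  A file virus that wrote its invisible name into
    s:startup-sequence leaves a line that Type shows as blank but that
    the Shell still tries to execute ("unknown command" once the virus
    file is deleted)."""
    hits = []
    for lineno, line in enumerate(text.split(b"\n"), start=1):
        if any(b in INVISIBLE for b in line):
            hits.append((lineno, line.hex().upper()))
    return hits


# Constructed samples: the BGS9 name ($A0A0A0202020A0202020A0), the
# BGS9 II name ($A0E0A0202020A0202020A0) and the Bret Hawnes name
# ($C0A0E0A0C0) quoted in the virus descriptions, plus clean names.
BGS9_NAME = bytes.fromhex("A0A0A0202020A0202020A0")
BGS9_II_NAME = bytes.fromhex("A0E0A0202020A0202020A0")
BRET_HAWNES_NAME = bytes.fromhex("C0A0E0A0C0")
SAMPLE_DIR = [b"Disk.info", b"startup-sequence", BGS9_NAME, BRET_HAWNES_NAME]

# Constructed startup-sequence: line 3 is the hidden Bret Hawnes call.
SAMPLE_STARTUP = (
    b"c:SetPatch >NIL:\n"
    b"AntiCicloVir -c\n"
    + BRET_HAWNES_NAME + b"\n"
    b"LoadWB\n"
    b"EndCLI >NIL:\n"
)

if __name__ == "__main__":
    for name_hex, verdict in scan_directory_listing(SAMPLE_DIR):
        print("%-9s $%s" % (verdict, name_hex))
    for lineno, line_hex in scan_startup_sequence(SAMPLE_STARTUP):
        print("startup-sequence line %d: $%s" % (lineno, line_hex))
```

  The Bret Hawnes name is reported as invisible because of its $A0 bytes;
  its $C0 and $E0 bytes are what show up as the irregular characters in a
  directory listing mentioned above. The $A0E0 in the BGS9 II name is the
  "new coding of one ASCII character" that distinguishes it from BGS9.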
- IRQ

  This famous old link virus was the first one on the AMIGA! It looks in the
  startup-sequence for an executable file and tries to infect it. If it cannot
  find the startup-sequence, it looks for the command DIR in the subdirectory
  :c and tries to infect that. IRQ extends a file by 1096 bytes. The link virus
  writes its own hunk into the first position of that file. Then it calculates
  all values for a new hunk header and the reloc values.

  If you start an infected program, IRQ copies itself into memory and uses the
  resident structures by setting KickTagPtr and KickCheckSum. Further, the virus
  sets the vector OldOpenLibrary() to its own address. Every time a program
  calls the routine OldOpenLibrary(), the IRQ virus tries to infect the next
  disk. It is harmless, but disturbing, because it prints the following text:

     `AmigaDOS presents a new virus by the IRQ-Team V41.0`

  This old link virus works only with Kickstart V1.2! It does no damage.

- Golden Rider

  This one represents a new generation of link viruses, because it does not
  copy itself into an infected file as a hunk of its own, as the old link
  viruses did; instead it looks for the first hunk of an executable program and
  appends itself to it. Golden Rider changes the last instruction of this hunk
  (mostly $4E75 = `rts`) to $4E71 (`nop`), so that when the processor runs this
  code it does not return at the position where the first hunk of the program
  used to end. Behind this position Golden Rider writes its virus code. Now
  Golden Rider only has to add its own length to the two length values in the
  hunk header, and the link is complete!

  Every time you start a program infected in this way, the link virus can
  install itself in memory. But that does not have to work in every case: if
  Golden Rider hangs on a routine in the first hunk which is only called by the
  main program when an error occurs, then Golden Rider will probably never be
  activated ...
  Golden Rider always sits at $7C000 in memory and sets the vectors CoolCapture,
  DoIO() and Open() to its own address. After you reboot, Golden Rider is woken
  up by the jump into CoolCapture! Now it sets DoIO() to its own address and
  waits until it can open the dos.library and set Open() to its own address.
  If you insert a new disk, Golden Rider tries to copy itself from memory into
  a file on this disk. If any program uses Open(), Golden Rider tries to infect
  new files, too. Golden Rider causes no damage and displays no alerts or the
  like ...

- SADDAM

  This one is called a disk-validator virus, because it uses the routine of a
  Disk-Validator for its own propagation. SADDAM copies itself onto every disk
  you insert or boot from and overwrites the original Disk-Validator in the
  subdirectory :L! If the disk does not contain this subdirectory, SADDAM
  creates it by itself! It can infect every disk! After that it sets the bitmap
  pointer in the root block to a senseless address, which causes a Disk
  Validating Error! This later forces AmigaDOS to start the new Disk-Validator,
  which in reality is the SADDAM virus! Merely inserting an infected disk is
  enough to get this virus into memory.

  It is resident via ColdCapture. That means it works with Kickstart 1.3 too,
  if you make a reset without having installed SetPatch r! Because Kickstart
  1.3 has a bug in its system, all other viruses are wiped out of memory after
  a reset; not so the SADDAM virus!

  The virus sets the vectors BeginIO() and Close() of the trackdisk.device and
  so comes into action every time you insert a disk into your drive, boot from
  a disk, or use the trackdisk.device in any other way! Further, the virus sets
  the vector of the raster-beam interrupt to its own address! Now it can
  permanently check that ColdCapture holds the right address and sets the
  vector again if any other program has cleared it!
  Only in the reset phase does it patch the vectors InitCode() and OpenWindow()
  for its own internal work ...

  The SADDAM virus is very malignant and causes different kinds of damage!
  After a while it starts to look for some OFS or FFS data blocks, gives them
  the name IRAK and encodes their contents with a value! The programs stored in
  those data blocks no longer work and the disk gets read/write errors! But as
  long as the SADDAM virus is in memory it decodes such a data block when
  AmigaDOS loads it, and so prevents a read/write error message! Another kind
  of damage resembles the virus Return of the Lamer Exterminator: after some
  time the virus starts to format disks in all connected drives! These disks
  are completely destroyed! And it shows you an alert:

     SADDAM Virus

  AntiCicloVir can kill the SADDAM virus on disk, but not repair the damage!

  First you have to correct the Disk Validating Error. Boot from a disk which
  contains the original Disk-Validator and then insert the disk with the Disk
  Validating Error. The original Disk-Validator creates a provisional bitmap in
  memory, so that AmigaDOS can work with that disk. To get a valid bitmap
  written back, you have to write anything to or delete anything from this
  disk! Another possibility is to use a disk monitor to look for the original
  bitmap of that disk and to set the bitmap pointer in the root block to the
  position of the original bitmap block!

  If you want to heal a disk with SADDAM damage, please use a universal
  viruskiller which can also check the blocks of a disk! You must decode the
  encoded data blocks to get rid of the read/write errors! But you cannot heal
  disks which the virus has formatted!

  I got this new virus from Gregory Sapsford, Fohlenkamp 33, W-4600 Dortmund
  13, Germany.


Mail

If you have got new viruses, bootblocks, packers or resident programs, please
send this stuff to my address! I am interested in every bug report of
AntiCicloVir!
If you have any questions or suggestions about the assembly-language source
code of AntiCicloVir, please write to my address ... or also if you are an
assembly-language programmer and want to swap source code with me ...

Please excuse my bad English grammar, but my German is not any better!

   Matthias Gutt (Member of SHI)
   Kantstr. 16
   21335 Lueneburg
   Germany
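
The two disk-level checks that the sections `Scan Bootsectors for viruses` and
`SADDAM` above talk about, verifying a bootblock before trusting or replacing
it, and repairing a root block whose bitmap pointer has been set to a senseless
address, are shown below on a floppy image as an added Python example. This is
not AntiCicloVir's code. It assumes (not stated in this documentation) the
standard AmigaDOS layout of a double-density floppy: 1760 blocks of 512 bytes;
bootblock = blocks 0 and 1 with the checksum longword at offset 4, computed as
the longword sum with end-around carry and then inverted; root block = block
880 with its checksum at offset 20 such that all 128 longwords sum to zero, the
bitmap-valid flag at offset 312 and 25 bitmap block pointers from offset 316.
The bootblock and root block it works on are constructed inside the script; no
real disk is read.

```python
"""Bootblock checksum check and root-block bitmap-pointer repair for an
Amiga DD floppy image.  Added example, not AntiCicloVir code.  The block
layout below is the standard AmigaDOS one and is assumed, not taken
from the documentation."""
import struct

BLOCK = 512
DD_BLOCKS = 1760          # 80 cylinders x 2 heads x 11 sectors
ROOT_BLOCK = 880
ROOT_CHKSUM_OFF = 20      # root block: checksum longword
BM_FLAG_OFF = 312         # root block: bitmap-valid flag (-1 = valid)
BM_PAGES_OFF = 316        # root block: 25 bitmap block pointers


def bootblock_checksum(boot: bytes) -> int:
    """Checksum of a 1024-byte bootblock: the 256 big-endian longwords
    (the checksum field counted as zero) summed with end-around carry,
    then inverted.  Kickstart boots only if the stored value matches, so
    both a bootblock virus and a clean-bootblock installer must
    recompute it."""
    if len(boot) != 2 * BLOCK:
        raise ValueError("bootblock must be exactly 1024 bytes")
    total = 0
    for off in range(0, 2 * BLOCK, 4):
        total += 0 if off == 4 else struct.unpack_from(">I", boot, off)[0]
        if total > 0xFFFFFFFF:                 # end-around carry
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def bootblock_ok(boot: bytes) -> bool:
    """True if the 'DOS' signature is present and the checksum matches."""
    stored = struct.unpack_from(">I", boot, 4)[0]
    return boot[:3] == b"DOS" and stored == bootblock_checksum(boot)


def make_bootblock(code: bytes = b"", dos_type: int = 0) -> bytes:
    """Constructed minimal bootblock: 'DOS'+type, checksum, root block
    number, boot code, zero padding."""
    body = (b"DOS" + bytes([dos_type]) + b"\0\0\0\0"
            + struct.pack(">I", ROOT_BLOCK) + code).ljust(2 * BLOCK, b"\0")
    return body[:4] + struct.pack(">I", bootblock_checksum(body)) + body[8:]


def block_checksum(block: bytes) -> int:
    """Checksum of an ordinary filesystem block: all 128 longwords,
    checksum field included, must sum to zero mod 2**32."""
    words = list(struct.unpack(">128I", block))
    words[ROOT_CHKSUM_OFF // 4] = 0
    return (-sum(words)) & 0xFFFFFFFF


def block_checksum_ok(block: bytes) -> bool:
    return sum(struct.unpack(">128I", block)) & 0xFFFFFFFF == 0


def bitmap_pointers(root: bytes):
    return struct.unpack_from(">25I", root, BM_PAGES_OFF)


def bad_bitmap_pointers(root: bytes, total_blocks: int = DD_BLOCKS):
    """[(slot, value)] for bm_pages entries that cannot be bitmap blocks:
    beyond the disk, or inside the bootblock or the root block.  Such a
    senseless pointer is what makes AmigaDOS run L:Disk-Validator, which
    on a SADDAM-infected disk is the virus itself."""
    return [(slot, p) for slot, p in enumerate(bitmap_pointers(root))
            if p != 0 and (p < 2 or p >= total_blocks or p == ROOT_BLOCK)]


def repoint_bitmap(root: bytes, slot: int, block_no: int) -> bytes:
    """The 'set the bitmap pointer with a disk monitor' repair: copy of
    the root block with bm_pages[slot] = block_no, bitmap marked valid
    and the block checksum recomputed so AmigaDOS accepts the block."""
    if not 2 <= block_no < DD_BLOCKS or block_no == ROOT_BLOCK:
        raise ValueError("block_no is not a plausible bitmap block")
    buf = bytearray(root)
    struct.pack_into(">I", buf, BM_PAGES_OFF + 4 * slot, block_no)
    struct.pack_into(">i", buf, BM_FLAG_OFF, -1)
    struct.pack_into(">I", buf, ROOT_CHKSUM_OFF, block_checksum(bytes(buf)))
    return bytes(buf)


def make_root_block(bitmap_ptr: int, name: bytes = b"Workbench") -> bytes:
    """Constructed root block of an otherwise empty DD disk."""
    buf = bytearray(BLOCK)
    struct.pack_into(">I", buf, 0, 2)              # T_HEADER
    struct.pack_into(">I", buf, 12, 72)            # hash table size
    struct.pack_into(">i", buf, BM_FLAG_OFF, -1)   # bitmap valid
    struct.pack_into(">I", buf, BM_PAGES_OFF, bitmap_ptr)
    buf[432] = len(name)                           # BCPL disk name
    buf[433:433 + len(name)] = name
    struct.pack_into(">I", buf, 508, 1)            # ST_ROOT
    struct.pack_into(">I", buf, ROOT_CHKSUM_OFF, block_checksum(bytes(buf)))
    return bytes(buf)


if __name__ == "__main__":
    boot = make_bootblock()
    print("bootblock checksum $%08X, valid: %s" % (bootblock_checksum(boot), bootblock_ok(boot)))
    damaged = make_root_block(0xDEADBEEF)           # SADDAM-style pointer
    print("bad bitmap pointers:", bad_bitmap_pointers(damaged))
    fixed = repoint_bitmap(damaged, 0, ROOT_BLOCK + 1)
    print("after repair:", bad_bitmap_pointers(fixed), block_checksum_ok(fixed))
```

Installing a clean bootblock over a virus means writing new contents for
blocks 0 and 1 and storing the value of bootblock_checksum() at offset 4;
any other write to those 1024 bytes leaves a disk Kickstart refuses to boot.
For the root block the repair is only complete once the checksum is
recomputed as repoint_bitmap() does, otherwise the disk still validates as
damaged.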