DiskMAG Volume 1 Number 2 (Nov 1988) : UTILITIES / VirusX.Docs

                  -VirusX-

              by Steve Tibbett


   - The Complete Virus Removal System! -

VirusX - Fourth in a growing line of "X-Utilities".

REMEMBER: STUFF NEW TO THE LATEST VERSION IS AT THE _END_ OF THIS
FILE!

Version Notes:
--------------
V1.01: V1.01 is just 1.0 with a bug fixed.  Also cleaned up the source
a tad (one less Goto).

V1.2: V1.2 is the same as 1.01 but also adds detection of the Byte
Bandit virus both in RAM and on Disk.

V1.21: V1.21 is just 1.2 cleaned up a little bit, V1.2 shouldn't have
been released the way it was (Just one printf where it shouldn't have
been).

V1.3: V1.3 is V1.21 but cleaned up a bunch, and is now less than 7K! 
Even more reason to make it resident.

V1.4: New version, to handle the REVENGE virus.

V1.5: Done specifically for the Byte Warrior virus. 

V1.7: Mistake.

V1.71 : Cleaned up again, made smaller, and a new virus.

V2.00 : Wow, the big jump!  V2.00 notes are at the end of this file.


Somewhere along the way, I rigged VirusX so it would notice any of the
4 current viruses in RAM and remove it.  Thus, if you've got VirusX in
your startup sequence, there's NO way a virus can be around (unless
it's one I haven't seen yet).

 -> READ V1.2 Byte Bandit Virus notes at the <-
           -> end of this file! <-
   -> And the new Revenge Virus notes <-
  -> AND the new Northstar Virus Notes <-

NOTE!  TO RUN VIRUSX IN YOUR STARTUP SEQUENCE, YOU MUST USE "RUNBACK
VIRUSX" AND NOT "RUN VIRUSX" OR THE INITIAL CLI WILL NEVER CLOSE.  A
LOT of people asked me about this- Runback is in this archive - Copy
it onto your boot disk and use it to run VirusX (Arp users can use
ARun).

The SCA Virus is something that's been following us around for a
couple of months now, and I think it's about time we got rid of it for
good.

There are a number of CLI-based Virus Checkers out there, which do
their job just fine, but if you're not into using CLI, what do you do?
You use VirusX!

Please, I encourage you to give this program to anybody who might
have the virus.  Including your local dealer - some of the dealers in
this area have the virus all over their disks, which they allow
customers to copy, and they don't do anything about it because they
don't know how.  VirusX makes it extremely simple.

You can put VirusX in your Startup-Sequence.  When run, it will open a
small window so you know it's there (and it will display the
occasional message in it).  Whenever a disk is inserted into any of
the 3.5" drives, that disk is automagically checked for the SCA virus,
and also checked to see if it's boot sector is "Standard".  If the
disk has a nonstandard boot sector, it is either a new form of virus
which I don't know about yet, or it is a commercial program which uses
the boot block for  something constructive (like booting their game).

If VirusX finds a boot block it is suspicious about, it will present
the user with a requester either warning him that the disk has the SCA
virus, or telling him that the boot code is nonstandard.  In either
case, he is given the option to either ignore it, or to Remove it.

If the user selects Remove, after he says he's SURE he wants to
rewrite the disk's boot sector (Remember: Never rewrite the boot
sector of a commercial program unless you KNOW that program doesn't
use it for something else.  If the program gives you the AmigaDOS
window before running, you know it is safe to repair that disk.).  
The boot code written back to the disk by VirusX is the same boot code
that the AmigaDOS INSTALL command (and it's compatible counterpart on
one of the fish disks) uses.  

If you run across a strain of the virus, or any other virus that
VirusX doesn't specifically warn of, PLEASE send me a copy of a disk
with that virus on it!  I want to keep VirusX current, and to do so, I
need the viruses.   I have heard tell of two other viruses besides
SCA, but I don't know much about them - yet.

Of course, there are those of you who are thinking that I am some nut
case trying to spread my own virus hidden under the guise of a virus
checker.  Well, just for you, I've included the C source code. 
Please, if you don't trust me, don't discard a useful utility as
untrustworthy for no reason, CHECK THE SOURCE!  Recompile it if you
think I'm trying to slip a fast one on you.  I just want to see the
virus out of all of our lives.

I want feedback on this!  Send me a letter!  This program is
Copyrighted, but is freely redistributable (It's NOT Shareware).  Do
what you want with it, but  Please don't use it for evil purposes. 
That's what I'm trying to prevent.

My address:

	Steve Tibbett
	2710 Saratoga Pl. #1108
	Gloucester, Ontario
	K1T 1Z2

	My BBS: OMX BBS, 613-731-3419.

	I can be reached on BIX as "s.tibbett" and on People/Link
	as "SteveX".


---------------------------------------------------------------

Note:

 - When VirusX finds and removes the Byte Bandit Virus in RAM
   on a German A2000, the machine will sometimes crash.  I
   don't know why this happens, but it works perfectly on the
   B2000 and the 500 and 1000...


BYTE BANDIT VIRUS:

The Byte Bandit virus is the main reason for this release of
VirusX.  What the Byte Bandit virus does is once it's in
memory, it copies itself to just above the high memory
pointer on the first hunk of RAM it can find (Which means
it's not always in the same place), wedges itself into the
Interrupt Server chain, into the Trackdisk.device's vectors,
and creates itself a Resident structure so it can hang
around after reboot.

It watches EVERY disk inserted, and will write itself to ANY
bootable disk that is inserted!  This one can spread like
wildfire - every disk you insert into your external drive during
a session with this Virus loaded will result in all those disks
being infected.  Ouch.

Also, if you Install a disk while this virus is going, it will 
just copy itself back to the disk - which is why I had to wipe
it from memory in VirusX 1.2...

When VirusX finds this virus on a disk, it will also display a "Copy
Count" which is the number of disks that have been infected by that
"Branch" on the "Tree" that the virus is on -  If you infect a disk
with your copy, and your copy is number 300, then that copy will be
#301.  If he infects somebody,  that will be #302, but on YOUR copy,
two infectations down the line, there will be another #302... Anyways,
the copy count on MY Byte Bandit virus is #879... 

Note that VirusX will check RAM for this virus as well as the disk. 
This was necessary as you can tell from the description above.

Special thanks must go here to Dave Hewett, who, 2 days after I gave
him a copy of the virus, gave me a printed, commented disassembly of
the virus with meaningful labels and everything I needed to stomp it -
Thanks Dave!

Thanks must also go to Bruce Dawson of CygnusSoft Software, who  went
to the trouble of being the First person to send me this Virus.  (As
of yet, he's also the ONLY person - Geez, folks, I need YOUR help to
do this too, eh?)

---------------------------------------------------------------

VirusX 1.4 Notes:

   New to this version of VirusX:

    1: Seek-out-and-destroy the new 'Revenge' virus.

    2: Allow viewing of the ASCII stuff in the boot block

    3: Notify the user and remove the SCA virus from RAM.


1: "The Revenge Virus"
----------------------
This version of VirusX was released mainly to deal with the  "Revenge"
Virus.  This virus is not yet common in North America (I think I'm the
first person here to have a copy of it), but it is apparently making
the rounds in Sweden and Germany, so that's who this version of VirusX
is more or less directed to.  (I'm sure we'll get that virus over here
soon enough!)

What this virus does, is everything that the Byte Bandit virus does,
PLUS, after infecting a disk, it will wait one  minute after every
reboot, and change your mouse pointer  into an image of a certain part
of the Male anatomy. 8-)

I think the reason this virus is called the "Revenge" virus is because
it looks specifically for the Byte Bandit and for the SCA Virus.  If
it finds either of these, it Rigs THAT virus so that it will CRASH the
machine unless THIS virus is loaded first.  Note that I might be wrong
about this - that's the way it looks from the disassembly, but I don't
have an SCA virus here to  test it with.   I tried it with the Byte
Bandit, and it didn't seem to do anything like this - but be warned,
in case it pops up later or something.

He stays in RAM via changing the CoolCapture vector to point to his
own code.  He then intercepts the DoIO() call and watches for any
attempts to rewrite or to read the boot block and acts accordingly. 
He also has an interrupt around counting VBlanks until it's time to
bring up his sicko pointer.

To get this virus out of memory is Simple - Hold down the Joystick
button (Plug a joystick into port 2, and hold down the button while
you are rebooting), and the screen will briefly turn RED during the
boot, and it's out of memory. (If you hold down Joystick button AND
mouse button, it will half-remove himself from RAM and turn the screen
Blue)

VirusX will alert you if the virus is present in RAM and will render
it helpless in RAM before telling you about  it.  It will also report
it's presence on disk.  

2: Allow viewing of ASCII text in Boot Blocks
---------------------------------------------
If you click in the little "VirusX" window, and type a number from 0
to 3, (Corresponding to the drive # you would like to look at), VirusX
will resize it's window to fit in the ASCII text of these two blocks,
and allow you to view it.  When you run across a "Nonstandard Boot
Block", you can now check and see if the boot block is some sort of
new Virus (Assuming that the author of the Virus left a string in it)
as you will see something like "Revenge Virus 1.2G" or whatever string
that identifies the virus.  

Also, you can check to see which strain of the SCA virus you have
(VirusX will report "an SCA virus", but will not tell you if it is the
"LSD" virus, or the "Zorro/Willow" virus or whatever new ones may
appear).


3: Find the SCA in RAM and Remove it.
-------------------------------------
This version of VirusX also notices the SCA virus in RAM and Disables
it, giving you a notice of that.  I should have done this long ago,
but anyways, here it is.

I'd like to thank Lasse Wilkund for being the first (And only so far)
person to send me this virus on disk.  Lasse is part of a Swedish users
group with over 700 members!

--------------------------------------------------------------

V1.5 Notes:

	This version of VirusX adds the new Byte Warrior virus to
it's list of viruses.  

The Byte Warrior Virus is a lot like the Byte Bandit virus, except
it is not designed to hurt anything - it will start an "Alarm"
sound if it sees another virus (or at least I think it does - 
it hasn't for me), but other than that, it will write itself to
any disk inserted.  There is also a hidden message in it, asking us
to spread it around and not to erase it.  Ya, right.

Also, V1.5 is smaller than V1.4 (I don't know how THAT happened...)

--------------------------------------------------------------

V1.6 Notes:

The only new thing here is support for the North Star
'AntiVirus'.  it's a virus itself that alerts you to other ones - 
I think this sort of idea is stupid because it can do just as 
much damage as the rest of them.

Oh, and VirusX doesn't eat a bunch of memory whenever you insert
a disk any more.  (Ha ha ha ha nobody noticed)

Also, this is the first release where I didn't include the Source
for VirusX.  Seeing how far this file gets, and seeing how little
the source is actually used (Not at all, I hope), and hoping that
you all trust me now, I don't feel it's necessary to include the
source.  If you WANT the source, send me a disk and a SASE.

----------------------------------------------------------------

V1.7 Notes:

One new virus showed up for this version, the "Obelisk Softworks
Crew" virus.  It was sent to me by Jason Allen Smith.  Thanks, 
Jason!

Other changes this version - it's now a bunch smaller (again!) thanks
to a bit of a rewrite in assembler, and some reorganization.

New feature:  Hitting "C" while the VirusX window is selected will
cause it to re-check all the disks.  What this is good for, is when
you get a "Nonstandard boot block", and you want to take a look at
the disk. Previously, you had to cancel the requester, click in the
VirusX window, hit "0" to have it show you the boot block, then
remove the disk and re-insert it if you indeed want to kill
whatever's nonstandard about it.  Now, just hit C.

Also, the source is back, by VERY POPULAR demand!

-------------------------------------------------------------------

V2.00 NOTES:

I was running out of V1.x numbers, so I had to make a 2.0.  I figured
I should probably do SOMETHING to make the jump seem significant, so
here are the features new to this version:

  - VirusX no longer needs to be "RunBack"-ed to get it to go from
    the startup-sequence.  Just stick a line in your startup
    sequence saying "VirusX", (not even Run VirusX), and it will
    pop open it's window, and the rest of your startup sequence
    will finish and the CLI window will close.

  - This version will now check the "CoolCapture", "WarmCapture",
    and "ColdCapture" vectors when first run, and will alert you 
    if it sees anything abnormal.  Since all of the viruses so far
    (I think) use this, it will probably be a good way to spot
    future viruses.  Why am I not checking the KickTagPtr list, 
    you ask?  Because the Commodore RRD uses it, I say, and it
    would be darn annoying forcing a requester on everybody who
    uses it.

  - If you click in the VirusX window, and hit "I", you will see
    Stats!  (Information, actually).  This replaces the text that
    was hidden on the title bar in previous versions.  Also, 
    VirusX is still active while these stats are visible, so if you
    are checking a number of disks, you might as well leave this
    open.

Unfortunately, it grew a bit for this version.  It's 2K bigger, I
think - hope you don't mind too much.

-------------------------------------------------------------------

There are MORE viruses out there!  Please, send them to me!

	...Steve