Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!tut.cis.ohio-state.edu!bloom-beacon!eru!luth!sunic!tut!utacs!ahonen
From: ahonen@utacs.UTA.FI (Anssi Ahonen)
Newsgroups: comp.sys.amiga
Subject: Xeno - Another bad virus?
Message-ID: <765@utacs.UTA.FI>
Date: 24 Oct 89 11:21:03 GMT
Reply-To: ahonen@utacs.uta.fi (Anssi Ahonen)
Organization: University of Tampere, Department of Computer Science, Finland
Lines: 23



  Does anyone have information about virus called 'xeno'? This little beast
is living on my hard disk (30 meg Supra, A500) and after many
unsuccesful tries I still haven't find it. It first showed up a few days
ago when I opened the shell and tried to get directory with 'ls'-command.
The shell just gave me 'unknown command ls', and after that I noticed that
also 'CD'-command didn't work. Strangely, the programs were still in c-dir,
just as usual. I loaded my favourite debugger and examined the broken 
cli-commands. Both programs were modified so that they only used DOS.Write
to print out 'unknown command'. The weirdest thing was yet to come! I found
a strange file named '!' in devs-directory. This file was an IFF-picture,
black border, white topaz font text : "You will never catch me, the allmighty Xeno"

So, this is probably the first virus to write iff-files on your hard disk?

I have now examined most of the programs on my hard disk with debugger,
searching for 'virus-signs', extra code hunks, xor-loops etc, but no luck.

The only facts I know are: Xeno is not a bootblock virus.
                           It doesn't change reset-vectors.
                           I am pretty sure it is some kind of link virus (like IRQ), but
                           much harder to beat.