Path: utzoo!utgpu!water!watmath!clyde!rutgers!mit-eddie!husc6!cmcl2!brl-adm!umd5!trantor.umd.edu!louie
From: louie@trantor.umd.edu (Louis A. Mamakos)
Newsgroups: comp.sys.amiga
Subject: Re: The REAL virus problem
Message-ID: <2183@umd5.umd.edu>
Date: 8 Jan 88 16:57:13 GMT
References: <7967@g.ms.uky.edu> <265@coplex.UUCP> <7977@g.ms.uky.edu> <1401@uoregon.UUCP> <3091@cbmvax.UUCP> <7993@g.ms.uky.edu> <3104@cbmvax.UUCP> <8007@g.ms.uky.edu>
Sender: ris@umd5.umd.edu
Reply-To: louie@trantor.umd.edu (Louis A. Mamakos)
Organization: University of Maryland, College Park
Lines: 44

Stop all of the speculating on what the SCA virus does, and what it doesn't.
Take the UUENCODED virus which was posted a little while ago, kermit it down
to your Amiga and disassemble it. The easiest way to do this is to write a
program that just loads the thing in memory, and then use Manx DB to
disassemble it. Happily, the SCA virus is written using PC relative
references (in most places), so it is easy to disassemble. Something like:

    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
        char *where;                 /* buffer for the raw boot block */
        FILE *f;

        where = malloc(1024);        /* a boot block is two 512-byte sectors */
        f = fopen("virus", "r");
        if (where == NULL || f == NULL) {
            perror("virus");
            exit(1);
        }
        fread(where, 1024, 1, f);    /* load it into memory; never call it */
        printf("Virus loaded at %lx\n", (unsigned long)where);
        getchar();                   /* pause here and attach the debugger */
        fclose(f);
        exit(0);
    }

In one evening, I disassembled and commented the thing, except for the
diddling around it does to put up the message where it fools with the
RastPort and Bitmap structures. It is actually quite instructive to see how
the boot process works, and how the various vectors in the system are used.

Before you ask, no I won't post the disassembled version of the virus to
the net. No point in making it any easier to modify it and create yet
another version. If you really want to know what it does, look into it!

Let's try to reduce the clutter in this newsgroup on this subject. It is
getting boring and tiresome. If you want to feel safe and have that fuzzy
warm feeling, don't run j-random binaries or boot disks of stuff that you
don't have the sources to.

I only run stuff on my machine that has been purchased or that I've
compiled from source code. Just wait until the first virus comes out that
is installed from just *running* a program, rather than booting a disk.

Louis A. Mamakos  WA3YMH                   Internet: louie@TRANTOR.UMD.EDU
University of Maryland, Computer Science Center - Systems Programming
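A companion check, added here and not part of Louis's post: the Kickstart ROM will only boot a 1024-byte block that begins with "DOS" and whose 256 longwords sum, with end-around carry, to 0xFFFFFFFF, so once a suspect boot block is loaded as above you can confirm it is something the ROM would actually execute before spending the evening in the debugger. The C below verifies and recomputes that checksum; the sample block, its NOP filler and the function names are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#define BOOTBLOCK_SIZE 1024   /* two 512-byte sectors, the size read above */

/* Read one big-endian 68000 longword. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Amiga boot block checksum: add all 256 longwords, folding the carry
 * back in after each addition. A bootable block sums to 0xFFFFFFFF;
 * the checksum field (longword 1, offset 4) is part of the sum. */
uint32_t bootblock_sum(const unsigned char *blk)
{
    uint32_t sum = 0;
    for (int i = 0; i < BOOTBLOCK_SIZE; i += 4) {
        uint32_t prev = sum;
        sum += be32(blk + i);
        if (sum < prev)          /* carry out of bit 31: fold it back in */
            sum++;
    }
    return sum;
}

/* The ROM boots only a block that starts with "DOS" and checksums correctly. */
int bootblock_valid(const unsigned char *blk)
{
    return memcmp(blk, "DOS", 3) == 0 && bootblock_sum(blk) == 0xFFFFFFFFu;
}

/* Recompute the checksum field so the block sums to 0xFFFFFFFF. */
void bootblock_fix_checksum(unsigned char *blk)
{
    memset(blk + 4, 0, 4);
    uint32_t c = ~bootblock_sum(blk);
    blk[4] = c >> 24; blk[5] = c >> 16; blk[6] = c >> 8; blk[7] = c;
}

/* Constructed sample (hypothetical, not a real disk): "DOS\0" header,
 * root block 880 at offset 8, and NOPs (0x4E71) standing in for boot code. */
unsigned char *make_sample_block(void)
{
    static unsigned char blk[BOOTBLOCK_SIZE];
    for (int i = 0; i < BOOTBLOCK_SIZE; i += 2) { blk[i] = 0x4E; blk[i + 1] = 0x71; }
    memcpy(blk, "DOS\0\0\0\0\0\0\0\x03\x70", 12);
    bootblock_fix_checksum(blk);
    return blk;
}
```

Feeding the 1024 bytes read by the loader above to bootblock_valid() tells you whether the image is a block the ROM would run; any single-bit change to a valid block fails the check.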