Xref: utzoo comp.sys.amiga:27202 comp.sys.amiga.tech:2980
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ncar!ames!oliveb!amiga!cbmvax!grr
From: grr@cbmvax.UUCP (George Robbins)
Newsgroups: comp.sys.amiga,comp.sys.amiga.tech
Subject: New Year's Virus Report
Message-ID: <5601@cbmvax.UUCP>
Date: 1 Jan 89 00:08:28 GMT
Reply-To: grr@cbmvax.UUCP (George Robbins)
Organization: Commodore Technology, West Chester, PA
Lines: 49

The following virus report was posted on BIX today. My recollection is that
Steve is English, so perhaps this virus hasn't arrived here. Still, be warned
and take the usual care with suspicious disks...

TITLE: New Virus

While I'm not 100% certain of all the details of what this virus does (I got
it yesterday), I figure I should post this anyway. (What I do say here, I'm
quite certain of.)

I received in the mail a new virus, from 2 different continents on the same
day. This one's NOT just another bootblock virus. This one affects executable
programs. It attaches itself to them. But not just any executable
(thankfully); what it does is parse your startup-sequence looking for the
first executable program there. That's the one it hits.

It doesn't seem to be malicious in any way, though it will crash your machine
under KS 1.3. It intercepts the OpenLibrary() call (that's how it stays
around: whenever OpenLibrary is called, it again checks the startup sequence,
thinking maybe a disk has changed; it uses ":S/Startup-sequence" so it will go
after any SS on the current disk). It also uses a KickTagPtr, but I'm not sure
what for yet. Seems to take about 10 seconds longer to boot, though.

Easy way to protect yourself from it: change your startup sequence on any disk
in any drive so that the first character before the first executable filename
is a TAB. The virus tries to Open() the whole line, parses out a few
characters, but not the tab.

Note that if you use a pathname as in DH0:C/BLAH and you put a tab in front,
you'll get a requester for [TAB]DH0:. Just use [TAB]C/BLAH or whatever.

For those out there who have been safe from boot block viruses thus far, well,
this one you can get from a downloaded program. Ick.

I'll be posting a little utility soon to check a program for this specific
virus.

(Also, last thing it does: on its first invocation in a session, it will set
the title bar of the ActiveWindow to its name (IRQ virus), and since it's
running as the first thing in your startup sequence, it's changing the initial
CLI window's title.)

...Steve

-- 
George Robbins - now working for,     uucp: {uunet|pyramid|rutgers}!cbmvax!grr
but no way officially representing    arpa: cbmvax!grr@uunet.uu.net
Commodore, Engineering Department     fone: 215-431-9255 (only by moonlite)
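The report describes a mitigation (a leading TAB before the first executable filename in S:Startup-Sequence) and a pitfall (a volume-prefixed name such as DH0:C/BLAH then produces a requester instead of protection). The following is an added example, not Steve's promised checker and not the virus's own parser: a small Python script that finds the first executable line of a startup-sequence, reports whether the TAB is already present, and inserts it when it is safe to do so. The rule that the target is the first non-empty, non-comment line, the sample startup-sequences, and all function names are this example's assumptions, not facts from the post.

```python
# Added example: checker for the TAB mitigation described in the report.
# Not the virus, and not the utility mentioned in the post. The parsing rule
# (first non-empty, non-';' line is the target) is an assumption.

COMMENT_PREFIX = ";"   # AmigaDOS script comment lines start with ';'
TAB = "\t"

# Constructed sample Startup-Sequences (not taken from the post).
UNPROTECTED = "; constructed example\n\nSetPatch >NIL:\nAddBuffers df0: 20\nEndCLI >NIL:\n"
PROTECTED = "\tSetPatch >NIL:\nAddBuffers df0: 20\n"
VOLUME_PATH = "DH0:C/SetPatch >NIL:\nAddBuffers df0: 20\n"


def first_executable_line(text):
    """Return (index, line) of the first line that runs a program.

    Assumption: comment lines and blank lines are skipped, and the first
    remaining line is the one the virus would go after.
    """
    for index, line in enumerate(text.split("\n")):
        body = line.strip()
        if not body or body.startswith(COMMENT_PREFIX):
            continue
        return index, line
    return None


def command_word(line):
    """The first token of a command line, ignoring a leading TAB."""
    parts = line.lstrip(TAB).split()
    return parts[0] if parts else ""


def uses_volume_path(line):
    """True for 'DH0:C/BLAH' style names, where the report warns that a
    leading TAB yields a requester for '[TAB]DH0:' instead of protection."""
    word = command_word(line)
    volume, sep, _ = word.partition(":")
    return bool(sep) and bool(volume)


def check_startup_sequence(text):
    """Report whether the first executable line carries the protective TAB."""
    found = first_executable_line(text)
    if found is None:
        return {"target": None, "protected": False, "volume_path": False}
    _, line = found
    return {
        "target": command_word(line),
        "protected": line.startswith(TAB),
        "volume_path": uses_volume_path(line),
    }


def harden_startup_sequence(text):
    """Insert the TAB before the first executable line.

    Returns (new_text, note). Volume-prefixed targets are left untouched,
    since the report says 'DH0:C/BLAH' must become 'C/BLAH' by hand first.
    """
    found = first_executable_line(text)
    if found is None:
        return text, "no executable line found"
    index, line = found
    if line.startswith(TAB):
        return text, "already protected"
    if uses_volume_path(line):
        return text, "rewrite %s to a relative path before adding the TAB" % command_word(line)
    lines = text.split("\n")
    lines[index] = TAB + line
    return "\n".join(lines), "TAB inserted before %s" % command_word(line)


if __name__ == "__main__":
    samples = [("unprotected", UNPROTECTED), ("protected", PROTECTED), ("volume path", VOLUME_PATH)]
    for name, seq in samples:
        print(name, check_startup_sequence(seq), harden_startup_sequence(seq)[1])
```

The script deliberately refuses to add the TAB in front of a volume-prefixed command, because the report says that form does not protect you and only produces a requester; the fix there is editing the line to a relative name such as C/BLAH before re-running the check.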