Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!purdue!tut.cis.ohio-state.edu!cs.utexas.edu!uunet!mcvax!hp4nl!rivm!ccemdd
From: ccemdd@rivm.UUCP (Marco Dedecker)
Newsgroups: comp.sys.amiga
Subject: Resident programs
Keywords: Virus, Detection, Resident programs
Message-ID: <1331@rivm05.UUCP>
Date: 16 May 89 12:41:56 GMT
Organization: RIVM, Bilthoven, The Netherlands
Lines: 29

I've made my own virus detection program, to detect a resident program
(possible virus) in memory. It checks:

- The coolcapture.
- The coldcapture.
- The interrupt vectors.
- KickTagPtr.

I would like to know if I can be sure there is no resident program in
memory after checking these points. If not, are there other ways a
program or virus can stay resident in memory?

By the way, I've already encountered a virus which hooked itself to the
exec-routine DoIO. This was to prevent it from being killed if the cool-
or coldcapture were set to zero. If they were set to zero the virus
reactivated itself after the next IO operation. (I think even a key
stroke already reactivated it.)

The only way I know to kill it without turning the computer off is to
rebuild the exec-library using 'setfunction()'. However, a program that
does so is not very compatible since there are more versions of
kickstart around. So I would welcome any suggestions about this too.

Marco Dedecker
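The DoIO hook described in the post is exactly the case a capture-vector check misses, so the additional check a detector wants is whether exec's jump-table entries still land in Kickstart ROM. The following is an added example, not the poster's program: it models the ExecBase fields the post names plus a small jump table in portable C (the real table is read as 6-byte JMP entries at negative offsets from ExecBase, such as -456 for DoIO), and flags any entry whose target lies outside the ROM address range. The struct name, field names and the sample values are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Kickstart ROM occupies the top of the 24-bit address space:
   1.2/1.3 (256 KB) at 0xFC0000-0xFFFFFF, 2.0+ (512 KB) at 0xF80000-0xFFFFFF.
   Treating anything >= 0xF80000 as ROM covers both without a version test. */
#define ROM_LOW  0xF80000UL
#define ROM_HIGH 0xFFFFFFUL

enum { LVO_COUNT = 4 };          /* constructed: a tiny stand-in for the table */

/* Constructed model of the ExecBase fields the post checks, plus the
   resolved target address of each JMP in the library vector table. */
struct fake_execbase {
    uint32_t cold_capture, cool_capture, warm_capture; /* all 0 when clean */
    uint32_t kick_tag_ptr;                             /* 0 when clean */
    uint32_t lvo_target[LVO_COUNT];                    /* where each JMP lands */
};

/* Bit flags so every finding is reported, not only the first one */
enum { F_COLD = 1, F_COOL = 2, F_WARM = 4, F_KICKTAG = 8, F_PATCHED_LVO = 16 };

static bool in_rom(uint32_t a) { return a >= ROM_LOW && a <= ROM_HIGH; }

/* Returns a bitmask of findings; 0 means nothing suspicious was seen.
   A non-ROM LVO target only says "SetFunction()'d by somebody": legitimate
   patchers do this too, so it is a lead to inspect, not proof of a virus. */
unsigned scan_execbase(const struct fake_execbase *eb)
{
    unsigned findings = 0;
    if (eb->cold_capture) findings |= F_COLD;
    if (eb->cool_capture) findings |= F_COOL;
    if (eb->warm_capture) findings |= F_WARM;
    if (eb->kick_tag_ptr) findings |= F_KICKTAG;
    for (int i = 0; i < LVO_COUNT; i++)
        if (!in_rom(eb->lvo_target[i])) findings |= F_PATCHED_LVO;
    return findings;
}

/* Constructed sample: captures are clean, but entry 2 (standing in for DoIO)
   has been redirected into chip RAM, just as the post describes. */
unsigned demo_hooked_doio(void)
{
    struct fake_execbase eb = { 0, 0, 0, 0,
        { 0xFC1234, 0xFC2468, 0x00C00100, 0xFC3A5C } };
    return scan_execbase(&eb);          /* returns F_PATCHED_LVO (16) */
}

/* Constructed sample: untouched table, all vectors zero */
unsigned demo_clean(void)
{
    struct fake_execbase eb = { 0, 0, 0, 0,
        { 0xFC1234, 0xFC2468, 0xFC30F0, 0xFC3A5C } };
    return scan_execbase(&eb);          /* returns 0 */
}
```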