BRENNER_%DULRUU51.BITNET@cunyvm.cuny.edu (02/14/89)
In browsing thru the IRQ-Virus (at least the version I got) I found
that the virus looks at the OldOpenLibrary function vector before
it changes this function itself. If the Entry point is lower than
$fc0000 then the virus gives control to the program without doing
anything. So the following code which installs a short dummy routine
into OldOpenLibrary should prevent the virus from doing any harm.
BTW the virus installs itself in the resident list with a priority
of -50 and should be easily detectable by any resident modules
scanning program.
Enjoy!
-Martin
------ code follows --- cut here --------------------------------------------
* :ts=8
* irqprotect.asm
* Patch OldOpenLibrary vector to fool the IRQ-Virus
* the SetFunction should be safe as we never try to reinstall the
* old value
* Aztec: as irqprotect -> ln irqprotect
* Lattice: asm irqprotect.asm -> blink irqprotect.o
* =mb= '89

* Exec function offsets
AbsExecBase     EQU     4
AllocMem        EQU     -198
OldOpenLibrary  EQU     -408
SetFunction     EQU     -420

MEMF_PUBLIC     EQU     1

        SECTION CODE

Start:
        MOVE.L  AbsExecBase,A6
        MOVE.L  #6,D0                   ;Alloc memory
        MOVE.L  #MEMF_PUBLIC,D1         ;for JMP-instruction
        JSR     AllocMem(A6)
        TST.L   D0
        BNE     AllocOk
        MOVEQ   #-1,D0                  ;allocation failed
        BRA     Leave
AllocOk:
        MOVE.L  D0,A0                   ;D0 keeps the stub address for SetFunction
        MOVE.W  #$4ef9,(A0)+            ;JMP instruction
        MOVE.L  OldOpenLibrary+2(A6),(A0)+ ;old vector
        MOVE.L  A6,A1                   ;Exec library
        LEA     OldOpenLibrary,A0       ;A0.W = function offset
        JSR     SetFunction(A6)         ;A1 = library, A0 = offset, D0 = new entry
        MOVEQ   #0,D0
Leave:
        RTS

        END
---------------
@ @ M a r t i n B r e n n e r
===V=== Uni Ulm / F.R.Germany //
!^! email: BRENNER_M@DULRUU51.BITNET \X/AMIGA
^ ^ "Do Arcade Machines Dream of Multitasking?"
--- "Enlightenment is the privilege of the Seeking ..." ---
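
Added example, not part of the original post: a C check that decodes the jump-table entry at offset -408 from a memory snapshot and reports whether its target lies below $fc0000, which is the condition the post says the virus tests before patching. The snapshot layout, the function names and the sample addresses are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LVO_OLDOPENLIBRARY (-408L)    /* offset used in the post */
#define JMP_ABS_L          0x4EF9u    /* JMP opcode the post writes into its stub */
#define ROM_START          0xFC0000u  /* threshold quoted in the post */

enum vec_state { VEC_ROM, VEC_BELOW_ROM, VEC_NOT_JMP, VEC_OUT_OF_RANGE };

/* snap holds len bytes of memory that reach up to the library base;
 * base_index is the index in snap that corresponds to the library base. */
enum vec_state classify_vector(const uint8_t *snap, size_t len, size_t base_index,
                               long lvo, uint32_t *target)
{
    if (lvo >= 0 || (size_t)(-lvo) > base_index || base_index > len)
        return VEC_OUT_OF_RANGE;
    size_t off = base_index - (size_t)(-lvo);
    if (len - off < 6)
        return VEC_OUT_OF_RANGE;        /* entry is 2-byte opcode + 4-byte address */
    const uint8_t *e = snap + off;
    if ((((unsigned)e[0] << 8) | e[1]) != JMP_ABS_L)
        return VEC_NOT_JMP;
    uint32_t t = ((uint32_t)e[2] << 24) | ((uint32_t)e[3] << 16) |
                 ((uint32_t)e[4] << 8) | e[5];   /* 68000 is big-endian */
    if (target) *target = t;
    return t < ROM_START ? VEC_BELOW_ROM : VEC_ROM;
}

/* Constructed sample: 420 zero bytes below a library base, with one
 * entry written at offset -408. Not a dump from a real machine. */
enum vec_state sample_state(unsigned opcode, uint32_t target)
{
    uint8_t snap[420];
    size_t off = sizeof snap - 408;
    memset(snap, 0, sizeof snap);
    snap[off] = (uint8_t)(opcode >> 8);      snap[off + 1] = (uint8_t)opcode;
    snap[off + 2] = (uint8_t)(target >> 24); snap[off + 3] = (uint8_t)(target >> 16);
    snap[off + 4] = (uint8_t)(target >> 8);  snap[off + 5] = (uint8_t)target;
    return classify_vector(snap, sizeof snap, sizeof snap, LVO_OLDOPENLIBRARY, NULL);
}

int main(void)
{
    /* Both target addresses are constructed for illustration. */
    printf("ROM-range target: %d\n", sample_state(JMP_ABS_L, 0x00FC1234u));
    printf("RAM stub target:  %d\n", sample_state(JMP_ABS_L, 0x00C05000u));
    return 0;
}
```

VEC_BELOW_ROM is the state the irqprotect patch is meant to produce; VEC_NOT_JMP flags an entry that does not start with the JMP opcode and needs manual inspection.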