BRENNER_%DULRUU51.BITNET@cunyvm.cuny.edu (02/14/89)
In browsing through the IRQ-Virus (at least the version I got), I found that
the virus looks at the OldOpenLibrary function vector before it changes this
function itself. If the entry point is lower than $fc0000, then the virus gives
control to the program without doing anything. So the following code, which
installs a short dummy routine into OldOpenLibrary, should prevent the virus
from doing any harm.

BTW, the virus installs itself in the resident list with a priority of -50 and
should be easily detectable by any resident modules scanning program.

Enjoy!

-Martin

------ code follows --- cut here --------------------------------------------
* :ts=8
* irqprotect.asm
* Patch OldOpenLibrary vector to fool the IRQ-Virus
* the SetFunction should be safe as we never try to reinstall the
* old value
* Aztec: as irqprotect -> ln irqprotect
* Lattice: asm irqprotect.asm -> blink irqprotect.o
* =mb= '89

* Exec function offsets
AbsExecBase	EQU	4
AllocMem	EQU	-198
OldOpenLibrary	EQU	-408
SetFunction	EQU	-420
MEMF_PUBLIC	EQU	1

	SECTION	CODE
Start:
	MOVE.L	AbsExecBase,A6
	MOVE.L	#6,D0			;Alloc memory
	MOVE.L	#MEMF_PUBLIC,D1		;for JMP-instruction
	JSR	AllocMem(A6)
	TST.L	D0
	BNE	AllocOk
	MOVEQ	#-1,D0			;allocation failed
	BRA	Leave
AllocOk:
	MOVE.L	D0,A0			;D0 keeps the stub address for SetFunction
	MOVE.W	#$4ef9,(A0)+		;JMP instruction
	MOVE.L	OldOpenLibrary+2(A6),(A0)+ ;old vector
	MOVE.L	A6,A1			;Exec library
	LEA	OldOpenLibrary,A0	;offset of the vector to replace
	JSR	SetFunction(A6)
	MOVEQ	#0,D0
Leave:
	RTS
	END
---------------
 @ @     M a r t i n   B r e n n e r
===V===  Uni Ulm / F.R.Germany              //
 !^!     email: BRENNER_M@DULRUU51.BITNET \X/AMIGA
 ^ ^     "Do Arcade Machines Dream of Multitasking?"
--- "Enlightenment is the privilege of the Seeking ..." ---
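The vector test described in the post, seen from the checking side, as an added C example (not part of the original post and not Martin Brenner's code). It decodes a 6-byte `JMP abs.L` entry and reports whether it still points at or above $fc0000, points at a RAM stub that only jumps back into ROM (what irqprotect installs), or points at other RAM code. The memory image, its offsets and the ROM target addresses are constructed sample data, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ROM_START 0xFC0000   /* threshold quoted in the post */
#define JMP_ABS_L 0x4EF9u    /* opcode the post's stub stores */

enum vec_state { VEC_NOT_JMP = -1, VEC_IN_ROM, VEC_PASS_THROUGH, VEC_PATCHED };

/* The 68000 is big-endian: read 16 bits, high byte first. */
static uint32_t be16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }

/* Target of the 6-byte "JMP abs.L" at img[off], or -1 if there is none. */
int64_t jmp_target(const uint8_t *img, size_t len, size_t off)
{
    if (off > len || len - off < 6 || be16(img + off) != JMP_ABS_L)
        return -1;
    return (int64_t)((be16(img + off + 2) << 16) | be16(img + off + 4));
}

/* img models RAM from address 0; vec_off is where the vector entry sits. */
enum vec_state classify_vector(const uint8_t *img, size_t len, size_t vec_off)
{
    int64_t t = jmp_target(img, len, vec_off);
    if (t < 0)          return VEC_NOT_JMP;
    if (t >= ROM_START) return VEC_IN_ROM;      /* untouched ROM entry */
    /* Entry is in RAM: is it only a JMP back into ROM, like irqprotect's? */
    return jmp_target(img, len, (size_t)t) >= ROM_START ? VEC_PASS_THROUGH
                                                        : VEC_PATCHED;
}

/* Constructed 32-byte RAM image; addresses and ROM targets are made up. */
const uint8_t sample_ram[32] = {
    0x4E,0xF9,0x00,0x00,0x00,0x10,  /* 0x00: vector -> RAM stub at 0x10  */
    0x4E,0xF9,0x00,0xFC,0x14,0x2A,  /* 0x06: vector -> ROM               */
    0x4E,0x75,0x4E,0x71,            /* 0x0C: RTS, NOP (not a JMP)        */
    0x4E,0xF9,0x00,0xFC,0x14,0x2A,  /* 0x10: stub: JMP into ROM          */
    0x4E,0xF9,0x00,0x00,0x00,0x0C,  /* 0x16: vector -> RAM code at 0x0C  */
    0x4E,0x75,0x00,0x00             /* 0x1C: filler                      */
};

int main(void)
{
    static const size_t offs[] = { 0x00, 0x06, 0x16, 0x0C };
    for (size_t i = 0; i < sizeof offs / sizeof offs[0]; i++)
        printf("vector at 0x%02zx: state %d\n", offs[i],
               (int)classify_vector(sample_ram, sizeof sample_ram, offs[i]));
    return 0;
}
```

On a real machine the entry to inspect is the one at offset -408 from the Exec base, as in the post's listing; a `VEC_PATCHED` result only says the vector was redirected into RAM, not by what.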