[comp.sys.amiga] IRQ Virus -it's out!!!

johnsen@daimi.dk (Henrik Johnsen) (12/29/88)

A couple of weeks ago we received a disk from a member of the 68000 User
Group in Denmark, with at least one virus on it. This was the IRQ Link Virus
mentioned some time ago in this group. It is out and spreading, and we have
currently no cure for it. Symptoms are a title bar with text:

   IRQ Presents another virus for the Amiga

   On closer examination several programs (not the bootblock, it's OK)
were strange. BlitzFonts did not look like the original. We have used the
old (Fish 26) UnHunk program on these, and the code hunk of NewZap was very
small (<2kbytes), while the data hunk was large enough to contain the program
proper. It seems that the virus installs itself as the code hunk, and puts the
original program into a data hunk.
   As we are no Execbase, disassembly, etc. gurus, we have sent copies of the
beast to Leonardo Fei (Guardian) and Steve Tibbet (VirusX) for examination.

   And, BTW, software piracy in Denmark is not that bad. Everything is
available, if you want it, but we have not seen any BBS with significant
numbers of pirated programs. Belgium, Holland, and Germany are noted for
their crackers and virus writers; IRQ is from Germany.

Henrik Clausen,  hrc@daimi.dk,        Henrik Johnsen,   johnsen@daimi.dk

page@swan.ulowell.edu (Bob Page) (12/31/88)

This is one of the two potential methods of virus I was worried about
(and it's the worse of the two).

I guarantee this will spread much faster and wider than any other
Amiga virus.  This one is a *real* virus.  The only inoculation is to
check _every_ write to _every_ disk on your system, and refuse if the
block looks like a known pattern.  The only treatment is to check
every disk looking for the virus and re-write each infected program
to rearrange the hunks.  Time consuming and error-prone, and the
next strain will just restart the problem.

The fault with this approach is that you can't easily distribute the
antidote.  Since the inoculator program has to contain the virus code
pattern, any time you try to copy the program, you will be stopped
because the inoculator will detect the pattern!  And think about it -
if you can write a program such that you can copy the inoculator
program without being detected, anyone can come up with a similar
method to disguise the pattern.

Worse, they could go right to the metal and scribble the bits right on
the disk.  You can't stop that on the current Amiga.

There is another alternative, although not pretty, and not 100%
effective.  Make sure your disks are always 100% full, so any write
(that extends the file) will fail.  The problem is if the virus itself
can fit in a partial block - if your program takes 18.1 blocks it
takes 19 blocks on the disk.  If the virus code is only 0.8 blocks,
you can still get infected.

The *only* ways not to get it?
	0. Write protect all your disks and don't give them out. :-(
	1. Don't use any new software, commercial or public, unless
	   you have source code and you *know* your compiler is OK.
	2. Don't let anyone else use your machine, or your disks.

Once again, we need to know where this is and how it works, if we are
to be successful in fighting it.  As a "publisher" of publicly
available code, I feel I have a stake in this.  If anyone has a copy
of this, please send it to me and I will write a disk scanner.  It's
not the ultimate answer but it's a start.  If anyone else has any
more info, please send it or post it if you feel it's worthwhile.

I don't want to push the panic button but I'm not happy about this news.
I just hope the virus doesn't contain any time bombs.

[I'm going on vacation in a few hours but am still very interested and
will be thinking a lot about it while baking in the sun. :-) If you
can't e-mail via Usenet/ARPAnet, you can email to 'page' on BIX or
'zoxso' on people link, or surface mail to Bob Page, PO Box 1773,
Lowell MA 01853, USA.]

..Bob

johnsen@daimi.dk (Henrik Johnsen) wrote:
>Symptoms are a title bar with text:
>   IRQ Presents another virus for the Amiga

>virus installs itself as the code hunk, and puts the original program
>into a data hunk.
-- 
Bob Page, U of Lowell CS Dept.  page@swan.ulowell.edu  ulowell!page
Have five nice days.
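The hunk-layout symptom Henrik describes (a tiny code hunk with the original program pushed into a following data hunk) and the disk scanner Bob says he will write, as an added example that is not code from this thread or from VirusX/Guardian: a Python walker for the Amiga hunk load-file format that flags that layout. The 2 kB code-hunk limit and the 4x data/code ratio are my assumptions, and the two sample executables are constructed inline.

```python
import struct

# Amiga "hunk" load-file block types (every longword is big-endian)
HUNK_CODE, HUNK_DATA, HUNK_BSS, HUNK_RELOC32 = 0x3E9, 0x3EA, 0x3EB, 0x3EC
HUNK_END, HUNK_HEADER = 0x3F2, 0x3F3

def parse_hunks(blob):
    """Walk a hunk executable and return [(hunk_type, byte_size)] per loadable hunk."""
    def u32(off):
        return struct.unpack_from(">I", blob, off)[0]
    if u32(0) != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    pos = 4
    while u32(pos) != 0:                  # resident library name list (normally empty)
        pos += 4 + u32(pos) * 4
    pos += 4
    first, last = u32(pos + 4), u32(pos + 8)
    pos += 12 + (last - first + 1) * 4    # skip table_size, first, last and the size table
    hunks = []
    while pos < len(blob):
        htype, pos = u32(pos) & 0x3FFFFFFF, pos + 4     # mask CHIP/FAST memory-flag bits
        if htype in (HUNK_CODE, HUNK_DATA, HUNK_BSS):
            n = u32(pos) & 0x3FFFFFFF                   # size in longwords
            hunks.append((htype, n * 4))
            pos += 4 + (0 if htype == HUNK_BSS else n * 4)   # BSS carries no file bytes
        elif htype == HUNK_RELOC32:       # (count, hunk, offsets...)* ended by count 0
            while u32(pos) != 0:
                pos += 8 + u32(pos) * 4
            pos += 4
        elif htype != HUNK_END:
            raise ValueError("unsupported hunk type 0x%X at %d" % (htype, pos - 4))
    return hunks

def looks_linked(hunks, max_code=2048, ratio=4):
    """Heuristic from the thread: a tiny leading code hunk followed by a data hunk large
    enough to hold the original program. Thresholds are assumptions, not virus constants."""
    if len(hunks) < 2 or hunks[0][0] != HUNK_CODE or hunks[1][0] != HUNK_DATA:
        return False
    code, data = hunks[0][1], hunks[1][1]
    return code <= max_code and data >= ratio * code

def build_exe(sizes):
    """Constructed fixture: assemble a minimal load file from (type, byte_size) pairs."""
    out = struct.pack(">IIIII", HUNK_HEADER, 0, len(sizes), 0, len(sizes) - 1)
    out += b"".join(struct.pack(">I", s // 4) for _, s in sizes)
    for t, s in sizes:      # body is 68000 NOPs (0x4E71); BSS has no body
        out += struct.pack(">II", t, s // 4) + (b"" if t == HUNK_BSS else b"\x4e\x71" * (s // 2))
        out += struct.pack(">I", HUNK_END)
    return out

CLEAN = build_exe([(HUNK_CODE, 6000), (HUNK_DATA, 400), (HUNK_BSS, 1024)])
SUSPECT = build_exe([(HUNK_CODE, 1500), (HUNK_DATA, 6000)])   # layout Henrik saw in NewZap
```

A layout match is only a reason to compare the file against a known-good copy (as Henrik did with UnHunk), since small loader stubs with large data hunks also occur legitimately.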