unpowell@csvax.liv.ac.uk (04/19/88)
I've noticed quite a growing concern about ST viruses on the net.
The following uuencoded program is a virus killer. It allows examination
of a disk's boot sector, the removal of an auto executing boot sector and
the installation of an "anti virus" on a disk's boot sector. This anti virus
is simply a program, on the boot sector, that tells the user (on boot up)
that his/her disk is virus free.
You may have a colour warning. i.e. screen turns red momentarily,
(before desktop appears) on a colour system or screen becomes reverse (when
desktop appears) on a mono-chrome system, a text message may also be printed
to the screen saying "Virus free disk" and you may have a bell sound when
you boot up. You may have any combination of the above three warnings. You
may also save which combination that you like best.
Thus if you have an anti virus installed on your disk and when you
boot up you don't get your warning, reboot with this virus killer and check
your disk. If you don't get the message "This disk has an anti virus installed"
then something has written over your boot sector. Virus? Do with it what
you will!
Mark Powell
********************************************************************************
"...there's no success JANET unpowell@uk.ac.lis.csvax
like failure and UUCP {backbone}!mcvax!ukc!mupsy!lis-cs!unpowell
failure's no success ARPA unpowell%csvax.lis.ac.uk@nss.cs.ucl.ac.uk
at all..." B.Dylan
********************************************************************************
--------------------------Cut Here----------------------------
klute%trillian.irb@unido.uucp (Rainer Klute) (04/21/88)
In article <538@csvax.liv.ac.uk> unpowell@csvax.liv.ac.uk writes:
>
> I've noticed quite a growing concern about ST viruses on the net.
>The following uuencoded program is a virus killer. It allows examination
>of a disk's boot sector, the removal of an auto executing boot sector and
>the installation of an "anti virus" on a disks boot sector. This anti virus
>is simply a program, on the boot sector, that tells the user (on boot up)
>that his/her disk is virus free.
- I won't install anything on the boot sector of any disk if I don't have
  the source of it (and have compiled it myself for sure).
- Sources and binaries should be posted to the moderator of
  comp.sources.atari.st resp. comp.binaries.atari.st.
+---------------------------+------------------------------------------+
| Rainer Klute              | UUCP: klute@unido.uucp                   |
| University of Dortmund    | (...uunet!mcvax!unido!klute)             |
| Dept. of CS               | BITNET: klute@unido.bitnet               |
| P.O. Box 500500           |                                          |
| D-4600 Dortmund 50        |                                          |
+---------------------------+------------------------------------------+
|                     Federal Republic of Germany                      |
+----------------------------------------------------------------------+
bw0i+@andrew.cmu.edu (Bryan Wu) (04/22/88)
I'm not sure it's a great idea to have an anti-virus floating around.
If it copies itself to disks and multiplies, it's potentially as dangerous as a
normal virus. Why not just use the boot sector checking program to check your
boot sector if you believe there's a virus on your disk?
I personally don't want a program scattered on my disks that I didn't
put there myself. I'm sure many others feel the same.
unpowell@csvax.liv.ac.uk (04/27/88)
Recently I posted a virus killer to comp.sys.atari.st. A certain
Rainer Klute commented that he would only use it if he had the source for
it. The source, in 68000 assembly language, follows....
This program allows examination of floppy disks, for auto executing
boot sectors, and allows such boot sectors to be disabled. It also allows
an "anti-virus" to be installed on a disk (which is what, I think, Rainer
was wary about). This is simply a program on the boot sector, which on boot
up informs the user that the disk doesn't have a virus on it. This is done
by turning the screen red (on a colour monitor), reversing the screen (on
a monochrome monitor), printing the message "Virus free disk", making
the "bell" sound or any combination of those three. So on boot up, with a disk
with an anti virus installed, if your screen changes colour and/or the message
is printed and/or the bell sounds you know that the anti-virus is still
installed on your disk and it hasn't "yet" been written over by a virus.
If you boot up with a disk with the anti-virus on it and you don't get your
audio, visual or textual message then you know that something or other has
written over your boot sector, possibly a virus. This can then be dealt
with.
The anti-virus does not stay resident after boot up, it simply executes
during boot up and no other time.
Does this put your mind at ease, Rainer?
Mark Powell
********************************************************************************
"...I hate the white JANET unpowell@uk.ac.liv.csvax
man, and the man UUCP {backbone}!mcvax!ukc!mupsy!liv-cs!unpowell
who turned you all ARPA unpowell%csvax.liv.ac.uk@nss.cs.ucl.ac.uk
loose..." R. Harper
********************************************************************************
-----------------------------------Cut here-------------------------------------
* ST Virus Killer
* Copyright Mark Powell 18/4/1988
* Permission is granted to copy this source, provided no profits
* are obtained from such copying
* Written for Devpac assembler, GenST, by Hisoft
begin
        clr.l   -(sp)           * GEMDOS Super(0): enter supervisor mode
        move    #32,-(sp)
        trap    #1
        addq.l  #6,sp
        move.l  d0,-(sp)        * save old supervisor stack pointer
        move    $484.w,-(sp)    * save conterm
        bclr    #1,$484.w       * turn off key repeat
        dc.w    $a00a           * Line-A: hide mouse
start   lea     mess0(pc),a0
        bsr     print
        bsr     prntant
        lea     mess01(pc),a0
        bsr     print
wait    bsr     getkey          * d0 = ASCII code of the menu choice
        cmp     #'1',d0
        beq.s   examine
        cmp     #'2',d0
        beq     remove
        cmp     #'3',d0
        beq     install
        cmp     #'4',d0
        beq     alterc
        cmp     #'5',d0
        beq     changdr
        cmp     #'6',d0
        beq     save
        cmp     #'7',d0
        bne.s   wait
        move    (sp)+,$484.w    * restore conterm
        move    #32,-(sp)       * Super(old ssp): back to user mode
        trap    #1
        addq.l  #6,sp
        clr     -(sp)           * GEMDOS Pterm0
        trap    #1
changdr cmp     #1,$4a6.w       * _nflops: only one floppy drive?
        beq.s   wait
        eor.b   #3,drive        * toggle 'A' <-> 'B' ($41 eor 3 = $42)
        bra.s   start
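examine bsr     cls
        bsr     read
        bsr     getchk          * d1 = sum of the first 255 words
        add     (a5)+,d1        * add the 256th (checksum) word
        cmp     #$1234,d1       * words sum to $1234: sector is executable
        bne.s   noboot
        cmp     #$601c,(a6)     * starts with bra.s to offset $1e?
        bne.s   notanti
        lea     $1e(a6),a5
        lea     code(pc),a0
        move    #endcode-code-1,d0
chkcode move.b  (a0)+,d1        * compare byte for byte with our anti-virus
        cmp.b   (a5)+,d1
        bne.s   notanti
        dbra    d0,chkcode
        lea     anti(pc),a0
        bsr     print
        lea     info-code+$1e(a6),a3
        bsr     prntan1
        bsr     anykey
        bra     start
notanti lea     is(pc),a0
        bra.s   prntres
noboot  lea     isnt(pc),a0
prntres bsr     print
        bsr     anykey
        bra     start
install bsr     cls
        bsr     read
        lea     $1e(a6),a0
        move.l  a0,a1
        move    #480/4-1,d0
clrboot clr.l   (a0)+           * clear bytes $1e-$1fd of the sector
        dbra    d0,clrboot
        lea     code(pc),a0
        move    #endcode-code-1,d0
movecd  move.b  (a0)+,(a1)+     * copy the anti-virus in at $1e
        dbra    d0,movecd
        move    #$601c,(a6)     * bra.s to $1e at the start of the sector
        bsr     getchk
        sub     #$1234,d1
        neg     d1              * d1 = $1234 - sum: sector becomes executable
        move    d1,(a5)
        bra.s   write
remove  bsr     cls
        bsr     read
        bsr     getchk
        sub     #$1235,d1
        neg     d1              * d1 = $1235 - sum: sector no longer executable
        move    d1,(a5)
write   pea     1.w             * side 0, count 1
        pea     $10000          * sector 1, track 0
        move    d7,-(sp)        * drive number
        subq.l  #4,sp           * unused filler long
        pea     (a6)            * sector buffer
        move    #9,-(sp)        * XBIOS Flopwr
        trap    #14
        lea     20(sp),sp
        tst     d0
        beq     start
        bsr     error
        beq     start           * Esc pressed: give up
        bra.s   write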
save    lea     insert(pc),a0
        bsr     print
        bsr     anykey
open    clr     -(sp)
        pea     name(pc)
        move    #$3d,-(sp)      * GEMDOS Fopen
        trap    #1
        addq.l  #8,sp
        tst     d0
        bpl.s   sokay
        moveq   #-18,d0         * report "Couldn't access disk"
        bsr     error
        bne.s   open
        bra     start
sokay   move    d0,d6           * d6 = file handle
        clr     -(sp)           * seek from start of file
        move    d6,-(sp)
        pea     (info-begin+$1c).w      * info, past the $1c byte program header
        move    #$42,-(sp)      * GEMDOS Fseek
        trap    #1
        lea     10(sp),sp
        pea     info(pc)
        pea     3.w             * the three flag bytes
        move    d6,-(sp)
        move    #$40,-(sp)      * GEMDOS Fwrite
        trap    #1
        lea     12(sp),sp
        move    d6,-(sp)
        move    #$3e,-(sp)      * GEMDOS Fclose
        trap    #1
        addq.l  #4,sp
        bra     start
alterc  lea     alter(pc),a0
        bsr.s   print
        lea     info(pc),a3
        lea     coloryn(pc),a0
        bsr.s   getyn
        lea     textyn(pc),a0
        bsr.s   getyn
        lea     soundyn(pc),a0
        bsr.s   getyn
        bra     start
getyn   bsr.s   print           * ask a y/n question, store 1 or 0 at (a3)+
        move.b  #1,(a3)
getynw  bsr.s   getkey
        bclr    #5,d0           * force upper case
        cmp     #'Y',d0
        beq.s   ynokay
        cmp     #'N',d0
        bne.s   getynw
        clr.b   (a3)
ynokay  lea     yn(pc),a0
        move.b  d0,(a0)
        addq.l  #1,a3
        bra.s   print
cls     lea     clear(pc),a0
        bra.s   print
getkey  pea     $10002          * BIOS Bconstat(2): key waiting?
        trap    #13
        addq.l  #4,sp
        tst     d0
        beq.s   keyget
        bsr.s   keyget          * discard type-ahead
        bra.s   getkey
keyget  pea     $20002          * BIOS Bconin(2): wait for a key
        trap    #13
        addq.l  #4,sp
        move.l  d0,d1
        swap    d1              * d1 = scan code, d0 = ASCII
        rts
print   pea     (a0)
        move    #9,-(sp)        * GEMDOS Cconws
        trap    #1
        addq.l  #6,sp
        rts
getchk  move.l  a6,a5           * sum the first 255 words of the sector
        clr     d1
        move    #255-1,d0
chklp   add     (a5)+,d1
        dbra    d0,chklp
        rts                     * a5 now points at the checksum word
anykey  lea     any(pc),a0
        bsr.s   print
        bra.s   getkey
read    moveq   #0,d7
        move.b  drive(pc),d7
        sub     #'A',d7         * d7 = drive number
        lea     buffer(pc),a6
readag  pea     1.w             * side 0, count 1
        pea     $10000          * sector 1, track 0
        move    d7,-(sp)
        subq.l  #4,sp
        pea     (a6)
        move    #8,-(sp)        * XBIOS Floprd
        trap    #14
        lea     20(sp),sp
        tst     d0
        bpl.s   okayr
        bsr     error
        bne.s   readag
        addq.l  #4,sp           * Esc pressed: drop return address
        bra     start
okayr   rts
prntant lea     info(pc),a3     * print the enabled warnings, ':' separated
prntan1 moveq   #0,d6
        tst.b   (a3)+
        beq.s   nocol
        lea     color(pc),a0
        bsr.s   print
        moveq   #1,d6
nocol   tst.b   (a3)+
        beq.s   notext
        lea     text+1(pc),a0
        tst     d6
        beq.s   first1
        subq.l  #1,a0
first1  bsr.s   print
        moveq   #1,d6
notext  tst.b   (a3)+
        beq.s   nosound
        lea     sound+1(pc),a0
        tst     d6
        beq.s   first2
        subq.l  #1,a0
first2  bra     print
nosound rts
* This is the actual anti-virus code, that is written
* to the boot sector.
code    lea     info(pc),a3
        tst.b   (a3)+           * colour warning wanted?
        beq.s   nocolq
        btst    #7,$fa01.w      * MFP monochrome-detect bit
        bne.s   colour
        move.l  $456.w,a0       * If monochrome then set up
        lea     vbl(pc),a1      * VBL to set reverse screen
        move.l  a1,28(a0)
colour  move    #$700,$8240.w   * palette colour 0 = red
nocolq  tst.b   (a3)+           * text warning wanted?
        beq.s   notext1
        pea     mess(pc)
        move    #9,-(sp)        * GEMDOS Cconws
        trap    #1
        addq.l  #6,sp
notext1 tst.b   (a3)+           * bell wanted?
        beq.s   nosund1
        move    #7,-(sp)
        pea     $30002          * BIOS Bconout(2,7)
        trap    #13
        addq.l  #6,sp
nosund1 rts
vbl     move.l  $44e.w,a0       * VBL to set screen to white on black
        tst.l   31992(a0)       * when desktop finally appears
        beq.s   scrclr
        move.l  $456.w,a0
        clr.l   28(a0)          * take this routine out of the VBL queue
        clr     $8240.w
scrclr  rts
mess    dc.b    27,'EVirus free disk',0
info    dc.b    1,0,0           * colour, text, sound flags
endcode
* Anti-virus code ends here
error   neg     d0              * d0 = negative error number from the OS
        add     d0,d0
        lea     errpnt-2(pc,d0),a3
        lea     messe(pc),a0
        bsr     print
        moveq   #0,d0
        move    (a3),d0
        lea     e1(pc,d0),a0
        bsr     print
        lea     messe1(pc),a0
        bsr     print
        bsr     getkey
        cmp     #1,d1           * Esc scan code? Caller tests Z
        rts
errpnt  dc.w    0,e2-z,e3-z,e4-z,e5-z,e6-z,e7-z,e8-z,e9-z,e10-z,e11-z
        dc.w    e12-z,e13-z,e14-z,e15-z,e16-z,e17-z,e18-z
z
e1      dc.b    '#1 General error'
e3
e5
e7
e9
e14
e16     dc.b    0
e2      dc.b    '#2 Drive not ready',0
e4      dc.b    '#4 CRC error. Read error',0
e6      dc.b    '#6 Seek error, track not found',0
e8      dc.b    '#8 Sector not found. Read error',0
e10     dc.b    '#10 Write error',0
e11     dc.b    '#11 Read error',0
e12     dc.b    '#12 General error',0
e13     dc.b    '#13 Disk write protected',0
e15     dc.b    '#15 Unknown device',0
e17     dc.b    '#17 Insert disk',0
e18     dc.b    'Couldn',39,'t access disk',0
mess0   dc.b    27,'E ST Virus Killer',13,10,13,10
        dc.b    ' Copyright 18/4/1988 by M.S.Powell',13,10
        dc.b    'Permission granted to copy for no profit',13,10,13,10
        dc.b    '1. Examine a disk',13,10
        dc.b    '2. Remove auto executing boot sector',13,10
        dc.b    '3. Install anti virus: ',0
mess01  dc.b    13,10,'4. Alter anti virus characteristics',13,10
        dc.b    '5. Drive '
drive   dc.b    'A',13,10
        dc.b    '6. Save defaults',13,10
        dc.b    '7. Exit',0
any     dc.b    13,10,13,10,'Press any key',0
anti    dc.b    'Disk has an anti virus installed,',13,10
        dc.b    'with characteristics: ',0
is      dc.b    'Disk has an executable boot sector',13,10
        dc.b    'Possibly a virus.',13,10
        dc.b    'Could also be entirely innocent',0
isnt    dc.b    'Boot sector isn',39,'t executable',0
color   dc.b    'Colour',0
text    dc.b    ':Text',0
sound   dc.b    ':Sound',0
coloryn dc.b    'Colour (y/n)? ',0
textyn  dc.b    'Text (y/n)? ',0
soundyn dc.b    'Sound (y/n)? ',0
clear   dc.b    27,'E',0
yn      dc.b    '@',13,10,0
insert  dc.b    27,'EInsert the disk that this program was',13,10
        dc.b    'loaded from',0
alter   dc.b    27,'EAnti virus characteristics are:',13,10,13,10,0
messe   dc.b    13,10,'Error occurred:- ',0
messe1  dc.b    13,10,'Esc to abort. Any other key to try again',13,10,0
name    dc.b    'viruskil.prg',0
        even
buffer
unpowell@csvax.liv.ac.uk (04/27/88)
In article <gWPck1y00WE2ATM0mK@andrew.cmu.edu>, bw0i+@andrew.cmu.edu (Bryan Wu) writes:
>
> I'm not sure it's a great idea to have an anti-virus floating around.
> If it copies itself to disks and multiplies, it's potentially as dangerous as a
> normal virus. Why not just use the boot sector checking program to check your
> boot sector if you believe there's a virus on your disk?
> I personally don't want a program scattered on my disks that I didn't
> put there myself. I'm sure many others feel the same.
There seems to have been a misunderstanding (mainly due to my lack of
explanation) about the anti virus. In no way does the anti virus stay
resident after boot up nor does it reproduce in any way. It simply runs at
boot up to inform the user that his/her disk does not have a virus on it.
The source to my program has recently been posted, for those worried that
it might be a trojan virus spreading program. I see no reason for not using
it other than intense paranoia.
Mark Powell
********************************************************************************
"...I hate the white JANET unpowell@uk.ac.liv.csvax
man, and the man UUCP {backbone}!mcvax!ukc!mupsy!liv-cs!unpowell
who turned you all ARPA unpowell%csvax.liv.ac.uk@nss.cs.ucl.ac.uk
loose..." R. Harper
********************************************************************************
klute%trillian.irb@unido.uucp (Rainer Klute) (04/29/88)
In article <961@csvax.liv.ac.uk> unpowell@csvax.liv.ac.uk writes:
> [Description of virus killer program incl. source code]
>
> Does this put your mind at ease, Rainer?
Yes, it does. Thank you
Rainer Klute
+---------------------------+------------------------------------------+
| Rainer Klute              | UUCP: klute@unido.uucp                   |
| University of Dortmund    | (...uunet!mcvax!unido!klute)             |
| Dept. of CS               | BITNET: klute@unido.bitnet               |
| P.O. Box 500500           |                                          |
| D-4600 Dortmund 50        |                                          |
+---------------------------+------------------------------------------+
|                     Federal Republic of Germany                      |
+----------------------------------------------------------------------+
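The boot-sector test that the posted source applies (the examine, install and remove routines), reworked in Python so it can be run over a 512-byte sector read from a disk image. This is an added example, not part of the original posts; the two-byte stub and the sample sectors are constructed placeholders.

```python
import struct

BOOT_MAGIC = 0x1234   # 256 big-endian words summing to this: TOS runs the sector
BRA_TO_1E = 0x601C    # bra.s to offset $1e, the first word 'examine' checks
CODE_AT = 0x1E        # where 'install' copies the stub

def word_sum(sector, nwords=256):
    """16-bit sum of the first nwords big-endian words, as 'getchk' computes."""
    return sum(struct.unpack(f">{nwords}H", sector[:nwords * 2])) & 0xFFFF

def set_checksum(sector, target):
    """Rewrite the last word so that all 256 words sum to target."""
    fix = (target - word_sum(sector, 255)) & 0xFFFF
    return sector[:510] + struct.pack(">H", fix)

def classify(sector, stub):
    """Same three outcomes as the 'examine' routine."""
    if len(sector) != 512:
        raise ValueError("boot sector must be 512 bytes")
    if word_sum(sector) != BOOT_MAGIC:
        return "not executable"
    branch, = struct.unpack_from(">H", sector)
    if branch == BRA_TO_1E and sector[CODE_AT:CODE_AT + len(stub)] == stub:
        return "anti-virus installed"
    return "executable, unknown code"

def install(sector, stub):
    """Keep bytes 2..$1d, place the stub at $1e, make the sector executable."""
    if len(stub) > 480:
        raise ValueError("stub does not fit in $1e-$1fd")
    body = stub.ljust(480, b"\0")
    image = struct.pack(">H", BRA_TO_1E) + sector[2:CODE_AT] + body + b"\0\0"
    return set_checksum(image, BOOT_MAGIC)

def disable(sector):
    """As 'remove': leave the bytes alone but make the sum $1235."""
    return set_checksum(sector, BOOT_MAGIC + 1)

# Constructed sample data: a blank sector and a two-byte stand-in stub (rts).
STUB = bytes.fromhex("4e75")
blank = bytes(512)
protected = install(blank, STUB)
overwritten = set_checksum(protected[:CODE_AT] + b"\x60\xfe" + protected[0x20:],
                           BOOT_MAGIC)

if __name__ == "__main__":
    for name, s in [("blank", blank), ("protected", protected),
                    ("overwritten", overwritten), ("disabled", disable(protected))]:
        print(f"{name:12} sum=${word_sum(s):04x}  {classify(s, STUB)}")
```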