unpowell@csvax.liv.ac.uk (04/19/88)
I've noticed quite a growing concern about ST viruses on the net.
The following uuencoded program is a virus killer. It allows examination
of a disk's boot sector, the removal of an auto executing boot sector and
the installation of an "anti virus" on a disk's boot sector. This anti virus
is simply a program, on the boot sector, that tells the user (on boot up)
that his/her disk is virus free.
You may have a colour warning. i.e. screen turns red momentarily,
(before desktop appears) on a colour system or screen becomes reverse (when
desktop appears) on a mono-chrome system, a text message may also be printed
to the screen saying "Virus free disk" and you may have a bell sound when
you boot up. You may have any combination of the above three warnings. You
may also save which combination that you like best.
Thus if you have an anti virus installed on your disk and when you
boot up you don't get your warning, reboot with this virus killer and check
your disk. If you don't get the message "This disk has an anti virus installed"
then something has written over your boot sector. Virus? Do with it what
you will!
Mark Powell
********************************************************************************
"...there's no success JANET unpowell@uk.ac.lis.csvax
like failure and UUCP {backbone}!mcvax!ukc!mupsy!lis-cs!unpowell
failure's no success ARPA unpowell%csvax.lis.ac.uk@nss.cs.ucl.ac.uk
at all..." B.Dylan
********************************************************************************
klute%trillian.irb@unido.uucp (Rainer Klute) (04/21/88)
In article <538@csvax.liv.ac.uk> unpowell@csvax.liv.ac.uk writes:
>
> I've noticed quite a growing concern about ST viruses on the net.
>The following uuencoded program is a virus killer. It allows examination
>of a disk's boot sector, the removal of an auto executing boot sector and
>the installation of an "anti virus" on a disk's boot sector. This anti virus
>is simply a program, on the boot sector, that tells the user (on boot up)
>that his/her disk is virus free.

- I won't install anything on the boot sector of any disk if I don't have
  the source of it (and have compiled it myself for sure).

- Sources and binaries should be posted to the moderator of
  comp.sources.atari.st resp. comp.binaries.atari.st.

+---------------------------+------------------------------------------+
| Rainer Klute              | UUCP:   klute@unido.uucp                 |
| University of Dortmund    |         (...uunet!mcvax!unido!klute)     |
| Dept. of CS               | BITNET: klute@unido.bitnet               |
| P.O. Box 500500           |                                          |
| D-4600 Dortmund 50        |                                          |
+---------------------------+------------------------------------------+
| Federal Republic of Germany                                          |
+----------------------------------------------------------------------+
bw0i+@andrew.cmu.edu (Bryan Wu) (04/22/88)
I'm not sure it's a great idea to have an anti-virus floating around. If it copies itself to disks and multiplies, it's potentially as dangerous as a normal virus. Why not just use the boot sector checking program to check your boot sector if you believe there's a virus on your disk?

I personally don't want a program scattered on my disks that I didn't put there myself. I'm sure many others feel the same.
unpowell@csvax.liv.ac.uk (04/27/88)
Recently I posted a virus killer to comp.sys.atari.st. A certain Rainer
Klute commented that he would only use it if he had the source for it. The
source, in 68000 assembly language, follows....

This program allows examination of floppy disks, for auto executing boot
sectors, and allows such boot sectors to be disabled. It also allows an
"anti-virus" to be installed on a disk (which is what, I think, Rainer was
wary about). This is simply a program on the boot sector, which on boot up
informs the user that the disk doesn't have a virus on it. This is done by
turning the screen red (on a colour monitor), reversing the screen (on a
monochrome monitor), printing the message "Virus free disk", making the
"bell" sound or any combination of those three.

So on boot up, with a disk with an anti virus installed, if your screen
changes colour and/or the message is printed and/or the bell sounds you know
that the anti-virus is still installed on your disk and it hasn't "yet" been
written over by a virus. If you boot up with a disk with the anti-virus on it
and you don't get your audio, visual or textual message then you know that
something or other has written over your boot sector, possibly a virus. This
can then be dealt with.

The anti-virus does not stay resident after boot up, it simply executes
during boot up and no other time.

Does this put your mind at ease, Rainer?

Mark Powell
********************************************************************************
"...I hate the white JANET unpowell@uk.ac.liv.csvax
man, and the man UUCP {backbone}!mcvax!ukc!mupsy!liv-cs!unpowell
who turned you all ARPA unpowell%csvax.liv.ac.uk@nss.cs.ucl.ac.uk
loose..." R. Harper
********************************************************************************
-----------------------------------Cut here-------------------------------------
* ST Virus Killer
* Copyright Mark Powell 18/4/1988
* Permission is granted to copy this source, provided no profits
* are obtained from such copying
* Written for Devpac assembler, GenST, by Hisoft

begin   clr.l   -(sp)
        move    #32,-(sp)               * GEMDOS Super: enter supervisor mode
        trap    #1
        addq.l  #6,sp
        move.l  d0,-(sp)                * keep old supervisor stack for exit
        move    $484.w,-(sp)            * keep conterm
        bclr    #1,$484.w               * key repeat off
        dc.w    $a00a                   * Line-A: hide mouse
start   lea     mess0(pc),a0
        bsr     print
        bsr     prntant
        lea     mess01(pc),a0
        bsr     print
wait    bsr     getkey
        cmp     #'1',d0
        beq.s   examine
        cmp     #'2',d0
        beq     remove
        cmp     #'3',d0
        beq     install
        cmp     #'4',d0
        beq     alterc
        cmp     #'5',d0
        beq     changdr
        cmp     #'6',d0
        beq     save
        cmp     #'7',d0
        bne.s   wait
        move    (sp)+,$484.w            * restore conterm
        move    #32,-(sp)               * Super again: back to user mode
        trap    #1
        addq.l  #6,sp
        clr     -(sp)                   * GEMDOS Pterm0
        trap    #1
changdr cmp     #1,$4a6.w               * only one floppy drive attached?
        beq.s   wait
        eor.b   #3,drive                * toggle drive letter 'A' <-> 'B'
        bra.s   start
examine bsr     cls
        bsr     read
        bsr     getchk
        add     (a5)+,d1                * add word 256 to the sum of the first 255
        cmp     #$1234,d1               * $1234 = boot sector is executable
        bne.s   noboot
        cmp     #$601c,(a6)
        bne.s   notanti
        lea     $1e(a6),a5
        lea     code(pc),a0
        move    #endcode-code-1,d0
chkcode move.b  (a0)+,d1
        cmp.b   (a5)+,d1
        bne.s   notanti
        dbra    d0,chkcode
        lea     anti(pc),a0
        bsr     print
        lea     info-code+$1e(a6),a3
        bsr     prntan1
        bsr     anykey
        bra     start
notanti lea     is(pc),a0
        bra.s   prntres
noboot  lea     isnt(pc),a0
prntres bsr     print
        bsr     anykey
        bra     start
install bsr     cls
        bsr     read
        lea     $1e(a6),a0
        move.l  a0,a1
        move    #480/4-1,d0
clrboot clr.l   (a0)+
        dbra    d0,clrboot
        lea     code(pc),a0
        move    #endcode-code-1,d0
movecd  move.b  (a0)+,(a1)+
        dbra    d0,movecd
        move    #$601c,(a6)
        bsr     getchk
        sub     #$1234,d1               * word 256 = $1234 - sum of first 255
        neg     d1
        move    d1,(a5)
        bra.s   write
remove  bsr     cls
        bsr     read
        bsr     getchk
        sub     #$1235,d1               * total becomes $1235: not executable
        neg     d1
        move    d1,(a5)
write   pea     1.w                     * count 1, side 0
        pea     $10000                  * track 0, sector 1
        move    d7,-(sp)
        subq.l  #4,sp
        pea     (a6)
        move    #9,-(sp)                * XBIOS Flopwr
        trap    #14
        lea     20(sp),sp
        tst     d0
        beq     start
        bsr     error
        beq     start
        bra.s   write
save    lea     insert(pc),a0
        bsr     print
        bsr     anykey
open    clr     -(sp)
        pea     name(pc)
        move    #$3d,-(sp)              * GEMDOS Fopen
        trap    #1
        addq.l  #8,sp
        tst     d0
        bpl.s   sokay
        moveq   #-18,d0
        bsr     error
        bne.s   open
        bra     start
sokay   move    d0,d6
        clr     -(sp)
        move    d6,-(sp)
        pea     (info-begin+$1c).w
        move    #$42,-(sp)              * GEMDOS Fseek
        trap    #1
        lea     10(sp),sp
        pea     info(pc)
        pea     3.w
        move    d6,-(sp)
        move    #$40,-(sp)              * GEMDOS Fwrite
        trap    #1
        lea     12(sp),sp
        move    d6,-(sp)
        move    #$3e,-(sp)              * GEMDOS Fclose
        trap    #1
        addq.l  #4,sp
        bra     start
alterc  lea     alter(pc),a0
        bsr.s   print
        lea     info(pc),a3
        lea     coloryn(pc),a0
        bsr.s   getyn
        lea     textyn(pc),a0
        bsr.s   getyn
        lea     soundyn(pc),a0
        bsr.s   getyn
        bra     start
getyn   bsr.s   print
        move.b  #1,(a3)
getynw  bsr.s   getkey
        bclr    #5,d0                   * fold to upper case
        cmp     #'Y',d0
        beq.s   ynokay
        cmp     #'N',d0
        bne.s   getynw
        clr.b   (a3)
ynokay  lea     yn(pc),a0
        move.b  d0,(a0)
        addq.l  #1,a3
        bra.s   print
cls     lea     clear(pc),a0
        bra.s   print
getkey  pea     $10002                  * BIOS Bconstat, console
        trap    #13
        addq.l  #4,sp
        tst     d0
        beq.s   keyget
        bsr.s   keyget
        bra.s   getkey
keyget  pea     $20002                  * BIOS Bconin, console
        trap    #13
        addq.l  #4,sp
        move.l  d0,d1
        swap    d1
        rts
print   pea     (a0)
        move    #9,-(sp)                * GEMDOS Cconws
        trap    #1
        addq.l  #6,sp
        rts
getchk  move.l  a6,a5                   * sum the first 255 words of the sector
        clr     d1
        move    #255-1,d0
chklp   add     (a5)+,d1
        dbra    d0,chklp
        rts
anykey  lea     any(pc),a0
        bsr.s   print
        bra.s   getkey
read    moveq   #0,d7
        move.b  drive(pc),d7
        sub     #'A',d7
        lea     buffer(pc),a6
readag  pea     1.w                     * count 1, side 0
        pea     $10000                  * track 0, sector 1
        move    d7,-(sp)
        subq.l  #4,sp
        pea     (a6)
        move    #8,-(sp)                * XBIOS Floprd
        trap    #14
        lea     20(sp),sp
        tst     d0
        bpl.s   okayr
        bsr     error
        bne.s   readag
        addq.l  #4,sp
        bra     start
okayr   rts
prntant lea     info(pc),a3
prntan1 moveq   #0,d6
        tst.b   (a3)+
        beq.s   nocol
        lea     color(pc),a0
        bsr.s   print
        moveq   #1,d6
nocol   tst.b   (a3)+
        beq.s   notext
        lea     text+1(pc),a0
        tst     d6
        beq.s   first1
        subq.l  #1,a0
first1  bsr.s   print
        moveq   #1,d6
notext  tst.b   (a3)+
        beq.s   nosound
        lea     sound+1(pc),a0
        tst     d6
        beq.s   first2
        subq.l  #1,a0
first2  bra     print
nosound rts

* This is the actual anti-virus code, that is written
* to the boot sector.

code    lea     info(pc),a3
        tst.b   (a3)+
        beq.s   nocolq
        btst    #7,$fa01.w
        bne.s   colour
        move.l  $456.w,a0               * If monochrome then set up
        lea     vbl(pc),a1              * VBL to set reverse screen
        move.l  a1,28(a0)
colour  move    #$700,$8240.w
nocolq  tst.b   (a3)+
        beq.s   notext1
        pea     mess(pc)
        move    #9,-(sp)
        trap    #1
        addq.l  #6,sp
notext1 tst.b   (a3)+
        beq.s   nosund1
        move    #7,-(sp)
        pea     $30002
        trap    #13
        addq.l  #6,sp
nosund1 rts
vbl     move.l  $44e.w,a0               * VBL to set screen to white on black
        tst.l   31992(a0)               * when desktop finally appears
        beq.s   scrclr
        move.l  $456.w,a0
        clr.l   28(a0)
        clr     $8240.w
scrclr  rts
mess    dc.b    27,'EVirus free disk',0
info    dc.b    1,0,0
endcode
* Anti-virus code ends here

error   neg     d0
        add     d0,d0
        lea     errpnt-2(pc,d0),a3
        lea     messe(pc),a0
        bsr     print
        moveq   #0,d0
        move    (a3),d0
        lea     e1(pc,d0),a0
        bsr     print
        lea     messe1(pc),a0
        bsr     print
        bsr     getkey
        cmp     #1,d1                   * Esc pressed?
        rts
errpnt  dc.w    0,e2-z,e3-z,e4-z,e5-z,e6-z,e7-z,e8-z,e9-z,e10-z,e11-z
        dc.w    e12-z,e13-z,e14-z,e15-z,e16-z,e17-z,e18-z
z
e1      dc.b    '#1 General error'
e3
e5
e7
e9
e14
e16     dc.b    0
e2      dc.b    '#2 Drive not ready',0
e4      dc.b    '#4 CRC error. Read error',0
e6      dc.b    '#6 Seek error, track not found',0
e8      dc.b    '#8 Sector not found. Read error',0
e10     dc.b    '#10 Write error',0
e11     dc.b    '#11 Read error',0
e12     dc.b    '#12 General error',0
e13     dc.b    '#13 Disk write protected',0
e15     dc.b    '#15 Unknown device',0
e17     dc.b    '#17 Insert disk',0
e18     dc.b    'Couldn',39,'t access disk',0
mess0   dc.b    27,'E ST Virus Killer',13,10,13,10
        dc.b    ' Copyright 18/4/1988 by M.S.Powell',13,10
        dc.b    'Permission granted to copy for no profit',13,10,13,10
        dc.b    '1. Examine a disk',13,10
        dc.b    '2. Remove auto executing boot sector',13,10
        dc.b    '3. Install anti virus: ',0
mess01  dc.b    13,10,'4. Alter anti virus characteristics',13,10
        dc.b    '5. Drive '
drive   dc.b    'A',13,10
        dc.b    '6. Save defaults',13,10
        dc.b    '7. Exit',0
any     dc.b    13,10,13,10,'Press any key',0
anti    dc.b    'Disk has an anti virus installed,',13,10
        dc.b    'with characteristics: ',0
is      dc.b    'Disk has an executable boot sector',13,10
        dc.b    'Possibly a virus.',13,10
        dc.b    'Could also be entirely innocent',0
isnt    dc.b    'Boot sector isn',39,'t executable',0
color   dc.b    'Colour',0
text    dc.b    ':Text',0
sound   dc.b    ':Sound',0
coloryn dc.b    'Colour (y/n)? ',0
textyn  dc.b    'Text (y/n)? ',0
soundyn dc.b    'Sound (y/n)? ',0
clear   dc.b    27,'E',0
yn      dc.b    '@',13,10,0
insert  dc.b    27,'EInsert the disk that this program was',13,10
        dc.b    'loaded from',0
alter   dc.b    27,'EAnti virus characteristics are:',13,10,13,10,0
messe   dc.b    13,10,'Error occurred:- ',0
messe1  dc.b    13,10,'Esc to abort. Any other key to try again',13,10,0
name    dc.b    'viruskil.prg',0
        even
buffer
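
The checksum logic behind the examine, install and remove routines in the source above, restated in Python so it can be run against 512-byte boot sectors read from disk images. This is an added example, not part of Mark Powell's posting; REFERENCE_CODE and the sample sectors are constructed stand-ins, not the assembled anti-virus.

```python
import struct

SECTOR_SIZE = 512
EXEC_SUM = 0x1234      # word sum that `examine` treats as "executable"
DISABLED_SUM = 0x1235  # word sum that `remove` leaves behind
BRANCH = 0x601C        # first word written by `install`
CODE_OFFSET = 0x1E     # where `install` copies its code
# Constructed stand-in (nop; rts), NOT the assembled anti-virus code.
REFERENCE_CODE = bytes.fromhex("4e714e75")


def word_sum(data: bytes) -> int:
    """Sum big-endian 16-bit words, wrapping at 16 bits like `add (a5)+,d1`."""
    return sum(struct.unpack(f">{len(data) // 2}H", data)) & 0xFFFF


def set_checksum(sector: bytes, target: int) -> bytes:
    """Rewrite word 256 so that all 256 words of the sector sum to `target`."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    fix = (target - word_sum(sector[:-2])) & 0xFFFF
    return sector[:-2] + struct.pack(">H", fix)


def classify(sector: bytes, reference: bytes = REFERENCE_CODE) -> str:
    """Return one of the three verdicts the `examine` routine prints."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    if word_sum(sector) != EXEC_SUM:
        return "not executable"
    branch = struct.unpack_from(">H", sector)[0]
    body = sector[CODE_OFFSET:CODE_OFFSET + len(reference)]
    if branch == BRANCH and body == reference:
        return "anti-virus"
    return "executable, unknown code"


def build_sample(code: bytes) -> bytes:
    """Constructed sector: branch word, zeroed parameter area, then `code`."""
    raw = struct.pack(">H", BRANCH) + bytes(CODE_OFFSET - 2) + code
    return set_checksum(raw.ljust(SECTOR_SIZE, b"\0"), EXEC_SUM)


if __name__ == "__main__":
    intact = build_sample(REFERENCE_CODE)
    replaced = build_sample(b"\x60\xfe" + bytes(10))  # constructed foreign code
    for name, s in (("intact", intact), ("replaced", replaced),
                    ("disabled", set_checksum(replaced, DISABLED_SUM))):
        print(f"{name:9} sum=${word_sum(s):04x} -> {classify(s)}")
```

An executable sector whose code differs from the reference is only reported as unknown, matching the program's own "Possibly a virus. Could also be entirely innocent" verdict.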
unpowell@csvax.liv.ac.uk (04/27/88)
In article <gWPck1y00WE2ATM0mK@andrew.cmu.edu>, bw0i+@andrew.cmu.edu (Bryan Wu) writes:
>
> I'm not sure it's a great idea to have an anti-virus floating around.
> If it copies itself to disks and multiplies, it's potentially as dangerous as a
> normal virus. Why not just use the boot sector checking program to check your
> boot sector if you believe there's a virus on your disk?
> I personally don't want a program scattered on my disks that I didn't
> put there myself. I'm sure many others feel the same.

There seems to have been a misunderstanding (mainly due to my lack of
explanation) about the anti virus. In no way does the anti virus stay
resident after boot up nor does it reproduce in any way. It simply runs at
boot up to inform the user that his/her disk does not have a virus on it.

The source to my program has recently been posted, for those worried that it
might be a trojan virus spreading program.

I see no reason for not using it other than intense paranoia.

Mark Powell
********************************************************************************
"...I hate the white JANET unpowell@uk.ac.liv.csvax
man, and the man UUCP {backbone}!mcvax!ukc!mupsy!liv-cs!unpowell
who turned you all ARPA unpowell%csvax.liv.ac.uk@nss.cs.ucl.ac.uk
loose..." R. Harper
********************************************************************************
klute%trillian.irb@unido.uucp (Rainer Klute) (04/29/88)
In article <961@csvax.liv.ac.uk> unpowell@csvax.liv.ac.uk writes:
> [Description of virus killer program incl. source code]
>
> Does this put your mind at ease, Rainer?

Yes, it does. Thank you

Rainer Klute

+---------------------------+------------------------------------------+
| Rainer Klute              | UUCP:   klute@unido.uucp                 |
| University of Dortmund    |         (...uunet!mcvax!unido!klute)     |
| Dept. of CS               | BITNET: klute@unido.bitnet               |
| P.O. Box 500500           |                                          |
| D-4600 Dortmund 50        |                                          |
+---------------------------+------------------------------------------+
| Federal Republic of Germany                                          |
+----------------------------------------------------------------------+