okay@tafs.mitre.org (Okay S J) (10/25/89)
I received this from Amiga-relay this morning.... From all reports, it appears that Xeno, if it is a virus, is the 1st non-boot infector virus in the Amiga community. All the others I've seen so far live in the boot sector and most Amiga anti-virals seem to only worry about the boot sector and in RAM at the time.

I'll cross-post anything I hear from either side to their respective lists.

---Steve
----------
Stephen Okay    Technical Aide, The MITRE Corporation
x6737           OKAY@TAFS.MITRE.ORG/m20836@mwvm.mitre.org

*************************CUT HERE CUT HERE*********************************
Date: 24 Oct 89 11:21:03 GMT
From: MTR780::WINS%"<ahonen@ohdake.uta.fi>" 24-OCT-1989 13:36:26.00
Subj: Xeno - Another bad virus?

From: Anssi Ahonen <ahonen@ohdake.uta.fi>
Newsgroups: comp.sys.amiga
Subject: Xeno - Another bad virus?

Does anyone have information about a virus called 'xeno'? This little beast is living on my hard disk (30 meg Supra, A500) and after many unsuccessful tries I still haven't found it.

It first showed up a few days ago when I opened the shell and tried to get a directory with the 'ls' command. The shell just gave me 'unknown command ls', and after that I noticed that the 'CD' command didn't work either. Strangely, the programs were still in the c-dir, just as usual. I loaded my favourite debugger and examined the broken cli-commands. Both programs were modified so that they only used DOS.Write to print out 'unknown command'.

The weirdest thing was yet to come! I found a strange file named '!' in the devs-directory. This file was an IFF-picture, black border, white topaz font text:

"You will never catch me, the allmighty Xeno"

So, this is probably the first virus to write iff-files on your hard disk?

I have now examined most of the programs on my hard disk with a debugger, searching for 'virus-signs', extra code hunks, xor-loops etc., but no luck.

The only facts I know are:
Xeno is not a bootblock virus.
It doesn't change reset-vectors.
I am pretty sure it is some kind of link virus (like IRQ), but much harder to beat.

*********************END FORWARDED MESSAGE***********************************