==========================================================================
SAFE HEX WARNING
Safe Hex International hlau@dou.dk
==========================================================================
18-03-95
The DMS archive named "Network90.DMS" is an AGA demo, which contains the
Commander link virus in the file C/Fileloader.
ABOUT THE COMMANDER VIRUS
-------------------------
Here you have some info about the Commander virus from the Program Virus
Info Base 1.33 made by SHI:
If you're starting a Commander-infected file, the virus first searches
for the task "DH0". If this task is in memory the virus tries to infect
the file "DH0:C/LoadWB". After that the virus patches the following
vectors from the dos.library:
- Open()
- Rename()
- Lock()
- Examine()
- ExNext()
- LoadSeg()
- SetComment()
- SetProtection()
These vectors are all used to infect other files. As one result the
Amiga gets a little slower on disk access.
The virus just infects files which don't have the letter "V" or "v" as
the first in the filename. And it only gets active if the actual drive
isn't write protected and only if there are at least 10 free blocks on it.
For infection the virus searches for Offsetjumps or BSR.l [JSR -XXX(a6)
or BSR.L XXX]. These jumps will be manipulated so that they first will
activate the virus.
The virus itself is encrypted by using dff00X. In memory you can read:
"reqtools.library reqtools 38.888"
But there is another encrypted message in the virus which says after
decrypting:
"-<( COMMANDER )>- by Bra!N BlaSTer in 1994."
All in all a very primitive virus. I can't find any special routine
which is very well coded. But this virus is tricky.
This virus description is made by Alex Dimitriadis
CHECK OUT THAT YOU DON'T SPREAD OR RUN THIS NASTY ONE.
Kind Regards
Erik Loevendahl
SAFE HEX INTERNATIONAL
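
An added example, not part of the original warning or of SHI's tools: since the description says infection works by redirecting existing JSR -XXX(a6) and BSR.L instructions, comparing those call sites between a known-clean copy of a file and a suspect copy shows whether any were altered. The function names and both sample byte strings are constructed for illustration; the opcode words are the standard 68k encodings, and the two inputs are assumed to be the same code region taken from each copy.

```python
import struct

JSR_A6 = b"\x4e\xae"  # 68000 opcode word for JSR d16(A6), a library call
BSR_L = b"\x61\xff"   # BSR with 32-bit displacement (68020 and later)

def call_sites(code: bytes) -> dict:
    """Map offset -> (mnemonic, signed displacement) for candidate call sites.

    Linear word scan, not a disassembler: data that looks like an opcode
    can match, so treat hits as candidates for comparison only.
    """
    sites, off = {}, 0
    while off + 4 <= len(code):
        op = code[off:off + 2]
        if op == JSR_A6:
            disp = struct.unpack_from(">h", code, off + 2)[0]
            # Library vectors sit at negative multiples of 6 from the base.
            if disp < 0 and disp % 6 == 0:
                sites[off] = ("JSR", disp)
                off += 4
                continue
        elif op == BSR_L and off + 6 <= len(code):
            sites[off] = ("BSR.L", struct.unpack_from(">i", code, off + 2)[0])
            off += 6
            continue
        off += 2
    return sites

def changed_sites(clean: bytes, suspect: bytes) -> list:
    """Offsets whose call instruction in the clean copy no longer matches."""
    before, after = call_sites(clean), call_sites(suspect)
    return sorted(o for o, site in before.items() if after.get(o) != site)

# Constructed sample: MOVEA.L 4.W,A6 / JSR -30(A6) / RTS
CLEAN = bytes.fromhex("2c780004" "4eaeffe2" "4e75")
# Constructed sample: same code with the call word overwritten (not real virus bytes)
ALTERED = bytes.fromhex("2c780004" "61000100" "4e75")

if __name__ == "__main__":
    for off in changed_sites(CLEAN, ALTERED):
        print(f"call site at +{off:#x} differs from the clean copy")
```

A reported offset only means the instruction there no longer matches the clean copy; it does not identify which virus, if any, made the change.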