The Archimedes Virus Reference Document - Version 1.14t (February 14, 1992)

                  1991, 1992 Tor O. Houghton and Alan Glover

As the number of people using the Archimedes range of computers has increased over the years, so has the number of viruses.

This document contains the compiled information from various virus researchers and their killers and should (hopefully) assist those who think they might be infected by a virus. It is not intented to provide a very detailed technical description (although I might sway from this once or twice! :-), but to allow the reader to understand what the virus generally does, what makes it activate and what it does upon activation. Most important, however, it should help the user with the removal!

This document is Public Domain (i.e. no profit based use, etc.). If this is distributed together with commercial software, I would like the latest version of it (whatever it does) and a mention somewhere. I *do* spend a lot of time updating this, and I don't think I am too bold in suggesting this.

Please note that this document is also available as an Impression file.

Acknowledgements (in alphabetical order):

Svlad Cjelli (Dean <who?>)
Alan Glover, Acorn Computers Ltd.
Eivind Hagen
Bjxrn Hotvedt
Richard K. Lloyd
Terje Slettebx

Archimedes, Acorn and RISC OS are registered trademarks of Acorn Computers Ltd.

This document is copyright. Profit based distribution (whether PD or Shareware) without the prior consent from the authors, is strictly illegal.

A virus is nothing magical. Anyone with a bit of programming skills and some knowledge about the machine's operating system is capable of creating a virus.

Usually these programmers think it is fun, they've read too many cyberpunk books, or they are generally pitiful creatures who like to inflict damage.

Final note: In spite of many journalist's secret wishes, a computer virus cannot spread from one type of computer to another. For example, a virus written on PC running DOS or Windows cannot infect the Archimedes - in native mode. If you are using the PC emulator, a virus functions perfectly here too.

A few definitions:

                                                  
        CONNECTIVITY    The level of ability a computer has to connect to
                        other computer. Nowadays it is very easy to, for
                        example, phone a BBS and download new software. The
                        higher lever of connectivity, the higher the level
                        of possible exposure to computer viruses (i.e. the
                        more users the greater the exposure!).

        TROJAN HORSE    This is a generic name (taken from Greek mythology)
                        for a penetration method that includes hidden code.
                        An example of this is the Link virus which, being a
                        helpful in the ways of converting backspace to
                        delete, also launches a virus into your computer
                        environment.

        VIRUS           A computer virus can be defined as a malicious
                        program capable of replicating itself. See "A
                        Computer Security Glossary for the Advanced
                        Practitioner" in the Computer Security Journal IV,
                        No. 1, 1987 for a similar description.

                        Note, however, that most (there are exceptions!!)
                        viruses on the Archimedes do no serious damage (in
                        the form of deletion/encryption/compression of
                        files/media).

        WORM            A computer program which moves through your computer
                        system, altering data as it copies itself and
                        deleting the old copy. If a worm reproduces it could
                        also be called a virus. There are no reports of
                        worms on the Archimedes, mainly because it is such
                        a closed system, and would be detected much too
                        easily to become a hazard. Networks are more exposed
                        to such nasties. Worms may carry malicious code.

New viruses (and/or documents), comments, suggestions, backstabbings, flamings etc, should be either:

a) mailed to

Tor O. Houghton
Fjellveien 4
PO Box 142
1361 Billingstad
NORWAY

or,

b) emailed to #121 on The World of Cryton (+44 749 670030 / 300-14400bps)

or,

c) emailed to Tor Houghton on Excelsior! (M)BBS (+47 2 846379 / 300-14400bps)

or,

      
d) mail me through my neighbour's internet address - bhotvedt@gollum.uio.no

or to reach Alan Glover you will have to send:

e) email to Alan Glover at aglover@acorn.co.uk

or,

f) snail mail to

Alan Glover (Virus)
Acorn Computers Ltd.
Fulbourn Road
Cherry Hinton
Cambridge
CB1 4JN
United Kingdom

or,

g) emailed to #6 on The World of Cryton (+44 (0)749 670030 / 300-14400bps)

or,

h) emailed to #244 on Arcade (+44 (0)81 654 2212/655 4412 / 300-9600bps)

or,

f) by FidoNet netmail to 'alan glover' at 2:253/174.

Virus detection utilities referred to in this document:

                                             
        Hunter          : ) Michel Fasen                           (1.13) *
        Interferon      : ) Tor O. Houghton                        (2.08)
        IVSearch        : <somebody> - No name present!            (2.05)   #
        Killer          : ) Alan Glover (Pineapple Software Ltd.)  (1.27)
        Scanner         : ) Tor O. Houghton                        (1.16)
        VirusKill       : ) Terje Sletteboe                        (1.00)
        VKiller        ible number of filer windows possible. Ovvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvooooooooooooooooooooooooooooooooooooooooosssssssssssssssssssssssssssssssssssssssssssssssssssssyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy i
f you keep?        your copy of the viruskiller on a write-protected floppy this is 
        quite easy! Remember to check removable discs too!

Please note that resets and/or error which occur are usually the results of bad programming, and is therefore not considered as malicious. (It merely depicts the programmer's skills - he should have stuck to LOGO.)

Viruses not included yet (missing documentation):

             
        Name            Aliases
         
        <none>

Virus name              : Archie
Aliases                 : FF8
Origin                  : United Kingdom
Isolation date          : 1988 
Effective length        : 920 bytes
Virus type              : Resident Absolute (FF8) file infector.
Symptoms                : May cause "Address exception" or "Undefined 
                          instruction" errors. Absolute files will grow in 
                          length.

Detection methods        
          Media         : Killer 1.17+, VKiller 2.00+, Scanner 1.02+
          Memory        : Interferon 2.00+, Killer 1.17+, VKiller 2.00+

Removal instructions

          Media         : Killer 1.17+
          Memory        : Killer 1.17+, VKiller 2.00+

General comments

This is a piece of ARM code that is appended to executables with the Absolute (&FF8) filetype. It is 920 (&398) bytes long and has a tell-tale 4-character string at the end of its code, "1210", which is used as an "already-infected" flag. The first instruction of the original executable is saved near the end of the virus code space and is replaced by a branch to the first instruction of the ArchieVirus code.

What Archievirus does when first run:

Attempts to infect executables (Absolute filetype) with the filespecs "@.*" and "%.*". In other words, all executables in the current and library directory are attacked.
Uses OS_File 36 as a "semaphore" to see if it is lodged in RMA. If a call to OS_File 36 returns with an error, then it hasn't infected the RMA yet, so it proceeds to claim 920 bytes of RMA, copy itself into there and points a claim of the OS_File vector to its new RMA location.
The time is checked to see if it is the 13th of the month. If so, the code loops indefinitely, displaying the 45-character message: Hehe...ArchieVirus strikes again...
(In the virus, this message is EORed with &64, and is therefore not easy to spot.)
4. Assuming it wasn't the 13th of the month (and NO, it doesn't check for a Friday!), then the original first instruction of the executable is replaced and the original normal code continues from &8000 onwards.
The OS_File vector claim is quite important, because this serves two purposes:
a. It allows OS_File 36 to return without an error, signalling that the RMA is already infected.
b. It checks for OS_Files 0 and 10 (Save memory to file), 11 (create empty file) and 12,14,16 and 255 (Load file). If any of these are encountered then an infection attack is activated (see step 1 above).
(Source: Richard K. Lloyd)
```
Virus name              : CeBIT
Aliases                 : Lord of Darkness, TlodMod
Origin                  : Germany
Isolation date          : March 1991
Effective length        : 1240 bytes
Virus type              : Resident !Boot file infector, stores code as
                          separate file.
Symptoms                : File "TlodMod" in application directories.
```
```
Detection methods        
          Media         : Killer 1.17+, VKiller 2.10+, VProtect 1.06+
          Memory        : Interferon 2.00+, Killer 1.17+, VKiller 2.10+
```
Removal instructions
```
          Media         : Killer 1.17+, VKiller 2.10+, delete named file,
                          remove last line from !Boot.
          Memory        : Killer 1.17+, VKiller 2.10+
```
General comments
This is a module called "TlodMod" with the following title string:
TlodMod 1.11 (11 Nov 1990) by Devil the LORD OF DARKNESS
It is 1240 (&4D8) bytes long and hooks itself into UpCallV. It then activates once a minute and first checks for the existence of <Obey$Dir>.TlodMod. If this already exists, then no further action is taken. If it doesn't, however, it then attempts to append the following line to <Obey$Dir>.!Boot:
rme. TlodMod 0 rml. <Obey$Dir>.TlodMod
If it succeeds at this, a counter is incremented and the module is replicated as <Obey$Dir>.TlodMod. Every 16th successful infection will trip the virus into issuing a "*Wipe $.path.file*" (which will inevitably fail!) and then displaying a message accompanied by a simple graphic.
The message displayed is:
```
                      This is a warning to all Users,
                      I am back on the Archimedes ...
```
```
                      Your Archie is infected now and
                      with him most of your programms.
```
```
                      Don't worry, nothing is damaged,
                      but keep in mind the protection!
```
```
                      And always think about the other
                      side of THE LORD OF DARKNESS ...
```
```
                        Virus generation is <count>
```
(Source: Richard K. Lloyd)
```
Virus name              : Extend
Aliases                 : 
Origin                  : United Kingdom
Isolation date          : October 1990
Effective length        : 940 bytes
Virus type              : Resident Task. Stores code as separate file.
Symptoms                : File "MonitorRM", "CheckMod", "ExtendRM", 
                          "OSextend", "ColourRM", "Fastmod", "CodeRM" or
                          "MemRM" in application directory. Each time the
                          code is executed it grabs 1k of RMA - this will
                          eventually lead to a system crash.
```
```
Detecti          there is
```
a "!Spr" file, delete !Run a
```
nd eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee?                          "!Spr to !Run - otherwise delete !Boot&          Memory        : Killer 1.26+delete the file, only to see it instantly re-appear again if it is in memory!
```
It loads in OS workspace, at &5500, it is therefore liable to crash the machine should the OS use that area of workspace.
```
                               
```
The !Run or !Boot file looks like this:
LOAD <OBEY$DIR>.IMAGE 5500[0d]GO 5500[0d]
It's action on infection is to save <Obey$Dir>.Image, and then either to create a !Boot file if one does not exist, or if it does, rename the !Run file to !Spr and then create a new !Run file.
(Sources: Alan Glover, Svlad Cjelli)
```
Virus name              : Link
Aliases                 : 
Origin                  : United Kingdom
Isolation date          : January 10, 1992
Effective length        : 1416 bytes
Virus type              : Resident Absolute file infector. A Trojan Horse.
Symptoms                : Module 'BSToDel' in module list.
```
```
Detection methods        
          Media         : Killer 1.27+, Scanner 1.03+
          Memory        : Killer 1.27+
```
Removal instructions
```
          Media         : Killer 1.27+, Scanner 1.06+
          Memory        : Killer 1.27+
```
General comments
The reason why I found the Link virus was because of the module "BSToDel" appearing in the module list. As I already have made my own "backspace to delete" utility as a module, I wondered where that module came from! (It certainly wasn't as a separate module on the disc.)
As far as I can tell, here's what the virus does:
Before installing itself as a module, it infects %.Squeeze (if there is a library directory, and if Squeeze is indeed in it) - just in case there wasn't enough room in the RMA. Then it hooks onto the FSControlV and InsV vectors. The latter so that it can do what the module title expects it to do: convert backspace (&08) to delete (&7F) (the reason why I also typed it
as a Trojan Horse).
The FSControl vector is used so that it can look for certain actions - namely *Run and *Copy. When it detects one of these, it does the following:
Replaces the first three instructions in the file with its own, making an absolute branch to the end of the file. The rest of the module is then stored here, with the original three instructions too. To make detection a bit more difficult, it encrypts itself with an EOR variant (different key each time).
On any Friday the 13th, it will display the message
```
        Message from LINK: Active since 30-Nov-91
```
every time it infects a program. [As Alan pointed out, this date is fixed, so meaning that it bears no releationship to the time which a system became infected.]
```
The virus does in                  : United Kingdom*Isolation dttttttttttttttttttttttttttttttttt                                             : June-August 1991#Effeciiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiieeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeelength        : 900 Bytes7Virus yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee             : Resident !Boot fieeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeinfector.=Symptoms               : Module 'NetManager' in modulelist.          Memory        : Interferon 2.00+, Killer 1.17+
```
Removal instructions
```
          Media         : Killer 1.17+, delete !Boot. 
          Memory        : Killer 1.17+, RMKill NetManager.
```
General comments
I (Alan Glover, Acorn) believe this to be the prototype for, or maybe the inspiration for, the TrapHandler virus. Although the coding is quite different in places, there's quite a similarity in the design.
There are a number of coding errors in this, most notably around the time bomb area, making it harmless in this form. The intention of the code is to check for Friday 13th, and display a message, however it will never detonate (... unless there's a fixed version in circulation ... though that's what I believe TrapHandler is).
It's fortunate that it never displays the message, because there's another coding error and the message isn't actually there!
(Source: Alan Glover)
```
Virus name              : NetStatus
Aliases                 : Boot
Origin                  : Either Norway or Belgium.
Isolation date          : October 1991
Effective length        : 2072 bytes
Virus type              : Resident !Boot file infector. 
Symptoms                : !Boot filelength increase.
```
```
Detection methods        
          Media         : Killer 1.27+, Scanner 1.02+, VirusKill 1.00+,
                          VProtect 1.10+
          Memory        : Interferon 1.10+, Killer 1.27+
```
Removal instructions
```
          Media         : Killer 1.27+, Scanner 1.02+, VirusKill 1.00+
          Memory        : Interferon 1.10+, Killer 1.27+, RMKill NetStatus.
```
General comments
NetStatus is written as a module, and in many ways it functions exactly the same way as the TrapHandler virus, as it saves all of its code in an application's !Boot file. It differs strongly from TrapHandler, however, as it does not overwrite the !Boot file. The original !Boot instructions are executed after the virus has been loaded, making it more difficult to spot than TrapHandler.
Some times a message will appear (the screen goes black first):
```
                   
```
[This message is encrypted, and will neither show up in memory nor in the infected !Boot file.]
```
        Hello, there.
        Just a little message.
        The infection count is: <infection count>
        This program is harmless
        10 Jun 1991
```
And disassembly proves the program right - it does not do anything harmful.
One might think that NetStatus should be placed as a 'variant' of TrapHandler, as the way the two viruses work are so similar (both viruses work by loading the !Boot file into memory below &8000 and then jumping to the code). However, seeing that the code itself was so different, I chose to let it have it's own entry. Also, NetStatus infects the !Boot file instead of overwriting it!
If you think you might have been infected by this virus, do *Help NetStatus to see if it is version 2.00, and if it is, do a *Modules to check where it resides. If the address is 018xxxxx then you are infected, if not, the address should be 038xxxxx.
This virus has the potential to cause chaos on Econet (tm) networks, where it will replace the real NetStatus module - causing anything that relies on it to fail.
```
Virus name              : Parasite
Aliases                 : 
Origin                  : UK, Cheshire ?
Isolation date          : February 1992
Effective length        : 6435 (strain 1), 7252 (strain 2)
Virus type              : Resident !Boot/!Run file infector, stores code as
                          separate file.
Symptoms                : Additional modules appearing within applications
```
Detection methods
```
          Media         : Killer 1.27+, VProtect 1.12+
          Memory        : Killer 1.27+
```
Removal Instructions
```
          Media         : Killer 1.27+
          Memory        : Killer 1.27+
```
General comments
This is a **very** nasty virus. Handle any infections with care!
The two strains are identical, except that the first always uses the same name for it's module, and the second has a random choice of 20 (twenty) filenames.
It will only activate on machines whose network station number is <80 - which will include non-networked machines, which typically have 0 or 1 in the CMOS.
Do NOT try to RMKill the module - a delayed action machine crash will result.
It will *wipe any of the following file/directory names - !vkiller, vir, shield, prot and !guardian - this points at a UK origin since it is not aware of !Scanner.
It has a whole repertoire of dirty tricks, which are time triggered:
- Corruption of the net printer name (it uses this as workspace)
- Midnight, and xx:13: crash the computer
- Before 07:00: crash the computer 300-900 seconds later
- 00:00 to 00:59 on 1st Jan: crash the he start of memory.
  - 1 out of 13 chances: Randomise the 240 bytes of CMOS.
  - 4 out of 13 chances: Randomly display one of 8 very rude messages - one of which also changes the mouse pointer shape to a rude graphic and another will also shutdown an icon bar application (the same routine as above).
  - 1 out of 13 chances: Wipe the contents of <Obey$Dir>.
It also has a "special date" section as follows:
Any Friday 13th: Advertises its own "virus killer" (from Armen Software).
April 1st: 10 Address exception errors, followed by coloured rectangles and a 'stuck' mouse pointer for 10 seconds. An "April Fool" message is then displayed.
December 25th: Destroys the disk map of ADFS drives 0, 4 and 5 followed by a "Merry Chrimble" message.
October 31st: Formats the floppy in drive 0, followed by a "Spooky" message.
January 1st: As December 25th, but followed by a New Year's Resolution message (to keep your disks write-protected :-( ).
[Trying to kill it from the Desktop does *not* work, however VKiller and Killer can remove it from memory. Also, Thanatos will not initialise if Sys$Path is defined - which is useful for keeping it out of memory if an infection is discovered.]
(Source: Richard K. Lloyd, Alan Glover)
```
Virus name              : TrapHandler
Aliases                 : 
Origin                  : United Kingdom
Isolation date          : September, 1991
Effective length        : 924 bytes
Virus type              : Resident !Boot file infector. Overwrites original
                          !Boot file completely (or creates a new one if it
                          doesn't find one) and stores own code here.
Symptoms                : Applications which depend on a !Boot file fail to
                          run (i.e. if the !System !Boot file was 
                          overwritten, !Edit would fail to run due to the
                          fact that the !System folder hasn't been seen.
                          The same applies if the !Boot file in the !Fonts
                          directory is overwritten. The module 'TrapHandler'
                          is present in the module list.
```
Detection method
```
          Media         : Killer 1.17+, Scanner 1.03+, VProtect 1.10+
          Memory        : Interferon 2.00+, Killer 1.17+
Removal instructions    
          Media         : Killer 1.17+, Scanner 1.03+, delete !Boot file. 
          Memory        : Killer 1.17+, RMKill TrapHandler.
```
General comments
The TrapHandler virus is written as a module which infects application directories by overwriting the !Boot file with its own code. By hooking onto the FSControl vector, it looks for a *Run action, and on finding one (eg. the user opens a directory with applications, and if any of these contain a !Boot file (which RISC OS automatically executes)), TrapHandler overwrites the application's !Boot file with its own code.
This code is loaded into memory by using a simple
```
        *LOAD <Obey$Dir>.!Boot <address>
```
and then executing the code from there using a *GO <address> command.
On any Friday after the 20th of any month it will open a regular message box (i.e. using Wimp_ReportError) with the number of infections in the header, and an 'Ignorance will be your undoing.' This message is rather misleading, as the only destructive thing it does is overwrite your !Boot files (although it could - as all viruses can - be modified to do much nastier things). I might sound a bit trivial here - if your $.!Boot on the harddisc was overwritten, you might be a bit more than annoyed. However, as this !Boot file only gets run when you reset your machine, it is not very likely to get infected by this virus.
```
Virus name              : Vigay virus
Aliases                 : DataDQM, Shakes
Origin                  : United Kingdom
Isolation date          : Probably April 1991.
Effective length        : 2311 or 2432 bytes
Virus type              : Task. Stores code in separate file.
Symptoms                : File "DataDQM" in application directories. The 
                          Task "TaskManager" in the Task Manager window.
Detection method        
          Media         : Killer 1.17+, VKiller 2.20+, VProtect 1.10+
          Memory        : Killer 1.17+, VKiller 2.20+
Removal instructions    
          Media         : Killer 1.17+, VKiller 2.20+, delete !Boot and file.
          Memory        : Killer 1.17+, VKiller 2.20+
```
General comments
This is a 2311-byte BASIC program called "datadqm" with an associated 97-byte !Boot file. The REMs at the start of the program are as follows:
REM (C)1989 PAUL VIGAY
REM
REM A nasty little Archie Virus !!
REM ... or is something up with your monitor ??? REM
REM version 1.1a (24th October 1989)
Hence you now know why it's called the "Vigay Virus" - the author's name appears as a comment at the start!
When first run, it initialises as an application task called "TaskManager" [unlike the real "Task Manager" wich is a module task] and then waits for either:
1. a chance of (500 * hours left of a Thursday) to 1 to crop up to spark off a silly "wobble" demo (wobbles the screen and mouse pointer). Yes, this demo only appears on a Thursday and more frequently as the day wears on. or:
  2) a file/directory double-click, in which case it attempts to replicate itself to the first application directory at that level that doesn't already have either an !Boot or a datadqm file.
  (Source: Richard K. Lloyd)
  [Apparently there are several versions existing (but apparently not circulating), some activating on Fridays, others on Friday the 13th. There are also version compiled with the Archimedes Basic Compiler by Dabbs Press.]
  NOTE: This document is mainly distributed along with the utilities Scanner
  and Killer, although updates will appear separately if no new versions
  of these two utilities is released.
  --
  - The Poly Of Central London -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= >User : Ching Liu ////// // // ////// // ////// // // <
    >email : uneec@sun.pcl.ac.uk // // // // // // // // // // // <
    >**This Space For Rent** ////// ////// // ////// // // //////// <
    =-=-=-=-=- Going - Horizontal +++ Vertical +++ Digital +++ Mental =-=-=-=-=-=