- AKIMO-Virus      File  Link
         Installer: unknown
         Versions tested: none
         Reason for the name: see below
         Vectors changed: none
         Affected Process: audio.device,a0
           (a0=invisible in the end, so that the original audio.device
           is not touched)
         Survives reset: No
         File lengthened by: 1424 Bytes
         Link is first Hunk.
         VT attempts to remove the process from memory.
         VT attempts to remove the link-virus from the file.

         The link-virus reads: 
            732e6c69 62726172 79006175 64696f2e s.library.audio.
            64657669 6365a000 6466303a 63004c6f device..df0:c.Lo
                         ^^   ^^^^^^
            61645742 00446972 00547970 65004d6f adWB.Dir.Type.Mo
            756e7400 0000496e 7374616c 6c005365 unt...Install.Se
            74436c6f 636b0045 6e64436c 69004c69 tClock.EndCli.Li
            7374004d 616b6564 69720000 00000064 st.Makedir.....d
         Method of staying in memory:
         Its own process which is run every 90 seconds.

           - Medium valid
           - File executable ($3F3)
           - No Hunk_Name  (4(File) must be 0)
           - No Hunk_Overlay ($c(File) must be 0)
           - No Hunk_Reloc (has no routine for changing numbers)
           - File is not yet contaminated (Test on $160)
           - Devices affected:
             df0 is changed in a loop to df3-df0 and dh3-dh0 (see above).
           - Files affected: loadWB, etc. See above.
             After 90 seconds, the next file and/or device is looked up.
             These accesses should be noticeable.
             Since the files mentioned above have Reloc Hunks in some WB
             versions, they cannot be contaminated (tested on WB1.1 - WB3.1)
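
         Added example (not part of the original description or of VT): a Python check that walks an Amiga hunk load file, looks for the "audio.device" + $a0 marker from the dump in the first hunk, and reports whether the file meets the header and Reloc conditions listed above. The function name and result keys are assumptions; the test on $160 and the "medium valid" condition are not covered because the description gives no values for them, and only CODE, DATA, BSS, RELOC32 and END hunks are walked.

```python
import struct

HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_END, HUNK_HEADER = 0x3EC, 0x3F2, 0x3F3
# Marker taken from the dump above: process name plus the $a0 byte.
# The device string after it is left out because it is changed in a loop.
MARKER = b"audio.device\xa0\x00"

def _long(data, off):
    return struct.unpack_from(">I", data, off)[0]

def scan_hunk_file(data):
    """Report the AKIMO marker and the listed link conditions for a load file."""
    result = {"executable": False, "marker_in_first_hunk": False,
              "has_reloc": False, "meets_link_conditions": False}
    if len(data) < 0x14 or _long(data, 0) != HUNK_HEADER:
        return result
    result["executable"] = True
    if _long(data, 4) != 0:          # 4(File) must be 0
        return result
    first, last = _long(data, 0xC), _long(data, 0x10)
    off = 0x14 + 4 * (last - first + 1)   # skip the hunk size table
    seen_first = False
    try:
        while off + 4 <= len(data):
            kind = _long(data, off) & 0x3FFFFFFF
            off += 4
            if kind in (HUNK_CODE, HUNK_DATA):
                size = 4 * (_long(data, off) & 0x3FFFFFFF)
                if not seen_first:   # the link is the first hunk
                    result["marker_in_first_hunk"] = MARKER in data[off + 4:off + 4 + size]
                off += 4 + size
            elif kind == HUNK_BSS:
                off += 4
            elif kind == HUNK_RELOC32:
                result["has_reloc"] = True
                while (n := _long(data, off)) != 0:
                    off += 8 + 4 * n   # count, target hunk, n offsets
                off += 4
            elif kind != HUNK_END:
                break                # hunk type not handled in this example
            seen_first = True
    except struct.error:
        pass                         # truncated file: keep what was found so far
    # $c(File) must be 0 and no Reloc hunk may be present
    result["meets_link_conditions"] = first == 0 and not result["has_reloc"]
    return result
```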

         As soon as the value of $96 is reached, the mouse pointer is made

   Translated to English by Antonio Remedios  2001 VHT-Denmark
   Org. Test by Heiner Schneegold.
