        Commander Linkvirus:
        --------------------

        KS 3.1: yes MC68040: yes
        KS 1.3: yes


        - increases file length by 1664 bytes
        - Patched vectors:

         DosOpen(), DosRename(), DosLock(), DosExamine(), DosExNext(),
         DosLoadSeg(), DosSetcomment(), DosSetProt()

        No reset vectors are changed by this virus!

        First appearance of this virus: Scandinavia
        The virus seems to be widespread in the Scandinavian countries.
        I have heard several reports from Sweden and Denmark.

        Approximately 1 month after the first appearance in Denmark, the
        virus reached Germany and Switzerland, too.

        This virus works in a similar way to the Dark Avenger viruses. It
        looks for a special longword in the first hunk and replaces it
        with a "JSR" command into its own code. Its own code is placed
        at the end of the first hunk. The code is encrypted with a simple
        EOR loop, which depends on the raster beam.

        The searched longword is a BSR or a JSR command and will be
        recalculated in the virus. VirusWorkshop is able to repair
        everything that was patched. Special thanks at this point to Ingo
        Schmidt, who really helped me a lot...

        @{b}BSR.B commands are not touched.@{ub}
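
        A triage check built from the facts above (a 4-byte call in the
        first hunk redirected into code appended at the end of that hunk,
        1664 bytes of growth), as an added example that is not part of the
        original text or of VirusWorkshop. It assumes the standard AmigaDOS
        hunk layout and that the redirected call is a PC-relative BSR.W or
        JSR d16(PC), which the text does not specify; first_code_hunk,
        suspicious_calls, build_sample and both samples are constructed
        for illustration.

```python
import struct

# Assumed (not stated on the page): the redirected call is BSR.W or JSR d16(PC).
HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
GROWTH = 1664  # file growth stated in the description
CALLS = {0x6100: "BSR.W", 0x4EBA: "JSR d16(PC)"}  # 4-byte call forms only

def first_code_hunk(data):
    """Return the body of the first hunk of an AmigaDOS load file."""
    def long_at(off):
        return struct.unpack_from(">I", data, off)[0]
    if len(data) < 4 or long_at(0) != HUNK_HEADER:
        raise ValueError("not an AmigaDOS hunk executable")
    off = 4
    while long_at(off):  # skip resident library names (normally none)
        off += 4 + 4 * long_at(off)
    first, last = long_at(off + 8), long_at(off + 12)
    off += 16 + 4 * (last - first + 1)  # past terminator, table size, range, sizes
    if long_at(off) & 0x3FFFFFFF != HUNK_CODE:
        raise ValueError("first hunk is not HUNK_CODE")
    size = 4 * (long_at(off + 4) & 0x3FFFFFFF)
    if off + 8 + size > len(data):
        raise ValueError("truncated first hunk")
    return data[off + 8 : off + 8 + size]

def suspicious_calls(hunk):
    """List (offset, mnemonic, target) of 4-byte calls landing in the last GROWTH bytes."""
    tail_start = len(hunk) - GROWTH
    hits = []
    for off in range(0, max(tail_start - 2, 0), 2):  # head only; the tail is not decoded
        opcode, disp = struct.unpack_from(">Hh", hunk, off)
        target = off + 2 + disp  # displacement is relative to the extension word
        if opcode in CALLS and tail_start <= target < len(hunk):
            hits.append((off, CALLS[opcode], target))
    return hits

def build_sample(code):
    """Wrap constructed code bytes (length a multiple of 4) in a one-hunk load file."""
    n = len(code) // 4
    header = struct.pack(">8I", HUNK_HEADER, 0, 1, 0, 0, n, HUNK_CODE, n)
    return header + code + struct.pack(">I", HUNK_END)

# Constructed samples: 16 bytes of code plus 1664 filler bytes; no real program or virus data.
REDIRECTED = build_sample(bytes.fromhex("4e714e714eba000a4e754e714e714e71") + b"\xa5" * GROWTH)
ORDINARY = build_sample(bytes.fromhex("610000064e714e714e754e714e714e71") + b"\x4e\x71" * (GROWTH // 2))

if __name__ == "__main__":
    for name, sample in (("redirected", REDIRECTED), ("ordinary", ORDINARY)):
        print(name, suspicious_calls(first_code_hunk(sample)))
```

        A hit is only a reason to look closer: ordinary programs also call
        routines near the end of their first hunk, and the word-by-word
        scan can match data words.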

        Special: It looks for the task "DH0". If this task exists, it
        tries to infect the file "dh0:c/loadwb". The virus infects all
        files that are accessed through the patched functions. Any DOS
        protection will be removed by the infected files.

        The patch routine is quite complex (or complicated, in other
        words).

        Some routines of this virus are quite similar to the Commander
        bomb on PC. I got this hint from one of the members of the VTC
        in Hamburg.

        The following texts are doubly encrypted and can be found at the
        end of the virus:

        '-<( COMMANDER )>- by Bra!N BlaSTer in 1994'
        'DH0:C/LoadWB'
        'DH0'
        'dos.library'
        'reqtools.library reqtools 38.888' (don't know what this is)





                                Detection tested 03.10.1994.
                                (Memory removal and file removal)


        Comment 4.1.1995: Only VT, VZ and VW (of the big virus killers)
        remove the Commander virus correctly. Another English-speaking
        virus killer (last update 31.12.1994) is not able to repair all
        the infected files.

        Another Commander virus killer has appeared, which carries the
        whole virus!

        Comment 03.10.1994: Another special Commander virus killer
        already exists, but this virus killer is not able to
        recalculate the JSR commands! (1.4 is the current version of
        this special tool)

        Comment 19.10.1994: The repair routine was a little bit
        buggy under special circumstances. Now fixed. Sorry.

        Comment 24.11.1994: After a SHI member from DK wrote about
        the real Commander virus installer, I got it 2 two later from
        Jan Andersen (former SHI TEAM DK). This is the intro from
        RAGE and APEX. The original file is 64924 bytes long (I got
        it in Germany). The "installer" is 71800 bytes long and
        contains some additional CLI text routines, which hide the
        virus. This is in my opinion NEVER the original installer,
        but VW 4.4 and higher will recognize it....

        Comment 01.12.1994: A new installer appeared some days ago. This time
        it is (again) a production from Duplo (like dpl-de99, which I urgently
        need!).
        This time it is a two-disk AGA demo titled My mamy is a vampire. The
        virus can be found in the first file on disk 1, called Vampire.exe.
        The virus is included in the file and I don't know how it was fiddled
        into the demo. Maybe some of the Duplo programmers can tell me?

        The infector is 875778 bytes long, packed, and some kind of OS enhancer
        was added before....

        
        Test by Markus Schmall
