IRQ I & II Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM




     ------------------------
     Amiga Virus Encyclopedia
     IRQ I & II Virus
     ------------------------
  
           
     Name         : IRQ 1 + 2

     Aliases      : No Aliases

     Clone        : No Clones

     Type/size    : Link/1060 

     Symptoms     : The actual window title will be changed.

     Discovered   : 19 october 1992

     Way to infect: Link infection

     Rating       : Less Dangerous

     Kickstarts   : 1.2
                    1.3

     Damage       : Files can be defective (after infection). 

     Removal      : Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                    Kickstart all others: VirusZ III v1.04ß or higher, and also Xvs.library v33.47 or higher

     Comments     : The IRQ-Virus uses the Kick-Vectors to stay resident
                    in memory.  If you are starting a infected programm,
                    the virus decodes a text and the string:
                    "dos.library.s:/startup-sequence".
                    
                    A infected  program will be increased by 1060 bytes.
                    The virus patches the OldOpenLibrary-Vector from the
                    exec.library.

                    When  you are booting  with an unprotected disk, the
                    virus tries to open  the actual startup-sequence. If
                    it exists,  the virus infects  the first file in the
                    startup-seq.

                    Sometimes  (depending of $dff005)  the  virus change
                    the title of to actual window in:

                    AmigaDOS presents: a new virus by the IRQ-TeamV41.0
 
                    A file can`t be infected two times because the virus
                    searches for a hex-code:

                    CMP.L      #FFFE6100,$1E(A4,D6.L)

                    It exists another IRQ-variant (=IRQ2)  which infects 
                    the  first  file  in  the  startup-sequence till the
                    current disk is full !!
                    That means no check for infected files.

     Test made by : Safe Hex International
     

     


Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk