------------------------
Amiga Virus Encyclopedia
Akimo File Virus
------------------------
- AKIMO-Virus File Link
Installer: unknown
Versions tested: none
Reason for the name: see below
Vectors changed: none
Affected Process: audio.device,a0
(a0=invisible in the end, so that the original audio.device
is not touched)
Survives reset: No
File lengthened by: 1424 Bytes
Link is first Hunk.
VT attempts to remove the process from memory.
VT attempts to remove the link-virus from the file.
The link-virus reads:
732e6c69 62726172 79006175 64696f2e s.library.audio.
64657669 6365a000 6466303a 63004c6f device..df0:c.Lo
^^ ^^^^^^
61645742 00446972 00547970 65004d6f adWB.Dir.Type.Mo
756e7400 0000496e 7374616c 6c005365 unt...Install.Se
74436c6f 636b0045 6e64436c 69004c69 tClock.EndCli.Li
7374004d 616b6564 69720000 00000064 st.Makedir.....d
Method of staying in memory:
Its own process which is run every 90 seconds.
Conditions:
- Medium valid
- File executable ($3F3)
- No Hunk_Name (4(File) must be 0)
- No Hunk_Overlay ($c(File) must be 0)
- No Hunk_Reloc (has no routine for changing numbers)
- File is not yet contaminated (Test on $160)
- Devices affected:
df0 is renamed as df3-df0 and dh3-dh0 in a loop (see above).
- Files affected: loadWB, etc. See above.
After 90 seconds, the next file and/or device is looked up.
These accesses must be noticeable.
Since the files mentioned above have Reloc Hunks in some WB
versions, they cannot be contaminated (tested on WB1.1 - WB3.1)
As soon as the value of $96 is reached, the mouse pointer is made
into:
AKIMO
OF
MAGIC
Removal : Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III with Xvs.library installed
--------------------------------------------------------------
Translated to English by Antonio Remedios © 2001 VHT-Denmark
Org. Test by Heiner Schneegold.
--------------------------------------------------------------
| ☣ |
Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk |
☣ |
| |
