Christmas Violator Link Virus - Amiga Virus Encyclopedia
VIRUS HELP TEAM Amiga Antivirus Website www.vht-dk.dk
-----------------------------
Amiga Virus Encyclopedia
Christmas Violator Link Virus
-----------------------------
Name : Christmas Violator
Aliases : Violator
Type : Link
Size : 1044 bytes
Clones : No Clones
Symptoms : The infected file becomes 1056 bytes longer. The virus
adds a hunk to the infected file. The virus does only
work, if you have Ranger memory from $C00000-$C80000
because the virus uses direct memory adresses in this
range and at the end of the first 512 kbyte chip memory.
Discovered : -
Way to infect: Link infection
Rating : Very Dangerous
Kickstarts : 1.3 with RANGER RAM -> $C00000
Damage : Damages ALL infected files because of many bugs.
Removal : Delete infected file or use good viruskiller.
Comments : The Christmas Violator copies itself in two parts to
different memory-addresses:
1st Part $7E000 = Initial Part (Cool, OldOpenLib...)
2nd Part $7FB84 = Part with Link routines
The virus patches the OldOpenLib()-Vector to infect
files. Furthermore the virus changes the CoolCapture
Vector to stay resident in memory.
If now the OldOpenVector is used the virus scans the
Root of the actual disk for executable files. This
file will be infected till the disk is full. (No check
for "already-ifected")
In the file you can read:
">>> Christmas Violator by the Dream Team"
"- (HE HE) <<< Have a nice day..."
This text is crypted and cannot be read in the file.
But a text which isn`t crypted can be read:
"Generation: XXX"
Antivirus : Kickstart 1.2 & 1.3..... : VT-Schutz
Kickstart 2.0 and higher : VirusZ III, with the new Xvs.library installed
Test made by : Markus Schmall & Safe Hex International
