Christmas Link Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM
 


    ------------------------
    Amiga Virus Encyclopedia    
    Christmas Link Virus
    ------------------------

 
    Christmas Linkvirus:
    Other name: Chraistmas Violater
 
    The infected file becomes 1056 bytes longer.  The virus adds a hunk
    to the infected file.  The virus does only work, if you have Ranger
    memory  from  $C00000-$C80000  because the virus uses direct memory
    adresses  in  this range and at the end of the first 512 kbyte chip
    memory.

    Example:

    cmpi.l        #$0007E07A,$00C002A4.L        ; 2 Direct memory adresses
                                                ; in one assembler command
    beq.b         L_2
      nop
      lea         L_8C(pc),a0
      lea         $0007FB84.L,a2
    move.w        #$0400,d0
     .loop        move.b        (a0)+,(a2)+     ; The CopyLoop
      dbra        d0,.loop
    move.l        #$0000633A,$0007FE80.L
       L_2:


    The only  visible  text  in  the virus is:  > Generation:  0000 < .
    Other textparts are not visible.

               DC.B        'Nu > Generation: 008 <',0


    The  repair routine was only tested with one file because I did not
    succeed  in  spreading the virus on my test disks.  Does anyone has
    an  infected file which is longer then 2000 bytes?  I need now your
    help/support.

    Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
             Kickstart all others: VirusZ III with Xvs.library installed


                       Detection and Repairroutine tested on 01.01.1993

    Test by Markus Schmall
Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk