------------------------
Amiga Virus Encyclopedia
Commander Link Virus
------------------------
Commander Linkvirus:
KS 3.1: yes MC68040: yes
KS 1.3: yes
- increases filelength by 1664 bytes
- Patched vectors:
DosOpen(), DosRename(), DosLock(), DosExamine(), DosExNext(),
DosLoadSeg(), DosSetcomment(), DosSetProt()
No reset vectors are changed by this virus!
First appearance of this virus: Scandinavia
The virus seems to be widespread in the Scandinavian countries.
I have heard several reports from Sweden and Denmark.
Approximately one month after the first appearance in Denmark the
virus reached Germany and Switzerland, too.
This virus works in a similar way to the 'Dark Avenger viruses'. It
looks for a special longword in the first hunk and replaces it with a
"JSR" command into its own code. Its own code is placed at the end
of the first hunk. The code is encrypted with a simple EOR loop,
which depends on the raster beam.
The searched longword is a BSR or a JSR command and is recalculated
in the virus. VirusWorkshop is able to repair all the patched
things. Special thanks at this point to Ingo Schmidt, who really
helped me a lot...
The BSR.B commands will not be touched.
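The growth described above (1664 bytes, appended to the first hunk) can be
checked against a known-clean copy of a program. This is an added example,
not part of the original entry or of any viruskiller named here; the function
names and sample files are constructed, and it assumes the whole growth lands
in the first hunk.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2  # AmigaDOS hunk ids
GROWTH = 1664  # bytes added per infected file, as stated in this entry


def first_hunk_size(data: bytes) -> int:
    """Byte size of the first hunk, read from the HUNK_HEADER size table."""
    try:
        if struct.unpack_from(">I", data, 0)[0] != HUNK_HEADER:
            raise ValueError("not an AmigaDOS load file")
        pos = 4
        while True:  # resident library names, ended by a zero longword
            (name_longs,) = struct.unpack_from(">I", data, pos)
            pos += 4 + name_longs * 4
            if name_longs == 0:
                break
        _table, first, last, size = struct.unpack_from(">IIII", data, pos)
    except struct.error:
        raise ValueError("truncated hunk header") from None
    if last < first:
        raise ValueError("inconsistent hunk range")
    return (size & 0x3FFFFFFF) * 4  # top two bits are memory-type flags


def compare_to_baseline(baseline: bytes, current: bytes) -> str:
    """Classify a file against a known-clean copy of the same program."""
    if current == baseline:
        return "unchanged"
    file_delta = len(current) - len(baseline)
    hunk_delta = first_hunk_size(current) - first_hunk_size(baseline)
    # Assumption: the whole growth lands in the first hunk, since the entry
    # says the virus code is placed at the end of that hunk.
    if file_delta == GROWTH and hunk_delta == GROWTH:
        return "suspicious"
    return "modified"


def make_exe(code: bytes) -> bytes:
    """Constructed one-hunk load file, used only as sample input."""
    longs = len(code) // 4
    return (struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, longs)
            + struct.pack(">II", HUNK_CODE, longs) + code
            + struct.pack(">I", HUNK_END))


CLEAN = make_exe(bytes.fromhex("4e714e75") * 8)            # NOP/RTS filler
GROWN = make_exe(bytes.fromhex("4e714e75") * 8 + bytes(GROWTH))
PATCHED = make_exe(bytes.fromhex("4e754e71") * 8)          # same size, other bytes
```

A "suspicious" result only means the size change fits this entry; confirming
and repairing the file is still the job of the viruskillers listed here.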
Special: It looks for the task "DH0". If this task exists, it tries
to infect the file "dh0:c/loadwb". The virus infects all files that
are accessed using the patched functions.
Possible protections from DOS will be removed by the infected files.
The patch routine is quite complex (or complicated in other words).
This virus is quite similar in some routines to the Commander bomb
on PC; I got this hint from one of the members of the VTC in Hamburg.
The following texts are double encrypted and can be found at the end
of the virus:
'-<( COMMANDER )>- by Bra!N BlaSTer in 1994'
'DH0:C/LoadWB'
'DH0'
'dos.library'
'reqtools.library reqtools 38.888' (don't know what this is)
Detection tested 03.10.1994.
(Memoryremoval and fileremoval)
Comment 4.1.1995:
Only VT, VZ and VW (from the big viruskillers) remove the Commander
virus correctly. Another English-speaking viruskiller (last update
31.12.1994) is not able to repair all the infected files.
Another Commander viruskiller appeared, which carries the
whole virus!
Comment 03.10.1994:
There already exists another special Commander viruskiller, but this
viruskiller is not able to recalculate the JSR commands! (1.4 is
the current version of this special thing)
Comment 19.10.1994:
The repair routine was a little bit buggy under special
circumstances. Now fixed. Sorry.
Comment 24.11.1994:
After a SHI member from Denmark wrote about the real Commander virus
installer, I got it 2 two later from Jan Andersen (former SHI TEAM
DK). This is the intro from RAGE and APEX. The original file is
64924 bytes long (I got it in Germany). The "installer" is 71800
bytes long and contains some additional CLI text routines, which
hide the virus. This is in my opinion NEVER the original installer,
but VW 4.4 and higher will recognize it....
Comment 01.12.1994:
A new installer appeared some days ago. This time it is (again) a
production from Duplo (like dpl-de99, which I urgently need!).
This time it is a two-disk AGA demo titled "My mamy is a vampire".
The virus can be found in the first file from disk 1, called
Vampire.exe. The virus is included in the file and I don't know how
it was fiddled into the demo. Maybe some of the Duplo programmers
can tell me? The infector is 875778 bytes long packed, and some kind
of OS enhancer was added before....
Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III with Xvs.library installed
Test by Markus Schmall
HEX picture of Commander virus: