Golden Rider Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM
 


     ------------------------
     Amiga Virus Encyclopedia
     Golden Rider Virus
     ------------------------
    

     Name         : Golden Rider

     Aliases      : No Alises

     Clones       : No Clones

     Type         : Link virus
     
     Size         : 868 bytes

     Symptoms     : No Symptoms

     Discovered   : 22 november 1992

     Way to Infect: Link infection

     Rating       : Less Dangerous

     Kickstarts   : 1.2
                    1.3

     Damage       : No Damage

     Comments     : When  it  patches  the  DOS.library  it  infects  via
                    copying  itself  to  the first  hunk  in an executable
                    file.  Activated  this way  it will stay  resident  in
                    memory. When it is "ramdom" which file it inflicts you
                    can  have  the virus  for  a very  long  time  without
                    remarking it. Furthermore, if it is a very rarely used
                    function  in the main  program it has patched, it will
                    never  be activated  anymore.  It adds to the file its
                    own lengt and modify the functions return  until after
                    it has laid itself resident. This way executed it will
                    patch every new executed file during the same session.
                    ( Same boot period ).

                    An  early  Golden  Rider  version only inflected files
                    less  than 100.000 bytes under KickStart1.2. The newer
                     ones seems not to have these limits.

                    The  virus  copies  itself  to  $7C000 and changes the
                    CoolCapture to stay resident.  For infection the virus
                    patches  the  Open()-Vector  from  the  dos.lib.   For
                    write-protection  check the virus additionally patches
                    the  DoIO()-Vector.  Imagine you are inserting a disk:

                    Now,  the  virus  checks  with  the  help on DoIO() if
                    the  disk is write-protected. The virus now "remebers"
                    if  the disk was protected or not. Now you are opening
                    a  program  (e.g.  with  an  ASCII-Editor).  The virus
                    checks  the write-protection value. If the disk wasn`t
                    write-protected  the  virus  checks  for  this signs &
                    numbers in the program-name:

                    "/", ":", "0", "1" or all letters greater than $40.

                    If  any  of  these  letters/signs are in the file name
                    the  infection  will  be  canceled.  If  not the virus
                    links  itself  behind  the 1. Hunk by searching a RTS.
                    (Like Crime & File Ghost).

                    The virus just infects files which are:
                    - executeable
                    - smaller than 100000 bytes

                    In the file you can read:
                    ">>> Golden Rider <<< by ABT"

                    REMOVAL:  There is no  guarantee that viruskillers can
                    reestablish  the files,  so use at first a copy.  Else
                    the file - sizes  with your original
                    software copies.  Is it to say that it is no guarantee
                    to compare with  your backup set?

     Removal      : Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                    Kickstart all others: VirusZ III with Xvs.library installed

     Test made by : Safe Hex International
Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk