VIRUS HELP TEAM Amiga Antivirus Website www.vht-dk.dk
------------------------
Amiga Virus Encyclopedia
Golden Rider Virus
------------------------
Name : Golden Rider
Aliases : No Aliases
Clones : No Clones
Type : Link virus
Size : 868 bytes
Symptoms : No Symptoms
Discovered : 22 November 1992
Way to Infect: Link infection
Rating : Less Dangerous
Kickstarts : 1.2, 1.3
Damage : No Damage
Comments : Once it has patched the DOS.library, it infects by
copying itself to the first hunk of an executable
file. Activated this way, it stays resident in
memory. Because it is "random" which file it infects, you
can have the virus for a very long time without
noticing it. Furthermore, if it has patched a very rarely
used function in the main program, it will
never be activated again. It adds its own length to
the file and modifies the function's return until after
it has made itself resident. Once executed this way, it will
patch every newly executed file during the same session
(same boot period).
An early Golden Rider version only infected files
smaller than 100.000 bytes under Kickstart 1.2. The newer
ones seem not to have these limits.
The virus copies itself to $7C000 and changes the
CoolCapture to stay resident. For infection the virus
patches the Open() vector of the dos.lib. To check for
write protection the virus additionally patches
the DoIO() vector. Imagine you are inserting a disk:
the virus checks with the help of DoIO() whether
the disk is write-protected, and "remembers"
whether it was protected or not. Now you open
a program (e.g. with an ASCII editor). The virus
checks the write-protection value. If the disk wasn't
write-protected, the virus checks for these signs and
numbers in the program name:
"/", ":", "0", "1" or all letters greater than $40.
If any of these letters/signs are in the file name,
the infection is canceled. If not, the virus
links itself behind the first hunk by searching for an RTS
(like Crime & File Ghost).
The virus only infects files which are:
- executable
- smaller than 100000 bytes
In the file you can read:
">>> Golden Rider <<< by ABT"
REMOVAL: There is no guarantee that virus killers can
restore the files, so work on a copy first. Otherwise,
compare the file sizes with your original
software copies. Is it to say that it is no guarantee
to compare with your backup set?
Removal : Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III with Xvs.library installed
Test made by : Safe Hex International
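
Added example (not part of the original encyclopedia entry and not the method of the virus killers named above): a small scanner that parses the AmigaDOS hunk header, extracts the first code hunk, and reports whether the text string quoted above is present there or elsewhere in the file. The function names and the sample files are constructed for this example, and it assumes the string is stored unencoded, as the entry says it can be read in the file.

```python
import struct

HUNK_HEADER = 0x3F3                       # start of an AmigaDOS load file
HUNK_CODE = 0x3E9
HUNK_END = 0x3F2
MARKER = b">>> Golden Rider <<< by ABT"   # text string quoted in the entry above
SIZE_MASK = 0x3FFFFFFF                    # top two bits of a longword carry memory flags

def first_code_hunk(data):
    """Return the bytes of the first hunk if it is HUNK_CODE, else None."""
    if len(data) < 4 or struct.unpack_from(">I", data, 0)[0] != HUNK_HEADER:
        return None
    pos = 4
    try:
        while True:                       # resident library names, ended by a zero longword
            (n,) = struct.unpack_from(">I", data, pos)
            pos += 4
            if n == 0:
                break
            pos += n * 4
        _table, first, last = struct.unpack_from(">III", data, pos)
        pos += 12 + (last - first + 1) * 4        # skip the hunk size table
        hunk_type, size = struct.unpack_from(">II", data, pos)
    except struct.error:                  # truncated or malformed header
        return None
    if hunk_type & SIZE_MASK != HUNK_CODE:
        return None
    return data[pos + 8:pos + 8 + (size & SIZE_MASK) * 4]

def scan(data):
    """Return 'not-scanned', 'clean', 'marker-in-first-hunk' or 'marker-elsewhere'."""
    hunk = first_code_hunk(data)
    if hunk is None:
        return "not-scanned"
    if MARKER in hunk:
        return "marker-in-first-hunk"
    return "marker-elsewhere" if MARKER in data else "clean"

def _sample(code):
    """Constructed one-hunk load file for the demo (not a real program or virus body)."""
    code += b"\0" * (-len(code) % 4)      # hunk data is longword aligned
    n = len(code) // 4
    header = struct.pack(">6I", HUNK_HEADER, 0, 1, 0, 0, n)
    return header + struct.pack(">II", HUNK_CODE, n) + code + struct.pack(">I", HUNK_END)

if __name__ == "__main__":
    body = b"\x70\x00\x4e\x75"            # constructed code bytes ending in RTS ($4E75)
    print(scan(_sample(body)))            # file without the string
    print(scan(_sample(body + MARKER)))   # string appended inside the first hunk
```

A hit only shows that the string is present; compare file sizes against known-good copies, as the removal note advises, before trusting or repairing a file.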