Hanf Virus - Amiga Virus Encyclopedia


     Amiga Virus Encyclopedia
     Hanf Virus
     - Hanf link virus

         Name reason:
           At the beginning of the first hunk you can read:
           600c4e75 48414e46 00000fb8 4e7648e7 `.NuHANF .... NvH.
         File growth: 5472 bytes
         Not reset-proof
         Hooked vectors:
           - $F0 (TimerBase)
           - offset $6C in the handler process of DF0, DF1 etc.
             (located via DosBase, RootNode, Info etc.)
           - BeginIO of various serial devices

           Decoded, the link part contains the following (the names
           of the serial devices whose BeginIO is hooked):
           4e5d4cdf 7fff6000 064e6172 74736572 N] L .......Nartser
           00426175 6442616e 64697400 62736369 .BaudBandit.bsci
           73646e00 636f6d70 6f727473 00647561 sdn.comports.dua
           72740065 6d707365 7200656e 766f7973 rt.empser.envoys
           65726961 6c006776 70736572 00686967 erial.gvpser.hig
           68737065 65640069 626d7365 72006e65 hspeed.ibmser.ne
           74736572 006e6577 73657200 73657269 tser.newser.seri
           616c0073 696f7362 72007371 75697272 al.siosbr.squirr
           656c7365 7269616c 0074656c 73657200 elserial.telser.
           55535253 65726961 6c007577 00763334 USRSerial.uw.v34
           73657269 616c0000 2e646576 69636500 serial ... device.

         Memory anchoring:
           - tests whether it is already in memory (HANF)
           - the virus part is always re-encrypted in memory with a
             key taken from $DFF006 (VHPOSR, the beam position
             register), something not seen before

         Link operation (infection criteria):
           - File not yet infected (no HANF marker)
           - No RTS at offset 2 of the code hunk, so no libraries etc.
           - File is executable ($3F3 hunk header)
           - The last hunk of the file is code or data
           - 1st hunk at least $3A long
           - A short piece of the virus code overwrites the
             beginning of the first hunk
           - The main virus part is placed behind the last code
             or data hunk
           - the virus part is always re-encrypted with $DFF006 at
             link time
           - Defective files were also produced during tests

           - Probably also spreads via BeginIO of serial devices
             (I haven't tested it because I don't use any of these
              devices (vectorser))
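         The criteria above are enough to write a checker for Amiga
         hunk files. The following is an added example, not part of
         the original encyclopedia entry and not VT's own code: it
         walks the hunk structure of an executable, reports whether
         the first hunk carries the HANF signature shown under "Name
         reason", and applies the infection preconditions listed
         above to say whether a file would be a candidate for the
         virus. The sample executables are constructed inline. Two
         assumptions are mine, not the page's: that "$3A" is a byte
         count, and that the first hunk has to be a code hunk.

```python
"""Walk an Amiga hunk executable and apply the Hanf link criteria (added example)."""
import struct

HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_RELOC16, HUNK_RELOC8 = 0x3EC, 0x3ED, 0x3EE
HUNK_SYMBOL, HUNK_DEBUG, HUNK_END = 0x3F0, 0x3F1, 0x3F2
SIZE_MASK = 0x3FFFFFFF            # top two bits of a size/type longword are memory flags

HANF_MARKER = b"HANF"             # found at offset 4 of an infected first hunk
HANF_SIGNATURE = bytes.fromhex("600c4e7548414e46")   # BRA.S +$0C / RTS / "HANF"
MIN_FIRST_HUNK = 0x3A             # "1st hunk at least $3A"; assumed to be bytes


class HunkError(ValueError):
    pass


def _u32(buf, off):
    """Read one big-endian longword, returning (value, next offset)."""
    if off + 4 > len(buf):
        raise HunkError("truncated at offset %d" % off)
    return struct.unpack_from(">I", buf, off)[0], off + 4


def parse_hunks(buf):
    """Return [(hunk_type, payload)] for every code/data/bss hunk in file order."""
    ht, off = _u32(buf, 0)
    if ht != HUNK_HEADER:
        raise HunkError("not an Amiga hunk executable (no $3F3 header)")
    n, off = _u32(buf, off)           # resident library names, terminated by 0
    while n:
        off += n * 4
        n, off = _u32(buf, off)
    _table_size, off = _u32(buf, off)
    first, off = _u32(buf, off)
    last, off = _u32(buf, off)
    off += (last - first + 1) * 4     # skip the hunk size table
    hunks = []
    while off < len(buf):
        ht, off = _u32(buf, off)
        ht &= SIZE_MASK
        if ht in (HUNK_CODE, HUNK_DATA):
            n, off = _u32(buf, off)
            n &= SIZE_MASK
            hunks.append((ht, buf[off:off + n * 4]))
            off += n * 4
        elif ht == HUNK_BSS:
            _n, off = _u32(buf, off)  # size only, no payload in the file
            hunks.append((ht, b""))
        elif ht in (HUNK_RELOC32, HUNK_RELOC16, HUNK_RELOC8):
            n, off = _u32(buf, off)   # blocks of (count, target hunk, offsets), 0-terminated
            while n:
                off += 4 + n * 4
                n, off = _u32(buf, off)
        elif ht == HUNK_SYMBOL:
            n, off = _u32(buf, off)   # (name length, name, value) entries, 0-terminated
            while n:
                off += n * 4 + 4
                n, off = _u32(buf, off)
        elif ht == HUNK_DEBUG:
            n, off = _u32(buf, off)
            off += n * 4
        elif ht != HUNK_END:
            raise HunkError("unsupported hunk type $%X at offset %d" % (ht, off - 4))
    return hunks


def hanf_marker_present(hunks):
    """True if the first hunk starts with the signature quoted under 'Name reason'."""
    ht, data = hunks[0]
    return ht == HUNK_CODE and data[:8] == HANF_SIGNATURE


def hanf_would_infect(buf):
    """Apply the link criteria from the entry; returns (candidate, reason)."""
    try:
        hunks = parse_hunks(buf)
    except HunkError as e:
        return False, str(e)
    if not hunks:
        return False, "no hunks"
    ht, first = hunks[0]
    if ht != HUNK_CODE:                       # assumption: stub must land in code
        return False, "first hunk is not code"
    if first[4:8] == HANF_MARKER:
        return False, "already infected (HANF)"
    if first[2:4] == b"\x4e\x75":
        return False, "RTS at offset 2 (library-style entry)"
    if len(first) < MIN_FIRST_HUNK:
        return False, "first hunk shorter than $3A"
    if hunks[-1][0] not in (HUNK_CODE, HUNK_DATA):
        return False, "last hunk is neither code nor data"
    return True, "meets all Hanf link criteria"


def build_hunk_file(hunks):
    """Assemble a minimal executable (header, size table, hunks, HUNK_END) for testing."""
    out = struct.pack(">IIIII", HUNK_HEADER, 0, len(hunks), 0, len(hunks) - 1)
    for _ht, data in hunks:
        out += struct.pack(">I", (len(data) + 3) // 4)
    for ht, data in hunks:
        pad = data + b"\0" * (-len(data) % 4)
        out += struct.pack(">II", ht, len(pad) // 4) + (b"" if ht == HUNK_BSS else pad)
        out += struct.pack(">I", HUNK_END)
    return out


# Constructed sample inputs, not files from the page.
CLEAN_PROGRAM = build_hunk_file([(HUNK_CODE, bytes.fromhex("4e714e71") + b"\0" * 0x40),
                                 (HUNK_DATA, b"hello\0")])                  # NOP, NOP, padding
LIBRARY_LIKE = build_hunk_file([(HUNK_CODE, bytes.fromhex("70ff4e75") + b"\0" * 0x40)])  # MOVEQ #-1,D0 / RTS
INFECTED = build_hunk_file([(HUNK_CODE, bytes.fromhex("600c4e7548414e4600000fb84e7648e7") + b"\0" * 0x40),
                            (HUNK_DATA, b"hello\0")])

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_PROGRAM), ("library", LIBRARY_LIKE), ("infected", INFECTED)):
        print(name, hanf_marker_present(parse_hunks(sample)), hanf_would_infect(sample))
```

         The parser stops at hunk types it does not know rather
         than guessing, which is the right failure mode for a
         scanner: a file it cannot walk is reported, not silently
         passed as clean.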

         VT tries to restore the vectors in memory. However, I think
         it makes more sense to reboot from a clean antivirus disk,
         since my system was not very stable with the virus part in
         memory.
         VT tries to remove the link from an executable file.

     Original test by Heiner Schneegold
     Translated from German to English by Google Translate


Virus Help Team
Denmark & Canada
Copyright © All rights reserved