Amiga Virus Encyclopedia
- Hanf link virus
At the beginning of the first hunk you can read:
600c4e75 48414e46 00000fb8 4e7648e7 `.NuHANF....NvH.
File length increase: #5472 bytes
- $F0 (TimerBase)
- $6c-Proc, e.g. DF0, DF1 etc.
(located via DosBase, ROOT, Info etc.)
- BeginIo of various Ser.-Devs
Once decoded, the following can be read in the link part:
4e5d4cdf 7fff6000 064e6172 74736572 N]L...`..Nartser
00426175 6442616e 64697400 62736369 .BaudBandit.bsci
73646e00 636f6d70 6f727473 00647561 sdn.comports.dua
72740065 6d707365 7200656e 766f7973 rt.empser.envoys
65726961 6c006776 70736572 00686967 erial.gvpser.hig
68737065 65640069 626d7365 72006e65 hspeed.ibmser.ne
74736572 006e6577 73657200 73657269 tser.newser.seri
616c0073 696f7362 72007371 75697272 al.siosbr.squirr
656c7365 7269616c 0074656c 73657200 elserial.telser.
55535253 65726961 6c007577 00763334 USRSerial.uw.v34
616c0000 2e646576 69636500 serial...device.
- tests whether it is already in memory (HANF)
- the part is always re-encoded in memory with $DFF006
(this had not been seen before)
- File not yet infected (HANF)
- No RTS at 2 (CodeHunk), so no libs etc.
- File executable ($3F3)
- The last hunk of the file is code or data
- 1st hunk at least $3A
- A short piece of the virus part overwrites the
beginning of the first hunk
- The main virus part is linked behind the last code
or data hunk
- the part is always re-encoded with $DFF006 at
- Defective files were also created during tests
- Probably with BeginIo Ser.-Devs
(I haven't tested it because I don't use any of these
devices (vectorser))
VT tries to reset the vectors in memory.
However, I think it makes more sense to reboot from a
clean antivirus disk, since my system was not
very stable with the virus part.
VT tries to remove the link from an executable file.
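The following is an added example, not code from VT or from the original text. It checks a file for the two things the entry describes, an executable header ($3F3) and the HANF marker at bytes 4..7 of the first hunk; the function names and the sample files are constructed for illustration, and a match only indicates the marker bytes, not a confirmed infection.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_END = 0x3F3, 0x3E9, 0x3EA, 0x3F2
MARKER, MARKER_OFFSET = b"HANF", 4   # position taken from the dump of the first hunk

def first_hunk_body(data):
    """Return the first hunk's bytes, or None if this is not a $3F3 load file."""
    def u32(off):
        if off + 4 > len(data):
            raise ValueError("truncated hunk file")
        return struct.unpack_from(">I", data, off)[0]   # AmigaOS files are big-endian
    if u32(0) != HUNK_HEADER:
        return None
    pos = 4
    while (n := u32(pos)) != 0:          # skip resident library names
        pos += 4 + 4 * n
    first, last = u32(pos + 8), u32(pos + 12)
    if last < first:
        raise ValueError("bad hunk table")
    pos += 16 + 4 * (last - first + 1)   # terminator, table size, first, last, sizes
    if (u32(pos) & 0x3FFFFFFF) not in (HUNK_CODE, HUNK_DATA):
        return None
    size = (u32(pos + 4) & 0x3FFFFFFF) * 4   # hunk length is stored in longwords
    body = data[pos + 8 : pos + 8 + size]
    if len(body) < size:
        raise ValueError("truncated hunk body")
    return body

def scan(data):
    """Classify a file: not-a-load-file, malformed, hanf-marker or no-marker."""
    try:
        body = first_hunk_body(data)
    except ValueError:
        return "malformed"
    if body is None:
        return "not-a-load-file"
    found = body[MARKER_OFFSET:MARKER_OFFSET + 4] == MARKER
    return "hanf-marker" if found else "no-marker"

def build_sample(body):
    """Constructed one-hunk load file for the demo (not a real sample)."""
    words = len(body) // 4
    return (struct.pack(">6I", HUNK_HEADER, 0, 1, 0, 0, words)
            + struct.pack(">2I", HUNK_CODE, words) + body + struct.pack(">I", HUNK_END))

if __name__ == "__main__":
    marked = build_sample(bytes.fromhex("600c4e7548414e4600000fb84e7648e7"))  # 16 bytes quoted above
    unmarked = build_sample(bytes.fromhex("70004e754e714e75"))               # constructed
    for name, blob in (("marked", marked), ("unmarked", unmarked), ("text", b"hello world")):
        print(name, scan(blob))
```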
Original test by Heiner Schneegold
Translated from German to English by Google Translate