NeuroticDeath 5 Link Virus - Amiga Virus Encyclopedia
VIRUS HELP TEAM
--------------------------
Amiga Virus Encyclopedia
NeuroticDeath 5 Link Virus
--------------------------
- NEurOTiCDEatH virus type 5 link virus
The name cannot be explained, but has been adopted
In the decoded link part you can read:
8002ee58 32c04e75 00000002 00005b4d ... X2.Nu ...... [M
74675f33 415d0000 1bdf0000 00096100 tg_3A] ........ a.
Compared to Type 3, I have not found a Neuro.. text.
File lengthening: more than 6000 bytes and less than 8000 bytes
(that is how it was in my tests)
Not reset-proof
Processor better than 68000
Not all Kickstart versions
Patched vectors: LoadSeg, NewLoadSeg, DoIO
The virus part is meant to become active from Dec. 28, 96.
Installation in memory:
- Tests whether it is already in memory, e.g. debug Data
- Tests whether an antivirus program is active (e.g. Xtruder)
- LoadSeg, NewLoadSeg and DoIO are patched
- Tests the names of files loaded later for "v" or "V".
Link operation:
- With LoadSeg and NewLoadSeg
- Medium is validated
- File is executable ($3F3)
- A code hunk is found ($3E9)
- Skips over $3F1 hunks
- File length greater than 32768
- File smaller than 286720
- Searches the 1st hunk for bcc ($6v00wxyz),
jsr xy ($4EBAwxyz) or jsr -xy(a6) ($4EAEwxyz)
- This longword is replaced by bsr virus ($6100wxyz)
- The part is re-encoded every time with $DFF007
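As an added example (not code from VT or from the original entry), the following Python sketch checks a file against the link criteria listed above: $3F3 header, $3F1 hunks stepped over, a $3E9 code hunk, and the 32768 to 286720 byte window. It also lists word-aligned bsr.w ($6100wxyz) offsets in the first code hunk; the function names, the masking of memory flag bits and the sample file are assumptions of this example.

```python
import struct

HUNK_CODE, HUNK_DEBUG, HUNK_HEADER = 0x3E9, 0x3F1, 0x3F3
MIN_LEN, MAX_LEN = 32768, 286720        # size window given in the entry

def first_code_hunk(data):
    """Return (file offset, byte length) of the first code hunk, else None."""
    def u32(pos):
        if pos + 4 > len(data):
            raise ValueError("truncated hunk file")
        return struct.unpack_from(">I", data, pos)[0]
    if len(data) < 4 or u32(0) != HUNK_HEADER:
        return None
    pos = 4
    while (n := u32(pos)) != 0:          # resident library names, usually none
        pos += 4 + 4 * n
    first, last = u32(pos + 8), u32(pos + 12)   # after terminator, table size
    if last < first:
        return None
    pos += 16 + 4 * (last - first + 1)          # skip the hunk size table
    while u32(pos) & 0x3FFFFFFF == HUNK_DEBUG:  # step over $3F1 hunks
        pos += 8 + 4 * u32(pos + 4)
    if u32(pos) & 0x3FFFFFFF != HUNK_CODE:
        return None
    size = 4 * (u32(pos + 4) & 0x3FFFFFFF)
    if pos + 8 + size > len(data):
        raise ValueError("code hunk runs past end of file")
    return pos + 8, size

def triage(data):
    """Check one file against the link criteria listed in the entry."""
    hunk = first_code_hunk(data)
    bsr = []
    if hunk:
        off, size = hunk
        # bsr.w is $6100 + 16-bit displacement; clean code uses it too,
        # so these offsets are only starting points for manual review.
        bsr = [i for i in range(off, off + size - 3, 2)
               if data[i:i + 2] == b"\x61\x00"]
    return {"code_hunk": hunk,
            "in_size_window": MIN_LEN < len(data) < MAX_LEN,
            "bsr_w_offsets": bsr}

def constructed_sample():
    """Constructed test file: header, one $3F1 hunk, one 36000-byte code hunk."""
    code = bytearray(b"\x4e\x71" * 18000)            # NOP filler
    code[8:12] = b"\x61\x00\x00\x10"                 # one bsr.w at code offset 8
    longs = [HUNK_HEADER, 0, 1, 0, 0, 9000, HUNK_DEBUG, 1, 0, HUNK_CODE, 9000]
    return struct.pack(">11I", *longs) + bytes(code) + struct.pack(">I", 0x3F2)
```

The size window describes the files the virus selects; according to the entry, a file that has already been linked is 6000 to 8000 bytes longer.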
Report:
- NO
Destruction:
- Writes garbage with DoIO
- Destroys a random block based on $DFF006
- The random block is always higher than 63 ($7E00)
- VT CANNOT recognize a block like this
- Such a block cannot be rescued
VT tries to reset the vectors in memory.
VT cannot repair all files.
If there are errors in a file, please send me
such files.
Original test by Heiner Schneegold
Translated from german to english by Google translate