QRDL v1.1 Link Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM
 



    ------------------------
    Amiga Virus Encyclopedia
    QRDL v1.1 Link Virus
    ------------------------

    
    QRDL V1.1 Linkvirus:

    This virus makes an infected file 2300 bytes longer.  It creates an
    own  first  hunk  (like  the  "classic"  viruses  like CCCP, Smilie
    Cancer).

    The  CoolCapture  is set sometimes.  The following pointers will be
    used:
    - Exec: DoIO / NewOpenLibrary
    - Intuition: OpenWindow (-$CA)
    - $78 (Exec)

    Called this way because of a little ASCII text in the virusfile.

    Sometimes  the bitmap of the just inserted disk will be filled with
    $FFFFFF.   This  routine  will only be started if an old filesystem
    disk  (DOS0)  will  be used.  The result is that the OS thinks that
    the  disk is empty and if you write on the disk, all other files on
    disk became cleared.

    Disassembled code:

            move.l        #$00000370,d0                ; 880 = Rootblock
            move.w        #$007F,d1
    .loop        move.l        #$FFFFFFFF,(a0)+        ; fill with -1
            dbf        d1,.loop
            move.l        #$0000007F,(a3)
            move.w        #$0002,$001C(a1)        ; TD " WRITE "
            jsr        -$01a8(a6)
            move.l        #$00000200,d0
            jsr        -$00D2(a6)
            rts

    sector:        move.l        #$00000200,$0024(a1)
            mulu.w        #$0200,d0
            rts        

    It is possible that infected files will not work anymore because of
    a  bad  hunk  detection routine in the virus.  I cannot rescue such
    files at the moment.

    WARNING:
    The repair routine has only been tested on one file because I could
    not spread the virus on my disks!


                           Detection and termination tested on 21.11.92

    Test by Markus Schmall...
Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk