Red October 1.7 Linkvirus:
  --------------------------

  -Kickstart 3.x: Yes
  -MC68040      : Yes

  -Infected files become 1296 bytes longer
  -No changed vectors



  The virus allocates memory for the file to be infected. It does
  not patch a DOS vector; it simply tries to infect files via ExNext etc.
  The virus recognizes itself by the first codehunk, using the first
  longword in this hunk ($4e714e71).

  The virus does not correct any Relochunks and most infected programs
  crash. It simply copies its codehunk before the first codehunk and
  increases the length. The virus is very simple, but I decided to
  recognize this one, too. This virus is very old.

  Around offset 1100 in the first hunk, you can read:



        'timer.device'
        'dos.library'
        'ram:'
        'ram:1'           
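
  A sketch of the check described above, as an added example (not code from
  this page or from the antivirus it documents): it walks a standard AmigaDOS
  load-file header to the first code hunk and tests the $4e714e71 longword.
  Requiring the readable strings as a second condition, and all function
  names, are assumptions made for the example.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
MARKER = 0x4E714E71   # first longword of the virus hunk (two 68k NOPs)
STRINGS = (b"timer.device", b"dos.library", b"ram:1")  # readable in the hunk

def u32(data, off):
    """Big-endian longword at off; reject truncated files."""
    if off + 4 > len(data):
        raise ValueError("truncated hunk file")
    return struct.unpack_from(">I", data, off)[0]

def first_code_hunk(data):
    """Return the body of the first hunk if it is a code hunk, else None."""
    if u32(data, 0) != HUNK_HEADER:
        raise ValueError("not an AmigaDOS load file")
    off = 4
    while (n := u32(data, off)) != 0:   # resident library names, 0-terminated
        off += 4 + 4 * n
    first, last = u32(data, off + 8), u32(data, off + 12)
    if last < first:
        raise ValueError("bad hunk range")
    off += 16 + 4 * (last - first + 1)  # terminator, table size, range, sizes
    if (u32(data, off) & 0x3FFFFFFF) != HUNK_CODE:  # top bits: memory flags
        return None
    size = (u32(data, off + 4) & 0x3FFFFFFF) * 4
    body = data[off + 8 : off + 8 + size]
    if len(body) != size:
        raise ValueError("code hunk runs past end of file")
    return body

def classify(data):
    """'red-october', 'marker-only' (marker but no strings) or 'clean'."""
    body = first_code_hunk(data)
    if not body or u32(body, 0) != MARKER:
        return "clean"
    return "red-october" if all(s in body for s in STRINGS) else "marker-only"

def build_load_file(code):
    """Constructed sample: a one-hunk load file wrapped around `code`."""
    code += b"\0" * (-len(code) % 4)
    n = len(code) // 4
    return (struct.pack(">8I", HUNK_HEADER, 0, 1, 0, 0, n, HUNK_CODE, n)
            + code + struct.pack(">I", HUNK_END))

# Constructed inputs: marker plus the readable strings, no virus code.
SUSPECT = build_load_file(struct.pack(">I", MARKER) + b"\0" * 1096
                          + b"timer.device\0dos.library\0ram:\0ram:1\0")
BENIGN = build_load_file(b"\x70\x00\x4e\x75")   # moveq #0,d0 / rts

if __name__ == "__main__":
    print(classify(SUSPECT), classify(BENIGN))
```

  Two NOPs at the start of a code hunk can occur in unrelated programs, which
  is why a marker-only hit is reported separately from a full match.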



  The original first infected file is 1296 bytes long and will be
  cleared completely ('cause there is nothing more to fix).

  Documentation exists for this virus; it was spread years ago
  together with the virus:


  The Red October Virus 1.7 (901029)

  This virus program is for demonstration and testing purpose only.

  The Red October virus is a non-overwriting virus and was developed
  and tested under AmigaDOS 1.3.

  The following points influenced the development of the program:

  1. The virus should infect other programs only when system clock
     seconds are evenly divisible by three.

  2. All of the infected files should continue to work properly.

  3. The manipulation task in the virus causes a system crash when
     the system clock seconds are 16, 32 or 48 (evenly divisible
     by sixteen).

  4. The virus only infects files which are shorter than 50000
     bytes in the current directory.

  Delete the virus and the infected programs on the computer when
  you are done. WORK WITH COPIES ONLY.




  Test by Markus Schmall              Detection tested 12.2.1995.
