Name         : Hardex Virus

     Aliases      : A Saddam Hussein clone

     Type/Size    : Disk-Validator virus/1848 bytes

     Discovered   : 10-09-93

     Way to infect: L/Disk-Validator (if not found, the virus creates one)

     Rating       : Dangerous

     Kickstarts   : 1.2/1.3 (all using Disk-Validator)

     Damage       : Destroys blocks by overwriting

     Comments     : The Hardex and Saddam Hussein viruses are modifications
                    of Return of the Lamer Exterminator: 1848 bytes, stored
                    in SYS:l/ under the name Disk-Validator.


                    The Hardex virus tries to plant a senseless pointer to
                    a false bitmap in the root directory. The failed attempt
                    to validate the disk then invokes the virus, which
                    installs itself on every disk that is not write-
                    protected, including Kickstart 1.2/1.3 hard-disk
                    partitions.

                    If Root:l/ does not exist on a newly formatted disk,
                    the virus creates it itself.

                    Old versions of the system require the Disk-Validator
                    program to validate disks. The Saddam clones make it
                    impossible to validate disks. Therefore, every time you
                    insert a disk (or boot your hard disk, copy to it or
                    delete from it) you will see the drive work for an
                    exorbitantly long time. On a hard disk this can take
                    minutes, if it finishes at all.


                    DAMAGE: After a counter has counted down, the virus
                    writes the word "HARD" a number of times into the file
                    headers. When the overwritten words are the fields

                    File - first block start at address:
                    Number of blocks in sequence:
                    Next block in sequence:
                    Block checksum:

                    you can regard the file as destroyed.

                    AmigaDOS will report a block checksum error and you
                    will get a requester like:

                               Not a DOS disk in drive: or

                               Disk not validated
                               Disk structure corrupt
                               Use DiskDoctor to correct it

                    The name shown below the disk icon is

                                          NDOS
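                    The two symptoms described above (a file header that
                    no longer passes the AmigaDOS block checksum, and the
                    word "HARD" written repeatedly into it) can be checked
                    for in a raw disk image without running the infected
                    system. The following Python script is an added
                    example; it is not part of this SHI entry and not a
                    virus-killer's own code. It assumes the standard
                    AmigaDOS OFS/FFS file header layout (type longword 0,
                    blocks-in-sequence longword 2, first data block
                    longword 4, checksum longword 5, secondary type
                    longword 127) and builds its own constructed sample
                    blocks instead of reading a real disk.

```python
import struct

BLOCK_SIZE = 512
T_HEADER = 2          # primary type of a header block
ST_FILE = -3          # secondary type of a file header (not root/dir)
MARKER = b"HARD"      # the word the SHI entry says the virus writes into headers

# Longword offsets in a file header block (standard AmigaDOS OFS/FFS layout,
# assumed here; the SHI text names the fields but not their positions).
L_TYPE, L_HEADER_KEY, L_HIGH_SEQ, L_FIRST_DATA, L_CHECKSUM = 0, 1, 2, 4, 5
L_PARENT, L_SEC_TYPE = 126, 127


def expected_checksum(block: bytes) -> int:
    """AmigaDOS header checksum: the 32-bit sum of all 128 longwords, with the
    checksum field itself counted as zero, must be 0.  Returns the value the
    checksum field has to hold for that to be true."""
    longs = struct.unpack(">128I", block)
    partial = (sum(longs) - longs[L_CHECKSUM]) & 0xFFFFFFFF
    return (-partial) & 0xFFFFFFFF


def build_file_header(own: int, first_data: int, nblocks: int, parent: int) -> bytes:
    """Construct a minimal valid file header block (sample data, not a real disk)."""
    longs = [0] * 128
    longs[L_TYPE] = T_HEADER
    longs[L_HEADER_KEY] = own
    longs[L_HIGH_SEQ] = nblocks
    longs[L_FIRST_DATA] = first_data
    # The data-block table occupies longwords 6..77 and fills from the end.
    for i in range(nblocks):
        longs[77 - i] = first_data + i
    longs[L_PARENT] = parent
    longs[L_SEC_TYPE] = ST_FILE & 0xFFFFFFFF
    block = struct.pack(">128I", *longs)
    longs[L_CHECKSUM] = expected_checksum(block)
    return struct.pack(">128I", *longs)


def inspect_block(index: int, block: bytes) -> dict:
    """Decode the fields the SHI entry lists and test the two symptoms it
    describes: a wrong block checksum and HARD written repeatedly."""
    longs = struct.unpack(">128I", block)
    sec_type = struct.unpack(">i", block[508:512])[0]
    return {
        "block": index,
        "file_header": longs[L_TYPE] == T_HEADER and sec_type == ST_FILE,
        "first_data": longs[L_FIRST_DATA],      # "File - first block start at address"
        "high_seq": longs[L_HIGH_SEQ],          # "Number of blocks in sequence"
        "checksum": longs[L_CHECKSUM],          # "Block checksum"
        "checksum_ok": longs[L_CHECKSUM] == expected_checksum(block),
        "hard_count": block.count(MARKER),
    }


def scan_image(image: bytes) -> list:
    """Walk a raw image block by block; report blocks that claim to be a file
    header but fail the checksum, or that contain HARD more than once."""
    findings = []
    for index in range(len(image) // BLOCK_SIZE):
        info = inspect_block(index, image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE])
        if info["hard_count"] >= 2 or (info["file_header"] and not info["checksum_ok"]):
            findings.append(info)
    return findings


def build_sample_image() -> bytes:
    """Three constructed blocks: an empty block, an intact file header, and the
    same header after the damage the entry describes (HARD x8 written over
    part of the data-block table, which also invalidates the checksum)."""
    empty = bytes(BLOCK_SIZE)
    intact = build_file_header(own=881, first_data=882, nblocks=2, parent=880)
    damaged = bytearray(intact)
    damaged[24:56] = MARKER * 8
    return empty + intact + bytes(damaged)


if __name__ == "__main__":
    for finding in scan_image(build_sample_image()):
        print(finding)
```

                    Run against a real floppy or partition image, the
                    script only flags candidate blocks; it does not
                    repair them, which the entry leaves to a virus killer
                    or to FixDisk/QuarterBack TOOLS.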

                    Some mutations make the read/write heads step across
                    the disk surface, possibly scratching it.



                    Some of the mutations write the word "HARD" only once
                    into executable files when they are run, and then
                    decode the rest of the block.

                    In this way the virus cannot be seen as long as it is
                    in memory. This implies that if the Disk-Validator on
                    your hard disk is the wrong one, the virus will hide
                    itself until the counter reaches zero. An alert may
                    then display the text:

                                        HARDEX VIRUS.


                    That specific specimen has, before that, most likely
                    formatted your disk (the partition holding the system).
                    Under System 2.0 the disk will be unreadable because
                    of calls to a non-existent device.

                    But as soon as the disk is used with the infected
                    System 1.3, the files become readable again.

                    The fake Disk-Validator is then active and works as a
                    decrypter for its own files (the infected file
                    headers).

                    Disk utilities such as FixDisk and QuarterBack TOOLS
                    may repair the bad bitmap at the bad address and in
                    doing so damage some files. Most of today's virus
                    killers, however, are presumably able to reconstruct
                    the files.

                    If you want to know the mechanisms in detail, write to
                    one of the virus-killer programmers and ask. Don't
                    forget a bill in the letter.



                    PLEASE NOTE
                    ¯¯¯¯¯¯¯¯¯¯¯
                    If your virus killer detects a virus from the Lamer,
                    ZVirus or Boot Revenge family, do not stop the process
                    before the entire device has been tested.

                    Some virus programmers modify the old boot viruses so
                    that they copy a Disk-Validator from one disk to
                    another, i.e. the disk is infected with an inactive
                    virus.

                    Of course this only works with system diskettes that
                    have all the system directories.

                    But, as pointed out earlier, the moment a BitMap turns
                    false the virus is activated and copies itself.

                    And if you Format or DiskCopy a disk it copies itself
                    too, because of a call to trackdisk.device.

                    It starts the validating process at drive df0:, so if
                    you have booted from the hard disk you will not see a
                    non-validated disk icon.


                    REPAIR: Delete the Hardex virus from all bootable disks
                    immediately and copy the Disk-Validator from the
                    write-protected Workbench disk to them. Check all your
                    disks with a good virus killer, or check whether any of
                    your non-bootable disks contain a :l/Disk-Validator,
                    and if so delete it.

                    The virus killers are able to find and repair the bad
                    files and drawers, but for extra certainty you can run
                    FixDisk or QuarterBack TOOLS afterwards.




     SHI - TBH 04-94
