------------------------
Amiga Virus Encyclopedia
Wech Link Virus
------------------------
- WECH-LVirus file link and destruction
File extension: 952 bytes
Bent vector: LoadSeg
LastAlert is also changed
Resetfest: No.
Link behind the first hunk.
VT tries to reset Loadseg in memory.
VT tries to remove the link part from a file.
Memory anchoring:
- LastAlert changed to 00FFFFFF, 01FFFFFF, 02FFFFFF etc.
- LoadSeg is bent
Destruction (on purpose):
Once LastAlert and $ DFF006 have a certain value
the beginning of the file overwritten.
picture.datatype-destroyed:
00: 57454348 57454348 57454348 57454348 CHANGEOVER
10: 57454348 57454348 57454348 57454348 CHANGEOVER
20: 57454348 57454348 57454348 00040000 EXCHANGE ...
These files cannot be saved.
Propagation conditions:
- File is not yet contaminated (test with SetComment)
- Filename does not contain "-", ". L"
- File executable (3F3)
- 3E9 hunk is found
- Installation variants of the jump in the link part:
- RTS at the hunk end should become NOP (NEVER successful in the test)
- RTS 0000 at the Hunkend becomes NOPNOP
- RTS not exactly at the hunk end becomes Bra.s
- 4EAEwxyz in hunk becomes 4EBA virus
The part does not respond.
Hints:
- A syquest was unusable after 15 minutes.
- Files were created WITHOUT jump jumps
fail.
- Files with defective files were created during the intended link process
Link part.
- No test on KS1.3 (LoadSeg)
- Uses odd addresses
- Probably confuses $ 80 (FIBlock) with $ 7c (FIBlock)
Total guess: Beginners ?????
Original test by Heiner Schneegold
Translated from german to english by Google translate
