Short:        Ancient Virus Killer missing Source
Author:       Ralf Thanner
Uploader:     aminet aminet net
Type:         util/virus
Version:      5.02
Architecture: m68k-amigaos

Berserker V5.02 (1990)
======================

- works ONLY with Kick 1.2/1.3/2.0
- the Centurion Link Virus is the Smily Cancer
- I had to decrunch all files
- the last version!?

Regards,
anonymous

==============================================================================

                        B E R S E R K E R   5.01
                        +++++++++++++++++++++++

              © Copyright 1988, 1989, 1990 by Ralf Thanner

   The code is entirely written in assembler for the Kuma Seka assembler

==============================================================================

REVISION HISTORY:
=================

R  V1.0    - Just a primitive SCA finder and killer.

R  V1.c    - Added Byte Bandit & Byte Warrior killer.
           - Improved SCA & SCA mutants killer routine.
             -> OBELISK, AEK, LSD, PENTAGON, BAMIGA SECTOR ONE, WARHAWK,
                MICROMASTER & NORTHSTAR...

R  V2.b    - finds the Exterminator ( LAMER ).

R  V2.d    - finds the first link virus ( IRQ TEAM 41 ).

   V2.e    - Added alert box. Idea by Olaf Barthel.
           - Some cleanups and bug-fixes done.

R  V2.e+   - Doesn't refuse to work with Kick 1.3 any more.
           - Added custom bootblock writer.
           - Added kill cold-cool vectors; There are just too many SCA
             clones on the market and it is safer to clear these pointers.

R  V3.0    - Now also finds the BSG 9 link virus.
           - Second ( and final? ) code cleanup for public release
           - Removed the custom bootblock writer, too many guys thought
             Berserker to be some kind of virus in disguise.

R  V3.0+   - Extended to find Gaddafi and Disk-Doctor viruses.

   V3.1    - Extended to find the REVENGE BOOTLOADER virus.
             -> THIS IS A NEW ONE!!!
           - Bug-fix in EXTERMINATOR routine.
             -> should find ALL lamer versions now...
           - Code cleanup ( added some subroutines ).

   V3.2    - Extended to find REVENGE (an old one, but some nice guys
             told me that Berserker should also find the old ones ...
             and because Berserker crashed when memory was infiltrated
             by REVENGE )

   V3.2b   - Shortened, sped up & cleaned up the code.
             ( and Berserker still works! )

R  V3.39c+ - JOKE....

   V3.5    - Added Xeno 'killer' routine by STEVE TIBBET.

   V4.0    - Added a friendlier CLI-interface and an option to start
             Berserker from Workbench.

R  V4.0a   - WHAAA, what a pity: forgot to call ReplyMsg..
             Bug now fixed... Thanks to Olaf for this hint.
           - Shortened and improved code again.

   V4.0b   - Threw the 'led switch off' out.
           - Made the cold/cool capture killer optional.
             Hello Martin, yes, only for you...
           - Shortened and improved code again & again....

R  V4.0c   - AARGH!!! A new link virus: Disaster Master V2.

R  V4.0d   - CENTURION LINK VIRUS killer implemented.
           - Implemented a resident library checker.
           - From now on the source contains only the
             'virus-killing-part'.

R  V4.1    - these fucking ass....., in the last two weeks I got three
             new file/link viruses, and this is even one of the best
             programmed viruses I ever saw: The Traveling JACK...
             What chance has a 'Traveling Jack' against a Berserker???
             None...
           - OLSEN found out that 'Berserker' crashed on Kick 2.0.
             Now checks the Kickstart version.
             That's not my fault, most viruses will crash, too.
           - From now on source contains everything.
             ( some people didn't like it the other way )
           - Removed 'math.lib' check. A virus in math.lib?? NAAA...

R  V5.0    - improved 'Traveling Jack' searcher (now finds the mutant
             version).
           - Added a permanent handler. ( read description below )
           - Removed 'dos.library' check. My kind of checking doesn't
             work correctly with dos.library.
             ( doesn't find any change )
           - Takes care of NTSC screens when printing the CLI
             instructions.
           - BIG code-cleanup. This cleanup was a REAL one: Berserker
             has become shorter, faster and (keep your fingers crossed)
             bug-free...
             also changed the way I jump into dos.library from 'A5'
             into 'A6'. ( less problems with future Kickstarts )
             to be honest, I changed most of the routines...
           - New Workbench design.
             ( uses gadgets )
           - Full instructions from workbench.
           - Source contains only the last revision description.
           - NO german.docs any more! ( it's not too difficult to
             understand the english docs... )

R  V5.01   - Fine tuning ( cli-instructions with 'RETURN' and Workbench
             instructions with 'LEFT M.B.' )
           - New handler version -> V1.4

R  V5.02   - Once again fine tuning.
             CLI PARAMETER CHECK recognizes TAB's now.
           - New handler version -> V1.5

R = released version

release date: 22.11.90

Berserker is now: 7892 bytes long. (not crunched!)

==============================================================================

==============================================================================

                         Berserker-Handler V1.5
                         ++++++++++++++++++++++

                    © Copyright 1990 by Ralf Thanner

   The code is entirely written in assembler for the Kuma Seka assembler

==============================================================================

REVISION HISTORY:
=================

   V1.0    - finds and destroys the two link-viruses 'Traveling Jack'
             and 'Centurion'.

R  V1.1    - reprogrammed the whole handler which is now absolutely
             system friendly.
             ( launch the handler and use XOPER to see what I mean! )
           - If you start 'Berserker-Handler', it prints its revision
             number.
           - Handler should be waterproof... ( I HOPE! )

R  V1.2    - improved 'Traveling Jack' searcher.
             -> now finds the mutant version.

   V1.3    - Removed a big bug ( was it my fault or COMMODORE's ??? )
             when the interrupt server was installed, all other servers
             running with same priority ( like the Imploder crunch bars
             or NoisePlayer's play routine ) didn't work.
             Changed priority to '-2'.
           - Also changed the check-rate.
             ( older versions checked every frame )

R  V1.4    - Bumped priority to '-126' since 'BAD' had a priority of
             '-60' which caused it to hang.

R  V1.5    - changed task priority.

R = released version

Berserker-Handler is now: 884 bytes long. ( don't crunch! )
                                            -------------

==============================================================================

WHAT DOES Berserker V DO?
=========================

Berserker is a viruskiller which was designed as a CLI-command.
It works with Kick 1.2, Kick 1.3, 512K and expansion RAM.

Berserker 5.0 consists of two files, 'Berserker' and 'Berserker-Handler'.
Copy 'Berserker-Handler' into the 'L:' directory if you wish to use the
permanent checker ( otherwise Berserker will not be able to launch the
handler ). The Handler needs about 4900 bytes of memory; that should be
worth it... ( four KB for the stack and one for the program )

Because of the big number of link viruses on the Amiga, I recommend
inserting the Berserker call as the third command in your
startup-sequence. ( the later the better... )

You can start Berserker V either from CLI or from Workbench.

WORKBENCH:
----------
Berserker opens a window and waits for your choice.

ALL OPTIONS SHOULD BE SELF-EXPLANATORY

CLI:
----
Berserker offers you following options:

   'Berserker ?' - instructions.
   'Berserker c' - clears the cold- & coolcapture
   'Berserker i' - to install the 'Berserker-Handler'
   'Berserker r' - to remove the Handler from memory

If you start Berserker V without any command it will start searching
through memory in order to kill these little bastards.
You can combine the options 'r' or 'i' and 'c'.

If Berserker finds a virus a Recoverable Alert appears, just click a
mousebutton to continue ( you will get to know the presence of a virus
even if the Berserker banner message has been redirected ).

If Berserker-Handler is installed and finds 'JACK' or 'CENTURION' a
Recoverable Alert appears, just click a mousebutton to continue.
I would recommend that you use 'BLVC' to check the file loaded just
before the alert appeared. BLVC 'heals' files infected by link-viruses.

LIBRARIES
=========

Berserker checks the following ones:

   - EXEC.LIBRARY
   - EXPANSION.LIBRARY
   - GRAPHICS.LIBRARY
   - LAYERS.LIBRARY
   - INTUITION.LIBRARY

Berserker checks these libraries in order to detect any illegal change.
Programs like 'SetPatch' use the systemcall 'SETFUNCTION' to change a
vector but no virus does. Consequently, Berserker compares the original
library checksum with its 'homebrewed' checksum and puts up an alert if
they differ.

                    -->> ANY CHANGE IS DETECTED. <<--

If Berserker shows its little alert with 'EXEC.LIBRARY' the chance that
your system has been infected by a new virus is very high!
Berserker does not repair a modified library. The function was added only
to give you an opportunity to recognize new viruses...

WHICH VIRUSES DOES Berserker KNOW?
==================================

1. SCA and all its mutant brothers and sisters
   -------------------------------------------
   This means AEK, LSD, WARHAWK, OBELISK, PENTAGON, BAMIGA SECTOR ONE....

2. Byte Bandit
   -----------
   No need for further discussion (or what do you think?).

3. Byte Warrior (DASA0.2)
   ----------------------
   Was the first virus with coded text, so you couldn't recognize it on
   the bootblock.

4. The Exterminator (LAMER!)
   -------------------------
   This one fills the tracks of a disk with 'LAMER!LAMER!LAMER!'.
   Exterminator is very tricky, if you try to examine the bootblock it
   will always look like a normal one.
   The new version should find all versions of the LAMER-EXTERMINATOR.
   (that's not true... what a shame)

5. The IRQ-Virus
   -------------
   This one is a link virus. It looks for the second program in the
   startup-sequence and tries to infect it. If this fails it will try to
   link itself to the DIR command.
   WARNING!!! Sometimes it also infects other programs.

   If a disk is write-protected -> look for REQUESTER

   Hint for programmers: the IRQ-virus' vector is OLDOPENLIBRARY(-408),
   therefore always use OPENLIBRARY(-552).
   Unfortunately the standard Aztec 'C' 3.2a - 5.0 crt0.a68 startup code
   makes a call to OldOpenLibrary() to get access to the dos.library.
   Time for a bug fix, Manx?

6. The BSG 9-Virus
   ---------------
   This one is a link virus. It looks for the first program in the
   startup-sequence and tries to infect it. It saves the modified file in
   the DEVS directory with spaces instead of a name.
   The virus itself is about 2608 bytes long and becomes visible after
   four or five resets; the screen turns black and a message appears:

      "     A COMPUTER VIRUS IS A DISEASE     "
      "     TERRORISM IS A TRANSGRESSION      "
      "      SOFTWARE PIRACY IS A CRIME       "
      "           THIS IS THE CURE            "
      "  BSG 9 BUNDESGRENZSCHUTZ SEKTION 9    "
      "         SONDERKOMMANDO 'EDV'          "

7. The Gadaffi-Virus
   -----------------
   This one is a mutant version of the old Byte Warrior. It copies itself
   on each disk and tries to play a sound with the disk drive motor after
   12 resets. Even though you might find the music funny, the drive will
   be of a different opinion (this may lead to serious hardware failures!).

8. The Disk-Doctor
   ---------------
   This one is a brand new one. It allocates 12 KBytes after each reset
   and ... to be honest, I didn't test what it also does because this one
   was very complicated -> before Disk-Doc I had never seen a Task, nor
   did I know what you can do with one. I'm lucky enough to be able to
   detect and kill it.
   ( By writing Memguard I got to know a lot more about tasks...)

9. The REVENGE BOOTLOADER
   ----------------------
   This one is just a normal virus with the ASCII text 'REVENGE
   BOOTLOADER' in it (not the smartest of ideas). It looks as if this one
   has no message in it; it only copies itself onto every disk inserted.
   This one is a virus of a new generation, it works with every kickstart
   and with fast-memory.

10. SYSTEM Z
    --------
    I wanted to add this one but a program which asks before it copies
    itself onto disk is not a virus in my eyes.

11. REVENGE
    -------
    This is an old one, which at the end of the boot code contains the
    following ASCII text: "REVENGEV1.2 COUNT:".
    I had to implement this one because Berserker III crashed when
    REVENGE was in memory.

12. TIMEBOMB
    --------
    ARGHHHH!! This one is NOT in memory. TIMEBOMB only tries to copy
    itself to the disk in DF1:. The next time you boot the other disk
    from DF1: TIMEBOMB fills the whole root track with random data from
    location $20000. After quite literally killing the disk it displays
    an alert with its stupid message.
    Berserker cannot find and kill this one since it is not in memory.
    Sorry!!!
    Special thanks for this virus must go to DATA BECKER. The asshole who
    wrote the virus took all routines out of AMIGA INTERN I.

13. XENO
    ----
    I can't tell you anything about this one (I never got it). I had to
    take the routine from STEVE TIBBET. Some of my friends own hard disk
    drives. S.T. says that the Xeno spread like wildfire and infected
    even hard disks. My friends were so frightened that, (AAARRGH!! it is
    very hard to say) I took the routine from VIRUSX4.0.

14. Disaster-Master V2
    ------------------
    This is a link virus which is 1740 bytes long and only infects disks
    with a startup-sequence. Disaster-Master is always found in the first
    line as 'CLS *' and in the 'C:' directory as the 'CLS' command.
    Be sure to examine both the startup-sequence script and the 'C:'
    directory if Berserker discovers that your system has been infected
    by DM V2. Funnily enough, if launched without the asterisk ('*') the
    CLI window is cleared. After a few (???) resets it puts up an alert
    and resets the computer.

15. CENTURION LINK VIRUS
    --------------------
    This new virus makes itself resident, changes DoIO & KickSum and is
    always located at $7f000 (some guys will - hopefully - never learn
    it). The virus itself is 3916 bytes long and tries to infect the
    programs listed in the startup-sequence (what else!).
    After a number of resets it changes the mouse pointer to a smiley
    with a tiny scrolling banner message in it.
    I heard that you can protect your commands in the startup-sequence
    with this little trick: change your command line from:
    'Berserker' to 'C/Berserker', etc.
    Keep away from programs like 'new LZ' or 'LHwarp V1.44'; they are
    fake and contain the virus.

    If a disk is write-protected -> look for REQUESTER

16. THE TRAVELING JACK
    ------------------
    You can wipe it out with a reset (that's at least what I guess from
    the code) and it changes the dos.library jump table (clever idea)!
    When installed it tries to write its 'VIRUS.xx' file to disk each
    time a program accesses the drive.
    Be careful: it tries to 'link' itself to anything!
    There are two different versions, a normal one and a mutant.
    Berserker wipes both from memory, but doesn't tell you whether it was
    the normal or the mutant version.

    If a disk is write-protected -> look for REQUESTER

REQUESTER
=========

If a disk is write-protected the virus always brings up a standard DOS
Autorequester like this:

   +System Request ==================##|##+
   |                                      |
   | Volume                               |
   |  - Disk name -                       |
   | is write protected                   |
   |                                      |
   | +-----+                     +------+ |
   | |RETRY|                     |CANCEL| |
   | +-----+                     +------+ |
   +--------------------------------------*  <- 'OLSEN' is not a good
                                                painter..

ADDITIONAL REMARKS
==================

Special thanks go to my friends:

   Olaf B.        for testing and ideas & help
   Michael V.     for utis, viruses and testing
   Henning L.     for being a helpful coder
   Thorsten H.    for tips and help

   Erik L0vendahl S0rensen, watch out for the next version....

                        «» DON'T RESOURCE! «»

Olsen: Berserker was written using the well known Kuma Seka Assembler.
       As an American user you might have never heard or seen anything
       of it. Kuma did it the British way: Seka does neither generate
       ALink compatible linker object files, nor does it apply to the
       de facto Metacomco MASM (see Developers' toolkit) standard.
       For this reason your CAPE, MASM, ASM or AS will probably refuse
       to re-assemble the source code. Calls like "MOVE 4.W A6" will
       have to be replaced by something like "MOVE 4,A6".

Ralf:  I love my SEKA and I use calls like 'MOVE 4.w,a6' for speed,
       you C-FREAK!

SORRY TO ALL THE FOLKS WHO WROTE ME A LETTER AND I DIDN'T ANSWER THEM!!!
I WILL ANSWER THEM EVEN IF THEY ARE ONE YEAR OLD... I'M SO LAZY...

=============================== Berserker ==================================

IMPORTANT NOTICE:

This program is (c) Copyright by Ralf Thanner, but can be FREELY
DISTRIBUTED, providing that the following rules are respected.

- No change is made to the program nor to the accompanying documentation.

- Every form of distribution is allowed and encouraged, but no fee can be
  charged for this program except for, possibly, the cost of magnetic
  media.

- The package is always distributed in its complete form consisting of
  4 files: 'Berserker', 'Berserker-Handler', 'Berserker.Doc' and
  'Berserker.S'.

By copying, distributing and/or using the program you indicate your
acceptance of the above rules.

==============================================================================
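
ADDED EXAMPLE: LIBRARY VECTOR CHECK

The check described under LIBRARIES, shown as a portable C simulation that
is added here and is not taken from Berserker.S. The offsets -408 and -552
come from the IRQ-virus hint above; the rotate-and-add checksum, the table
size, the addresses and all function names are assumptions made for the
example, and naming the changed vector goes beyond what Berserker does (it
only raises the alert).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LVO_SIZE 6    /* one vector: opcode 0x4EF9 (JMP abs.l) + 32-bit target */
#define NUM_LVOS 100  /* constructed table covering offsets -6 .. -600 */
/* Simulated jump table: slot i holds the vector at library offset -(i+1)*6. */
typedef struct { uint8_t bytes[NUM_LVOS * LVO_SIZE]; } jump_table;

/* Store a big-endian JMP entry at a negative library vector offset (LVO). */
void set_vector(jump_table *t, int lvo, uint32_t target) {
    uint8_t *p = t->bytes + ((size_t)(-lvo) / LVO_SIZE - 1) * LVO_SIZE;
    p[0] = 0x4E; p[1] = 0xF9;
    p[2] = (uint8_t)(target >> 24); p[3] = (uint8_t)(target >> 16);
    p[4] = (uint8_t)(target >> 8);  p[5] = (uint8_t)target;
}

/* Fill the table with constructed targets (not real Kickstart addresses). */
void init_table(jump_table *t) {
    for (int i = 0; i < NUM_LVOS; i++)
        set_vector(t, -(i + 1) * LVO_SIZE, 0x00FC0000u + (uint32_t)i * 0x20u);
}

/* Rotate-and-add sum over 16-bit words; an assumed algorithm, since the page
   does not say how Berserker computes its own checksum. */
uint32_t table_checksum(const jump_table *t) {
    uint32_t sum = 0;
    for (size_t i = 0; i < sizeof t->bytes; i += 2)
        sum = ((sum << 1) | (sum >> 31))
            + (((uint32_t)t->bytes[i] << 8) | t->bytes[i + 1]);
    return sum;
}

/* 0 if the live table matches the recorded sum, else the first changed offset. */
int check_library(const jump_table *base, uint32_t base_sum, const jump_table *live) {
    if (table_checksum(live) == base_sum) return 0;
    for (int i = 0; i < NUM_LVOS; i++)
        if (memcmp(base->bytes + i * LVO_SIZE, live->bytes + i * LVO_SIZE, LVO_SIZE))
            return -(i + 1) * LVO_SIZE;
    return 0;
}

int main(void) {
    jump_table base, live;
    init_table(&base); live = base;
    uint32_t sum = table_checksum(&base);
    set_vector(&live, -408, 0x00040000u); /* constructed hook on OldOpenLibrary */
    printf("changed vector offset: %d\n", check_library(&base, sum, &live));
    return 0;
}
```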