From rusmv1!ira.uka.de!yale.edu!qt.cs.utexas.edu!cs.utexas.edu!uunet!mcsun!uknet!ukc!acorn!aglover Mon Oct 21 12:57:26 MET 1991 Article: 2303 of comp.sys.acorn Path: rusmv1!ira.uka.de!yale.edu!qt.cs.utexas.edu!cs.utexas.edu!uunet!mcsun!uknet!ukc!acorn!aglover From: aglover@acorn.co.uk (Alan Glover) Newsgroups: comp.sys.acorn Subject: Re: Icon Virus Message-ID: <10455@acorn.co.uk> Date: 18 Oct 91 09:02:06 GMT References: <3254@m1.cs.man.ac.uk> Sender: aglover@acorn.co.uk Distribution: comp Organization: Acorn Computers Ltd, Cambridge, England Lines: 90 Here's info on all the viruses I've come across so far. Mail me if you can add to the list. Alan .... Viruses A number of viruses have become known within the Acorn world and staff at Acorn have been investigating how we may best help developers in this area. The following information may be used as a guideline. The Known Viruses 1) Extend This lives in applications, using one of eight possible names. It modifies/creates a !Boot file to load itself. Apart from claiming more and more memory (eventually causing the system to run out of memory) it is harmless, but very contagious. Quick Check : Press and type 'help extend' - a message of the form 'Module is...' indicates that it's loaded. 2) Icon (also known as Filer) There are a number of variants of this around - two have been encountered already. Both use !Boot files to propagate. One variant does nothing apart from spread itself. The other generates a nonsensical error message when it is first loaded. Quick Check : a file called Icon inside an application which is filetyped as a sprite, but is actually BASIC. 3) FF8 (also known as ArchieVirus) This is by far the oldest virus, but various bugs in its coding make the chances of it successfully infecting other programs quite small. Unlike the other viruses discussed here, it works by merging itself with files typed FF8 (Absolute). On the 13th of the month, any infected application will fail to run, giving the message 'Archievirus strikes again'. Quick Check : Load a file into !Edit, and look for '1210' at the end of the file (though 'Hypo1210' indicates an innoculation instead). 4) RISCOSext (also known as Thanatos) This is by far the worst of the viruses discussed here. It has various nasty things on particular dates, with a random chance of something happening at any time. Any outbreaks of this virus should be treated rapidly to avoid any chance of data loss. Quick Check : Look in the Task Manager display for 'Thanatos'. 5) DataDQM (also known as VigayVirus) This one causes the screen to judder an increasing amount during each Thursday. Quick Check : An application called 'TaskManager' - not to be confused with the real 'Task Manager' which will appear in the list of module tasks. 6) CeBit Aside from infecting applications (via the !Boot file as usual) it will stop proceedings on every 16th infection to display a message from 'Devil, The Lord of Darkness'. This virus was discovered in Germany, and is not thought to have spread to the UK yet. Quick Check : press , then 'help tlodmod'. A message of the form 'Module is...' shows that it is loaded. 7) MyMod This is a harmless virus, which will display a message on each Friday 13th. It can exist in two forms, the first being the trojan used initially to release it, and the second being the form in which it infects applications. Quick Check : press then 'help mymod'. A message of the form 'Module is...' shows that it is loaded. -------------------------------------------------------------------------- aglover@acorn.co.uk - Moderator of comp.binaries.acorn/comp.sources.acorn Mail submissions to submit@acorn.co.uk, other mail to moderator@acorn.co.uk