Short:        Ancient Virus Killer with Source
Author:       Ralf Thanner
Uploader:     aminet aminet net
Type:         util/virus
Version:      4.1
Architecture: m68k-amigaos

Berserker V4.1 (1990)
=====================

- works ONLY with Kick 1.2/1.3/2.0
- the Centurion Link Virus is the Smile Cancer

Regards, anonymous

**************************************************************************
*
*       B E R S E R K E R   IV.1
*       -----------------------
*
*       (c) Copyright 1988, 1989, 1990 by Ralf Thanner
*
*       This code is entirely written in assembler for the Kuma Seka assembler
*
*       Executable program and source code are both in the PUBLIC-DOMAIN!
*
*       A small copy fee for Berserker is okay, but anything which looks like
*       commercial redistribution is forbidden (remember that!).
*
**************************************************************************
*
*       REVISION HISTORY:
*       =================
*
*    R  V1.0     - Just a primitive SCA finder and killer.
*
*    R  V1.c     - Added Byte Bandit & Byte Warrior killer.
*                - Improved SCA & SCA mutants killer routine.
*                  -> OBELISK, AEK, LSD, PENTAGON, BAMIGA SECTOR ONE,
*                     WARHAWK, MICROMASTER & NORTHSTAR...
*
*    R  V2.b     - Now also finds the Exterminator (LAMER).
*
*    R  V2.d     - Now finds the first link virus (IRQ TEAM 41).
*
*       V2.e     - Added alert box. Idea by Olaf Barthel.
*                - Some cleanups and bug-fixes done.
*
*    R  V2.e+    - Doesn't refuse to work with Kick 1.3 any more.
*                - Added custom bootblock writer.
*                - Added kill cold-cool vectors;
*                  There are just too many SCA clones on the market
*                  and it is safer to clear these pointers.
*
*    R  V3.0     - Now also finds the BSG 9 link virus.
*                - Second (and final?) code cleanup for public
*                  release (YEAH!!!).
*                - Removed the custom bootblock writer, too many guys
*                  thought Berserker to be some kind of virus in
*                  disguise.
*
*    R  V3.0+    - Extended to find Gaddafi and Disk-Doctor viruses.
*
*       V3.1     - Extended to find the REVENGE BOOTLOADER virus.
*                  -> THIS IS A NEW ONE!!!
*                - Bug-fix in EXTERMINATOR routine done.
*                  -> should now find ALL lamer versions.... (does not!)
*                - Code cleanup (added some sub-routines).
*
*       V3.2     - Extended to find REVENGE (is an old one, but some
*                  nice guys told me, that berserker should also find
*                  the old ones....and because BERSERKER crashed when
*                  memory was infiltrated by REVENGE )
*
*       V3.2b    - Shortening, speeding up & cleaning the code.
*                  ( and berserker still works.... )
*
*    R  V3.39c+  - JOKE....
*
*       V3.5     - Added Xeno 'killer' routine by STEVE TIBBET.
*
*       V4.0     - Added a more user-friendly Cli-Interface and the
*                  possibility to start BERSERKER from workbench.
*
*    R  V4.0a    - WHAAA, what a pity: forgot to reply message..
*                  Bug now fixed... Thanks to Olaf for this hint.
*                - Shortened and improved code again.
*
*       V4.0b    - Throw the 'led switch off' out.
*                - Made the cold/cool capture killer optional.
*                  Hello Martin, yes -> only for you....
*                - Shortened and improved code again & again.....
*
*    R  V4.0c    - AARGH!! A new file virus -> Disaster Master V2
*
*    R  V4.0d    - CENTURION LINK VIRUS killer implemented
*                - Implemented a resident library checker.
*                - From now on the source contains only the
*                  'virus-killing-part'.
*
*    R  V4.1     - these fucking assholes... in the last two weeks
*                  I got three new file/link viruses, and this is
*                  even one of the best programmed viruses I ever
*                  saw: The Traveling JACK.... but which chance has
*                  a 'Traveling Jack' against a BERSERKER??? none...
*                - OLSEN found out that 'BERSERKER' crashed on
*                  KICK 2.0.. checks now kick version.
*                - OKI DOKI.. from now on source contains everything..
*                  (some people didn't like it the other way)
*                - removed 'math.lib' check... a virus in math.lib?? NAAA..
*
*    R = released version
*
*    BERSERKER is now: 6920 bytes long. (not crunched!)
*
**************************************************************************


WHAT DOES BERSERKER IV DO?
==========================

Berserker is a viruskiller which was designed as a CLI-command.
It works with Kick 1.2, Kick 1.3, 512K and expansion RAM.
Because of the big number of link viruses on the Amiga, I recommend
inserting the Berserker call as the third command in your
startup-sequence. (the later the better)

You can start BERSERKER IV either from CLI or from Workbench.

WORKBENCH:
----------
Berserker opens a window and waits for your choice.
You can choose between:

    '?' - short instructions.
    'C' - for checking your memory.
    'Q' - for quitting.

CLI:
----
Berserker offers you the following options:

    'berserker ?' - longer instructions.
    'berserker c' - clears the cold- & coolcapture

If you start BERSERKER IV without any command it will start searching
through memory in order to kill these little bastards.

If Berserker finds a virus a Recoverable Alert appears, just click a
mousebutton to continue (this was added due to the possibility that the
Berserker banner message might have been redirected, the chance to know
about a virus in the system won't be wasted this way).


LIBRARIES
=========

BERSERKER checks the following ones:

    - EXEC.LIBRARY
    - EXPANSION.LIBRARY
    - GRAPHICS.LIBRARY
    - LAYERS.LIBRARY
    - INTUITION.LIBRARY
    - DOS.LIBRARY

Berserker checks these libraries in order to detect any illegal change.
Programs like 'SetPatch' use the systemcall 'SETFUNCTION' to change a
vector but no virus does. Therefore BERSERKER compares the original
library checksum with its self-made checksum and ZAPA DAPA DOO...

        -->> ANY CHANGE IS DETECTED. <<--

If BERSERKER shows his little alert with 'EXEC.LIBRARY' or 'DOS.LIBRARY'
the chance of being infected by a new virus is very high!
BERSERKER does not repair a changed library, this function was only
implemented to give you a higher chance of recognizing new viruses....


WHICH VIRUSES DOES BERSERKER KNOW?
==================================

1.  SCA and all its mutant brothers and sisters
    -------------------------------------------
    This means AEK, LSD, WARHAWK, OBELISK, PENTAGON, BAMIGA SECTOR ONE....

2.  Byte Bandit
    -----------
    No need for further discussion (or what do you think?).

3.  Byte Warrior (DASA0.2)
    ----------------------
    Was the first virus with coded text, so you couldn't recognize
    it on the bootblock.

4.  The Exterminator (LAMER!) ALL VERSIONS / CODED OR NOT
    --------------------------------------------------------
    This one fills the tracks of a disk with 'LAMER!LAMER!LAMER!'.
    Exterminator is very tricky, if you try to examine the bootblock
    it will always look like a normal one.
    The new version should find all versions of the LAMER-EXTERMINATOR.

5.  The IRQ-Virus
    -------------
    This one is a link virus. It looks for the second program in the
    startup-sequence and tries to infect it. If this fails it will try
    to link itself to the DIR command.
    WARNING!!! Sometimes it also infects other programs.
    If a disk is write-protected -> REQUESTER

    Hint for programmers: the IRQ-virus' vector is OLDOPENLIBRARY(-408),
    therefore always use OPENLIBRARY(-552). Unfortunately the standard
    Aztec 'C' 3.2a - 3.6a crt0.a68 startup code makes a call to
    OldOpenLibrary() to get access to the dos.library.
    Time for a bug fix, Manx?

6.  The BSG 9-Virus
    ---------------
    This one is a link virus. It looks for the first program in the
    startup-sequence and tries to infect it. It saves the modified file
    in the DEVS directory with spaces instead of a name.
    The virus itself is about 2608 bytes long and becomes visible after
    four or five resets; the screen turns black and a message appears:

        " A COMPUTER VIRUS IS A DISEASE "
        " TERRORISM IS A TRANSGRESSION "
        " SOFTWARE PIRACY IS A CRIME "
        " THIS IS THE CURE "
        " BSG 9 BUNDESGRENZSCHUTZ SEKTION 9 "
        " SONDERKOMMANDO 'EDV' "

    HERE COMES THE MIDNIGHT MANIAC & MAYDAY VIRUS HAHA PARADOX RULEZ !!

7.  The Gadaffi-Virus
    -----------------
    This one is a mutant version of the old Byte Warrior. It copies
    itself on each disk and tries to play a sound with the disk drive
    motor after 12 resets. Even though you might find the music funny,
    the drive will be of a different opinion (this may lead to serious
    hardware failures!).

8.  The Disk-Doctor
    ---------------
    This one is a brand new one. It allocates 12 KBytes after each reset
    and ... to be honest, I didn't test what it also does because this
    one was very complicated -> before Disk-Doc I had never seen a Task,
    nor did I know what you can do with one. I'm lucky enough to be able
    to detect and kill it.
    ( After writing memguard I know a lot more about tasks...)

9.  The REVENGE BOOTLOADER
    ----------------------
    This one is just a normal virus with the ASCII text
    'REVENGE BOOTLOADER' in it. Not a very smart idea.....
    It looks as if this one has no message in it, he only copies
    himself onto every inserted disk. This one is a virus of a new
    generation, it works with every kickstart and with fast-mem.
    Nevertheless no chance against BERSERKER....

10. SYSTEM Z
    --------
    I wanted to add this one but a program which asks before it copies
    itself onto disk is not a virus in my eyes.

11. REVENGE
    -------
    This is an old one, which contains at the end in the boot the
    following ASCII text: "REVENGEV1.2 COUNT:"
    I had to implement this one because BERSERKER III crashed when
    REVENGE was in memory.

12. TIMEBOMB
    --------
    ARGHHHH!! This one is NOT in memory. TIMEBOMB only tries to copy
    itself to the disk in DF1:. The next time you boot the other disk
    from DF1: TIMEBOMB fills the whole root track with stuff from
    location $20000. After killing that disk it displays an alert with
    its stupid message.
    BERSERKER cannot find and kill this one coz it's not in memory.
    Sorry!!
    Special thanks for this virus must go to DATA BECKER. The asshole
    who wrote the virus took all routines out of AMIGA INTERN I.

13. XENO
    ----
    I can tell you nothing about this one, because I never got one..
    Therefore I had to take the routine from STEVE TIBBET, the only
    reason I did it are my friends. Some of them have a harddisk and
    S.T. says that the Xeno spreads like wildfire and infects even
    hard disks. They were so frightened that, (AAARRGH!! it is very hard
    to speak out) I took the routine from VIRUSX4.0.

14. Disaster-Master V2
    ------------------
    This is a new File virus. He is 1740 bytes long and he only infects
    disks with a startup-sequence. In the startup-seq. Disaster-Master
    is always found in first place as 'CLS *' and in the 'C' DIR as 'CLS'.
    When BERSERKER tells you that you are infected with DM V2 look into
    the s/start... and into the 'C' dir and delete this bastard.
    The funny thing is that he really clears the screen........
    After a few (???) resets he starts an alert with his stupid message
    and resets the AMIGA.

15. CENTURION LINK VIRUS
    --------------------
    This new virus makes himself resident, changes the DOIO & KICKSUM.
    He is ALWAYS located at $7f000. (thanx god!)
    Virus is 3916 bytes long and tries to infect the programs in the
    startup-sequence (what else!). After XX resets he changes the
    mousepointer to a smiley with a little scroller in it.
    I heard that you can protect your commands in the startup-seq. with
    this little trick. Change your command line from:
    'BERSERKER' to 'C/BERSERKER'.
    Keep away from programs like 'new LZ' or 'LHwarp V1.44'.
    These versions are FAKE. They have the virus built in.
    If a disk is write-protected -> REQUESTER

16. THE TRAVELING JACK
    ------------------
    You can wipe him out with a reset.. (I think so...)
    He changes the dos.lib jump tab.. (clever idea!)
    When he is installed, he tries to write his 'VIRUS.xx' file to the
    disk. Each time a program accesses the drive he writes his stupid
    text. Be careful, he tries to 'link' everything...
    If a disk is write-protected -> REQUESTER


REQUESTER
=========

If a disk is write-protected the virus always brings up a standard DOS
Autorequester like this:

    +System Request ==================##|##+
    |                                      |
    |  Volume                              |
    |  - Disk name -                       |
    |  is write protected                  |
    |                                      |
    |  +-----+                  +------+   |
    |  |RETRY|                  |CANCEL|   |
    |  +-----+                  +------+   |
    +--------------------------------------*


ADDITIONAL REMARKS
==================

Special thanks go to:

    Olaf B.      for testing and ideas
    Michael V.   for utis, viruses and testing
    Henning L.   for being one of the BEST assembler freaks
    Thorsten H.  for also being one of the BEST
    Gunnar L.    for being a friend and good programmer
    Martha       for leaving me after two years...

Olsen:  Berserker was written using the well known Kuma Seka Assembler.
        As an American user you might have never heard or seen anything
        of it. Kuma did it the British way: Seka does neither generate
        ALink compatible linker object files, nor does it apply to the
        de facto Metacomco MASM (see Developers' toolkit) standard.
        For this reason your CAPE, MASM, ASM or AS will probably refuse
        to re-assemble the source code. Calls like "MOVE 4.W A6" will
        have to be replaced by something like "MOVE 4,A6".
        Don't wonder if the executable program becomes longer than the
        supplied Berserker file: it has been compressed using a
        brilliant object file packer called "Powerpacker".
        Berserker is NOT a virus, this IS a guarantee.

Ralf:   I love my SEKA and I use calls like 'MOVE 4.w,a6' for speed,
        you C-FREAK!

P.a.V. (Programmers against Viruses)

SORRY TO ALL THE FOLKS WHO WROTE ME A LETTER AND I DIDN'T ANSWER THEM!!!
I WILL ANSWER THEM EVEN IF THEY ARE ONE YEAR OLD... I'M SO LAZY........

MY BEST REGARDS GO TO STEVE TIBBET & FRED FISH!
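

The check described under LIBRARIES, sketched as an added C example (not Berserker's code, which is m68k assembler): a direct write into a jump table leaves the recorded checksum stale, while a SetFunction-style patch refreshes it. The struct layout, the additive 16-bit sum and every address are assumptions made for this model.

```c
/* Added illustration, not Berserker's code: a model of the jump-table check.
   Struct layout and the additive 16-bit sum are assumptions. */
#include <stdint.h>
#include <stdio.h>

#define NVEC 4              /* constructed: a library with four vectors */
#define JMP_ABS 0x4EF9u     /* m68k opcode word for JMP (xxx).L */

struct model_lib {
    uint16_t jump[NVEC][3]; /* per vector: opcode + 32-bit target as two words */
    uint32_t stored_sum;    /* checksum recorded by the system */
};

static uint32_t sum_table(const struct model_lib *l) {
    uint32_t s = 0;
    for (int i = 0; i < NVEC; i++)
        for (int w = 0; w < 3; w++)
            s += l->jump[i][w];
    return s;
}
/* Direct write into the table: the stored checksum is left stale. */
static void poke_vector(struct model_lib *l, int i, uint32_t target) {
    l->jump[i][0] = JMP_ABS;
    l->jump[i][1] = (uint16_t)(target >> 16);
    l->jump[i][2] = (uint16_t)(target & 0xFFFFu);
}
/* SetFunction-style patch: change the vector and refresh the stored sum. */
static void set_function(struct model_lib *l, int i, uint32_t target) {
    poke_vector(l, i, target);
    l->stored_sum = sum_table(l);
}
/* The check: 1 if the table no longer matches the recorded checksum. */
static int library_changed(const struct model_lib *l) {
    return sum_table(l) != l->stored_sum;
}
static void init_lib(struct model_lib *l) {
    for (int i = 0; i < NVEC; i++)   /* constructed ROM-like targets */
        poke_vector(l, i, 0x00FC0000u + 0x100u * (uint32_t)i);
    l->stored_sum = sum_table(l);
}

int main(void) {
    struct model_lib lib;
    init_lib(&lib);
    set_function(&lib, 1, 0x00201000u);  /* constructed: legitimate patch */
    printf("after SetFunction-style patch: %d\n", library_changed(&lib));
    poke_vector(&lib, 2, 0x00202000u);   /* constructed: direct write */
    printf("after direct write: %d\n", library_changed(&lib));
    return 0;
}
```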