!VKiller/Docs/ArchieDoc

This website contains an archive of files for the Acorn Electron, BBC Micro, Acorn Archimedes, Commodore 16 and Commodore 64 computers, which Dominic Ford has rescued from his private collection of floppy disks and cassettes.

Some of these files were originally commercial releases in the 1980s and 1990s, but they are now widely available online. I assume that copyright over them is no longer being asserted. If you own the copyright and would like files to be removed, please contact me.

Tape/disk: Home » Archimedes archive » Micro User » MU 1991-12.adf
Filename: !VKiller/Docs/ArchieDoc
Read OK:
File size: 13D7 bytes
Load address: FFFFFF43
Exec address: 1D6DFC0E
File contents
This is a very detailed (although stopping short of a disassembly, of course)
description of ArchieVirus. It is strongly recommended reading, if only to
give you a better understanding of how the virus operates.

ArchieVirus technical information
---------------------------------

This is a piece of ARM code that is appended to executables with the Absolute
(&FF8) filetype. It is 920 (&398) bytes long and has a tell-tale 4-character
string at the end of its code, "1210", which is used as an "already-infected"
flag. The first instruction of the original executable is saved near the end
of the virus code space and is replaced by a branch to the first instruction
of the ArchieVirus code.

Here's a complete run-down of what ArchieVirus does when first run:

1. Attempts to infect executables (Absolute filetype) with the filespecs "@.*"
   and "%.*". In other words, all executables in the current and library
   directory are attacked.

2. Uses OS_File 36 as a "semaphore" to see if it is lodged in RMA. If a call
   to OS_File 36 returns with an error, then it hasn't infected the RMA yet,
   so it proceeds to claim 920 bytes of RMA, copy itself there and point a
   claim of the OS_File vector at its new RMA location.
   NOTE: A *RMTidy command effectively releases this OS_File claim and is
         an easy manual way of removing ArchieVirus from the RMA.

3. The time is checked to see if it is the 13th of the month. If so, the
   code loops indefinitely, displaying the 45-character message:
   
   Hehe...ArchieVirus strikes again...

   Since there is no linefeed present, this will fill the screen with a fast
   scrolling blur :-) Obviously, Shift-Ctrl will allow mere humans to read it.
   Interestingly, this is the only place that the virus name, ArchieVirus,
   is found and this is tricky to spot because it is EORed with &64.

4. Assuming it wasn't the 13th of the month (and NO, it doesn't check for a
   Friday!), the original first instruction of the executable is restored
   and the original code continues from &8000 onwards.

The OS_File vector claim is quite important, because this serves two purposes:

a. It allows OS_File 36 to return without an error, signalling that the RMA
   is already infected.

b. It checks for OS_File calls 0 and 10 (save memory to file), 11 (create
   empty file) and 12, 14, 16 and 255 (load file). If any of these are
   encountered then an infection attack is activated (see step 1 above).

ArchieVirus Decrement Count
---------------------------

Yet again, this is a virus that has a strange way of keeping track of
infections. A count is DECREMENTED after a successful infection, which is
strange indeed. It's as if the author was considering a "limiter" in the code
(when count = 0, don't infect anymore), but decided not to include one at the
last minute. Of course, it could just be a warped mind - only the author knows
the original value of the count, so a simple subtraction will give ONLY HIM the
number of infections. By the way, the copy of ArchieVirus I have has its
decrement count at 1 in case you're interested. VKiller will display this
Decrement Count when the ArchieVirus is detected.

Possibly serious problems with ArchieVirus
------------------------------------------

The version of ArchieVirus I was given has a constant &A718 at offset &20
from the start of the ArchieVirus code. This constant is *supposed* to
indicate the start address of the ArchieVirus code + 12. However, this
constant NEVER changes and the code incorrectly uses it for a copy reference
point when duplicating itself into RMA. Hence, any calls to OS_File once this
faulty ArchieVirus code is installed will cause an "Address exception" or
"Undefined instruction" error depending on what rubbish has been copied into
the RMA.

Ironically, I have patched one instruction in my own personal copy of
ArchieVirus to use a relative address and the code is now stable and no longer
crashes :-) I have done this because I suspect the original author of
ArchieVirus may have spotted the bug and patched the code in a similar way to me.

As is very typical with many viruses, the ArchieVirus code does very little
file error checking and frequently reports "Not open for update" if the file
is locked or the disk is write-protected whilst attempting an infection.

ArchieVirus Inoculation
-----------------------

The 4 character ASCII string "1210" at the end of the executable is checked
for existence by ArchieVirus to decide if it has infected the executable yet.

It is therefore easy to inoculate against ArchieVirus in two steps:
1) Replace the first instruction of the original executable with the copy
   held in the virus code area and
2) Remove the 920 bytes of virus code and replace it with the 8 character
   string "Hypo1210" (this was the string originally used by Hugo Fiennes'
   "Hypothermic" inoculator so I've decided to stick with his convention).

Hence, the executable will shrink back in size to only 8 bytes longer than
its original length and will have been inoculated too.
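
A scanner built from the markers this document describes, added here as an example (it is not VKiller's code): it classifies a raw Absolute file image as infected, inoculated, flag-only or unmarked, and decodes the EORed message. It assumes the virus body is the final 920 bytes of the file and that the patched branch lands somewhere inside that body; the sample images are constructed and contain only the markers, no virus code.

```python
import struct

VIRUS_LEN = 920            # &398 bytes of appended code (from the page)
INFECT_FLAG = b"1210"      # "already-infected" flag that ends the virus code
INOC_TAG = b"Hypo1210"     # 8-byte inoculation string (from the page)
XOR_KEY = 0x64             # the payload message is EORed with &64
NAME_XOR = bytes(c ^ XOR_KEY for c in b"ArchieVirus")


def branch_target(word):
    """File offset that an ARM B placed at offset 0 jumps to, else None."""
    if (word >> 24) & 0x0F != 0x0A:      # bits 27..24 == 1010 encode B
        return None
    imm = word & 0x00FFFFFF
    if imm & 0x800000:                   # sign-extend the 24-bit word offset
        imm -= 0x1000000
    return 8 + (imm << 2)                # PC reads 8 bytes ahead


def decode_message(region):
    """Undo the EOR and return the printable run around the virus name."""
    pos = region.find(NAME_XOR)
    if pos < 0:
        return None
    plain = bytes(b ^ XOR_KEY for b in region)
    start, end = pos, pos + len(NAME_XOR)
    while start > 0 and 32 <= plain[start - 1] < 127:
        start -= 1
    while end < len(plain) and 32 <= plain[end] < 127:
        end += 1
    return plain[start:end].decode("ascii")


def classify(image):
    """Return (verdict, details) for the raw bytes of an Absolute file."""
    if image.endswith(INOC_TAG):
        return "inoculated", {}
    if len(image) < VIRUS_LEN + 4 or not image.endswith(INFECT_FLAG):
        return "no-marker", {}
    virus_start = len(image) - VIRUS_LEN   # assumption: body is the last 920 bytes
    (first,) = struct.unpack_from("<I", image, 0)
    target = branch_target(first)
    details = {
        "virus_start": virus_start,
        # assumption: the patched branch lands somewhere inside the body
        "entry_hooked": target is not None and virus_start <= target < len(image),
        "message": decode_message(image[virus_start:]),
    }
    # The flag alone is weak evidence; require the hooked entry point as well.
    return ("infected" if details["entry_hooked"] else "marker-only"), details


def make_samples():
    """Constructed images: markers only, no virus code."""
    # Arbitrary ARM words standing in for a host program.
    host = struct.pack("<4I", 0xE3A00000, 0xE1A00000, 0xE1A00000, 0xE1A0F00E)
    body = bytearray(b"\xff" * VIRUS_LEN)
    msg = bytes(c ^ XOR_KEY for c in b"Hehe...ArchieVirus strikes again...")
    body[0x100:0x100 + len(msg)] = msg
    body[-4:] = INFECT_FLAG
    branch = 0xEA000000 | (((len(host) - 8) >> 2) & 0xFFFFFF)  # B virus_start
    return {
        "clean": host,
        "infected": struct.pack("<I", branch) + host[4:] + bytes(body),
        "flag_only": host + bytes(body),
        "inoculated": host + INOC_TAG,
    }


if __name__ == "__main__":
    for name, image in make_samples().items():
        print(name, classify(image))
```

On a real sample the decoded run may include neighbouring bytes that happen to be printable after the EOR, so treat the message as supporting evidence rather than an exact match.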