Happy New Year 96 Virus

  • Thread starter: Storm
  • Replies: 15
  • Views: 6218

Storm

Hiya all, have a real good one for you now :blink:

All the dramas I've been having have been because I've had the Happy New Year Virus 96. I used VirusZ and KillHappy from Aminet to get rid of it. Only it keeps coming back!! I have VirusZ run at startup through user-startup so once that loads it kills it from memory.

Files that are loaded prior to VirusZ get infected with the virus. I cleaned these files and they checked 100% clean and I changed the attributes so deletable and writeable were unchecked, which now makes it so these files can't be infected. It seems to work as my system is 100% virus free and everything is working like a charm. Except, VirusZ on bootup always finds the virus in memory, so it's like I have it in a cage but can't get rid of it 100% yet.

I booted with no startup-sequence and ran KillHappy and there were no infections. I ran the assign command and immediately it became infected, as did any other file I executed. My question now is, where is the virus hiding? I can't completely stomp it out :censored:
 
If you want to be sure, you need to make a bootable floppy with your AV software on it, created using a different (uninfected) Amiga. Write-protect the disk and cold-boot your Amiga from it (i.e. power it off for a whole minute before booting), run your AV stuff from that disk, and clean your main system image that way.
 
That sounds a really mad idea, but did you check both KillHappy and VirusZ (with another clean VirusZ)? I mean the executables. There's a possibility that they got infected too.
 
It's hiding on the thing you booted off. You need to make sure you have removed it from both memory and the disk, sometimes easier said than done, especially if multiple disks have become infected.
 
Okay so far have used clean versions of Virus Executor, Kill Happy and Virus Z made up on my clean A500+

Straight away they find the virus in memory but all the files check clean. I have a disk with KillHappy only on it and boot the A4000 after being off for 5 minutes with no startup-sequence, put the write protected disk in and do a file scan - no infected files but if I run something like WatchDog (made by the folks that produced the Mills virus scanner) it reports the virus is in memory again.

Somehow the virus is in memory straight away waiting to infect the system. I didn't think this could hide on the hard drive's boot sectors or anywhere else on the Amiga. This has got me really stumped. At least I have got it so it doesn't spread or infect files.
 
I can't imagine why annoying people ever write these viruses. They will have some explanation to give at the pearly gates.

I know this sort of thing would drive me up the wall, how did your computer get infected, via files you were transferring from the internet?
 
I am not sure how or when it got infected, just one of many mysteries I have left unsolved [cue mysterious music]

As for people that write these damn annoying things - execute them I say lol :D

 
Have you got a Kickflash or something like it fitted?

Dave G :cool:
 
Nope nothing like that. I just have AmigaOS 3.9 and BB3 on a normal IDE harddrive.

Update: I have a workbench disk with WatchDog on it. If I boot that disk with the hard drives disabled in the boot menu there is no virus in memory. However, if I have DH0: enabled then the act of putting the DH0: icon on the workbench screen invokes the virus to memory. I think the missing part to the puzzle is what is loaded to display the hard drive in workbench when booted from a floppy.

Something new I've noticed, it won't commit itself to memory when SnoopDos is running! As soon as you quit though, there it is in memory. Weird.

 
Status: Beaten!

Well after figuring part of the virus must be in the RDB I downloaded RDBSalv so I could read the RDB backup with a hex editor and found a reference to the virus there. I updated the file system with HDTools with the L:FastFileSystem file (45.16) and now the system reboots without setting WatchDog off to virus activity.

Still testing and checking to make sure this is a permanent thing :coffee:
 
Just shows you how sneaky those viruses can be and sometimes how clever/ingenious their creators are. Just wish they would do something else than viruses, but hey ho, it's all part of computers in the real world, so it's best to know the signs and how to do the best/easiest cure. With viruses I find prevention is better than the cure usually, but it depends on the risk assessment at the time.

I suggest you run a virus checker on every disk you've got or intend to use.
 
So true CosmicFrog!!
I have installed three different virus scanners now and always have WatchDog running. I am in the process of scanning absolutely everything to make sure it's gone as it was nasty. I reckon it was a different version of the virus as tools that were reported to work didn't clear it entirely. I finally had to hex edit the RDB backup to rid the last references to the virus and restore it, which was a pretty risky move but nevertheless worked.
I guess I was slack with virus protection because of it being a retro platform. Not anymore!!
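
Storm's two posts above trace the reinfection to the RDB and describe replacing the filesystem stored there with L:FastFileSystem. As an added example (not part of the thread, and not any poster's code), this is one way to pull the filesystem code out of the RDB and compare it with a known-clean file instead of searching by hex editor. The field offsets follow the RigidDiskBlock layout in `devices/hardblocks.h`. The function names, the 512-byte block size, the zero-padding rule and the constructed `REF`/`sample_image` data are assumptions for illustration; the input is a raw dump of the first blocks of the disk.

```python
import struct

END, BS = 0xFFFFFFFF, 512   # list terminator / mask; 512-byte blocks assumed

def longs(buf, off, n=1):
    return struct.unpack_from(">%dI" % n, buf, off)   # big-endian ULONGs

def valid(blk, tag):
    """Correct ID and the first SummedLongs longs sum to zero (mod 2**32)."""
    n = longs(blk, 4)[0] if len(blk) == BS and blk[:4] == tag else 0
    return 2 < n <= BS // 4 and (sum(longs(blk, 0, n)) & END) == 0

def embedded_filesystems(img):
    """Walk RDSK -> FSHD -> LSEG and return the filesystem code held in the RDB."""
    blk = lambda num: img[num * BS:(num + 1) * BS]
    rdb = next((blk(i) for i in range(16) if valid(blk(i), b"RDSK")), None)
    found, seen = [], set()
    fs = longs(rdb, 32)[0] if rdb else END            # rdb_FileSysHeaderList
    while fs != END and fs not in seen and valid(blk(fs), b"FSHD"):
        seen.add(fs)
        hdr, code = blk(fs), b""
        seg = longs(hdr, 72)[0]                       # fhb_SegListBlocks
        while seg != END and seg not in seen and valid(blk(seg), b"LSEG"):
            seen.add(seg)
            code += blk(seg)[20:longs(blk(seg), 4)[0] * 4]   # lsb_LoadData
            seg = longs(blk(seg), 16)[0]              # lsb_Next
        found.append({"dostype": hdr[32:36], "version": divmod(longs(hdr, 36)[0], 1 << 16),
                      "intact": seg == END, "code": code})   # intact: chain reached END
        fs = longs(hdr, 16)[0]                        # fhb_Next
    return found

def matches_reference(entry, ref):
    """True if the stored code is exactly ref plus zero padding (assumed layout)."""
    return entry["intact"] and entry["code"][:len(ref)] == ref and not any(entry["code"][len(ref):])

def make_block(tag, fields, payload=b""):   # builds the constructed sample only
    b = bytearray(tag + struct.pack(">I", BS // 4) + bytes(BS - 8))
    for off, val in fields.items():
        struct.pack_into(">I", b, off, val)
    b[20:20 + len(payload)] = payload
    struct.pack_into(">I", b, 8, -sum(longs(b, 0, BS // 4)) & END)
    return bytes(b)

REF = b"\x00\x00\x03\xf3" + bytes(range(256)) * 3   # constructed stand-in, not a real filesystem
def sample_image(code=REF):
    fshd = {16: END, 32: 0x444F5301, 36: 45 << 16 | 16, 72: 2}   # 'DOS\1', v45.16
    return b"".join([make_block(b"RDSK", {32: 1}), make_block(b"FSHD", fshd),
                     make_block(b"LSEG", {16: 3}, code[:492]), make_block(b"LSEG", {16: END}, code[492:])])
```

On a real dump, `ref` would be the bytes of a filesystem file copied from a clean machine. An entry that fails `matches_reference` holds code that differs from that file or extends past it.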
 
@Storm

I'm pleased you got it sorted mate.

I've got a certain collection of adfs on my PC that trigger my system when I run a scan.

I've never had one on my Miggy yet. I guess I've been lucky.

Dave G :cool:
 
Three different virus scanners seems a bit overkill to me, but as I'm not sure what each is doing it may be OK. Generally it's best to run one good one and keep it updated; this goes for a PC as well. Your virus checker is only as good as its last update.
 
I only have one in the background running but if I need to do a scan or if one of the scanners gets infected I have some backups :thumbsup:
 