This is the textual version of the AVRD. In order to minimise
editing overhead this version is now derived directly from the
source of the HyperText version. The derivation is performed
by a program, so the formatting may not always be perfect -
but we'd rather spend our time coding !Killer/!Scanner !

Ignore any references to clicking in specific places in the
document - this facility is only available in the HyperText
version.


###########################################################################

The Archimedes Virus Reference Document
---------------------------------------------------------------------------

Version 1.84h (6th January 1994)

Copyright © 1991-1994 Tor O. Houghton and Alan Glover

This document is copyright. Profit based distribution (whether PD 
or Shareware) without prior consent from the authors, is strictly 
illegal. If in doubt, contact one of the authors. Note that this 
version of !ClearView also has certain conditions upon its distribution.

This is the hypertext form of this document, using the Binary Star 
!ClearView package. Click here (on the underlined word) for a brief 
guide to using this software and details about obtaining enhanced 
versions.



###########################################################################

Abstract
---------------------------------------------------------------------------

As the number of people using the Acorn Archimedes range of computers 
has increased over the years, so has the number of viruses.

This document contains the compiled information from various virus 
researchers and their killers. In particular, it is (as the title 
suggests) a compendium of the knowledge about viruses of Tor Houghton 
and Alan Glover.

The purpose of this document is to give as many details as possible 
on each virus known, and to assist those who think they might be 
infected by a virus.
 
A dilemma occurred as this document took form. How much information 
should be included? If we provided too much information, this document 
could well become an effective "cookbook" for people wanting to write 
a virus (and also be used by authors of anti-virus programs to claim 
coverage of viruses they've never seen based on the information here). 
This is not our intention. The professionals and programmers who 
read this will easily identify the missing or omitted information 
because they already have this background knowledge - it is part 
of the working tools of our profession.

The document is not intended to provide very detailed technical information 
on a virus (although this may happen as a way of explaining it), 
but to allow the reader to understand what the virus generally does, 
what makes it activate and what it does upon activation. Most important, 
however, it should help the user with the removal!

1.0 Introduction
---------------------------------------------------------------------------

A virus is nothing magical. Anyone with a bit of programming skill 
and some knowledge about the machine's operating system is capable 
of creating a virus. Usually these programmers think it is fun, they've 
read too many cyberpunk books, or they are generally pitiful creatures 
who like to inflict damage.

Final note: In spite of many journalists' secret wishes, a computer 
virus cannot spread from one type of computer to another. For example, 
a virus written on a PC running MS-DOS or Windows cannot infect the 
Archimedes - in native mode. If you are using the PC emulator, a 
virus functions perfectly under this environment too (probably with 
a few exceptions due to the fact that there are about 1000 viruses 
running under this particular operating system). The only area in 
which some crossover is possible is hardware - if you have a DOS 
virus which thrashes the floppy disc out of alignment, it will obviously 
affect it when it is used normally!

1.1 Some Definitions
---------------------------------------------------------------------------

Connectivity: The level of ability a computer has to connect to other 
computers. Nowadays it is very easy to, for example, phone a BBS 
and download new software. The higher the level of connectivity, 
the higher the level of possible exposure to computer viruses. The 
same may also be considered true of other sources of software, such 
as PD libraries.

Trojan Horse: This is a generic term (taken from Greek mythology) 
for a penetration method that includes hidden code. An example of 
this is the Link virus which, while being helpful in the ways of 
converting backspace to delete, also launches a virus into your computer.

Virus: A computer virus can be defined as a malicious program capable 
of replicating itself. See "A Computer Security Glossary for the 
Advanced Practitioner" in the Computer Security Journal IV, No. 1, 
1987 for a similar description. Please note that most computer viruses 
on the Archimedes do nothing but replicate, although there are a 
few exceptions. My own definition is 'a program which attempts to 
replicate without the user's knowledge or consent and may perform 
unauthorised actions'.

Worm: A computer program which moves through your computer system, 
altering data as it copies itself and deleting the old copy. If a 
worm reproduces it could also be called a virus. There are no reports 
of worms on the Archimedes, mainly because it is such a closed system, 
and would be detected much too easily to become a hazard. Networks 
are more exposed to such nasties.

1.2 Entry Explanations
---------------------------------------------------------------------------

Name: The most common name of the virus. Often chosen because of 
some text found in the virus, or like CeBIT, connected to some event 
(the biggest computer show in Europe).

Aliases: Names which other anti-viral agent documents (usually brief 
notes which are included with the program) use for the same virus. 
This includes names that are commonly used by BBS users etc. Always 
try to use the name used here for a given virus rather than any of 
the alternative names.

Origin: The country where the virus seems to have originated from 
(or at least, where it was isolated).

Isolation Date: The date (as detailed as possible) when the virus 
was first found.

Effective Length: The length the virus occupies on the disc. The 
actual length in memory may well be different.

Virus Type: Task refers to viruses written as a multitasking program 
(i.e. appears on the Task Manager, with or without a task name). 
Resident refers to viruses which, by reserving some memory, insert 
themselves as a machine code program invisible to the task manager. 
By monitoring certain interrupts the virus is able to spread. Also, 
if the virus attaches itself to files, this is noted along with what 
type of files it infects.

Symptoms: Odd behaviour which might occur if the virus is loaded. 
This could be spurious crashes or files suddenly appearing (or disappearing!). 
Take note that this has nothing to do with what the virus actually 
does when it activates, as this will be detailed as extensively as 
possible under the 'general comments' section.

Detection: Refers to anti-virus agents (complete with earliest version 
number) which to our knowledge detect the virus. Please be so kind 
as to update me on this, as I know there are several anti-virus programs 
wandering around which I don't have! With the exception of Killer/VProtect 
and Scanner/Interferon these comments are based solely on the documentation 
provided with the programs - beware of claims to detect 'all known 
viruses' when only a subset of those here are listed!

Removal: Refers either to programs which remove the virus from the 
infected file (complete with earliest version number), or if possible, 
which files to delete without destroying the program. Where it says 
'Remove named file(s)', take note that if there is a !Boot file present, 
be sure to check this too (i.e. with !Edit).  In particular, never 
assume that a Module may be RMKilled, or that an application task 
may be Quit. It might disappear, but it may also set up a time bomb 
with serious effects on the system.

As a rule, it is unwise to attempt to remove a virus from memory 
yourself. However some anti-virus programs contain specific code 
to detect and remove viruses which are present in memory. Where an 
anti-virus program is known to be able to do this the program and 
version is given. The criterion for this is that the anti-virus program 
either neutralises or removes the virus from memory, leaving the 
machine in a safe enough state for the anti-virus program to remove 
the infection from your media. Even with this protection, you should 
still do a CTRL-Reset as soon as possible after you have been infected.

General Comments: As detailed information about the virus as possible. 
Also, if there are any mutated versions of the virus, these are detailed 
here too, along with any relevant information. Please note that the 
number after the virus name states how many bytes it occupies on 
the disc.

Source: The person who provided the information about the virus concerned. 
Where a name does not appear, it will probably have been written 
by Tor Houghton or Alan Glover. In some cases, an acknowledgment 
will be included to someone who has helped in the isolation or analysis 
of the virus.

Sometimes square brackets ("[]") with a comment might appear. These 
are our comments, and offer additional useful information which we 
thought the original author left out. 

###########################################################################

Virus index
---------------------------------------------------------------------------


                            
Alien                               
Aprilfool
Archie          FF8
Arcuebus
AxisHack
BBCEconet
Bigfoot    
BooHoo      
Breakfast
CeBIT
Code            Sicarius   
Diehard
Ebenezer
EMod
Ex_port
Extend
ExtendV2          
FCodex
Funky          
Garfield_I
Garfield_W
Handler
Icon *          Icon-A, Filer, Poison, NewVirus, Wraith
Image
Image2
Increment
Irqfix
Link
Mode87
Module          ModVir, Illegal
MonitorDat
MyMod           Silicon Herpes
NetManager
NetStatus       Boot
NewDesk
Parasite *
Penicillin *
Poltergeist
Runopt
Shy
Sprite *        
SpriteUtils           
T2 *
TaskManager
Terminator *
Thanatos *      RISCOSExt
Traphandler
Valid    
VanDamme
Vigay           DataDQM, Shakes
Whoops
Wimpman

Viruses marked with an asterisk (*) carry malicious code (in the 
case of Icon in the 2158 byte strain only).  Any detection of one 
of these viruses should be treated thus:

1) Perform a CTRL-RESET as soon as possible. To be safe, press F12 
and type FX 200,3 beforehand. This should get the virus out of memory, 
just leaving the storage media to be cleaned. Remember that infection 
can be as easy as opening a filer viewer!

2) Load a virus killer, and check that the virus is not active. Some 
virus killers (e.g. Pineapple's !Killer) are capable of removing 
any resident virus, and withstanding infection attempts whilst doing 
this. Bear in mind that not all anti-virus programs are intended 
to start up in an environment where a virus is active.

3) Run the virus killer through the system, opening the minimum possible 
number of filer windows. Obviously, if you keep your copy of the 
virus killer on a write-protected floppy this is quite easy! Remember 
to check removable discs too!

Please note that spurious resets and/or errors which occur are usually 
the results of poor programming, and are therefore not considered 
malicious (they merely depict the programmer's skills - he should 
have stuck to LOGO).

Although not usually marked as malicious, some viruses will cause 
the !Boot of an application to be overwritten. This can cause things 
which usually happen automatically (eg: locating !System) to fail.


###########################################################################

Alien
===========================================================================

Last Updated:        21st November 1993
Aliases:             
Origin:              United Kingdom
Isolation Date:      November 1993
Effective Length:    7831 bytes
Virus Type:          Resident application infector
Symptoms:            Error messages from 'Alien'

---------------------------------------------------------------------------

Detection Media:     Killer 1.511+    Memory:      Killer 1.511+
                     VProtect 1.51+

Removal   Media:     Killer 1.511+    Memory:      Killer 1.511+

---------------------------------------------------------------------------

General Comments:
Whilst this is quite definitely an Icon variant, it does have a number 
of changes which make it rather different.

For starters, it has a choice of 22 names and 21 filetypes between 
which it chooses at random.

The filenames are: ProgInfo, Image, DiscInfo, Data, Options, Temp, 
Data, data, Mod, Shit, Wanker, Boot, Mode, System, Dump, Remote, 
Symbol, Script, Desk, Screen, Monitor and Resiter.

The filetypes are: FFD, FFA, FF8, FF4, FF2, FED, FEC, FEC, FEA, FE4, 
FE3, FE2, FE9, FF5, FE1, FF3, AFF, AE9, FF0, FF6, FF7.

Practically all the textual commands within the program are expressed 
as sequences of CHR$(nnn). Inevitably choosing such a long-winded 
method has led to a number of typos and syntax errors in the expressions.

Given the variety of possible filenames, VProtect detects it only 
as a Generic Icon virus.

As it stands, it is almost harmless - there are so many errors in 
the text that few of its actions will actually work. However, its 
replication works fine....


###########################################################################

Aprilfool
===========================================================================

Last Updated:        18th December 1992
Aliases:             
Origin:              United Kingdom
Isolation Date:      December 1992
Effective Length:    1618 bytes
Virus Type:          Resident application infector
Symptoms:            RAM disc contains directory called 'Scrapheap'

---------------------------------------------------------------------------

Detection Media:     Killer 1.383+    Memory:      Killer 1.383+

Removal   Media:     Killer 1.383+    Memory:      Killer 1.383+

---------------------------------------------------------------------------

General Comments:
This virus initialises as a desktop task called 'AprilFool'. It spreads 
by saving a copy of the virus into the application being infected. 
The file saved is BASIC, and called 'Virus'. It also renames the 
current !Boot to BootBackup and saves a new !Boot file.

This may well cause great confusion, since any environmental variables 
set up by the !Boot file normally won't be!

It holds copies of the virus and prototype !Boot file in the RAM 
disc - so the virus will not even work if you have no RAM disc configured!

Aside from trying to infect applications, it will also delete !lemmings.LemBoot 
whenever it is encountered.

On the 1st April it will bring up an error box from ADFS Filer saying 
'April Fool'.



###########################################################################

Archie
===========================================================================

Last Updated:        24th November 1993
Aliases:             FF8
Origin:              United Kingdom
Isolation Date:      1988 
Effective Length:    920 bytes
Virus Type:          Resident Absolute (FF8) file infector.
Symptoms:            May cause "Address exception" or "Undefined 
                     instruction" errors. Absolute files will grow 
                     in length.

---------------------------------------------------------------------------

Detection Media:     Killer 1.17+     Memory:      Interferon 2.00+
                     Scanner 1.02+                 Killer 1.17+ 

Removal   Media:     Killer 1.17+     Memory:      Killer 1.17+

---------------------------------------------------------------------------

General Comments:

This is a piece of ARM code that is appended to executables with 
the Absolute (&FF8) filetype. It is 920 (&398) bytes long and has 
a tell-tale 4-character string at the end of its code, "1210", which 
is used as an "already-infected" flag. The first instruction of the 
original executable is saved near the end of the virus code space 
and is replaced by a branch to the first instruction of the Archie 
virus code.

What Archievirus does when first run:

1. Attempts to infect executables (Absolute filetype) with the filespecs 
"@.*" and "%.*". In other words, all executables in the current and 
library directory are attacked.

2. Uses OS_File 36 as a "semaphore" to see if it is lodged in RMA. 
If a call to OS_File 36 returns with an error, then it hasn't infected 
the RMA yet, so it proceeds to claim 920 bytes of RMA, copy itself 
into there and point a claim of the OS_File vector to its new RMA 
location.

3. The time is checked to see if it is the 13th of the month. If so, 
the code loops indefinitely, displaying the 45-character message 
(in the virus, this message is EORed with &64, and is therefore 
not easy to spot):

Hehe...ArchieVirus strikes again...

4. Assuming it wasn't the 13th of the month (and NO, it doesn't check 
for a Friday!), then the original first instruction of the executable 
is replaced and the original normal code continues from &8000 onwards.

The OS_File vector claim is quite important, because this serves 
two purposes:

a. It allows OS_File 36 to return without an error, signalling that 
the RMA is already infected.

b. It checks for OS_Files 0 and 10 (Save memory to file), 11 (create 
empty file) and 12, 14, 16 and 255 (Load file). If any of these are 
encountered then an infection attack is activated (see step 1 above).
                                               
Update: Nov '93. A case was reported of Archie inside an untyped 
file. It looks like it infected the file before its type was changed. 
From version 1.512 Killer will check for this. The other difference 
is that the routine responsible for displaying the message has been 
replaced by calls to move the disc head back and forth until the 
computer is reset.

(Source: Richard K. Lloyd)
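
As an added example (not part of the AVRD and not code from Killer or Scanner), the indicators in this entry can be checked statically against a file image: the "1210" flag, an entry branch that lands in the final 920 bytes, and the message EORed with &64. It assumes the flag is the last four bytes of the file; the sample image is constructed filler, not virus code.

```python
import struct

VIRUS_LEN = 920                      # &398 bytes appended to the host (from the entry)
MARKER = b"1210"                     # "already-infected" flag
XOR_KEY = 0x64                       # the message is stored EORed with &64
MESSAGE_FRAGMENT = b"ArchieVirus strikes again"


def branch_target(word, offset=0):
    """File offset that an ARM B/BL located at `offset` jumps to, else None."""
    if (word >> 25) & 0b111 != 0b101:        # bits 27..25 are 101 for B/BL
        return None
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x00800000:                   # sign-extend the 24-bit word offset
        imm24 -= 0x01000000
    return offset + 8 + imm24 * 4            # PC reads as instruction address + 8


def scan_absolute(image):
    """Report which of the three indicators an Absolute file image shows."""
    findings = {"marker": False, "entry_branch_into_tail": False,
                "xor_message": False}
    if len(image) >= VIRUS_LEN + 4:          # room for one host word plus the code
        tail_start = len(image) - VIRUS_LEN
        # Assumption: the flag closes the appended code, so it closes the file.
        findings["marker"] = image.endswith(MARKER)
        # Many clean programs start with a branch; only one landing inside
        # the appended region counts as an indicator.
        (first_word,) = struct.unpack_from("<I", image, 0)
        target = branch_target(first_word)
        findings["entry_branch_into_tail"] = (
            target is not None and tail_start <= target < len(image))
        # The Nov '93 variant has no message routine, so this may be absent.
        encoded = bytes(b ^ XOR_KEY for b in MESSAGE_FRAGMENT)
        findings["xor_message"] = encoded in image[tail_start:]
    hits = sum(findings.values())
    verdict = ("likely infected" if hits >= 2
               else "suspicious" if hits == 1 else "no indicators")
    return dict(findings, verdict=verdict)


def make_constructed_sample(host_words=16, with_message=True):
    """Build a CONSTRUCTED image with the same layout; it contains no virus code."""
    host = struct.pack("<I", 0xE1A00000) * host_words       # MOV R0,R0 filler
    body = bytearray(VIRUS_LEN - len(MARKER))                # zero filler
    if with_message:
        enc = bytes(b ^ XOR_KEY for b in MESSAGE_FRAGMENT)
        body[100:100 + len(enc)] = enc
    tail = bytes(body) + MARKER
    # Replace the first host word with "B <start of appended region>".
    entry = 0xEA000000 | (((len(host) - 8) // 4) & 0x00FFFFFF)
    return struct.pack("<I", entry) + host[4:] + tail


if __name__ == "__main__":
    print(scan_absolute(make_constructed_sample()))
    print(scan_absolute(make_constructed_sample(with_message=False)))
    print(scan_absolute(bytes.fromhex("0000a0e1") * 246))
```

A single hit is reported only as "suspicious", since a file can end in "1210" by coincidence.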


###########################################################################

Arcuebus
===========================================================================

Last Updated:        25th October 1992
Aliases:             
Origin:              UK
Isolation Date:      October 1992
Effective Length:    9619 bytes
Virus Type:          Resident application infector
Symptoms:            Extra module files appear in applications

---------------------------------------------------------------------------

Detection Media:     Killer 1.381+    Memory:      Killer 1.381+
                     VProtect 1.24+

Removal   Media:     Killer 1.381+    Memory:      Killer 1.381+

---------------------------------------------------------------------------

General Comments:

This virus spreads as a module within applications. The module has 
eight possible names: ProgUtil, Resource, InfoFile, SystemRS, ModularR, 
PureMath, SoundMdl and GraphMdl. When loaded (from a !Boot file) 
it installs itself as a NetStatus 3.07 (15 Sep 1988).

A quick check for this virus is to press <F12> and type 'Help Virus'. 
The following text will be displayed:

Congratulations. Your system has the Arcuebus virus.
The following data may interest you:-
Virus generation number: Dnnn
This copy was born: <date/time>

At the same time a sound sample (loaded as a voice called Percussion-Bass) 
is played. This says 'I am a servant of the <???>'. If anyone who 
hears this has a good idea what the last word is - do tell us!

(Source: Paul Frohock)



###########################################################################

Axishack
===========================================================================

Last Updated:        13th September 1993
Aliases:             
Origin:              UK
Isolation Date:      September 1993
Effective Length:    2189 bytes
Virus Type:          Resident application infector
Symptoms:            File called 'hack' appears in applications

---------------------------------------------------------------------------

Detection Media:     Killer 1.501+    Memory:      Killer 1.501+
                     VProtect 1.43+

Removal   Media:     Killer 1.501+    Memory:      Killer 1.501+

---------------------------------------------------------------------------

General Comments:

This is a variant of Vigay which runs as a desktop task called Axis_Hack, 
and triggers on Saturdays rather than Thursday. See the entry for 
Vigay for more information.



###########################################################################

BBCEconet
===========================================================================

Last Updated:        29th June 1992
Aliases:              
Origin:              United Kingdom
Isolation Date:      April 1992
Effective Length:    5280 bytes
Virus Type:          Resident Absolute (FF8) file infector.
Symptoms:            Module "BBCEconet 0.09" resident in RMA (&018xxxxx) 
                     (see also Mode87!).

---------------------------------------------------------------------------

Detection Media:     Killer 1.33+     Memory:      Killer 1.33+
                     Scanner 1.33+                 Interferon 2.12+
                                                   Scanner 1.34+
                                                   VProtect 1.15+

Removal   Media:     Killer 1.33+     Memory:      Killer 1.33+
                                                   Scanner 1.34+

---------------------------------------------------------------------------

General Comments:    

The action of this virus bears a marked similarity to Link, i.e. 
it appends code to absolutes and uses a module to perform the infection 
(in this case BBCEconet, which it installs).
        
As with Link, it attempts to infect %.Squeeze. However, both viruses 
use the same check to see whether a file is infected so it is not 
possible to have an absolute simultaneously infected by Link and 
BBCEconet.
        
The majority of this virus is kept encrypted when it is not executing, 
and it also encrypts a segment at the beginning of the absolute file. 
The encryption key changes with each infection. In short, you need 
dedicated software to remove it.
        
The datestamp will not change, and as with Link, it temporarily patches 
Interferon to allow itself to infect without any alarms being given.

There are various date fired routines, outlined below.

Friday 13th:

It's Friday! Why are you working?
I first infected a commercial program with good help from
Dr. Blob.
Now you're infected too - and probably most of your penpals.
I've got more in store!
And... I've created XXXX copies of myself.
Good luck!

December 25th:

Merry Christmas!

April 1st:

E.T. phones home!
(It sends ATD 0749 679794 to the serial port, so if you have a Hayes 
compatible modem connected, it will dial this number - a well-known 
bulletin board service in Somerset.)

June 25th:

Ph'nglui mglw'nafh Chtulhu R'lyeh fthagn.
And... I've created XXXX copies of myself.

[The non-English part of this message was introduced by H.P. Lovecraft 
in his short story The Call of Cthulhu, where it translates to "In 
his house at R'lyeh, dead Cthulhu waits dreaming." Probably used 
by the virus writer as proof that he has read this book.]

All of these messages will appear in an error box titled "Ouch! You've 
been bitten!" It may also clear the screen and print the word "LOVE" 
in mode 12.

(Source: Alan Glover)



###########################################################################

Bigfoot
===========================================================================

Last Updated:        11th September 1992
Aliases:             
Origin:              United Kingdom
Isolation Date:      August 1992
Effective Length:    5535 or 5580 bytes
Virus Type:          Task. Stores code as separate file.
Symptoms:            Additional files with random names in capital 
                     letters appear in applications

---------------------------------------------------------------------------

Detection Media:     Killer 1.381+    Memory:      Killer 1.381+
                     Scanner 1.47+ (5580 byte strain only?)
                
Removal   Media:     Killer 1.381+    Memory:      Killer 1.381+ 
                                                   
                     delete named file, remove line from !Boot.

---------------------------------------------------------------------------

General Comments:
                                
This is a fairly simple BASIC program, which installs as a desktop 
task called Bigfoot.

It has messages for certain dates, namely:
  
25 Dec:

Happy Christmas from BigFoot ... The VIRUS

05 Nov:

"Wizz Bang! Its Guyfalks night  BigFoot Strikes again!
   
04 Jul:
  
"Hay there its the 4th of July ,American Independence! Best wishes 
from BigFoot

15 Mar:

This is a HOLD UP! Give me all the PD software you can get,,, Or 
you SYSTEM gets it!!!  By the way its the end of the fishing season.
 
It infects by creating or modifying the !Boot file, using a random 
name of 1-10 upper case characters. The virus is saved as a BASIC 
file of the same name. However the BASIC itself always has REM>Bigfoot 
on the first line.

Apart from spreading, it has no malicious code. 

The 5535 byte version can not be Quitted from the Task Manager.
 
(Source: Alan Glover, with thanks to Paul Frohock and David Cox for 
initial analysis)


###########################################################################

BooHoo
===========================================================================

Last Updated:        6th December 1992
Aliases:             
Origin:              UK
Isolation Date:      December 1992
Effective Length:    1104 bytes
Virus Type:          Resident module infector
Symptoms:            Modules grow by 1104 bytes and are datestamped

---------------------------------------------------------------------------

Detection Media:     Killer 1.382+    Memory:      Killer 1.382+
                     VProtect 1.25+

Removal   Media:     Killer 1.382+    Memory:      Killer 1.382+

---------------------------------------------------------------------------

General Comments:

Like Module, this virus operates by merging with relocatable modules. 
However its infection method is somewhat more efficient than Module 
with the result that it will probably spread faster when left unchecked.

Infected modules can be identified quickly by looking for the text 
'VIRU' at the end of an infected module (this is the marker it uses 
to avoid reinfection).

RMkilling an infected module will result in the message 'Wah, boo 
hoo!', but the module (and the virus) will close down.

On the 23rd October initialising the virus will result in the message 
'Happy Birthday!' being displayed.

The module also responds to SWI &98000, returning R0 pointing to 'I'm 
alive and well, thank you!'.
 
(Source: Alan Glover, with thanks to Craig Murphy)



###########################################################################

Breakfast
===========================================================================

Last Updated:        21st January 1993
Aliases:              
Origin:              Belgium
Isolation Date:      January 1993
Effective Length:    6688 bytes
Virus Type:          Resident Absolute (FF8) file infector.
Symptoms:            Module "BBCEconet 0.09" resident in RMA (&018xxxxx) 
                     (see also BBCEconet & Mode87!).

---------------------------------------------------------------------------

Detection Media:     Killer 1.391+    Memory:      Killer 1.391+
                                                   VProtect 1.29+

Removal   Media:     Killer 1.391+    Memory:      Killer 1.391+

---------------------------------------------------------------------------

General Comments:    

The action of this virus bears a marked similarity to Link & BBCEconet, 
i.e. it appends code to absolutes and uses a module to perform the 
infection (in this case BBCEconet, which it installs).
        
As with Link, it attempts to infect %.Squeeze. However, both viruses 
use the same check to see whether a file is infected so it is not 
possible to have an absolute simultaneously infected by this virus 
and Link/BBCEconet.
        
The majority of this virus is kept encrypted when it is not executing, 
and it also encrypts a segment at the beginning of the absolute file. 
The encryption key changes with each infection. In short, you need 
dedicated software to remove it.
        
The datestamp will not change, and as with Link/BBCEconet, it temporarily 
patches Interferon to allow itself to infect without any alarms being 
given.

There are various date fired routines, outlined below.

Friday 13th:

Have a nice day. You have been infected by copy #


July 21st

Cheer up, the worst is yet to come. I think. You have been infected 
by copy #


November 5th:
  
...Remember, Remember, the 5th of November - Gunpowder, Treason and 
Plot... You have been infected by copy #
  

January 1st:
  
A contest of skill and cyberprank... Who can be the unspoken Maestro? 
I know Dr. Blob is quite good, but can he dig this one? You have 
been infected by copy #

April 1st:

<More details will be added when this routine has been analysed>

(Source: Alan Glover)



###########################################################################

CeBIT
===========================================================================
      
Last Updated:        21st April 1992
Aliases:             Lord of Darkness, TlodMod
Origin:              Germany
Isolation Date:      March 1991
Effective Length:    1240 bytes
Virus Type:          Resident !Boot file infector, stores code as 
                     separate file.
Symptoms:            File "TlodMod" in application directories.

---------------------------------------------------------------------------

Detection Media:     Killer 1.17+     Memory:      Interferon 2.00+
                     Scanner 1.23+                 Killer 1.17+ 
                     VProtect 1.06+                Scanner 1.20+
                
Removal   Media:     Killer 1.17+     Memory:      Killer 1.17+ 
                     delete named file, remove last line from !Boot.

---------------------------------------------------------------------------

General Comments:

This is a module called "TlodMod" with the following title string:

TlodMod 1.11 (11 Nov 1990) by Devil the LORD OF DARKNESS

It is 1240 (&4D8) bytes long and hooks itself into UpCallV. It then 
activates once a minute and first checks for the existence of <Obey$Dir>.TlodMod. 
If this already exists, then no further action is taken. If it doesn't, 
however, it then attempts to append the following line to <Obey$Dir>.!Boot:

rme. TlodMod 0 rml. <Obey$Dir>.TlodMod

If it succeeds at this, a counter is incremented and the module is 
replicated as <Obey$Dir>.TlodMod. Every 16th successful infection 
will trip the virus into issuing a "*Wipe $.path.file*" (which will 
inevitably fail!) and then displaying a message accompanied by a 
simple graphic.

The message displayed is thus:

This is a warning to all Users,
I am back on the Archimedes ...

Your Archie is infected now and
with him most of your programms.

Don't worry, nothing is damaged,
but keep in mind the protection!

And always think about the other
side of THE LORD OF DARKNESS ...

Virus generation is <counter>

(Source: Richard K. Lloyd)
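
As an added example (not part of the AVRD and not taken from any of the anti-virus programs it lists), the traces this entry describes can be audited per application directory: the TlodMod file, the line appended to !Boot, and the cleaned !Boot that the manual removal would leave. The caller is assumed to supply the directory as a mapping of leaf names to file contents, and the sample directory is constructed.

```python
INJECTED = "rme. TlodMod 0 rml. <Obey$Dir>.TlodMod"   # line quoted in the entry
MODULE_LEAF = "TlodMod"
MODULE_LEN = 1240                                     # &4D8 bytes
TITLE_FRAGMENT = b"LORD OF DARKNESS"                  # from the title string


def _norm(line):
    # Star commands are case-insensitive; also collapse runs of whitespace.
    return " ".join(line.split()).lower()


def audit_application(files):
    """`files` maps leaf names in ONE application directory to their bytes."""
    report = {"module_present": False, "module_matches": False,
              "boot_lines": [], "clean_boot": None}
    # RISC OS filenames are case-insensitive.
    lookup = {name.lower(): data for name, data in files.items()}

    module = lookup.get(MODULE_LEAF.lower())
    if module is not None:
        report["module_present"] = True
        # Length and title text are the two properties the entry gives.
        report["module_matches"] = (len(module) == MODULE_LEN
                                    and TITLE_FRAGMENT in module)

    boot = lookup.get("!boot")
    if boot is not None:
        kept = []
        for number, line in enumerate(boot.decode("latin-1").split("\n"), 1):
            if _norm(line) == _norm(INJECTED):
                report["boot_lines"].append(number)   # 1-based line number
            else:
                kept.append(line)
        report["clean_boot"] = "\n".join(kept).encode("latin-1")

    if report["module_present"] and report["boot_lines"]:
        status = "infected"
    elif report["boot_lines"]:
        # !Boot was extended but the copy of the module is missing, so the
        # application will raise an error when its !Boot is run.
        status = "dangling !Boot line"
    elif report["module_present"]:
        status = "module without !Boot line"
    else:
        status = "no traces"
    report["status"] = status
    return report


def constructed_app():
    """CONSTRUCTED sample directory; the 'module' is padding, not real code."""
    title = b"TlodMod 1.11 (11 Nov 1990) by Devil the LORD OF DARKNESS"
    module = title.ljust(MODULE_LEN, b"\x00")
    boot = ("IconSprites <Obey$Dir>.!Sprites\n" + INJECTED + "\n").encode("latin-1")
    return {"!Boot": boot, "!Sprites": b"", "TlodMod": module}


if __name__ == "__main__":
    result = audit_application(constructed_app())
    print(result["status"], result["boot_lines"], result["clean_boot"])
```

An empty `clean_boot` means the !Boot held nothing but the appended line.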


###########################################################################

Code
===========================================================================                     

Last Updated:        11th September 1992
Aliases:              
Origin:              UK
Isolation Date:      June 1992
Effective Length:    2251 bytes
Virus Type:          Resident !Boot file infector, stores code as 
                     separate file.
Symptoms:            File "Code" in application directories.

---------------------------------------------------------------------------

Detection Media:     Killer 1.360+    Memory:      Killer 1.360+
                     Scanner 1.42+                 VProtect 1.17+

Removal   Media:     Killer 1.360+    Memory:      Killer 1.360+
                     Scanner 1.42+

---------------------------------------------------------------------------

General Comments:

This virus installs itself as a desktop task called "Window Manager". 
The 'Code' file is filetyped as &FF8, but is actually plain BASIC. 


The virus can either extend a !Boot or create one - if one is created 
it will be 44 bytes long. 

The only effect of this virus will be the loss of sprites for some 
applications, since the !Boot file it creates does not contain an 
IconSprites statement to load the sprites. 

(Source: Alan Glover)



###########################################################################

Diehard
===========================================================================                     

Last Updated:        21st November 1993
Aliases:             Icon (2173 byte)
Origin:              UK
Isolation Date:      October 1993
Effective Length:    2173 bytes
Virus Type:          Resident !Boot file infector, stores code as 
                     separate file.
Symptoms:            File "Setup" in application directories

---------------------------------------------------------------------------

Detection Media:     Killer 1.504+    Memory:      Killer 1.504+
                                                   VProtect 1.49+

Removal   Media:     Killer 1.504+    Memory:      Killer 1.504+
                     Scanner 1.42+

---------------------------------------------------------------------------

General Comments:                                                
               
Strictly speaking, this is an Icon variant. Please see the entry 
for it under the Icon section.



###########################################################################

Ebenezer
===========================================================================
      
Last Updated:        19th February 1993
Aliases:             
Origin:              United Kingdom
Isolation Date:      February 1993
Effective Length:    2400 bytes
Virus Type:          Resident task. Stores code as separate file.
Symptoms:            File Run2 in application directory.

---------------------------------------------------------------------------

Detection Media:     Killer 1.393+    Memory:      Killer 1.393+
                     VProtect 1.31+
                
Removal   Media:     Killer 1.393+    Memory:      Killer 1.393+

---------------------------------------------------------------------------

General Comments:

This is basically the Vigay virus, with amendments to the original 
program to make it slightly different.

The changes are:
  
Triggers on Friday rather than Thursday
The virus is in a file called Run2
The desktop task is called "Filer" (which will show up as an application 
task, not a module task like the real Filer).



###########################################################################

EMod
===========================================================================
      
Last Updated:        31st March 1993
Aliases:             
Origin:              United Kingdom
Isolation Date:      March 1993
Effective Length:    1686 bytes
Virus Type:          Resident task. Stores code as separate file.
Symptoms:            Spurious files inside application directories

---------------------------------------------------------------------------

Detection Media:     Killer 1.400+    Memory:      Killer 1.400+
                     VProtect 1.33+
                
Removal   Media:     Killer 1.400+    Memory:      Killer 1.400+

---------------------------------------------------------------------------

General Comments:
                                                                 
                      
This virus is written in BASIC and uses an insertion in a !Boot file 
to load itself, whereupon it initialises as an application task called 
" ", which cannot be quit from the Task Manager.

The virus has no malicious code. However, its coding is such that 
it may well generate errors whilst trying to infect something.

The virus code is stored under one of the following names, chosen at 
random. If a file with that name already exists in the application, 
it will choose again.

!ReadMe (text), !Help (text), menus (text), Script (text),
MemAlloc (module), !Run2 (obey), !RunImage (basic), messages (text),
FPE (module), !Sprites23 (sprite), Windows (template),
Templates (template), Scrap (data), KeyUtil (utility), Chars (bbcfont),
Font (font), Subscripts (absolute), Palette (palette), Protect (module),
WimpMan2 (module), Settings (data), Configure (utility), init (utility),
!RunImage2 (basic), Choices (data)


###########################################################################

Ex_port
===========================================================================

Last Updated:        6th December 1992
Aliases:             
Origin:              UK
Isolation Date:      November 1992
Effective Length:    1282 bytes
Virus Type:          Resident application infector
Symptoms:            Modules grow by 1104 bytes and are datestamped

---------------------------------------------------------------------------

Detection Media:     Killer 1.382+    Memory:      Killer 1.382+
                     VProtect 1.25+

Removal   Media:     Killer 1.382+    Memory:      Killer 1.382+

---------------------------------------------------------------------------

General Comments:

This is written in BASIC, and always has the filename Ex_port, though 
the filetype may be Sprite, Template, Text, Command, Data, Absolute, 
Module, Font or BBCFont.

It installs itself as a nameless desktop task, so earlier versions 
of !Killer may detect it as the Extend virus.

There are no messages or overtly malicious code. However, its infection 
technique can cause problems.

(Source: Alan Glover, with thanks to Toby Smith)



###########################################################################

Extend
===========================================================================
      
Last Updated:        21st November 1993
Aliases:             
Origin:              United Kingdom
Isolation Date:      October 1990
Effective Length:    940 bytes
Virus Type:          Resident task. Stores code as separate file.
Symptoms:            File "MonitorRM", "CheckMod", "ExtendRM", "OSextend", 
                     "ColourRM",  "Fastmod", "CodeRM" or "MemRM" in 
                     application directory. Each time the code is 
                     executed it grabs 1k of RMA - this will eventually 
                     lead to a system crash.

---------------------------------------------------------------------------

Detection Media:     Killer 1.17+     Memory:      Interferon 2.00+
                     VProtect 1.06+                Killer 1.17+
                     Hunter 1.00+                  Scanner 1.20+
                     Scanner 1.36+
                
Removal   Media:     Killer 1.17+     Memory:      Killer 1.17+
                     delete named file, remove extra lines from !Boot.

---------------------------------------------------------------------------

General Comments:

It's a module which can go under 8 different filenames (the name 
is picked at random using the current time as a seed):

MonitorRM, CheckMod, ExtendRM, OSextend, ColourRM, Fastmod, CodeRM 
or MemRM.

However, the module itself has the following title string:

Extend 1.56 (08 Jul 1989)

It is 940 (&3AC) bytes long and initialises itself as a nameless 
Wimp task which then looks for Wimp Message 5 (double-click). It 
attempts to either create an !Boot in the application directory or 
append to an already existing one with the following lines:

IconSprites <Obey$Dir>.!Sprites [0D]        
RMEnsure Extend 0 RMRun <Obey$Dir>.ModName [0D]
||[FF]

The "IconSprites" line is omitted if it is appended to an existing 
!Boot. "ModName" is one of the 8 possible filenames. The Extend Virus 
uses the &FF (i.e. decimal 255) byte at the end as a self-check to 
see if it has infected the !Boot file already. Of course, it copies 
itself to the new name inside the application directory as you would 
expect. Note the incorrect use of &0D (decimal 13) to terminate the 
lines, rather than the more correct &0A (decimal 10).
          

A shift-double-click does NOT cause an infection, but it DOES claim 
yet another 1K of never-to-be-released RMA.

There is no damage apart from the claiming of RMA (which will eventually 
lead to a system crash).
                                               
Two variants have appeared during October/November 1993. Both are 
malformed, so that the filenames have an additional character at 
the beginning. Killer/VProtect are aware of both of these from version 
1.511. One has the module name as HLCC12, the other as Ohshit.

(Source: Richard K. Lloyd)
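
The !Boot check and the "remove extra lines from !Boot" step described 
in the Extend entry above, as an added example (Python, not part of 
the AVRD or of !Killer/!Scanner). The sample !Boot contents are 
constructed, and the verdict names and loose whitespace matching are 
assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# The eight filenames listed in the Extend entry above.
EXTEND_FILENAMES = {"MonitorRM", "CheckMod", "ExtendRM", "OSextend",
                    "ColourRM", "Fastmod", "CodeRM", "MemRM"}

# One line plus its terminator (CR, LF or CRLF), or an unterminated last line.
LINE_RE = re.compile(rb"[^\r\n]*(?:\r\n|\r|\n)|[^\r\n]+\Z")
# The loader line quoted in the entry; spacing and case are matched loosely.
LOADER_RE = re.compile(
    rb"RMEnsure\s+Extend\s+0\s+RMRun\s+<Obey\$Dir>\.(\S+)", re.IGNORECASE)
# Obey comment line carrying the &FF self-check byte.
MARKER = b"||\xff"


@dataclass
class BootReport:
    verdict: str = "clean"            # "clean", "suspect" or "infected"
    dropped_files: list = field(default_factory=list)   # files to delete
    unlisted_files: list = field(default_factory=list)  # not one of the 8
    cr_terminated: bool = False       # loader line ended with a bare &0D
    cleaned: bytes = b""              # !Boot with loader and marker removed


def inspect_boot(data: bytes) -> BootReport:
    """Classify raw !Boot bytes and build a copy without the Extend lines."""
    report = BootReport()
    kept, saw_marker = [], False
    for raw in LINE_RE.findall(data):
        body = raw.rstrip(b"\r\n").strip()
        match = LOADER_RE.fullmatch(body)
        if match:
            name = match.group(1).decode("latin-1")
            report.dropped_files.append(name)
            if name not in EXTEND_FILENAMES:
                report.unlisted_files.append(name)
            report.cr_terminated |= raw.endswith(b"\r")
        elif body == MARKER:
            saw_marker = True
        else:
            kept.append(raw)          # legitimate line, kept byte for byte
    if report.dropped_files and saw_marker:
        report.verdict = "infected"
    elif report.dropped_files or saw_marker:
        report.verdict = "suspect"    # only half of the signature is present
    report.cleaned = b"".join(kept)
    return report


# Constructed sample inputs (not captured from real discs).
CREATED_BY_VIRUS = (b"IconSprites <Obey$Dir>.!Sprites \r"
                    b"RMEnsure Extend 0 RMRun <Obey$Dir>.CheckMod \r"
                    b"||\xff")
ORIGINAL_BOOT = b"Set Demo$Dir <Obey$Dir>\nIconSprites <Obey$Dir>.!Sprites\n"
APPENDED_TO = ORIGINAL_BOOT + (b"RMEnsure Extend 0 RMRun <Obey$Dir>.MemRM \r"
                               b"||\xff")

if __name__ == "__main__":
    for label, sample in (("created", CREATED_BY_VIRUS),
                          ("appended", APPENDED_TO),
                          ("original", ORIGINAL_BOOT)):
        result = inspect_boot(sample)
        print(label, result.verdict, result.dropped_files, result.cleaned)
```

A name reported in unlisted_files still identifies a file to examine; 
the entry notes variants whose filenames carry an additional leading 
character.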


###########################################################################

ExtendV2
===========================================================================

Last Updated:        16th January 1993
Aliases:             
Origin:              UK
Isolation Date:      December 1992
Effective Length:    1878 bytes
Virus Type:          Resident application infector
Symptoms:            Module file called 'ExtendV2'

---------------------------------------------------------------------------

Detection Media:     Killer 1.391+    Memory:      Killer 1.391+
                     VProtect 1.27+

Removal   Media:     Killer 1.391+    Memory:      Killer 1.391+

---------------------------------------------------------------------------

General Comments:

This is an Icon variant, but has its own entry because it inserts 
a line in !Boot files saying 'Yes Extend Strikes Again !!!!'. It 
is filetyped as a module, using the filename 'ExtendV2'.



###########################################################################

FCodex
===========================================================================

Last Updated:        16th May 1993
Aliases:             
Origin:              UK
Isolation Date:      May 1993
Effective Length:    1994 bytes
Virus Type:          Non-resident application infector
Symptoms:            Absolute file called FCodex

---------------------------------------------------------------------------

Detection Media:     Killer 1.405+    Memory:      Killer 1.405+
                     VProtect 1.27+

Removal   Media:     Killer 1.405+    Memory:      Killer 1.405+

---------------------------------------------------------------------------

General Comments:
                                               
This is a non-resident BASIC program which infects applications via 
their !Run file (which should help to limit its spread somewhat).

This virus is capable of wiping the contents of a disc, so handle 
with extreme care!

The message below is displayed when it completes wiping a disc:
  
 HI! You have been virus
 infected! Aren't you happy?
 No! Well I've got more good
 news, if you have a hard
 disc then that is blank and
 your floppy disc is blank
 aswell, if it is not then
 you had the disc read tab
 on, LUCKY!! Bye for now....



###########################################################################

Funky
===========================================================================

Last Updated:        25th October 1992
Aliases:             
Origin:              UK
Isolation Date:      October 1992
Effective Length:    1308 bytes
Virus Type:          Resident application infector
Symptoms:            Sprite file called 'Funky!', application task 
                     called 'Window Dude'

---------------------------------------------------------------------------

Detection Media:     Killer 1.381+    Memory:      Killer 1.381+
                     VProtect 1.24+

Removal   Media:     Killer 1.381+    Memory:      Killer 1.381+

---------------------------------------------------------------------------

General Comments:

In common with the Icon family, this is a BASIC program hidden under 
a Sprite filetype. It initialises as a desktop task called 'Window 
Dude' and infects by saving copies of itself and amending !Boot files.

(Source: Paul Frohock)



###########################################################################

Garfield_I
===========================================================================

Last updated:        11th September 1992
Aliases:              
Origin:              United Kingdom
Isolation Date:      June 1992
Effective Length:    1640, not including the files "!Boot", "!Run" 
                     and "!Sprites".
Virus Type:          Resident application infector.
Symptoms:            Directory "!Pic" with files "!Boot", "!Run", 
                     "!Mod" (module) and "!Sprites". Recursive infections 
                     possible.

---------------------------------------------------------------------------

Detection Media:     Killer 1.362+    Memory:      Killer 1.362+
                     Scanner 1.42+                 VProtect 1.20+
                                                   Scanner 1.47+
                     
Removal   Media:     Killer 1.362+    Memory:      Killer 1.362+
                     Scanner 1.42+                 Scanner 1.47+

---------------------------------------------------------------------------

General Comments:

Garfield_I is a resident virus, lodging itself in the RMA as a module 
"IconManager". When active, it creates a directory inside an application 
called "!Pic" with the files "!Boot", "!Run", "!Mod" and "!Sprites". 
The virus code is contained in "!Mod". It then proceeds to add the 
following lines to the infected application's "!Boot" file: 

RMEnsure IconManager 1.27 <obey$dir>.!pic
        
Garfield_I uses the default Acorn sprite file sprite, so a casual 
glimpse in an application folder will not reveal it unless you (a) 
use a different sprite for sprite files or (b) open the folder 
with "full info". 

It does not check for multiple infections. Infected applications 
will, more often than not, contain "!Pic" directories inside "!Pic" 
directories. 

Garfield_I activates on the first Monday of any month, displaying

"The Garfield Virus is here to stay"

then repeatedly

"Don't you just hate Mondays?"

until the machine is reset or switched off.

(Source: Alan Glover)



###########################################################################

Garfield_W
===========================================================================

Last Updated:        11th September 1992
Aliases:              
Origin:              United Kingdom
Isolation Date:      June 1992
Effective Length:    1480, not including the files "!Boot", "!Run" 
                     and "!Sprites".
Virus Type:          Resident application infector.
Symptoms:            Directory "!Obey" with files "!Boot", "!Run", 
                     "!Mod" (module) and "!Sprites". Recursive infections 
                     possible.

---------------------------------------------------------------------------

Detection Media:     Killer 1.360+    Memory:      Killer 1.360+
                     Scanner 1.41+                 Scanner 1.41+
                     VProtect 1.17+                Interferon 2.00+
                                           
Removal   Media:     Killer 1.360+    Memory:      Killer 1.360+
                                                   Scanner 1.41+

---------------------------------------------------------------------------

General Comments:

Garfield_W is a resident virus, lodging itself in the RMA as a module 
"WimpAIDS". When active, it creates a directory inside an application 
called "!Obey" with the files "!Boot", "!Run", "!Mod" and "!Sprites". 
The virus code is contained in "!Mod". It then proceeds to add the 
following lines to the infected application's "!Boot" file: 

<Obey$Dir>.!Obey
|Above line is inoculation for the wimp virus
        
Garfield_W uses the default Acorn Obey file sprite, so a casual glimpse 
in an application folder will not reveal it unless you (a) use a different 
sprite for obey files or (b) open the folder with "full info". 


Garfield_W does not check for multiple infections. Infected applications 
will, more often than not, contain "!Obey" directories inside "!Obey" 
directories. 

Garfield_W activates on the first Monday of any month, displaying

"The Garfield Virus is here to stay"

then repeatedly

"Don't you just hate Mondays?"

until the machine is reset or switched off.

[ Note: Although both Garfield_I and Garfield_W call themselves Garfield, 
and give the same message, we have given them separate entries since 
certain items differ between them - notably application and module 
names. ]

(Source: Alan Glover)



###########################################################################

Handler
===========================================================================

Last Updated:        25th October 1992
Aliases:             
Origin:              UK
Isolation Date:      October 1992
Effective Length:    1532 bytes
Virus Type:          Resident application infector
Symptoms:            Desktop Task called 'Task Handler'.

---------------------------------------------------------------------------

Detection Media:     Killer 1.381+    Memory:      Killer 1.381+
                     VProtect 1.24+

Removal   Media:     Killer 1.381+    Memory:      Killer 1.381+

---------------------------------------------------------------------------

General Comments:

This virus is loaded by a !Run file, so is likely to spread more slowly 
than most. It renames the original !Run file to Obey. The virus itself 
is in an absolute called Handler.

It may display a message:

You have been infected with the Handler VIRUS
The Virus is just to see how good a program can infect
Sorry if it has up set you in any way, Thats about all i can
say!
Generation :
Press any key to change the channel.


(Source: Paul Frohock)



###########################################################################

Icon
===========================================================================

Last Updated:        6th January 1994
Aliases:             Icon-A, Filer, Poison, NewVirus
Origin:              United Kingdom
Isolation Date:      1990?
Effective Length:    5498 bytes in base version
Virus Type:          Task. Stores code as separate file.
Symptoms:            Nameless wimp task on the Task Manager (sometimes). 
                     Silly error messages may appear without reason 
                     (sometimes). See below for likely additional 
                     files appearing inside applications

---------------------------------------------------------------------------

Detection Media:     Killer 1.17+     Memory:      Killer 1.17+
                     Scanner 1.32+                 Scanner 1.32+
                     IVSearch 2.05+ (note 1)
                     VProtect 1.06+ 
                     Hunter 1.00+ (note 1)
                
Removal   Media:     Killer 1.17+     Memory:      Killer 1.17+ 
                     delete named file, remove last line from !Boot.

---------------------------------------------------------------------------

General Comments:

The Icon family is a group of very contagious viruses. They are 
harmless to the extent that they do not destroy files. However, 
they are very annoying (although I must admit some of the messages 
were quite amusing!). Common to all the viruses in the Icon family 
is that the virus is an unnamed wimp task written in BASIC. It spreads 
by adding a few lines to the !Boot file of an application (without 
checking for multiple infections), and then saving the code as a 
file with filetype sprite.

<set the wimpslot>
BASIC -quit <obey$dir>.<virusfile>

The original virus displayed a stupid error message on start-up, 
and then every so often after that. It is also commonly called the 
Filer virus, as the error message header claims that it is from the 
Filer. Here are a few examples of the type of error message which 
might appear:

".desreveR maertS tuptuO"
"This error should not occur."
"Previous error did not occur."
"Could not reach top of stack."

Known variant(s) of the Icon virus are:

Icon-1170

Filename: Sprites. This variant sets the system date to 1939.

Icon-1668

Filenames: !Runimage2, memaloc, mouserm, screen, prntdata, sys_pal, 
new_arc, drawfile, oldboot, oldrun, template, bbc_data and hd_cat.

Squeezed BASIC version using various filenames/filetypes. No silly 
messages.
(this strain added: 16th January 1993)

Icon-1687

Filename: Icon

No other effects.

Icon-1988

Filename: YUKOHNO!, no filetype.

Icon-1992

Filename: Wraith

Icon-2096

Filename: Poison

Random error code replaced with a *I am stuck - which might log the 
user on to a network if they're very unfortunate!

Icon-2120

Filename: OldCMOS                         

Icon-2158

Filename: Spr

This one is nasty! Aside from usual Icon tricks it *replaces* the 
!Run file of an application with a command to format drive 0, so 
running the application will format the disc (... that it is on, 
in the worst case).
   
Icon-2173

Filename: Setup (filetype Data)

Versions of VProtect before 1.46 will not detect this virus, allowing 
it to remove VProtect and delete <Killer$dir>. Aside from this anti-social 
behaviour it is unremarkable.

Icon-2285

Filename: !Spritey (untyped)

Unremarkable.

Icon-2616

Filename: Icon

No silly messages from this version - also has the name of the person 
who modified it  (yes, the UK Computer Crimes Unit have acted on 
this!).
         
Icon-2622

Filename: Wright

Icon-2631

Filename: Splodge

Identical to 2616, except the change of name.   

Icon-2651

Filename: Options, desktop task called Options. No malicious code.

Icon-2696

Filename: wallace, filetype module. Otherwise as 2616.

Icon-2948

Filenames: pic, newfile, READER, LOK, INTERACT

Icon-2963

Can use one of the following names. Produces messages on Fri 13th 
& 5th November: AnimMod, FCoreFix, Modes, Overscan, Monitor, 3dIcons, 
ScrapMod, SysMod, Patch, Padfile, Compact, UtilMod, FreeMem, Graphics, 
Music, Support, WimpIcons, Taxan, Cambridge, VigayMod, SmiggyMod, 
ASCIIConv, StripLine, Redirect.
                             
Icon-2977

Dangerous variant sent anonymously to Pineapple Software. It is not 
yet known whether this strain is also in the wild. However, given 
its date-fired routines, it has been added to VProtect & Killer's 
repertoire.

Fri 13th: configure spritesize 512K, ramdisc 0K, and the message 
"Palette Strikes Again!!!"

Apr 1st: configure idediscs 0, configure hardiscs 0, and the message 
"Palette has wiped your Hard Drive" (of course it hasn't).

30 minutes past the hour: configure floppies 2, configure idediscs 
2, and the message "Your Floppy Drive Has Got An Erection"

Jul 4th: configure tv 0,0 and the message "***SHAKES***"

Dec 25th: *drive 0, *wipe *.* f ~c and the message "The AVRD doesn't 
know about this one."

Feb 14th: *SET System$Dir <Obey$Dir>.^ and the message "Alan G 4 
Tor H"

Dec 26th: *unplug desktop, and the message "Sorry to wreck your new 
pressy but this *is* a virus."

Jan 1st before 10am: *configure noscroll, *configure mousestep 20, 
and the message "Got over your hangover already?"

Icon-3077

Filenames and filetype chosen at random from:
  
Filenames:
  
Anim, FCoreFix, Modes, OverDo, Monitor, 3dIcons, Scrap, Sys, Patch, 
Padfile, Compact, Util, FreeMem, GraTask, Music, Support, WimpIcons, 
TaxMontr, Script, Preview, Reloc, Runtime, StripLine, ErrorGen, CLib, 
ABCLib, FPEmulator, Colours
                    
Icon-4508

Filename: Code 32, filetype Data. May cause unexpected colour changes 
in the desktop.

Icon-5498 

Filename: Icon, though the in-core name is 'Extra'. 

Does have silly messages.

Icon-5574      

Filename: Icon

As 5498 with missing Hourglass_On call added. Silly message less 
likely to appear when it is loaded.

Icon-5737

Filename: NewVirus

As 5574, but with a three-key sequence to exit the program. High 
likelihood of a silly error at startup. Insignificant changes to 
!Boot save routine.

Icon-5742

Filename: Icon

Bugfix of 5737. Less likely to give silly errors when loaded.

(Source: Alan Glover)


###########################################################################

Image
===========================================================================

Last Updated:        21st April 1992
Aliases:             
Origin:              Northern Ireland ?
Isolation Date:      Jan. 1992 by Svlad Cjelli
Effective Length:    512 bytes
Virus Type:          Resident, although not in RMA
Symptoms:            Files "Image" and "!Spr" in application directories. 
                     The file "image" has no filetype, but !Spr has 
                     the type Obey.

---------------------------------------------------------------------------

Detection Media:     Killer 1.26+     Memory:      Killer 1.26+
                     Scanner 1.13+
                     VProtect 1.07+ 
                
Removal   Media:     Killer 1.26+     Memory:      Killer 1.26+ 
                     Scanner 1.15+
                     delete "Image". If there is a "!Spr" file, delete 
                     !Run and rename !Spr as !Run, otherwise delete 
                     !Boot.

---------------------------------------------------------------------------

General Comments:

This virus carries no payload, but spreads VERY fast, to the extent 
that you can delete the file, only to see it instantly re-appear 
again if it is in memory!

It loads its code into the OS workspace, at &5500. It is therefore 
liable to crash the machine should the OS use that area of workspace.

The !Run or !Boot file looks like this:

LOAD <OBEY$DIR>.IMAGE 5500[0d]GO 5500[0d]

Its action on infection is to save <Obey$Dir>.Image, and then either 
to create a !Boot file if one does not exist, or if it does, rename 
the !Run file to !Spr and then create a new !Run file.

(Sources: Alan Glover, Svlad Cjelli)


###########################################################################

Image2
===========================================================================

Last Updated:        29th October 1993
Aliases:             
Origin:              
Isolation Date:      October 1993
Effective Length:    320
Virus Type:          Resident in RMA
Symptoms:            Files "Image" and "!BootFAT" in application 
                     directories. The file "image" has filetype &FFC, 
                     but !Spr has the type Obey.

---------------------------------------------------------------------------

Detection Media:     Killer 1.509+    Memory:      Killer 1.509+
                     VProtect 1.50+ 
                
Removal   Media:     Killer 1.509+    Memory:      Killer 1.509+ 
                                                   

---------------------------------------------------------------------------

General Comments:

This virus carries no payload, but spreads VERY fast, to the extent 
that you can delete the file, only to see it instantly re-appear 
again if it is in memory!

It loads its code into the RMA, but will not appear as a module of 
any sort.

Its action on infection is to save <Obey$Dir>.Image, and then either 
to create a !Boot file if one does not exist, or if it does, rename 
the !Run file to !BootFat.



###########################################################################

Increment
===========================================================================

Last Updated:        18th September 1992
Aliases:             
Origin:              UK, Cornwall ?
Isolation Date:      September 1992
Effective Length:    464 bytes
Virus Type:          Resident
Symptoms:            CMOS configuration settings seem to change randomly

---------------------------------------------------------------------------

Detection Media:     Killer 1.375+    Memory:      Killer 1.375+
                     Scanner 1.49+                 Scanner 1.49+
                     VProtect 1.23+

Removal   Media:     Killer 1.375+    Memory:      Killer 1.375+

---------------------------------------------------------------------------

General Comments:

The virus appends itself to existing !boot files. The virus may not 
be immediately obvious when an infected !boot file is viewed in !Edit 
because it inserts 28 or more line feeds between the legitimate file 
and the viral appendage. However CTRL-Down Arrow will move down to 
the bottom of the file and expose the telltale signs of a machine 
code appendage on the end of the file.

On each infection the virus will increment a CMOS RAM location. The 
location itself is also incremented on each infection, with the effect 
of seemingly random problems appearing (including, for example, ROM 
modules becoming unplugged).

(Source: Alan Glover, with thanks to Lee Davies)
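
A heuristic for the hiding technique described in the Increment entry 
above, as an added example (Python, not part of the AVRD or of 
!Killer/!Scanner): find a run of 28 or more line feeds followed by a 
tail that does not look like Obey text. The text-ratio threshold, the 
names and the sample bytes are assumptions of this example; a hit means 
"inspect this !Boot", not a positive identification.

```python
import re
from typing import NamedTuple, Optional

MIN_LINE_FEEDS = 28      # "28 or more line feeds", per the entry above
MAX_TEXT_RATIO = 0.85    # assumption: a tail of Obey text scores higher

PADDING_RE = re.compile(rb"\n{%d,}" % MIN_LINE_FEEDS)
# Bytes counted as text: printable ASCII plus TAB, LF and CR.
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


class Appendage(NamedTuple):
    text_end: int        # offset where the line-feed run begins
    padding: int         # number of consecutive line feeds in the run
    tail_start: int      # offset of the first byte after the run
    tail_length: int     # number of bytes from tail_start to end of file
    text_ratio: float    # share of the tail that is plain text


def text_ratio(blob: bytes) -> float:
    """Fraction of bytes in blob that look like plain text."""
    if not blob:
        return 1.0
    return sum(b in TEXT_BYTES for b in blob) / len(blob)


def find_appendage(data: bytes) -> Optional[Appendage]:
    """Return the first padded non-text tail in a !Boot file, if any."""
    for run in PADDING_RE.finditer(data):
        tail = data[run.end():]
        if not tail:
            continue                      # file merely ends in blank lines
        ratio = text_ratio(tail)
        if ratio < MAX_TEXT_RATIO:        # tail is mostly non-text bytes
            return Appendage(run.start(), run.end() - run.start(),
                             run.end(), len(tail), ratio)
    return None


# Constructed samples. BINARY_TAIL is eight harmless filler bytes repeated,
# standing in for machine code; it is not taken from the virus.
LEGIT = b"IconSprites <Obey$Dir>.!Sprites\n"
BINARY_TAIL = bytes.fromhex("0000a0e30ef0a0e1") * 4
PADDED_BINARY = LEGIT + b"\n" * 30 + BINARY_TAIL
PADDED_TEXT = LEGIT + b"\n" * 40 + b"Run <Obey$Dir>.!RunImage\n"
SHORT_GAP = LEGIT + b"\n" * 5 + b"Run <Obey$Dir>.!RunImage\n"

if __name__ == "__main__":
    for label, sample in (("padded binary", PADDED_BINARY),
                          ("padded text", PADDED_TEXT),
                          ("short gap", SHORT_GAP)):
        print(label, find_appendage(sample))
```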


###########################################################################

Irqfix
===========================================================================
      
Last Updated:        14th September 1992
Aliases:             
Origin:              United Kingdom
Isolation Date:      September 1992
Effective Length:    940 bytes
Virus Type:          Resident task. Stores code as separate file.
Symptoms:            File "RiscExtRM", "WimpPoll", "OSSystem", "MiscUtil", 
                     "FastRom", "IRQFix" or "AppRM" in application 
                     directory. Each time the code is executed it 
                     grabs 1k of RMA - this will eventually lead to 
                     a system crash.

---------------------------------------------------------------------------

Detection Media:     Killer 1.374+    Memory:      Killer 1.374+
                     Scanner 1.48+                 Scanner 1.48+
                     VProtect 1.22+

Removal   Media:     Killer 1.374+    Memory:      Killer 1.374+
                     Scanner 1.48+
                     delete named file, remove extra lines from !Boot.

---------------------------------------------------------------------------

General Comments:
                                                                 
                         
This is a variant of Extend which uses IRQFix as the module name, 
and different filenames. In all other respects the code is identical 
to Extend.

(Source: Alan Glover, with thanks to Alex Belton)


###########################################################################

Link
===========================================================================

Last Updated:        21st April 1992
Aliases:             
Origin:              United Kingdom
Isolation Date:      January 10th, 1992
Effective Length:    1416 bytes
Virus Type:          Resident Absolute file infector. Also a Trojan 
                     Horse.
Symptoms:            Module 'BSToDel' in module list. Files are re-stamped.

---------------------------------------------------------------------------

Detection Media:     Killer 1.27+     Memory:      Interferon 2.10+
                     Scanner 1.03+                 Killer 1.27+
                     Hunter 1.16+                  Hunter 1.16+
                                                   Scanner 1.20+

Removal   Media:     Killer 1.27+     Memory:      Killer 1.27+ 
                     Hunter 1.16+                  Interferon 2.10+
                     Scanner 1.20+                 Hunter 1.16+
                                                   Scanner 1.20+

---------------------------------------------------------------------------

General Comments:

The reason why I found the Link virus was because of the module 'BSToDel' 
appearing in the module list. Also, suddenly Killer 1.17 didn't work 
(It gave an "Integrity check failed" and refused to load)! As I already 
have made my own 'backspace to delete' utility as a module, I wondered 
where that module came from! (It certainly wasn't as a separate module 
on the disc.)

Before installing itself as a module, it infects %.Squeeze (if there 
is a library directory, and if Squeeze is indeed in it) - just in 
case there wasn't enough room in the RMA. Then it hooks onto the 
FSControlV and InsV vectors. The latter is used so that it can do what 
the module title suggests: convert backspace (&08) to delete 
(&7F) (the reason why I also typed it as a Trojan Horse).

The FSControl vector is used so that it can look for certain actions 
- namely *Run and *Copy. When it detects one of these, it does the 
following.

It replaces the first three instructions in the file with its own, making 
an absolute branch to the end of the file. The rest of the module 
is then stored there, together with the original three instructions. To 
make detection a bit more difficult, it encrypts itself with an EOR variant 
(different key each time).

On any Friday the 13th, it will display the message

Message from LINK: Active since 30-Nov-91

every time it infects a program. [As Alan pointed out, this date 
is fixed, meaning that it bears no relationship to the time at which 
a system became infected.]

The virus does no damage apart from attaching itself to files. Files 
infected by the Link virus are re-stamped to the date they were infected. 
Also, at the end of the module (and effectively each infected file 
- although encrypted) the word 'LINK' appears. I first thought this 
was used as an 'already infected' flag, but this is not so. What 
it does is check the second instruction in the file, and if this 
is 'MOV PC,R0' (probably reckons that few programs have this as their 
second instruction) it recognizes it as infected. If not, the file 
is infected. This method of checking the file might add to the difficulty 
of making an inoculator.

Why didn't Interferon detect this virus?

At first, I thought that there might be a bug in Interferon, but 
as I found out, the Link virus checks to see if Interferon is in 
memory by using OS_Module 18 (look-up module name). By doing this, 
it also finds where the module code is. Then, it changes a CMP instruction 
within the code so that Interferon never detects OS_GBPB. After the 
infection is finished, the Link virus changes the code back to what 
it was.  [I'm working on a CRC routine for a future version of Interferon 
at the moment, so Interferon should be 100% operational 'real soon 
now'.]


###########################################################################

Mode87
===========================================================================

Last Updated:        11th September 1992
Aliases:              
Origin:              Unknown. UK?
Isolation Date:      Unknown - possibly autumn 1991
Effective Length:    848 bytes
Virus Type:          Resident !Boot file infector.
Symptoms:            Module 'Mode87' in application directories. 
                     

---------------------------------------------------------------------------

Detection Media:     Killer 1.360+    Memory:      Killer 1.360+
                     Scanner 1.41+                 Interferon 1.10+
                     VProtect 1.17+

Removal   Media:     Killer 1.360+    Memory:      Killer 1.360+
                     Scanner 1.41+

---------------------------------------------------------------------------

General Comments:

Mode87 installs itself in the RMA as "BBCEconet". To tell it apart 
from the original Acorn network module, type *Modules: the virus 
lies at an address of the form &01xxxxxx instead of a ROM address 
(&03xxxxxx). If Acorn's original module is not *Unplugged, the virus 
installs itself on top of it, and is not easily seen in the module list. 

Mode87 is not malevolent. Although it destroys the original !Boot 
file of an application, it is not treated as a virus with serious 
damage potential. Mode87 simply overwrites any !Boot file already 
there (and if there isn't one, it creates a new one) with: 

| Boot file
IconSprites <Obey$Dir>.!Sprites
RMLoad <Obey$Dir>.Mode87


Then it proceeds to save itself as a module with the filename "Mode87". 
If it has reached an infection count of 256, an expanding circle 
(black, if you are using the standard desktop palette) will "eat" 
your screen. Control will then return to normal. 

Mode87 releases its vector claim on OS_FSControl, so it is quite 
safe to *RMKill it. 

(Source: Tor Houghton)


###########################################################################

Module
===========================================================================

Last Updated:        11th September 1992
Aliases:             Illegal, ModVir
Origin:              Unknown
Isolation Date:      October 1991
Effective Length:    956 bytes
Virus Type:          Resident module infector.
Symptoms:            Modules grow by approx. 1k, and are re-datestamped. 
                     May cause system crashes when accessing files 
                     (load, save, etc.)

---------------------------------------------------------------------------

Detection Media:     Killer 1.17+     Memory:      Interferon 2.00+
                     Hunter 1.00+                  Killer 1.17+ 
                     Scanner 1.14+                 Hunter 1.00+
                     VProtect 1.10+                 
                
Removal   Media:     Killer 1.26+     Memory:      Killer 1.26+
                     Hunter 1.00+                  Hunter 1.00+
                     Scanner 1.46+

--------------------------------------------------------------------------- 

General Comments:

This is a very nicely written virus which appends itself to modules, 
redirecting three module entry points to pass through itself before 
being handed on to the module's original entry point. It spreads 
by infecting a module as it is loaded, and then the newly loaded 
module infects the next one loaded, and so on...

This virus is likely to be very widespread, since it was distributed 
on the Archimedes World February 1992 cover disc in the MicroDrive 
demo (in it, several modules were infected). It does nothing until 
6th September 1992, when it will display the message:

Your computer has been virus infected. This is intended to be a friendly 
virus, and hasn't done any damage to your disc as is  possible now, 
but it isn't active anymore from now on. Be more careful with illegal 
software next time!

[Along with a generation counter. Another interesting observation 
is that it does not infect locked modules. Infects whenever it notices 
a RUN or LOAD action on a module. As a result, THIS VIRUS IS EXTREMELY 
CONTAGIOUS.]

The message that it isn't active anymore is not true! It ALWAYS (even 
after 06-Sep-1992) attaches itself to the OS_File (FileV) vector.

The virus first calls the previous owner of the OS_File vector (FileSwitch?). 
This means that the module will be loaded and initialised. If the 
length of the module minus the initialise word of the module is equal 
to 956 (i.e. the length of the virus), then the module is already 
infected and the virus deactivates itself (the newly loaded module 
has already attached itself to the OS_File vector). If the module 
isn't infected, the virus attaches itself at the end of the module, 
overwriting the init/final/service words in the module header, preserving 
the original 3 words.

(Source: Alan Glover, Michel Fasen)
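
The self-recognition tests described in the Link and Module entries above (second instruction is 'MOV PC,R0'; module length minus the initialise word equals 956) can be reused as scanner heuristics. The following Python is an added example, not code from Killer, Scanner or the authors of this document; the function names, the verdict strings and the constructed sample images are assumptions made for illustration.

```python
import struct

MODULE_VIRUS_LEN = 956    # "Effective Length" in the Module entry
LINK_VIRUS_LEN = 1416     # "Effective Length" in the Link entry
MOV_PC_R0 = 0xE1A0F000    # ARM encoding of MOV PC,R0 (always-execute condition)
HEADER_MIN = 28           # seven header words: start, init, final, service, ...


def _word(data, offset):
    """Read one little-endian 32-bit word from a file image."""
    return struct.unpack_from("<I", data, offset)[0]


def check_module(data):
    """Classify a relocatable module image using the Module virus's own test."""
    size = len(data)
    if size < HEADER_MIN:
        return "malformed"
    init, final, service = (_word(data, off) for off in (4, 8, 12))
    if any(entry >= size for entry in (init, final, service)):
        return "malformed"            # entry offset points outside the file
    if init < HEADER_MIN or size - init != MODULE_VIRUS_LEN:
        return "clean"                # no init entry, or it is not 956 from the end
    tail = size - MODULE_VIRUS_LEN
    # Assumption drawn from the entry: final and service are redirected too,
    # so on an infected module both should also land inside the appended tail.
    if final >= tail and service >= tail:
        return "suspect"
    return "length-match-only"        # coincidence is possible; inspect by hand


def check_absolute(data):
    """Classify an Absolute file image using the Link virus's own test."""
    if len(data) < 8:
        return "too-short"
    if _word(data, 4) != MOV_PC_R0:
        return "no-marker"
    # The 'LINK' text is encrypted in infected files, so it is not searched for.
    # Assumption: an infected file must be longer than the 1416-byte virus body.
    if len(data) <= LINK_VIRUS_LEN:
        return "marker-only"
    return "suspect"


def make_module(size, init, final, service):
    """Constructed sample: a 28-byte header followed by zero padding, no code."""
    header = struct.pack("<7I", 0, init, final, service, 0x1C, 0x1C, 0)
    return header + bytes(size - len(header))


def make_absolute(second_word, size):
    """Constructed sample: three instruction words followed by zero padding."""
    nop = 0xE1A00000                  # MOV R0,R0, used only as filler
    return struct.pack("<3I", nop, second_word, nop) + bytes(size - 12)


if __name__ == "__main__":
    print(check_module(make_module(256, 0x40, 0x50, 0x60)))
    print(check_module(make_module(256 + 956, 256, 288, 320)))
    print(check_absolute(make_absolute(MOV_PC_R0, 4000)))
    print(check_absolute(make_absolute(0xE1A00000, 4000)))
```

A "clean" or "no-marker" verdict only means the image does not match this one test; as the Link entry notes, a legitimate program could carry the same second instruction, so a "suspect" result calls for confirmation with a full scanner.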


###########################################################################

MonitorDat
===========================================================================
      
Last Updated:        24th November 1993
Aliases:             
Origin:              United Kingdom
Isolation Date:      November 1993
Effective Length:    2355 bytes
Virus Type:          Resident task. Stores code as separate file.
Symptoms:            File MonitorDat in application directory.

---------------------------------------------------------------------------

Detection Media:     Killer 1.512+    Memory:      Killer 1.512+
                     VProtect 1.52+
                
Removal   Media:     Killer 1.512+    Memory:      Killer 1.512+

---------------------------------------------------------------------------

General Comments:

This is basically the Vigay virus, with amendments to the original 
program to make it slightly different.

The changes are:
  
- Triggers on Monday rather than Thursday
- The virus is in a file called MonitorDat



###########################################################################

MyMod
===========================================================================

Last Updated:        21st April 1992
Aliases:             Silicon Herpes
Origin:              United Kingdom
Isolation Date:      June-August 1991
Effective Length:    2948 bytes
Virus Type:          Resident
Symptoms:            Additional files "SSLM" (filetype Module) and 
                     "SSLF" in application directories. Message on 
                     every Friday the 13th. Module "MyMod" in module 
                     list.

---------------------------------------------------------------------------

Detection Media:     Killer 1.17+     Memory:      Interferon 2.00+
                     Scanner 1.15+                 Killer 1.17+
                     VProtect 1.10+                Scanner 1.20+
                     Hunter 1.16+                  Hunter 1.16+
                
Removal   Media:     Killer 1.17+     Memory:      Killer 1.17+ 
                     Scanner 1.16+                 Hunter 1.16+
                                                   Interferon 2.10+
                                                   Scanner 1.20+
                     delete "SSLM", rename "SSLF" to !Boot.

---------------------------------------------------------------------------

General Comments:

This works by redirecting the Alias$@RunType for Obey files, so spreads 
very fast.

Once on each Friday 13th you'll get this message:

Hi there. It's me, with my latest addition to the ARCHIMEDIES range 
of computer programs. This one's called silicon herpes. It's  annoying 
but DOES NO REAL DAMAGE!!! 

Anyway, it's Friday the 13th, and what can you expect. Acorn state 
that RISC OS has high protection against programs of this nature. 
I can't call it a virus, as a virus does damage

With Acorn making these bold statements about RISC OS I decided to 
 write a demonstration to disprove their theories. I must admit  
though, it was quite difficult. 

Anyway, I don't want to keep you so I'd like to say, have a very 
 happy Christmas, Easter, Summer or what ever, and hang kickin


There's a likelihood of various spurious errors from one of the variants 
(both are the same length) since it addresses application memory 
directly!

(Source: Alan Glover)


###########################################################################

NetManager
===========================================================================

Last Updated:        11th September 1992
Aliases:             
Origin:              United Kingdom
Isolation Date:      June-August 1991
Effective Length:    900 bytes
Virus Type:          Resident !Boot file infector
Symptoms:            Module 'NetManager' in module list.

---------------------------------------------------------------------------

Detection Media:     Killer 1.17+     Memory:      Interferon 2.00+
                     VProtect 1.10+                Killer 1.17+
                     Scanner 1.40+                 Scanner 1.20+
                
Removal   Media:     Killer 1.17+     Memory:      Killer 1.17
                     Scanner 1.40+                 Scanner 1.20+
                                                   Interferon 2.10+
                     delete !Boot.                 RMKill NetManager

---------------------------------------------------------------------------

General Comments:

I believe this to be the prototype for, or maybe the inspiration 
for, the TrapHandler virus. Although the coding is quite different 
in places, there's quite a similarity in the design.
 
There are a number of coding errors in the virus, most notably around 
the time bomb area, making it harmless in this form. The intention 
of the code is to check for Friday 13th, and display a message, however 
it will never detonate (... unless there's a fixed version in circulation 
... though that's what I believe TrapHandler is).  It's fortunate 
that it never displays the message, because there's another coding 
error and the message isn't actually there!

(Source: Alan Glover)


###########################################################################

NetStatus
===========================================================================

Last Updated:        21st April 1992
Aliases:             Boot
Origin:              Norway or Belgium
Isolation Date:      October 1991
Effective Length:    2048 or 2072 bytes
Virus Type:          Resident !Boot file infector
Symptoms:            !Boot filelength increase.

---------------------------------------------------------------------------

Detection Media:     Killer 1.27+     Memory:      Interferon 1.10+
                     Scanner 1.02+                 Killer 1.27+
                     VProtect 1.10+                Scanner 1.20+
                     Hunter 1.16+                  Hunter 1.16+
                     VirusKill 1.00+ 
                
Removal   Media:     Killer 1.27+     Memory:      Killer 1.27+ 
                     Scanner 1.17+                 Hunter 1.16+
                     Hunter 1.16+                  Interferon 1.10+
                                                   Scanner 1.20+
                                                   RMKill NetStatus

---------------------------------------------------------------------------

General Comments:

NetStatus is written as a module, and in many ways it functions exactly 
the same way as the TrapHandler virus, as it saves all of its code 
in an application's !Boot file. It differs strongly from this 
one, however, as NetStatus does not overwrite the !Boot file. The 
original !Boot instructions are executed after the virus has been 
loaded, making it more difficult to spot than TrapHandler.

Sometimes a message will appear (after a mode change):

Hello, there.
Just a little message.
The infection count is: <infection count>
This program is harmless
10 Jun 1991

[This message is encrypted, and will neither show up in memory nor 
in the infected !Boot file.]

One might think that NetStatus should be placed as a 'variant' of 
TrapHandler, as the way the two viruses work is so similar (both 
viruses work by loading the !Boot file into memory below &8000 and 
then jumping to the code). However, seeing that the code itself was 
so different, I chose to let it have its own entry. Also, NetStatus 
infects the !Boot file instead of overwriting it! If you think you 
might have been infected by this virus, do *Help NetStatus to see 
if it is version 2.00, and if it is, do a *Modules to check where 
it resides. If the address is 018xxxxx then you are infected, if 
not, the address should be 038xxxxx. [This virus has the potential 
to cause chaos on Econet networks, where it will replace the real 
NetStatus module - causing anything that relies on it to fail.]

Known variant(s) of the NetStatus virus are:

NetStatus-2048

This appears to be an earlier version of NetStatus. Some code is 
missing in this version, but they appear identical in operation. 
Please note that not many virus killers are aware of both versions. 
If a killer understands only one strain, the !Boot file will become corrupt.


###########################################################################

NewDesk
===========================================================================

Last Updated:        3rd March 1993
Aliases:             
Origin:              UK
Isolation Date:      March 1993
Effective Length:    2439 bytes
Virus Type:          Resident !Boot file infector
Symptoms:            !Boot filelength increase.

---------------------------------------------------------------------------

Detection Media:     Killer 1.375+    Memory:      Killer 1.375+
                     VProtect 1.32+
                
Removal   Media:     Killer 1.375+    Memory:      Killer 1.375+ 
                                                   

---------------------------------------------------------------------------

General Comments:

This is a BASIC program filetyped as a Sprite. It is loaded by !Boot 
and runs as a desktop task choosing one of the following names at 
random:

"HandyHint", "Desktop X-tras", "Help", "Clock", "VProtect", 
"adfs 2", "RamFiler", "FormEd" or "Editor"

(Note: VProtect as used by this virus will show up as an application 
task. The real VProtect from Pineapple Software shows up as a module 
task.)

On April 1st or any Friday 13th it will *unplug Desktop, ADFS, BASIC 
and TaskManager.


###########################################################################

Parasite
===========================================================================

Last Updated:        21st April 1992
Aliases:             
Origin:              UK, Cheshire?
Isolation Date:      January 1992 by S. Haeck
Effective Length:    6K & 7K
Virus Type:          Resident application infector, stores code as 
                     separate file.
Symptoms:            Additional modules appearing within applications

---------------------------------------------------------------------------

Detection Media:     Killer 1.27+     Memory:      Killer 1.27+
                     Scanner 1.23+                 Scanner 1.20+
                     VProtect 1.12+ 
                
Removal   Media:     Killer 1.27+     Memory:      Killer 1.27+ 

---------------------------------------------------------------------------

General Comments:

This is a **very** nasty virus. Handle any infections with care!

The Parasite virus was first discovered by S. Haeck in January 1992.

The two strains are identical, except that the first always uses 
the same name for its module, and the second has a random choice 
of 20 (twenty) filenames. It will only activate on machines whose 
network station number is <80 - which will include non-networked 
machines, which typically have 0 or 1 in the CMOS. Do NOT try to 
RMKill the module - a delayed action machine crash will result. It 
will *wipe any of the following file/directory names - !vkiller, 
vir, shield, prot and !guardian - this points at a UK origin since 
it is not aware of Scanner.

It has a whole repertoire of dirty tricks, which are time triggered:

- Corruption of the net printer name (it uses this as workspace)
- Midnight, and xx:13: crash the computer
- Before 07:00: crash the computer 300-900 seconds later
- 00:00 to 00:59 on 1st Jan: crash the computer
- 1st of any month: claim 16K of RMA (not used)
- 21st June: set MouseStep to 1
- 21st December: set MouseStep to 127 (fast!)
- 29th February: Set MouseStep to -5 (fast, and reversed)
- If there is a 0 in the time, and the virus loaded from SCSI: *unplug 
the Podule Manager (disabling the SCSI disc)
- At 0x and x0 seconds, if the module came from IDEFS: alias the 
IconSprites command so that no further sprites are cached

Furthermore, there are some which can be fired at any time:

1 in 50: Change sound settings
1 in 25: Redefine character set to all spaces after 60-240 seconds
1 in 60: Corrupt the disc in drive 0

Lastly, there are a group of serious actions (which are limited so 
only a certain number occur within a given period):

 - Before 08:00 (14:00 Sundays): configure number of hard and floppy 
drives to zero.

 - Mondays: Configure Fontsize 0K, SpriteSize 512K, which will cripple 
a 1Mb machine!

 - 25th December: Configure MonitorType 3, Sync 0

 - A 7 in the time: Configure Country to Greece

 - 1 in 4: Configure ADFS, Harddiscs 2, Drive 5 (very tricky if you 
don't happen to have two ST506 drives)

The module names which it can use are:

FontLibrary, CodeLibrary, ScreenObjct, PromptsPick, HPIBIntMngr, 
PRomModules, BasicCryptr, ChrSelecter, WimpModMake, PaletteUtl2, 
ModeUtility, FontUtility, TempManager, ColourConvt, IndexReader, 
ArthurImage, SyncUtility, VIDCManager, FontPalette, HugoFiennes.

The first (6435 byte) strain always uses the name FontLibrary.

Note that Hugo Fiennes, whose name appears at several points in the 
code, as well as being one of the module filenames, has much better 
things to do than write viruses, and has no known connection with 
this virus!

(Source: Alan Glover, with thanks to Geoff Riley for much of the 
decoding)


###########################################################################

Penicillin
===========================================================================

Last Updated:        6th December 1992
Aliases:             
Origin:              UK
Isolation Date:      December 1992
Effective Length:    7306 bytes
Virus Type:          Resident application infector
Symptoms:            Data file called Penicillin in application directories

---------------------------------------------------------------------------

Detection Media:     Killer 1.382+    Memory:      Killer 1.382+
                     VProtect 1.25+

Removal   Media:     Killer 1.382+    Memory:      Killer 1.382+

---------------------------------------------------------------------------

General Comments:
                                               
This is basically speaking an Icon variant, and therefore bears common 
features with the base Icon strain. However, it is one of the more 
malicious variants, with tricks including:
  
- Configuring FontSize to 128K
- Altering the mouse step settings, and causing pseudo random movement
- Configure TV 0,0 which will turn interlace on (screen shakes)
- Makes a noise
- Reads &12000 bytes from ADFS::0 to address 0 - this will almost 
certainly crash the machine
- Configure the machine for no floppy drives
- Change the mouse rectangle settings

On the 13th of any month there is a random chance that it will:
  
- Create a random mouse rectangle and enter an endless loop
