English Amiga Board


Old 27 November 2019, 22:52   #1
LooZee
Registered User

 
Join Date: Nov 2016
Location: Black Forest / Germany
Posts: 9
Removing the HNY96 virus

Here's an example of how to remove the HNY96 (Happy New Year 96) virus from an executable.

In this case I'm using "Demo Maniac v2.19 (19xx)(Nico Schmidtchen)(Disk 1 of 2).adf" and
scanning it with VirusExecutor:

Demo Maniac v2_001.png

None of the anti-virus programs I tested are capable of removing this virus to restore
a working executable, although it's pretty easy to do.

Here's a hex view of the infected file. You're looking straight at the boil.

Demo Maniac v2_002.png

HNY is a link virus that attaches to a file by adding a code hunk to the beginning.
This is how it looks in Hunk Processor (Aminet: hunk.lha):

Demo Maniac v2_004.png

Hunk #0 is the virus. We can easily remove it with this program. Don't forget to save the file, of course.

Demo Maniac v2_005.png

Check again with a virus scanner to be sure and ...tadaaa...

Demo Maniac v2_006.png

Mission accomplished. Virus removed, executable restored.

LooZee is offline  
Old 28 November 2019, 01:59   #2
Hedeon
PPC Hacker

 
Join Date: Mar 2012
Location: Leiden / The Netherlands
Posts: 1,153
Weird. VirusZ III with the latest xvs.library should just remove it.
Plus the real HNY is a link virus and links into the first hunk of the exe and does not add an extra hunk.


EDIT:

OIC, this is just an installer of the HNY virus.
Hedeon is offline  
Old 28 November 2019, 12:36   #3
daxb
Registered User
 
Join Date: Oct 2009
Location: Germany
Posts: 2,466
HNY96 info: https://www.vht-dk.dk/amiga/desc/txt/hny-9697.htm
Check out other viruses: https://www.vht-dk.dk/amiga/desc/virus.htm

If I remember right it was possible to remove this virus with VT, VirusExecutor or VirusZ.
daxb is online now  
Old 28 November 2019, 13:53   #4
zipper
Registered User
 
Join Date: Mar 2004
Location: finland
Posts: 1,571
I think I got over 700 infections and they were removed with VT without any problems.
zipper is offline  
Old 28 November 2019, 16:32   #5
grond
Registered User

 
Join Date: Jun 2015
Location: Germany
Posts: 701
I'm pretty sure the HNY96 virus was first distributed at The Party 5 in Denmark where I got it from some guys who wanted to copy some floppy disks on my computer (I was too tired to wonder why the heck they couldn't do it on their own Amiga). I noticed rather quickly that it could be disabled quite easily by corrupting its string "dos.library". I think somebody in my group wrote a tool that would do this automatically. Of course, the virus code would remain in the files it had infected but it couldn't spread any further.
grond is offline  
Old 28 November 2019, 16:46   #6
Hedeon
PPC Hacker

 
Join Date: Mar 2012
Location: Leiden / The Netherlands
Posts: 1,153
Quote:
Originally Posted by daxb View Post
If I remember right it was possible to remove this virus with VT, VirusExecutor or VirusZ.
Yes, but this is not the 'wild' virus, but it was intentionally added as a hunk to the exe. That is why it is called an 'installer' by VT and most virus programs just delete installers and don't fix them. The 'wild' HNY96 virus puts itself at the end of the first hunk and changes some opcode in the code of this first hunk to jump to the virus part to activate the virus (if I remember correctly without looking at the links in your post).
Hedeon is offline  
Old 28 November 2019, 18:11   #7
LooZee
Registered User

 
Join Date: Nov 2016
Location: Black Forest / Germany
Posts: 9
Quote:
Originally Posted by Hedeon View Post
this is just an installer of the HNY virus.

OK, so my "tutorial" is about removing the HNY installer, not the activated virus. Thanks for all the feedback.


I didn't disassemble it in depth, just enough to understand that it didn't modify the other hunks and might be removed without damage.



I guess removing the original source of the virus isn't a bad thing either.
LooZee is offline  
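The check behind "it didn't modify the other hunks", and behind the hunk removal in post #1, sketched as an added example (not code from any poster or from the tools named in the thread): parse the AmigaDOS load file and report which remaining hunks carry relocations that point into the hunk to be dropped. The function names and the sample bytes are constructed for illustration, and the parser assumes the first hunk is numbered 0 and that no hunk uses the extended memory attribute.

```python
import struct

HUNK_CODE, HUNK_DATA, HUNK_BSS, HUNK_RELOC32 = 0x3E9, 0x3EA, 0x3EB, 0x3EC
HUNK_SYMBOL, HUNK_DEBUG, HUNK_END, HUNK_HEADER = 0x3F0, 0x3F1, 0x3F2, 0x3F3

def parse_hunks(data):
    """Return one dict per hunk: type, size in bytes, hunks its relocs point at."""
    words = struct.unpack(">%dL" % (len(data) // 4), data[:len(data) // 4 * 4])
    if not words or words[0] != HUNK_HEADER:
        raise ValueError("not an AmigaDOS load file")
    pos = 1
    while words[pos]:                      # resident library names, normally none
        pos += 1 + words[pos]
    first, last = words[pos + 2], words[pos + 3]
    pos += 4 + (last - first + 1)          # assumes no extended memory attributes
    hunks, cur = [], None
    while pos < len(words):
        tag = words[pos] & 0x3FFFFFFF      # top two bits are memory flags
        pos += 1
        if tag in (HUNK_CODE, HUNK_DATA, HUNK_BSS):
            n = words[pos] & 0x3FFFFFFF    # size in longwords; BSS has no body
            pos += 1 if tag == HUNK_BSS else 1 + n
            cur = {"type": tag, "bytes": n * 4, "targets": set()}
            hunks.append(cur)
        elif tag == HUNK_RELOC32:          # [count, target hunk, offsets...]* 0
            while words[pos]:
                cur["targets"].add(words[pos + 1])
                pos += 2 + words[pos]
            pos += 1
        elif tag == HUNK_SYMBOL:           # [name longs, name, value]* 0
            while words[pos]:
                pos += 2 + words[pos]
            pos += 1
        elif tag == HUNK_DEBUG:
            pos += 1 + words[pos]
        elif tag != HUNK_END:
            raise ValueError("unsupported hunk type 0x%X" % tag)
    return hunks

def hunks_referencing(hunks, victim=0):
    """Indices of the other hunks whose relocations point into hunk `victim`."""
    return [i for i, h in enumerate(hunks) if i != victim and victim in h["targets"]]

def _longs(*values):
    return struct.pack(">%dL" % len(values), *values)

# Constructed sample, not the file from the thread: hunk 0 jumps into hunk 1,
# hunk 1 loads an address in hunk 2, hunk 2 is data.
SAMPLE = (_longs(HUNK_HEADER, 0, 3, 0, 2, 2, 2, 1)
          + _longs(HUNK_CODE, 2, 0x4EF90000, 0x00004E71, HUNK_RELOC32, 1, 1, 2, 0, HUNK_END)
          + _longs(HUNK_CODE, 2, 0x20790000, 0x00004E75, HUNK_RELOC32, 1, 2, 2, 0, HUNK_END)
          + _longs(HUNK_DATA, 1, 0, HUNK_END))

if __name__ == "__main__":
    print(hunks_referencing(parse_hunks(SAMPLE)))
```

An empty list means no remaining hunk has a relocation into the one being removed; it says nothing about code that was patched without a relocation entry, which is the case Hedeon describes for the 'wild' virus. After a hunk is dropped, the header's hunk table and the relocation target numbers in the remaining hunks still have to be renumbered.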
Old 28 November 2019, 20:24   #8
Photon
Moderator

 
Join Date: Nov 2004
Location: Eksjö / Sweden
Posts: 4,818
My friend Raylight/Powerline made a Happy New Year 96 viruskiller back in the day, this should be it. Aminet is down right now though, so you'd have to find it on a mirror.
Photon is offline  
Old 28 November 2019, 20:58   #9
DamienD
Global Moderator

 
Join Date: Aug 2005
Location: London / Sydney
Age: 43
Posts: 16,499
Quote:
Originally Posted by Photon View Post
Aminet is down right now though, so you'd have to find it on a mirror.
http://de.aminet.net/aminet/util/virus/killhappy.lha
DamienD is online now  
Old 28 November 2019, 21:28   #10
Photon
Moderator

 
Join Date: Nov 2004
Location: Eksjö / Sweden
Posts: 4,818
Quote:
Originally Posted by DamienD View Post
Top man!
Photon is offline  
Old 27 January 2020, 15:24   #11
Crashdisk
Moderator

 
Join Date: Jun 2009
Location: France
Age: 42
Posts: 1,323
This version of Demo Maniac is just a trap and is not infected. It is based on a hack of Demo Maniac v1.23 and linked manually with the virus.

This set is considered as an installer because it was designed for that.
Disinfecting it has no interest, except for educational purposes.
Crashdisk is offline  
 

