Desert Dreams by Kefrens contains a VIRUS on DISK 2

[Torti-the-Smurf]

Hi Demo maniacs

I did a Virus check on my whole drives and all is clean

BUT, there is a VIRUS in
Desert Dreams by Kefrens (Disk2)

https://www.pouet.net/prod.php?which=1483


VirusZ said:
Contains ´SCA`and 1 other Virus


(You have to mark "Scan files for bootblocks" in the setting of File Check Preferences.
Only make 2 checkmarks !!! Scan files for bootblocks & ask before deleting files)

I did some research on the Amiga Computer Virus Encyclopedia
https://www.vht-dk.dk/amiga/desc/virus.htm

The "good news" is that it can´t do harm in an WHDLoad environment,
BUT if you load it from Floppy Disk then be warned !!!
(always write protect your disks !!!!!!!!!)

Kefrens did not create this Virus....
(but spread them ?? & did modifications to it ?? aka Kefrens Viruses )

The SCA is the first known Virus for the Amiga and was created by
the Swiss Cracking Association (Bastards !! )

http://virus.wikidot.com/sca

[StingRay]

There is no virus on disk 2, bootblock contains custom code for the hidden part. It doesn't even remotely look like any known bootblock virus code!

[Torti-the-Smurf]

Good

VirusZ III and VT Schutz see it as a SCA Virus.

So it is a dud ? ; and why are there Kefrens1 & Kefrens2 Viruses ?
You can see them here in the Encyclopedia ....
https://www.vht-dk.dk/amiga/desc/virus.htm

I am curious now

[Dan]

It is easy to check if you have an emulator.

Make a config for a bootable a500 machine, if you have the action replay 3 rom, insert it.

Create an empty adf file, and make a copy of it.
Boot from the suspicious adf file. Press cartridge freeze button.
Usually the ar3 will tell you that a residend program is found in memory.
(not every resident program is a virus) but in case of sca and few others, it will recognize it.

If you do not have the ar3 cartridge, then boot from the suspicious file, then insert an empty adf file.
A bootblock virus will try to spread itself. Wait a minute or two, then end the emulation and use some comparison tools.

WinMerge or HxD hex editor can do the hex-byte comparisons on files.
You compare the empty adf with the copy.

If it is a virus, then something will be changed.

Alternatively, on windows, you can use the https://www.tosecdev.org/downloads/c...5-adf-workshop

to check files for different kind of things, including bootblock and some file viruses.


I have just downloaded the disk2 dms from the pouet.net, booted it, and ar3 does not report a resident program.
Neither does adf workshop.

I have, for testing purposes, booted up an sca infected adf, and both ar3 and adf workshop display the infection.

[chip]

I can confirm, with ADF-Workshop no viruses on disk 2

[Torti-the-Smurf]

So, VirusZIII and VT-Schutz are wrong !!!

Good to know Thank you Guys

But on another note; why are there "Kefrens Viruses" ? (i dont get that)

Like this:
https://www.vht-dk.dk/amiga/desc/txt/scakefrens1.htm

But it was never detected ??? ; yet there is a screenshot of it ??

That stuff gets super confusing

A very special thanks to all "Dr. Mario´s" out there; i feel alot saver now

[hooverphonique]

Quote:

Originally Posted by StingRay

There is no virus on disk 2, bootblock contains custom code for the hidden part. It doesn't even remotely look like any known bootblock virus code!

I interpret "Scan files for bootblocks" as looking for bootblock viruses contained in files, i.e. the contents of a virus which must be written to bootblock to be active, is present in a file on disk.. This doesn't mean that the bootblock on the disk currently contains the virus.


But it's probably a misdetection anyway, though.

[Crashdisk]

Quote:

Originally Posted by Torti-the-Smurf

So, VirusZIII and VT-Schutz are wrong !!!

Beware of jumping to conclusions. It is quite possible to find the SCA virus on any disk. If VirusZ III sees the SCA virus, it is most likely that there is a virus on YOUR disk.

Pouët's disk 2 does not contain a virus in the bootblock (SCA is a bootblock type).

Quote:

Originally Posted by Torti-the-Smurf

But on another note; why are there "Kefrens Viruses" ? (i dont get that)


Like this:
https://www.vht-dk.dk/amiga/desc/txt/scakefrens1.htm

But it was never detected ??? ; yet there is a screenshot of it ??

I have a copy of this virus but I doubt that it has really spread. I have examined over 300000 ADFs and have never seen it on a disk. It is one of the many SCA virus hacks where someone just changed some text in the bootblock. I've seen clones that didn't even have a corrected checksum so it doesn't launch at disk boot...that some antivirus authors have added to their databases in case it is circulating and above all, it increases the stats of the number of detected viruses.
Why do this? Probably to sully the reputation of the group.

[ma693541]

When we are talking about virus here. What are the best virus detector from VHT for HD on an AmigaOS3.2.1 A1200 emulated thru WinUAE?

[Crashdisk]

Quote:

Originally Posted by ma693541

When we are talking about virus here. What are the best virus detector from VHT for HD on an AmigaOS3.2.1 A1200 emulated thru WinUAE?

Knowing that the latest antivirus software uses the xvs.library, that the latest antivirus is VirusZ III and that they are both maintained by Georg Wittmann and that he is still an active developer, I think you get my point

[ma693541]

Yes, I know Crashdisk, but what I want running on the HD are a scanner in real time that can detect virus and then let VirusZ III kill them if or when a virus accidently infect the HD or some of the files on it.

[klx300r]

@ Torti-the-Smurf


thanks for the reminder it's been a long time that I haven't fully scanned my Amiga systems

[Torti-the-Smurf]

Quote:

Originally Posted by Crashdisk

Beware of jumping to conclusions. It is quite possible to find the SCA virus on any disk. If VirusZ III sees the SCA virus, it is most likely that there is a virus on YOUR disk.

Pouët's disk 2 does not contain a virus in the bootblock (SCA is a bootblock type).

I don´t use Disks at all (only if there is no install / WHDLoad for a certain Demo; like the new Batman Rises for example)

You can download disk 2 straight from Pouet and VirusZIII will give you the SCA message.

(the option "Scan Files for Bootblocks" have to be checked tho)

If you check the Disk itself you get an Read ErrorMessage on the File "BootGirl.data" but if installed with the WHDload installer
the file can be read by VirusZ and this is where you get that Message "SCA found and 1 other Virus".

But StingRay says there is none and i trust him 100 %.

It´s still odd that there are Kefrens Virues out there arcording to the Virus Encyclopedia.

Hmmm,... i trust StingRay 100% and in WHDLoad SCA can´t do no harm ;
Still interesting tho that VirusZ says "there is SCA and one other Virus on disk 2" .

What is the "other " virus then ? .. Tell me VirusZIII !!!!

Very odd stuff indeed.

I just wanted you guys to know that !!!

Thats why i made this thread; just so you guys know of this oddity!

I want you folks to be safe !!! and your beloved software collection !!!

Greetings, your always careful friendly Smurf,
Torti

[Crashdisk]

Quote:

Originally Posted by Torti-the-Smurf

I don´t use Disks at all (only if there is no install / WHDLoad for a certain Demo; like the new Batman Rises for example)

You can download disk 2 straight from Pouet and VirusZIII will give you the SCA message.

(the option "Scan Files for Bootblocks" have to be checked tho)

If you check the Disk itself you get an Read ErrorMessage on the File "BootGirl.data" but if installed with the WHDload installer
the file can be read by VirusZ and this is where you get that Message "SCA found and 1 other Virus".

But StingRay says there is none and i trust him 100 %.

The confusion arises because VirusZ does not detect the virus on the disk but on the disk image, i.e. as a file.
This is subtle and indeed painless

[Torti-the-Smurf]

Good to know.

The Message is a bit odd because of the ....

"SCA found and 1 other Virus" ... what a tease

Quote:

Originally Posted by klx300r

@ Torti-the-Smurf


thanks for the reminder it's been a long time that I haven't fully scanned my Amiga systems

you're welcome ; better safe then sorry