WHDLoad viruses found with VirusZ III 1.04B Latest

[ahandyman59]

A few days ago I figured out how to update my virusZ to the latest files. I had been putting off the long scan of my games/demos drive, but finally did. It identified viruses on these 3 files.

StarRay/Disk.1
ChaseHQ2/Disk.2
CardinalOfTheKremlin/data/l/Disk-Validator

These were extracted from .lha files in the WHDLOAD game repository that I downloaded directly via a PC, not an amiga, then copied the files over to the amiga. My question is are these "false positives" or something to be concerned about? Can someone please confirm whether these are infected, and/or who to contact about this?

To me, computer viruses are pretty serious stuff, so I don't want to just delete these and ignore it...

[Lisko]

While technically they could be, if run through Whdload they should be harmless because it's a virtual environment and if you have a mmu it's even safer. Don't run that Disk-Validator from your workbench tho. Also wait for a definitive answer from more skilled people to be sure.

[daxb]

Disk-Validator can be deleted. If the install needs it just copy a clean Disk-Validator over it.

[dlfrsilver]

Quote:

Originally Posted by ahandyman59

A few days ago I figured out how to update my virusZ to the latest files. I had been putting off the long scan of my games/demos drive, but finally did. It identified viruses on these 3 files.

StarRay/Disk.1
ChaseHQ2/Disk.2
CardinalOfTheKremlin/data/l/Disk-Validator

These were extracted from .lha files in the WHDLOAD game repository that I downloaded directly via a PC, not an amiga, then copied the files over to the amiga. My question is are these "false positives" or something to be concerned about? Can someone please confirm whether these are infected, and/or who to contact about this?

To me, computer viruses are pretty serious stuff, so I don't want to just delete these and ignore it...

this would mean that those games have been mastered with viruses, since those like Chase HQ2 in original have a virus on the bootblock.

you need to ensure that the original disk image is clean. Use ADF workshop for that, it will show you the viruses.

[Retroplay]

These have already been cleaned in the pre-installed set on Turran FTP.
All except StarRay, that's a false positive.

Code:

Bootblock specification:
 - Autoboot 
 - OFS Original File System
 - Bootblock CRC32 : $E86B058D 
 - Identification with ABR v1 engine : <Virus> SCA Virus
 - Identification with ABR v2 engine : <Virus> SCA Virus
 - Identification with AWP v1 engine : Unknown bootblock!
 - Identification with AWP v2 engine : <False virus warning> Bootloader - StarRay (Logotron)

[ahandyman59]

That's why I posted this! If these are legit viruses, then the source in the repository are infected!

[butfluffy]

i'm only now getting back into playing amiga with real hardware.
just how much damage can viruses cause on an amiga.
viruses can be a nightmare for modern pc's but i don;t know anything about amiga viruses.

[Photon]

Quote:

Originally Posted by butfluffy

i'm only now getting back into playing amiga with real hardware.
just how much damage can viruses cause on an amiga.

Just as much as any platform, from incessant popups to disk/file corruption requiring a reinstall. If you produce a lot of work on your Amiga, do backups. It's easy. If you're just gaming, make a backup when the system is how you like it and you can reinstall easily.

Quote:

Originally Posted by butfluffy

viruses can be a nightmare for modern pc's but i don;t know anything about amiga viruses.

On PC the normal way to get a virus is from browser plug-ins or opening unknown files from the Web/email. For the most part, this doesn't happen while browsing/using email on Amiga. And the viruses you get if you download something on PC will be for PC.

Viruses are always about trusted sources, nothing else. Aminet is checked and yet probably has quite a few viruses in some lesser known packages. Most of the packages for general use though have been tested and true. Aminet is trusted.

Amiga websites with clearly a lot of dedication and work behind them are trusted. E.g. WHDLoad. WHDLoad and similar are trusted.

Emu websites with lots of mixed platforms, torrent sites, The Zone etc will likely fare much worse than WHDLoad. (Only two viruses is extremely impressive!)

Unknown eBay disks, garage/retro disk sales etc, "from the car trunk" goods are the most likely source of viruses.

Most are floppy viruses, and they're made to spread from floppy to floppy only. This means you're safe just by write-protecting disks, not running unknown files from the floppy, or turning off your Amiga when you've tested unknown disks and need to write enable floppies again.

But there are exceptions, and that's why VirusX, VirusZ etc. To go from floppy to harddisk, normally they must stay in memory. Again, turning off your Amiga after testing unknown disks is the solution.

After that, there's very few viruses left. Amiga is lucky in a way like Mac and Linux; it's not targeted like PC and smartphones. You must also be a very experienced Amiga dev to write one that doesn't Guru and make it fail. And most of the new stuff goes through checks before reaching users.

I think Amiga users are very safe from getting any virus these days. Granted, I'm not one to add every tool I find on Aminet to my tricked-out Workbench build, rather I'm quite conservative for performance reasons, but if it's any comfort I've used my Amigas since 2005, first on the same Zip disk and then on the same CF card as system disk, and not once have I been infected. I had no antivirus software installed. Pretty safe.

But I think the thing that tells most of Amiga being safe from viruses is the utter lack of "I got infected!" threads on EAB since the start around 2000. If there was even a very low chance of virus danger, we would get several virus threads per week.

[butfluffy]

that is kinda reassuring.
judging by what Lisko said "if run through Whdload they should be harmless because it's a virtual environment" then there would be no negative affects if running these WHDloadinstalls which have not been virus cleaned?
ChaseHQ2/Disk.2
CardinalOfTheKremlin/data/l/Disk-Validator
i got my cfcard with a ton of games already pre installed so i don't really know what versions i have.
if these WHDload installs are safe to run regardless then i will not bother figuring out how to test these two games for viruses.

[Photon]

Quote:

Originally Posted by butfluffy

that is kinda reassuring.
judging by what Lisko said "if run through Whdload they should be harmless

Oh yeah, as long as you don't run strange floppies and then reset onto your system disk you should be safe. I agree with daxb also, the Disk-Validator file itself doesn't really belong on any WHDLoad disk image, it doesn't do anything, the Workbench validator is the one executed (should you have a disk with errors in a floppy drive at the time).

As mentioned by Lisko you have to actually go into the WHDLoad disk image and actually run that version on the disk image to make anything bad happen. Could happen to WHDLoad testers I guess but not users realistically.

Quote:

Originally Posted by butfluffy

i got my cfcard with a ton of games already pre installed

That would fall under garage sale/eBay - if not for the fact the seller probably got them from the safe sites. So I deem WHDLoad packs from anywhere (if not ancient at least) a safe source. Garage sale/eBay = you know, boxes of floppy disks.

Doesn't mean you couldn't backup your preinstalled CF card just once so you don't have to buy it again, it's quick nowadays (emu+.HDF+reading tutorials) and also wards against write errors and unwanted updates/changes. But that's more under saving time/frustration than viruses.

[butfluffy]

yeah i intend to to purchase some cfcards to make backups.
i wont say any names but i got the card from someone well trusted and respected when it comes to all things amiga.
unless any of the whdload installs are out of date which that person could do nothing about after the fact i'm sure they are all good.

[Aardvark]

Just wanted to reiterate that Retroplay's WHDLoad installs stash is clean and up-to-date.

WHDownLoad.com on other hand hasn't been updated since 2019, and contains aforementioned viruses.

[butfluffy]

yeah i can see myself replacing some installs over time with some of retroplay's stash.
there is a lot to learn and i will have to figure out how to verify the WHDload versions i have are latest versions etc and what needs updating.

[ahandyman59]

I'm new to the actual process of converting game disks over to WHDLoad usable types of files, so if I'm completely misunderstanding, you are free to correct me... If a disk header is infected with a virus, don't you need some kind of program that knows exactly how to remove that specific virus from that specific disk header file? How do you "FIX" disks with headers that are infected with a virus?

I suppose another way of handling this is a way to either recreate the header file, or a collection of all possible disk header files?

[Superman]

I got similar results with a scan and also Megademo2 by Northstar apparently has a Northstar 2 virus.This sounds like a false positive to me on this one due to the names being the same.

[Jan-VHT]

You can send the files and bootblocks to me, and I will have a look at them.

E-mail: amigavirus@vht-dk.dk