All code and documentation is exclusively (C) Richard K. Lloyd 1990.
It is freely distributable.

Documentation for VKiller 1.10 - The Extend Virus killer/innoculator
--------------------------------------------------------------------

Introduction
------------

This is a virus warning to all Archimedes owners, especially those who favour
using the Desktop to run programs.

A virus has been written by an anonymous author to infect the !Boot file of
any application run by double-clicking on the application directory inside
the Desktop. It also claims, and never releases, 1K of RMA every time any
file or directory is double-clicked on. Hence, the system will eventually
crash with an RMA shortage.

Extend Virus technical information
----------------------------------

It's a module which can go under 8 different filenames (the name is picked at
random using the current time as a seed):

MonitorRM, CheckMod, ExtendRM, OSextend, ColourRM, Fastmod, CodeRM or MemRM.

However, the module itself has the following title string:

Extend 1.56 (08 Jul 1989)

and is always known as "Extend" in the module list. For reference purposes,
I shall refer to it as the "Extend Virus".

The date seems to imply that it has been around for some 16 months, which is
a worrying thought indeed. It is 940 (&3AC) bytes long and initialises itself
as a nameless Wimp task which then looks for Wimp Message 5 (double-click).
It attempts to either create an !Boot in the application directory or append
to an already existing one with the following lines:

IconSprites <Obey$Dir>.!Sprites<&0D>
RMEnsure Extend 0 RMRun <Obey$Dir>.ModName<&0D>
||<&FF>

The "IconSprites" line is omitted if it is appended to an existing !Boot.
"ModName" is one of the 8 possible filenames. The Extend Virus uses the <&FF>
(i.e. decimal 255) byte at the end as a self-check to see if it has infected the
!Boot file already. Of course, it copies itself to the new name inside
the application directory as you would expect. Note the incorrect use of
<&0D> (decimal 13) to terminate the lines, rather than the more correct
<&0A> (decimal 10).

A shift-double-click does NOT cause an infection, but it DOES claim yet
another 1K of never-to-be-released RMA.

I have gone through the entire code and the only destructive thing it does,
apart from wasting disk space with copies of itself, is to claim the 1K of
RMA for every double-clicked file or directory (eventually crashing the
system).

Extend Virus Execution Count
----------------------------

There was one bit of the Extend Virus module code that perplexed me - why
would someone increment a memory location within the module and never use it ?
At first I skipped this code, but, remembering some viruses on the Amiga, I
suddenly realised that the incremented value would be copied whenever the
module duplicated itself during a new infection. Now if the original author
was smart, he would have incremented the counter IF AND ONLY IF there was
a completely successful new infection (in fact, he would have incremented it
prior to the new infection and decremented it if the infection failed).
However, the Extend Virus module actually increments the counter whenever it is
first started (usually via the *RMEnsure appended to the !Boot)...thus the
counter does not correlate to the number of infections so far. Because of this,
I've decided to call it the "Execution Count" from now on.

Deliberately faulty virus coding ?
----------------------------------

When the Extend Virus initialises itself as a nameless task, it does not save
its task handle. Hence, when it comes to execute Wimp_CloseDown (only via a
*RMKill - it cannot be killed by the Task Manager) it does NOT supply a valid
task handle. Thus, opening up the Task Manager afterwards causes it to fatally
crash...which isn't nice. I have managed to solve this problem 50% of the time,
but the other half is down to Acorn's omission of a way of getting a task
handle when supplied with a task name (null string in this case).

The upshot of this all is that if VKiller is run BEFORE the Extend Virus is,
then VKiller will patch the active virus in RMA so that it shuts down with a
proper task handle and the Task Manager can still be safely used. However,
should the Extend Virus already be present when VKiller is run, then the
Task Manager will fatally crash the Desktop if it is opened (or is already
open when VKiller is run).

The solutions to all this are simple:

1. Close the Task Manager before running VKiller.

2. Do not open the Task Manager after VKiller has RMKilled the Extend Virus.
   My advice is to scan/innoculate the infected disk or disks and then hard
   reset the machine.

Hopefully someone out there in the Public Domain will be able to fill in the
'missing' code - see the FNgettaskhand() function in the !RunImage source code
for more details. If this happens, then the precautions won't be so elaborate
in future releases.

Innoculation
------------

VKiller can innoculate a !Boot file. This involves fooling the Extend Virus
into believing that it has already infected that !Boot file by attaching the
following to the end of the file:

IconSprites <Obey$Dir>.!Sprites<&0A>
| This file has been innoculated against the Extend Virus<&0A>
||<&FF>

The IconSprites line is only included if a new !Boot is created from scratch
AND if the application directory contains an !Sprites file with the Sprite
filetype. If the original !Boot was not properly terminated by a linefeed
(<&0A>), then a linefeed will be appended prior to the addition of any
innoculation lines. Note the critical difference between the Extend Virus
infection and the innoculation: the penultimate line is terminated by <&0A>
and not <&0D>. This is how VKiller can differentiate between innoculations
and infections.
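
The tail check described above, as an added example in Python (it is not part
of VKiller or its BASIC source). It classifies the raw bytes of a !Boot file by
the terminator in front of the ||<&FF> marker and appends the inoculation tail;
the function names and sample bytes are constructed for illustration.

```python
# Added example, not VKiller's own code: classify and inoculate !Boot tails.
MARKER = b"||\xff"  # self-check tail written by both the virus and VKiller
# Comment line exactly as the page gives it (spelling included).
INOC_LINE = b"| This file has been innoculated against the Extend Virus\n"
ICONSPRITES = b"IconSprites <Obey$Dir>.!Sprites\n"
MODULE_NAMES = (b"MonitorRM", b"CheckMod", b"ExtendRM", b"OSextend",
                b"ColourRM", b"Fastmod", b"CodeRM", b"MemRM")


def classify_boot(data: bytes):
    """Return (state, module_name) for the raw bytes of an Obey !Boot file."""
    if not data.endswith(MARKER):
        return ("unmarked", None)
    body = data[:-len(MARKER)]
    if body.endswith(b"\n"):      # penultimate line ends in &0A: VKiller's tail
        return ("inoculated", None)
    if body.endswith(b"\r"):      # penultimate line ends in &0D: the virus's tail
        last = body[:-1].replace(b"\r", b"\n").split(b"\n")[-1]
        name = last.rsplit(b".", 1)[-1]
        if last.startswith(b"RMEnsure Extend ") and name in MODULE_NAMES:
            return ("infected", name.decode("ascii"))
        return ("infected", None)  # CR terminator, module name not recognised
    return ("unknown", None)      # marker present, terminator is neither


def inoculate(data: bytes, has_sprites: bool = False) -> bytes:
    """Append the inoculation tail; files already carrying the marker are
    returned unchanged (cleaning an infected file is outside this example)."""
    if data.endswith(MARKER):
        return data
    if not data:                  # new !Boot created from scratch
        head = ICONSPRITES if has_sprites else b""
    elif data.endswith(b"\n"):
        head = data
    else:
        head = data + b"\n"       # terminate the last original line first
    return head + INOC_LINE + MARKER


# Constructed sample inputs (not captured from a real disc).
SAMPLE_INFECTED = (b"Set Demo$Dir <Obey$Dir>\n"
                   b"RMEnsure Extend 0 RMRun <Obey$Dir>.CheckMod\r" + MARKER)
SAMPLE_CLEAN = b"Set Demo$Dir <Obey$Dir>"  # no trailing linefeed

if __name__ == "__main__":
    print(classify_boot(SAMPLE_INFECTED))
    print(classify_boot(inoculate(SAMPLE_CLEAN)))
```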

Please note that creating new innoculated !Boot files from scratch will make
the double-click action that opens a directory window take longer, because
the applications inside that window now have these new !Boot files.

How do I use VKiller ?
----------------------

Double-click on the !VKiller application icon to install an icon bar icon.
[N.B. The !Boot in the !VKiller directory has itself been innoculated
      to prevent infection of its own directory.]

Once the icon bar icon appears you may press the middle button to get the
usual Info and Quit options and the left or right button to display the
VKiller dialogue box. When VKiller is first installed, it checks for the
existence of the Extend Virus module in RMA. If found, it will kill it if
possible and warn you of the fact. The Execution Count for the module will
also be displayed. From then on, whenever an application is started with
a null task name the RMA is re-scanned for the Extend Virus module.

The dialogue box has the following options...

Filing System: Click on the yellow button to cycle through the available
               filing systems. VKiller will usually start up with adfs
               as the default, but the cycle order is in filing system
               number order.

Drive:  Click on one of the available drives to select it (shown with a
        yellow background). The drive is initially set to the default one
        (e.g. for adfs, it would be the *Configure Drive option).

Dir Scan: This line displays which directory the Drive Scan has got to.
          The only exception to this is when it is used to display the
          Execution Count when the Extend Virus module is found.

Status:   General brief messages are displayed here.

The next four fields are self-explanatory and are counters for the number
of times the Extend Virus was encountered in RMA or on disk, the number of
new innoculations and the number of Drive Scans so far.

Start Drive Scan: Clicking on this will start a Drive Scan (and the highlighted
                  button label becomes "Stop Drive Scan"). It may be stopped
                  at any time by clicking on the (relabelled) button again,
                  but this does not increment the Drive Scan counter.

Innoculate During Scan: Clicking on this will toggle the option to innoculate
                        ALL !Boot files with the Obey (&FEB) filetype
                        encountered during the scan. If it is not selected,
                        then any !Boot files infected with the Extend Virus
                        will still be innoculated anyway.

Notes about the Drive Scan
--------------------------

The Drive Scan is fully multi-tasking and the VKiller dialogue box does NOT
need to be open during the scan. If the dialogue box is closed during a scan,
then it will be automatically re-opened (or brought to the front if it is
already open) when an infection is found or the Drive Scan has finished.

If the Extend Virus module is run mid-way through a Drive Scan, then the
module will be automatically killed and the dialogue box will be re-opened
(as it would be if the Extend Virus module was run at any time) with a
suitable message. At the end of that Drive Scan, you are advised that the
drive may still be infected, in which case you should re-scan that drive
(and the drive that caused the infection in the first place).

Due to a bug in BASIC V (the space claimed by LOCALly DIMmed memory arrays
is not released when the procedure exits), I have had to impose the
following (very generous) restrictions:

!Boot (Obey) files longer than 5K will be skipped (a message is displayed).
Dirs nested deeper than 8 levels will be skipped (also displays message).

I have never come across any application that exceeds these values, but
if someone has one that does, please tell me, so I can modify the limits.

Request For Viruses
-------------------

Yes, this is a strange thing to ask, but could people in possession of a virus
please send it to the address at the end of this document ? Please mark the
disc (or e-mail !) clearly that it contains a virus. I would like VKiller to
evolve to cope with other viruses (I know that there are a few others floating
around, so I'd appreciate anyone's assistance in tracking them down).

Credits
-------

* Simon Burrows for supplying me with the Extend Virus module (and clearly
  marked as so, unlike certain other contacts I have :-) ).

Revision History of VKiller
---------------------------

V1.10 (December 1990)
---------------------

* Now multi-tasks with a dialogue box to select options. Code substantially
  reworked to support the WIMP (and it took longer than the guts of V1.00
  did !).

* New patch code to fix Extend Virus 'bug' - now provides safer Wimp_CloseDown
  calls for 50% of the time. Despite this, RMKilling the module is still
  riskier than it was with V1.00.

* !Boot files to be innoculated that are not terminated by a linefeed (<&0A>)
  now have that missing linefeed added prior to innoculation.

* Extend Virus Execution Count is now displayed just before the module is
  deleted from the infected disk or killed from the RMA.

* Only !Boot files that have the Obey (&FEB) filetype can now be innoculated
  against the Extend Virus because this is the only filetype that makes any 'sense'
  in the context of the innoculation.

* If an innoculated !Boot file is being created from scratch and there is
  no !Sprites file in the directory (with the Sprite filetype), then the
  IconSprites <Obey$Dir>.!Sprites line is no longer added.

V1.00 (November 1990)
---------------------

* Written as a plain single-tasking BASIC program which could also innoculate
  !Boot files against the Extend Virus.

* Recurses down directories (to a maximum level of 8) and displays various
  messages in garish red, green or yellow.

* Can remove the Extend Virus RMA module, disk module or infection of an !Boot.

Future Enhancements to VKiller
------------------------------

* Find a way to get a task handle given that task's name (this will make the
  RMKilling of the Extend Virus module a lot safer from the Desktop).

* Add support for killing (or innoculating against) other viruses.

Where to send your viruses, bug reports, fixes, enhancements etc.
-----------------------------------------------------------------

Snail Mail:             JANET e-mail:

Richard K. Lloyd,       rkl@uk.ac.liv.cs.and
1, Banks Road,
Lower Heswall,
Wirral,
Merseyside,
Great Britain
L60 9JS
