All code and documentation is exclusively (C) Richard K. Lloyd 1990.
It is freely distributable.

Documentation for VKiller 1.10 - The Extend Virus killer/innoculator
--------------------------------------------------------------------

Introduction
------------

This is a virus warning to all Archimedes owners, especially those who
favour using the Desktop to run programs.

A virus has been written by an anonymous author to infect the !Boot file of
any application run by double-clicking on the application directory inside
the Desktop. It also claims, and never releases, 1K of RMA every time any
file or directory is double-clicked on. Hence, the system will eventually
crash with an RMA shortage.

Extend Virus technical information
----------------------------------

It's a module which can go under 8 different filenames (the name is picked
at random using the current time as a seed):

MonitorRM, CheckMod, ExtendRM, OSextend, ColourRM, Fastmod, CodeRM or MemRM.

However, the module itself has the following title string:

Extend 1.56 (08 Jul 1989)

and is always known as "Extend" in the module list. For reference purposes,
I shall refer to it as the "Extend Virus".

The date seems to imply that it has been around for some 16 months, which is
a worrying thought indeed. It is 940 (&3AC) bytes long and initialises
itself as a nameless Wimp task which then looks for Wimp Message 5
(double-click). It attempts to either create an !Boot in the application
directory or append to an already existing one with the following lines:

IconSprites <Obey$Dir>.!Sprites<&0D>
RMEnsure Extend 0 RMRun <Obey$Dir>.ModName<&0D>
||<&FF>

The "IconSprites" line is omitted if it is appended to an existing !Boot.
"ModName" is one of the 8 possible filenames. The Extend Virus uses the
<&FF> (i.e. decimal 255) byte at the end as a self-check to see if it has
infected the !Boot file already. Of course, it copies itself to the new name
inside the application directory as you would expect. Note the incorrect use
of <&0D> (decimal 13) to terminate the lines, rather than the more correct
<&0A> (decimal 10).

A shift-double-click does NOT cause an infection, but it DOES claim yet
another 1K of never-to-be-released RMA.

I have gone through the entire code and the only destructive thing it does,
apart from wasting disk space with copies of itself, is to claim the 1K of
RMA for every double-clicked file or directory (eventually crashing the
system).

Extend Virus Execution Count
----------------------------

There was one bit of the Extend Virus module code that perplexed me - why
would someone increment a memory location within the module and never use
it ? At first I skipped this code, but, remembering some viruses on the Amiga,
I suddenly realised that the incremented value would be copied whenever the
module duplicated itself during a new infection. Now if the original author
was smart, he would have incremented the counter IF AND ONLY IF there was a
completely successful new infection (in fact, he would have incremented it
prior to the new infection and decremented it if the infection failed).
However, the Extend Virus module actually increments the counter whenever it
is first started (usually via the *RMEnsure appended to the !Boot)...thus
the counter does not correlate to the number of infections so far. Because
of this, I've decided to call it the "Execution Count" from now on.

Deliberately faulty virus coding ?
----------------------------------

When the Extend Virus initialises itself as a nameless task, it does not
save its task handle. Hence, when it comes to execute Wimp_CloseDown (only
via a *RMKill - it cannot be killed by the Task Manager) it does NOT supply
a valid task handle. Thus, opening up the Task Manager afterwards causes it
to fatally crash...which isn't nice. I have managed to solve this problem
50% of the time, but the other half is down to Acorn's omission of a way of
getting a task handle when supplied with a task name (null string in this
case).

The upshot of this all is that if VKiller is run BEFORE the Extend Virus is,
then VKiller will patch the active virus in RMA so that it shuts down with a
proper task handle and the Task Manager can still be safely used. However,
should the Extend Virus already be present when VKiller is run, then the
Task Manager will fatally crash the Desktop if it is opened (or is already
open when VKiller is run).

The solutions to all this are simple:

1. Close the Task Manager before running VKiller.

2. Do not open the Task Manager after VKiller has RMKilled the Extend Virus.
   My advice is to scan/innoculate the infected disk or disks and then hard
   reset the machine.

Hopefully someone out there in the Public Domain will be able to fill in the
'missing' code - see the FNgettaskhand() function in the !RunImage source
code for more details. If this happens, then the precautions won't be so
elaborate in future releases.

Innoculation
------------

VKiller can innoculate a !Boot file. This involves fooling the Extend Virus
into believing that it has already infected that !Boot file by attaching the
following to the end of the file:

IconSprites <Obey$Dir>.!Sprites<&0A>
| This file has been innoculated against the Extend Virus<&0A>
||<&FF>

The IconSprites line is only included if a new !Boot is created from scratch
AND if the application directory contains an !Sprites file with the Sprite
filetype. If the original !Boot was not properly terminated by a linefeed
(<&0A>), then a linefeed will be appended prior to the addition of any
innoculation lines. Note the critical difference between the Extend Virus
infection and the innoculation: the penultimate line is terminated by <&0A>
and not <&0D>. This is how VKiller can differentiate between innoculations
and infections.
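
The check described above, as an added example in Python (it is not VKiller's
own code, which is written in BASIC): it classifies the bytes of a !Boot file
by the terminator in front of the final ||<&FF> line and appends the
innoculation lines to a clean file. The function names and the sample file
contents are constructed for illustration.

```python
import re

MARKER = b"||\xff"                      # last line of both infection and innoculation
INOC = b"| This file has been innoculated against the Extend Virus\n"
SPRITES = b"IconSprites <Obey$Dir>.!Sprites\n"
# Line appended by the virus; ModName is one of the 8 filenames listed earlier.
RMENSURE = re.compile(
    rb"RMEnsure Extend 0 RMRun <Obey\$Dir>\."
    rb"(MonitorRM|CheckMod|ExtendRM|OSextend|ColourRM|Fastmod|CodeRM|MemRM)\r\|\|\xff\Z")

def classify_boot(data: bytes) -> str:
    """Classify !Boot contents as 'clean', 'infected', 'innoculated' or 'unknown'."""
    if not data.endswith(MARKER):
        return "clean"
    before = data[-len(MARKER) - 1:-len(MARKER)]   # terminator of penultimate line
    if before == b"\r":
        return "infected"       # <&0D>: written by the Extend Virus
    if before == b"\n":
        return "innoculated"    # <&0A>: written by VKiller
    return "unknown"            # marker present, but neither pattern

def dropped_module(data: bytes):
    """Return the module filename named in an infected !Boot, else None."""
    m = RMENSURE.search(data)
    return m.group(1).decode("ascii") if m else None

def innoculate(data: bytes, new_file_with_sprites: bool = False) -> bytes:
    """Append the innoculation lines to a clean !Boot (b'' for a new file)."""
    state = classify_boot(data)
    if state == "innoculated":
        return data
    if state != "clean":
        raise ValueError(f"!Boot is {state}; remove the infection first")
    if data and not data.endswith(b"\n"):
        data += b"\n"           # terminate the original last line first
    if not data and new_file_with_sprites:
        data += SPRITES         # only for a new !Boot beside a Sprite-typed !Sprites
    return data + INOC + MARKER

# Constructed sample inputs (not taken from a real disk).
INFECTED = b"Set App$Dir <Obey$Dir>\nRMEnsure Extend 0 RMRun <Obey$Dir>.CheckMod\r||\xff"
CLEAN = b"Set App$Dir <Obey$Dir>"

if __name__ == "__main__":
    print(classify_boot(INFECTED), dropped_module(INFECTED))
    print(classify_boot(innoculate(CLEAN)))
```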

Please note that creating new innoculated !Boot files from scratch will
make opening a directory window with a double-click take longer, because
the applications inside that window now have these new !Boot files.

How do I use VKiller ?
----------------------

Double-click on the !VKiller application icon to install an icon bar icon.
[N.B. The !Boot in the !VKiller directory has itself been innoculated
      to prevent infection of its own directory.]

Once the icon bar icon appears you may press the middle button to get the
usual Info and Quit options and the left or right button to display the
VKiller dialogue box. When VKiller is first installed, it checks for the
existence of the Extend Virus module in RMA. If found, it will kill it if
possible and warn you of the fact. The Execution Count for the module will
also be displayed. From then on, whenever an application is started with a
null task name the RMA is re-scanned for the Extend Virus module.

The dialogue box has the following options...

Filing System: Click on the yellow button to cycle through the available
               filing systems. VKiller will usually start up with adfs
               as the default, but the cycle order is in filing system
               number order.

Drive:  Click on one of the available drives to select it (shown with a
        yellow background). The drive is initially set to the default one
        (e.g. for adfs, it would be the *Configure Drive option).

Dir Scan: This line displays which directory the Drive Scan has got to.
          The only exception to this is when it is used to display the
          Execution Count when the Extend Virus module is found.

Status:   General brief messages are displayed here.

The next four fields are self-explanatory and are counters for the number of
times the Extend Virus was encountered in RMA or on disk, the number of new
innoculations and the number of Drive Scans so far.

Start Drive Scan: Clicking on this will start a Drive Scan (and the
                  highlighted button label becomes "Stop Drive Scan"). It
                  may be stopped at any time by clicking on the (relabelled)
                  button again, but this does not increment the Drive Scan
                  counter.

Innoculate During Scan: Clicking on this will toggle the option to
                        innoculate ALL !Boot files with the Obey (&FEB)
                        filetype encountered during the scan. If it is not
                        selected, then any !Boot files infected with the
                        Extend Virus will still be innoculated anyway.

Notes about the Drive Scan
--------------------------

The Drive Scan is fully multi-tasking and the VKiller dialogue box does NOT
need to be open during the scan. If the dialogue box is closed during a
scan, then it will be automatically re-opened (or brought to the front if it
is already open) when an infection is found or the Drive Scan has finished.

If the Extend Virus module is run mid-way through a Drive Scan, then the
module will be automatically killed and the dialogue box will be re-opened
(as it would be if the Extend Virus module was run at any time) with a
suitable message. At the end of that Drive Scan, you are advised that the
drive may still be infected, in which case you should re-scan that drive
(and the drive that caused the infection in the first place).

Due to a bug in BASIC V (the space claimed by LOCALly DIMmed memory arrays
is not released when the procedure exits), I have had to impose the
following (very generous) restrictions:

!Boot (Obey) files longer than 5K will be skipped (a message is displayed).
Dirs nested deeper than 8 levels will be skipped (also displays message).

I have never come across any application that exceeds these values, but if
someone has one that does, please tell me, so I can modify the limits.

Request For Viruses
-------------------

Yes, this is a strange thing to ask, but could people in possession of a
virus please send it to the address at the end of this document ? Please
mark the disc (or e-mail !) clearly as containing a virus. I would like
VKiller to evolve to cope with other viruses (I know that there are a few others
floating around, so I'd appreciate anyone's assistance in tracking them
down).

Credits
-------

* Simon Burrows for supplying me with the Extend Virus module (and clearly
  marked as such, unlike certain other contacts I have :-) ).

Revision History of VKiller
---------------------------

V1.10 (December 1990)
---------------------

* Now multi-tasks with a dialogue box to select options. Code substantially
  reworked to support the WIMP (and it took longer than the guts of V1.00
  did !).

* New patch code to fix Extend Virus 'bug' - now provides safer
  Wimp_CloseDown calls for 50% of the time. Despite this, RMKilling the
  module is still riskier than it was with V1.00.

* !Boot files to be innoculated that are not terminated by a linefeed (<&0A>)
  now have that missing linefeed added prior to innoculation.

* Extend Virus Execution Count is now displayed just before the module is
  deleted from the infected disk or killed from the RMA.

* Only !Boot files that have the Obey (&FEB) filetype can now be innoculated
  against the Extend Virus because this is the only filetype that makes any
  'sense' in the context of the innoculation.

* If an innoculated !Boot file is being created from scratch and there is
  no !Sprites file in the directory (with the Sprite filetype), then the
  IconSprites <Obey$Dir>.!Sprites line is no longer added.

V1.00 (November 1990)
---------------------

* Written as a plain single-tasking BASIC program which could also
  innoculate !Boot files against the Extend Virus.

* Recurses down directories (to a maximum level of 8) and displays various
  messages in garish red, green or yellow.

* Can remove the Extend Virus RMA module, disk module or infection of an
  !Boot.

Future Enhancements to VKiller
------------------------------

* Find a way to get a task handle given that task's name (this will make the
  RMKilling of the Extend Virus module a lot safer from the Desktop).

* Add support for killing (or innoculating against) other viruses.

Where to send your viruses, bug reports, fixes, enhancements etc.
-----------------------------------------------------------------

Snail Mail:             JANET e-mail:

Richard K. Lloyd,       rkl@uk.ac.liv.cs.and
1, Banks Road,
Lower Heswall,
Wirral,
Merseyside,
Great Britain
L60 9JS
