Name         : IRQ 1 + 2

     Aliases      : No Aliases

     Clone        : No Clones

     Type/size    : Link/1060 

     Symptoms     : The actual window title will be changed.

     Discovered   : 19-10-92

     Way to infect: Link infection

     Rating       : Less Dangerous

     Kickstarts   : 1.2/1.3

     Damage       : Files can be defective (after infection). 

     Removal      : Use a good Viruskiller or delete file. 

     Comments     : The IRQ-Virus uses the Kick-Vectors to stay 
                    resident in memory. If you are starting a
                    infected programm, the virus decodes a text
                    and the string "dos.library.s:/startup-sequence"
                    with a simple eor-loop:

                    A infected program will be increased by 1060 
                    bytes. The virus patches the OldOpenLibrary-Vector
                    from the exec.library.

                    When you are booting with an unprotected disk, the
                    virus tries to open the actual startup-sequence.
                    If it exists, the virus infects the first file in
                    the startup-seq.

                    Sometimes (depending of $dff005) the virus change
                    the title of to actual window in:

                    "AmigaDOS presents: a new virus by the IRQ-TeamV41.0"
 
                    A file can`t be infected two times because the virus
                    searches for a hex-code:

                    CMP.L      #FFFE6100,$1E(A4,D6.L)

                    It exists another IRQ-variant (=IRQ2) which infects 
                    the first file in the startup-sequence till the
                    current disk is full !!
                    That means no check for infected files.


    SHI - A.D 02-94

[Go back]