Virus-Interceptor

Virus-Interceptor was a program I developed for the Amiga platform during 1992-1993.

Excerpt from the manual:

“Virus-Interceptor is a utility designed to protect you against file-viruses. The program is designed to be small, safe, and easy to use.

When Virus-Interceptor is installed in memory, it will constantly check programs that are run for virus infection. If a virus is detected in the code, the program will be aborted before it has had a chance to start!

Virus-Interceptor will also check the memory at regular intervals. If a virus is detected in memory it will be removed in a safe way.”

That sums it up pretty nicely. Virus-Interceptor, or “VI” for short, was an anti-virus, and more specifically an anti-virus designed to deal with “link-viruses” and other file-viruses. The last release of VI, version 1.15, could detect and disinfect 85 of those viruses. Not an impressive number today, but back then that was basically all of them (not counting boot-viruses).

What set VI apart from other anti-viruses was that VI detected those viruses when they were about to be executed, and stopped the execution before they even had a chance to do any harm. Not a unique idea: there was another program, “Link Virus Detector” or “LVD”, created by Peter Stuer, that did the same thing. VI was influenced by LVD. LVD, however, was not regularly updated and was neglected. With VI I wanted to do what LVD did and much more. LVD was discontinued shortly after VI was published.

A link-virus is a virus that attaches (links) itself to a legitimate executable file, thus effectively hiding itself from view. A common way to do that on the Amiga was to add an extra code hunk at the beginning of the file, containing the virus code. When the file was loaded into memory, execution started at the first code hunk, which was now the virus. The virus installed itself by allocating some memory and copying itself there, then passed execution on to the next code hunk, which was the beginning of the real program.

What VI did was to patch the dos.library functions that AmigaOS uses to load executables (LoadSeg(), NewLoadSeg() and InternalLoadSeg()), and after the code had been loaded into memory, but before it was executed, check it for known virus signatures. If such a signature was detected, it would alert the user with a DisplayAlert(), better known as a “Guru Meditation”, giving the user the choice to allow the execution or to terminate it.

VI would also periodically scan the memory for viruses and terminate those it found. There were several methods a virus could use to make itself “resident” in the Amiga memory. Resident here means surviving a reboot. One common method was to use the “CoolCapture” vector in ExecBase. VI would detect and prevent attempts to use those methods.

VI had unique methods to detect unknown link-viruses. I called this heuristic analysis. One method would recognize certain code hunks, such as the decruncher hunks added by the PowerPacker or Imploder programs: legitimate hunks in an executable that must be the first to execute. When such a hunk was found to be the second hunk in the executable instead of the first, it was a sure sign that I was dealing with an unknown link-virus. VI was the first anti-virus software that used heuristic analysis for virus detection.
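The load-time check and the packer-hunk heuristic, as an added Python example (not Virus-Interceptor's own code, which was C and 68k assembler): it walks the hunk structure of a minimal executable, matches signatures against the start of each code hunk, and flags a decruncher stub that is not hunk 0. The hunk block IDs are the documented AmigaOS constants; the signatures, the sample executables and the names VIRUS_SIGNATURES and PACKER_STUBS are constructed for the demonstration, and the heuristic is generalised from "second hunk" to "any hunk after the first".

```python
import struct

# Documented AmigaOS hunk block identifiers (big-endian longwords).
HUNK_HEADER  = 0x3F3
HUNK_CODE    = 0x3E9
HUNK_DATA    = 0x3EA
HUNK_BSS     = 0x3EB
HUNK_RELOC32 = 0x3EC
HUNK_END     = 0x3F2

# Constructed signatures for this example only; they are not real virus or
# packer patterns. Each is matched against the first bytes of a code hunk.
VIRUS_SIGNATURES = {"Demo-LinkVirus": bytes.fromhex("4EAEFF3C2C78000443FA")}
PACKER_STUBS = {"Demo-Packer": bytes.fromhex("48E7FFFE4FEFFF")}


def pad4(b):
    """Hunk payloads are measured in longwords, so pad to a multiple of 4."""
    return b + b"\x00" * (-len(b) % 4)


def parse_hunks(data):
    """Walk a hunk-format executable; return [(hunk_type, payload), ...] for
    the loadable hunks in file order. Symbol/debug blocks are not handled."""
    off = 0

    def u32():
        nonlocal off
        (v,) = struct.unpack_from(">I", data, off)
        off += 4
        return v

    if u32() != HUNK_HEADER:
        raise ValueError("not a hunk-format executable")
    while True:                       # resident library name list, 0-terminated
        n = u32()
        if n == 0:
            break
        off += n * 4
    _table_size, first, last = u32(), u32(), u32()
    for _ in range(last - first + 1): # per-hunk memory sizes; not needed here
        u32()
    hunks = []
    while off < len(data):
        h = u32()
        if h in (HUNK_CODE, HUNK_DATA):
            n = u32()
            hunks.append((h, data[off:off + n * 4]))
            off += n * 4
        elif h == HUNK_BSS:
            u32()                     # size only, no payload in the file
            hunks.append((h, b""))
        elif h == HUNK_RELOC32:
            while True:               # (count, target hunk, offsets...) groups
                n = u32()
                if n == 0:
                    break
                u32()
                off += n * 4
        elif h == HUNK_END:
            continue
        else:
            raise ValueError(f"unsupported hunk type 0x{h:X}")
    return hunks


def check_executable(data):
    """The load-time check: runs after the loader has read the file but before
    the first hunk is jumped to. Returns (verdict, detail)."""
    hunks = parse_hunks(data)
    code_hunks = [(i, p) for i, (t, p) in enumerate(hunks) if t == HUNK_CODE]
    # 1. Known link viruses: signature match in any code hunk.
    for i, p in code_hunks:
        for name, sig in VIRUS_SIGNATURES.items():
            if p.startswith(sig):
                return ("infected", f"{name} in hunk {i}")
    # 2. Heuristic for unknown link viruses: a decruncher stub is legitimate
    #    only as hunk 0. Whatever sits in front of it runs first and has no
    #    business being there.
    for i, p in code_hunks:
        for name, sig in PACKER_STUBS.items():
            if p.startswith(sig) and i != 0:
                return ("suspicious", f"{name} stub is hunk {i}, expected hunk 0")
    return ("clean", "")


def build_executable(hunks):
    """Assemble a minimal hunk file from [(type, payload)] (constructed sample)."""
    out = struct.pack(">IIIII", HUNK_HEADER, 0, len(hunks), 0, len(hunks) - 1)
    out += b"".join(struct.pack(">I", len(p) // 4) for _, p in hunks)
    for t, p in hunks:
        out += struct.pack(">II", t, len(p) // 4) + p + struct.pack(">I", HUNK_END)
    return out


# Constructed samples. "moveq #0,d0 ; rts" stands in for a real program.
PROGRAM = (HUNK_CODE, pad4(bytes.fromhex("70004E75")))
PACKER  = (HUNK_CODE, pad4(PACKER_STUBS["Demo-Packer"] + bytes.fromhex("4E75")))
PAYLOAD = (HUNK_DATA, pad4(b"packed program image"))
KNOWN_VIRUS   = (HUNK_CODE, pad4(VIRUS_SIGNATURES["Demo-LinkVirus"] + bytes.fromhex("4E75")))
UNKNOWN_VIRUS = (HUNK_CODE, pad4(bytes.fromhex("2C7800044EAEFF3C4E75")))

SAMPLE_CLEAN    = build_executable([PROGRAM])
SAMPLE_PACKED   = build_executable([PACKER, PAYLOAD])            # legitimate
SAMPLE_INFECTED = build_executable([KNOWN_VIRUS, PACKER, PAYLOAD])
SAMPLE_UNKNOWN  = build_executable([UNKNOWN_VIRUS, PACKER, PAYLOAD])

if __name__ == "__main__":
    for name, sample in [("clean", SAMPLE_CLEAN), ("packed", SAMPLE_PACKED),
                         ("infected", SAMPLE_INFECTED), ("unknown", SAMPLE_UNKNOWN)]:
        print(f"{name:9s} -> {check_executable(sample)}")
```

The order of the two passes matters: a known virus in front of a packer stub should be reported by name, so signature matching runs before the heuristic. In the real program the verdict would feed the DisplayAlert() prompt rather than a return value.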

VI worked on AmigaOS 2.0, 2.1 and 3.0, and on all 680x0 processors up to the 68040.


Notes on the development:

Virus-Interceptor was my very first C program. Why start with “Hello world!” exercises when you can dive head first into a real project… and joining the fight against the virus menace was as exciting as it could get!

When I had the first version up and running I contacted the Safe Hex International organization, aka SHI. It was based in Denmark and was the main Amiga anti-virus organization. In fact, it was the only one. Among other things, SHI distributed a floppy disk on a subscription basis to Amiga users around the world, containing the latest anti-virus programs and virus definitions.

The coordinator, Erik Loewendahl, approved of the program and sent me a whole bunch of viruses that I immediately set about analyzing. I quickly sent him an updated version and he included Virus-Interceptor on the SHI disk. SHI would somewhat regularly send me a check for 50 dollars. I started getting feedback from around the world. People sent me postcards and floppy disks with suspected viruses, and occasionally donations. Those were exciting times. School work really seemed quite… uninteresting, in comparison.

One major concern in those days was memory. A typical Amiga 500 had 512 KB of memory. VI was designed from the start to be very memory-efficient. I took every step possible to save a few extra bytes here and there. The last version was 15 KB.

One big problem during development was the patching of the dos.library functions. The dos.library could not be patched like the other libraries using the SetFunction() method. It was unique in the way it passed the arguments in certain registers. (I don’t remember the details.) I had to code a “bridge” in assembler between the code that did the patching and the rest of the program. Assembler was not a language I was proficient in, and this code caused a lot of headaches for me, and a lot of crashes.

Another concern was the viruses themselves. I had a special testing environment that I would infect with every new virus and study the effects. I had to find the methods it used to stay resident, to infect files and so on, and devise counter-measures. At one time, due to carelessness and a new way to stay resident, I accidentally infected my live environment, causing some damage to my system.

In late 1993 I grew tired of the project and donated the source code to SHI. SHI was unable to find someone willing to maintain it, so 1.15 was to be the final release.

These are the credits for the last release of Virus-Interceptor: Virus-Interceptor Credits
