I think I will start with a little back story for this one. Back in the late 2000s I got my hands on an old Amiga computer and got involved with a community of so called "Amigans", which was a jocular reference to the term "vegan" to describe so called "Amiga fanboys". It was fun times. One day I discovered that the system had been infected by the so called "Happy New Year 96" virus, which probably is the most malicious virus I have encountered so far in terms of the damage that it caused on my system. It basically corrupted any binary by tainting it with random data, and you could not spot it simply by opening the binary in a binary editor, and no fsck or scandisk like tool would detect any disk corruption associated with it. The computer ended up being a total mess. It was a special kind of virus called a "link virus"*. But that was ok because I managed to remove the virus and repair the damage it did without reinstalling anything. One of my Amigan friends was very impressed by this, as to him, with such an infection, the only option is to reinstall everything from scratch.
I'm now tempted to say that now I'm going to reveal my secret on how I fixed this, but the truth is I never made a secret out of what I did. For the Amiga there were a bunch of tools that you could use to trace every event occurring within the system. The type of event I was particularly interested in were events related to read and write access to disk. There were two programs that were particularly good at this: SnoopDOS and DOSTrace. In that software you could even adjust the granularity of the logging down to every disk block read and written. If a program tried to access a file that didn't exist, then it would also be detected in the log. I used DOSTrace to trace out all the damage the Happy New Year virus caused me and fixed it. It took me maybe a couple of hours and that's it.
Recently I was infected by malware after visiting a website, and none of the well-known anti-virus software was able to detect it. So what I'm asking here is whether there is some generic tool that can trace all changes made to the system in connection with the software, kind of like DOSTrace or something. What I would like at the very least is some tool that scans the entire file system and system registry and dumps it to a file. Then I could infect the computer, do another scan, and then compare the before and after. Sure, things change all the time, so perhaps I can filter those out easily and then pinpoint what the malware has done exactly to the system.
Perhaps there are some VM images with Windows 10/11 that I can copy to VirtualBox or VMware with Chrome installed and perform this procedure in as a "safe environment"?
Then the next step, when the binaries involved have been found, is to try to reverse engineer them with software such as Ghidra and/or IDA Pro. This could be a lengthy process, but perhaps at a higher level it may be possible to quickly determine what API calls are involved to see whether it communicates with the internet, tries to access stored passwords within Chrome and other sensitive files?
* The term "link" is in reference to the process of building and compiling binaries (https://www.cprogramming.com/compilingandlinking.html), where the virus latches onto the executable at the "link level". It was so clever that it even preserved the file size of the executable down to every byte while injecting itself into the binary, and you could not detect it by inspecting the binary. I was no stranger to opening binaries in the hex editor during those times, and sometimes I could easily spot when certain system files had been modified by viruses such as the "saddam-virus".
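The before/after comparison the post asks for, as an added example that is not part of the original post or of any tool it names: snapshot a directory tree, snapshot it again after the suspect software has run, and diff the two. It records a SHA-256 per file rather than only the size, because, as the post notes, a link virus can keep the size identical; the `ignore_prefixes` filter is for directories that churn on their own (logs, caches). The demo scenario and its file names are constructed; the registry half of the question is not covered here.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Walk root and record (size, sha256) for every regular file.
    The hash is what catches a same-size overwrite that a size or
    timestamp check would miss."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            rel = p.relative_to(root).as_posix()
            state[rel] = (p.stat().st_size, h.hexdigest())
    return state


def diff(before, after, ignore_prefixes=()):
    """Compare two snapshots; paths under ignore_prefixes are dropped
    so that normal system churn does not drown the real changes."""
    result = {"added": [], "removed": [], "modified": []}
    for path in sorted(set(before) | set(after)):
        if any(path.startswith(pre) for pre in ignore_prefixes):
            continue
        if path not in before:
            result["added"].append(path)
        elif path not in after:
            result["removed"].append(path)
        elif before[path] != after[path]:
            result["modified"].append(path)
    return result


def demo():
    """Constructed scenario: one binary overwritten with content of the
    same length, one file dropped, one log file that should be ignored."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "logs").mkdir()
    (root / "bin" / "tool.exe").write_bytes(b"ORIGINALCODE")
    (root / "logs" / "app.log").write_text("start\n")
    before = snapshot(root)
    (root / "bin" / "tool.exe").write_bytes(b"TAINTEDCODE!")  # same 12 bytes
    (root / "bin" / "dropped.dll").write_bytes(b"payload")
    (root / "logs" / "app.log").write_text("start\nmore\n")
    return diff(before, snapshot(root), ignore_prefixes=("logs",))
```

Run `snapshot()` against a clean VM, run the suspect software, snapshot again and feed both to `diff()`; the `modified` list is where a same-size tampering shows up.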