Amiga Plus Special 25

home *** CD-ROM | disk | FTP | other *** search

/ Amiga Plus Special 25 / AMIGAplus Sonderheft 25 (2000)(Falke)(DE)(Track 1 of 4)[!].iso / Updates / Virus / VirusWarning.Guide (.txt) < prev next >

Wrap

Amigaguide Document | 2000-04-09 | 303KB | 5,473 lines

@database VirusWarning.guide @master VirusWarning.guide @$VER: VirusWarning.Guide v3.0 (2000.04.09) - Virus Help Denmark. @author "Jan Andersen" @(c) "Virus Help Danmark 1994-2000" @node main " VirusWarning.Guide v3.0 - 9 April 2000 - Size 303.128 unpacked" ***** VIRUS HELP DENMARK ***** *** PRESENTS *** * * ***** ***** @{fg shine}VirusWarning.Guide v3.0@{fg text} ***** ***** *** *** 9 April 2000 *** *** * * * *@{ub} >>>>>>>>>>>>>>>>>>>>>>>>>--------------------<<<<<<<<<<<<<<<<<<<<<<<<<< @{b}VirusWarning.Guide@{ub} @{" New warnings in this update of the guide " link News } - New's. @{" Virus/Trojan names in alfabetic order " link warnings } - Names list. @{" Virus/Trojan archives in alfabetic order " link archive } - Names List. @{" Virus/Trojan/Archives that we are looking for! " link wanted } - Help Us. @{" Copyright 1994-2000 " link copyright } - Copyright. @{" About Virus Help Denmark " link teamdk } - Who are we? @{" My PGP public key " link PGPkey } - PGP Key. @{" Thanks list corncerning VirusWarning.guide " link thanks } - Thanx list. @{" The newest versions of the Amiga Antivirus programs " link new } - AV Updates. This guide was made to give you a better look of the files that we have written warnings about. @endnode @Node new " The newest updates of the Amiga AntiVirus programs" The newest updates of the Amiga AntiVirus programs -------------------------------------------------- @{b}(9 April 1999)@{ub} VirusExecutor v2.03............. (01.04.2000) By Jan Erik Olausen. xvs.library v33.21.............. (08.03.2000) By Alex van Niel. VirusZ III v0.94b............... (07.03.2000) By Dirk Stoecker. VirusChecker II v2.5............ (03.10.1999) By Alex van Niel. VirusChecker.brain v3.0......... (03.10.1999) By Alex van Niel. VT v3.16........................ (16.08.1999) By Heiner Schneegold. VirusZ II v1.44................. (06.09.1998) By Georg Hoermann. NOTE: We know that a neu update of VirusZ can be found on Aminet, but the code in v1.45, is really a fixed release of v1.40, both made by Georg Hoermann. So from my point, use the 1.44 version of VirusZ, until Dirk Scoecker has updated VirusZ 3 to a fully working release. Please remember to support the antivirus programmers, after all they are helping you....... @{b}PS :@{ub} If you find a new virus or trojan, @{b}please@{ub} upload it to our @{" BBS " link supportbbs } then we will send it to all the anti-virus programmers that will accept new stuff from us. (use my @{" public PGP Key " link pgpkey }) You can get all the latest versions on our homepage, here is the adress: @{b}www.vht-dk.dk@{ub} @Endnode @node Copyright " Copyright Information" @{b}Copyright 1994-2000 - Information@{ub} This guide is written and @{b} Copyrighted 2000@{ub}, by @{b}Jan Andersen@{ub} of @{i}Virus Help Denmark@{ui} using the warnings that we have been writing and send out on the Net's, with the exceptions of the virus warnings that @{b}Markus Schmall@{ub} has written. But we have his permission to use them. No part of the guide may be altered in any way, without a written permission from @{" Virus Help Denmark " link TeamDK }. This Guide will be spread every 2 month, with all the new warnings by @{b}Markus Schmall@{ub} and @{b}Virus Help Denmark@{ub}. We will at that time have sent the new Warnings out on all the Nets and BBS'es, that we have access to (InterNet, FidoNet, AmyNet etc.). If you want to use this guide or some of the warnings, please contact one of us and get a written permisssion to do it. If you want to use the warnings that @{b}Markus Schmall@{ub} has written, please contact him to get his permission. This Guide is free to spread in any way, as long as nothing is altered in any way. @Endnode @Node teamdk " Virus Help Denmark - Copyright 2000 - v3.0" @{b}Who are Virus Help Danmark:@{ub} -------------------------------- @{" We are 5 guys " link team } who earlier worked for Safe Hex International to prevent the spreading of virus. But as our policy couldn't fit SHI's, we decided to step out from the 31 dec.1994 to start on our own. Our objectives are: @{b}1)@{ub} To fight and prevent the spreading of computervirus. @{b}2)@{ub} To aid users with virus related problems. @{b}3)@{ub} To support all wellknown antivirus programmer with virus. We will coorporate with @{b}ALL@{ub}, who support our sake. We simply don't care if they are Germans, Americans or wherefrom, as long as we can aid the Amiga users in the best possible way... @{i}For more info, please contact:@{ui} @{b}Jan Andersen - VHT Denmark@{ub} @{b}Lars P. Kristensen - VHT Denmark@{ub} --------------------------- -------------------------------- Fido...: @{b}2:237/38.100@{ub} E-Mail.: @{b}famkri@post4.tele.dk@{ub} VirNet.: @{b}9:451/247.0@{ub} AmyNET.: @{b}39:140/127.100@{ub} E-Mail.: @{b}vht-dk@post4.tele.dk@{ub} @{b}By snail-mail@{ub} ------------- Jan Andersen Lars P. Kristensen Charlottegaardsvej 131 or Safirvej 25 2640 Hedehusene 3650 Oelstykke DK-Denmark DK-Denmark @{b}Virus Help Denmark on Internet@{ub} ------------------------------ Homepage....: www.vht-dk.dk @{b}New Updates on VirusWarning.Guide can be found on these places:@{ub} --------------------------------------------------------------- (Send me an email if you have VirusWarning guide on your homepage) @endnode @node supportbbs "Virus Help Denmark's Support BBS'es" @{b}Virus Help Denmark's Support BBS'es@{ub} ----------------------------------- BBS Name....: XPoint BBS Phone Number: +45 6381 8005 Country.....: Denmark Open........: 24 Hours Modem.......: 56.200 X2 & ISDN BBS Name....: Kaleidoscope BBS Phone Number: +44 (0)151 474 1183 Country.....: England Open........: 24 Hours Modem.......: 56.600 BBS Name....: Thunderdome BBS. BBS Name....: ABBS Support BBS Phone Number: +46 171 20586 Phone Number: +47 6935 3097 Country.....: Sweden Country.....: Norway Open........: 24 Hours Open........: 24 Hours Modem.......: 33.600 v34+ Modem.......: 33.600 v34+ @Endnode @node team " The guys behind Virus Help Denmark" @{b}The guy's behind Virus Help Denmark.@{ub} ----------------------------------------- @{b}Jan Andersen@{ub}........: VHT-DK's InterNet support, Virus-Hunter, Contact to Anti-virus programmers. @{b}Lars P. Kristensen@{ub}..: VHT-DK's PR-man, Translator, Virus help. Virus Help Team's World support, BBS support. @{b}Henrik Lauridsen@{ub}....: VHT-DK's InterNet support, Virus help. @{b}Torben Danoe@{ub}........: VHT-DK's translator, Virus help. @{b}Jan Nielsen@{ub}.........: VHT-DK's translator, Virus help. We have no leades of VHT-Denmark, no one is the Boss. We all deside what we do, and how. That is why we are working as a @{b}TEAM@{ub}. @endnode @Node thanks "Thanks list corncerning VirusWarning.guide" @{b}Thanks list corncerning VirusWarning.guide@{ub} @{b}Markus Schmall........:@{ub} For letting us use his warnings in this guide Thanks must also go to: Jan-Jan, Lars, Henrik, Georg, Heiner, John, Torben, Soenke, Per, Kim B, Enzo, Deliveryman, Martin, Flemming S, Jan, Thomas, Hee-Mann, Ib, Dave, Ramon, Harry, Alex, Cor and Zbigniew for collecting trojans and viruses for us. Speciel thanx to the Virus Test Center in Hamburg. @{b}(Sorry if I forgot you)@{ub} All the guys that is helping us collecting the new virus, and the few ones that are helping everybody, by programming a viruskiller. @endnode @node pgpkey " My public PGP key" @{"Please send me" link teamdk } the new viruses that you find, so we can keep the support to the anti-virus programmers. You can encrypt it with my public PGP key, in that way the archive/file won't get spread if it ends up in the wrong place. Type Bits/KeyID Date User ID pub 1024/E7B1A755 1999/01/09 Jan Andersen <vht-dk@post4.tele.dk> -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQCNAzaX6BIAAAEEANnkhochSsPthVhFlRLPiCCndozo0h2g1RUQXTt4vSEvOpfs j9wTv6hZKeXsi1kE+5UKM/Xt9S+/eftKw+6oiWKyqB2dZqeLtLt5Uj1TXViMygye a0nDSFhub02NXTDehzgnhzO9kE/toqhTzyizygZYXrUD+Onp/CSq+InnsadVAAUR tCNKYW4gQW5kZXJzZW4gPHZodC1ka0Bwb3N0NC50ZWxlLmRrPokAlQMFEDaX6BQk qviJ57GnVQEBkGIEAIyaaerRR7kjLVmW1cshu6VHxq5uRVqg87M9qMTWJf0EfCgI yj5aJODqsjc36DPyW5AJuUgB1nDKPgvjCBCQp27PEvu61+a0S0Cat6sK65S5dxQE O92jtF/VPpaYy0nDsDoQemcFrggGVXxFTlstjNOk1GxatUIvGugBlcETUGO2 =kLIO -----END PGP PUBLIC KEY BLOCK----- @endnode @Node news " New warnings in this update of the guide" @{b}New warnings in this update of the guide@{ub} @{i}New warnings in alfabetic order Warning Name@{ui} ------------------------------------------------------------------------- @{" YAM Patcher Trojan (PatchYamPPC12.lha) " link vht-dk87.lha } - (vht-dk87.lha) @{" Sniper (HH Infected) (Sniper.lzh) " link vht-dk86.lha } - (vht-dk86.lha) ------------------------------------------------------------------------- @{b}!!!!! @{" We are looking for a lot of Viruses. please help us! " link missing } !!!!!@{ub} ------------------------------------------------------------------------- New warnings in VirusWarning.guide ---------------------------------- @{" v1.0 " link 1.0 } @{" v1.1 " link 1.1 } @{" v1.2 " link 1.2 } @{" v1.3 " link 1.3 } @{" v1.4 " link 1.4 } @{" v1.5 " link 1.5 } @{" v1.6 " link 1.6 } @{" v1.7 " link 1.7 } @{" v1.8 " link 1.8 } @{" v1.9 " link 1.9 } @{" v2.0 " link 2.0 } @{" v2.1 " link 2.1 } @{" v2.2 " link 2.2 } @{" v2.3 " link 2.3 } @{" v2.4 " link 2.4 } @{" v2.5 " link 2.5 } @{" v2.6 " link 2.6 } @{" v2.7 " link 2.7 } @{" v2.8 " link 2.8 } @{" v2.9 " link 2.9 } @endnode @node 1.0 " New in VirusWarning.Guide v1.0" New in VirusWarning.Guide v1.0 ------------------------------ @{" Strange Atmosphere LinkVirus (srn-db33.lha) " link srn-db33.lha }....: (Flake023.txt) @{" VirusMemKill v1.2 Trojan (VMK12.LHA) " link VMK12.lha }....: (Flake022.txt) @endnode @node 1.1 " New in VirusWarning.Guide v1.1" New in VirusWarning.Guide v1.1 ------------------------------ @{" Ebola 2 Link-Virus " link Ebola2 }....: (Flake024.txt) @{" BBS Traveller Virus (lop_mi2.lha) " link Lop_mi2.lha }....: (Flake025.txt) @{" Hitch Hiker 1.10 link virus " link HitchHiker }....: (Flake026.txt) @endnode @node 1.2 " New in VirusWarning.Guide v1.2" New in VirusWarning.Guide v1.2 ------------------------------ @{" Mutation Nation linkvirus " link Mutation }....: (Flake027.txt) @{" Hitch Hiker 3.00 link virus " link HitchHiker3 }....: (Flake028.txt) @{" Hitch Hiker 3.00 link virus Installer " link HitchHiker3ins }....: (Flake029.txt) @endnode @node 1.3 " New in VirusWarning.Guide v1.3" New in VirusWarning.Guide v1.3 ------------------------------ @{" HitchHiker 3.00 linkvirus (patchhh.lzx) " link patchhh.lzx }....: (Flake-28.txt} @{" Voxel_Svind.exe (dph-vos.lha) " link Voxel }....: (Vhelp-35.txt) @{" HF-Intro.exe (hf-vc24.lha) " link hf-vc24.lha }....: (Vhelp-36.txt) @{" Happy New Year 96' Infected (ABC14.DMS) " link happy } @endnode @node 1.4 " New in VirusWarning.Guide v1.4" New in VirusWarning.Guide v1.4 ------------------------------ @{" CygnusEd v4.0 Trojan (HF-CED40.LHS) " link vhelp-39.txt } (VHelp-39.txt) @{" HD Protect v6.24 trojan (HDPRO624.LHA) " link vhelp-38.txt } (VHelp-38.txt) @{" Tetris Attack Full Release Disk 1 (HF-TETA1.LHA) " link Vhelp-37.txt } (VHelp-37.txt) @{" Tetris Attack Full Release Disk 2 (HF-TETA2.LHA) " link Vhelp-37.txt } (VHelp-37.txt) @{" The Black Lotus 'Abduction' demo (TBL-ABDU.LHA) " link VHELP-40.txt } (VHelp-40.txt) @endnode @node 1.5 " New in VirusWarning.Guide v1.5" New in VirusWarning.Guide v1.5 ------------------------------ @{" Happy New Year 97' virus (DARKFUCK.LHA) " link darkfuck.lha } (VHelp-40.txt) @{" HNY 97' infected archive (TBF-F175.LHA) " link TBF-F175.LHA } (VHelp-41.txt) @{" HitchHicker 4 infected archive (MAPUS200.LZX) " link MAPUS200.LZX } (VHelp-42.txt) @endnode @node 1.6 " New in VirusWarning.Guide v1.6" New in VirusWarning.Guide v1.6 ------------------------------ @{" IBrowse v2.0 Trojan (DNC-IB2.LHA) " link DNC-IB2.LHA } @{" HNY 97' infected archive (AMN-PAS1.LHA) " link happy } @{" HNY 97' infected archive (DXP_LW2R.LHA) " link happy } @endnode @node 1.7 " New in VirusWarning.Guide v1.7" New in VirusWarning.Guide v1.7 ------------------------------ @{" Ibrowse v2.0 (DCN-IB2.LHA) " link DNC-IB2.LHA } @{" Maups v2.0 (HitchHicker 4 Infected) (MAPUS200.LZX) " link vhelp-43.txt } @{" Intel Outside 4 Trojan (IO4-INVI.LHA) " link vhelp-44.txt } @{" Xtruder v3.5 Trojan (XTRUDE35.LHA) " link vhelp-45.txt } @endnode @node 1.8 " New in VirusWarning.Guide v1.8" New in VirusWarning.Guide v1.8 ------------------------------ @{" Ibrowse v2.0 (DCN-IB2.LHA) " link vhelp-46.txt } - VHelp-46.txt @{" Happy New Year 97' new string (MUI020.LHA) " link vhelp-47.txt } - VHelp-47.txt @{" AmixHack Trojan (DEC-SCP.LHA) " link vhelp-48.txt } - VHelp-48.txt @{" HitchHicker v4.23 Link-Virus " link vhelp-49.txt } - VHelp-49.txt @endnode @node 1.9 " New in VirusWarning.Guide v1.9" New in VirusWarning.Guide v1.9: ------------------------------- @{" Lisa FuckUp v3.0 (SEBOLA97.LHA) " link vhelp-50.txt } - VHelp-50.txt @{" HitchHicker v4.11 infected (NUP-SLOS.LHA) " link vhelp-51.txt } - VHelp-51.txt @{" Ebola infected (PSY-HAL.LHA) " link vhelp-52.txt } - VHelp-52.txt @{" ZIB linkvirus found " link vhelp-53.txt } - VHelp-53.txt @endnode @node 2.0 " New in VirusWarning.Guide v2.0" New in VirusWarning.Guide v2.0: ------------------------------- @{" Happy New Year 98 Infcted archive (w9-sex.lzx) " link vhelp-58.txt } - VHelp-58.txt @{" Happy New Year 98 linkvirus " link vhelp-57.txt } - VHelp-57.txt @{" Happy New Year 96 Infected archive (org3_3.lha) " link vhelp-56.txt } - VHelp-56.txt @{" Ebola infected archive (d-s_zw2.lha) " link vhelp-56.txt } - VHelp-56.txt @{" Ebola infected archive (d-s_mk2.lha) " link vhelp-56.txt } - VHelp-56.txt @{" Ebola infected archive (cpu-mv31.lha) " link vhelp-55.txt } - VHelp-55.txt @{" Happy New Year 96 Infected archive (modtime.lzx) " link happy } - @{" Hitch Hiker v2.11 installer (kilhitch.lha) " link kilhitch.lha } - @{" ZIP linkvirus installer (opus566p.lzx) " link vhelp-54.txt } - VHelp-54.txt @endnode @node 2.1 " New in VirusWarning.Guide v2.1" New in VirusWarning.Guide v2.1: ------------------------------- @{" Miami Keyfile checker Trojan (PHK-MKEY.lzx) " link vht-dk67.lha } - vht-dk67.lha @{" ReOrgIt Trojan (ReOrgIt.lha) " link vht-dk66.lha } - vht-dk66.lha @{" Max BBS trojan Type D (Mpeopledemo.lha) " link vht-dk65.lha } - vht-dk65.lha @{" Max BBS trojan Type C (SPICE_POWER.lha) " link vht-dk64.lha } - vht-dk64.lha @{" Max BBS trojan Type B (nce-tri9.lha) " link vht-dk63.lha } - vht-dk63.lha @{" Max BBS trojan Type A (JC_SpiceGirls.LHA) " link vht-dk62.lha } - vht-dk62.lha @{" Happy New Year 96 Infected archive (CBS-ETIT.LZX) " link vht-dk61.lha } - vht-dk61.lha @{" Happy New Year 98 Infected archive (CNS-BGE.LHA) " link vht-v059.lha } - vht-v059.lha @endnode @node 2.2 " New in VirusWarning.Guide v2.2" New in VirusWarning.Guide v2.2 ------------------------------ This was a 'buggy' release, sorry for that......... @endnode @node 2.3 " New in VirusWarning.Guide v2.3" New in VirusWarning.Guide v2.3 ------------------------------ @{" Happy New Year 96' Infected (PHT-Suns.lzx) " link vht-dk68.lha }....: (vht-dk68.lha) @{" Happy New Year 96' Infected (FFFF.LHA) " link vht-dk69.lha }....: (vht-dk69.lha) @endnode @node 2.4 " New in VirusWarning.Guide v2.4" New in VirusWarning.Guide v2.4 ------------------------------ @{" Happy New Year 96' Infected (WinTool.lha) " link vht-dk70.lha } - (vht-dk70.lha) @{" Max BBS #4 trojan (maxsafe.lha) " link vht-dk71.lha } - (vht-dk71.lha) @endnode @node 2.5 " New in VirusWarning.Guide v2.5" ' New in VirusWarning.Guide v2.5 ------------------------------ @{" Fungus/lsd installer (m31h_crk.lha " link vht-dk75.lha } - (vht-dk75.lha) @{" Fungus/lsd file virus " link vht-dk74.lha } - (vht-dk74.lha) @{" PolishPower link virus (AMFTP 1.91) " link vht-dk73.lha } - (vht-dk73.lha) @{" New Max BBS trojan (UnpackJPEG) " link vht-dk72.lha } - (vht-dk72.lha) @endnode @node 2.6 " New in VirusWarning.Guide v2.6" New in VirusWarning.Guide v2.6 ------------------------------ @{" Birthday Trojan & Dropper (birthday.lha) " link vht-dk77.lha } - (vht-dk77.lha) @{" datatypes.library v45.5 Trojan (dtypes455upd.lha) " link vht-dk76.lha } - (vht-dk76.lha) @endnode @node 2.7 " New in VirusWarning.Guide v2.7" New in VirusWarning.Guide v2.7 ------------------------------ @{" Miami DeLuxe v0.9c fake (mdlx09c.lha) " link vht-dk79.lha } - (vht-dk79.lha) @{" CygnusEd v4.17 fake (hf-cd417.lha) " link vht-dk78.lha } - (vht-dk78.lha) @endnode @node 2.8 " New in VirusWarning.Guide v2.8" New in VirusWarning.Guide v2.8 ------------------------------ @{" FastIPrefs 40.37 trojan (FastIPrefs4037.lha) " link vht-dk80.lha } - (vht-dk80.lha) @{" Patch CopyMem Trojan (CMQ060.lha) " link vht-dk81.lha } - (vht-dk81.lha) @{" PoolMem v1.45 Trojan (Poolmem.lha) " link vht-dk82.lha } - (vht-dk82.lha) @endnode @node 2.9 " New in VirusWarning.Guide v2.9" New in VirusWarning.Guide v2.9 ------------------------------ @{" MUI v4.0 Fake (mui40usr.lha) " link vht-dk85.lha } - (vht-dk85.lha) @{" Amos Joshua Clone Trojan (SonicII.lha) " link vht-dk84.lha } - (vht-dk84.lha) @{" Amos Joshua Trojan (msxR.lha) " link vht-dk83.lha } - (vht-dk83.lha) @endnode @node Warnings " Virus and Trojan warnings! - Copyright M.Schmall & Virus Help DK" @{i}All warnings in alfabetic order Warning Name@{ui} ------------------------------------------------------------------------ @{" Abase infected Saddam Archiv (ABASE.DMS) " link ABASE }....: (Vhelp-15.txt) @{" Achtung.exe Trojan. (GATH95-!.LHA) " link Gath95 }....: (Vhelp-05.txt) @{" Achtung.exe Trojan (Gath95-!.lha) " link Gath95-!.lha }....: (Flake005.lha) @{" Addy v0.99 Trojan. (ADDY099.LHA) " link Addy }....: (Vhelp-02.txt) @{" Alfons Eberg 2.0 (Wireface) (hf-vc24.lha) " link hf-vc24.lha }....: (VHelp-36.txt) @{" AMFTP v1.75 Infected (TBF-F175.LHA) " link TBF-F175.LHA }....: (VHelp-42.txt) @{" AmiBlank Trojan (ABLANK11.LHA) " link ABLANK11.LHA }....: (Flake021.txt) @{" AmiExpress v5.0 Trojan (PSG-AE5.LHA) " link Amiekspress }....: (Vhelp-18.txt) @{" AmixHack Trojan (DEC-SCP.LHA) " link vhelp-48.txt }....: (Vhelp-48.txt) @{" Amos Joshua Trojan (msxR.lha) " link vht-dk83.lha }....: (vht-dk83.lha) @{" Amos Joshua Clone Trojan (SonicII.lha) " link vht-dk84.lha }....: (vht-dk84.lha) @{" BBS Traveller Virus (lop_mi2.lha) " link Lop_mi2.lha }....: (Flake025.txt) @{" Birthday Trojan & Dropper (birthday.lha) " link vht-dk77.lha }....: (vht-dk77.lha) @{" Callerslog v1.2 Trojan (MST-CA12.LHA) " link MST-CA12.LHA }....: (Vhelp-20.txt) @{" CarlingCard Hacker Trojan (CCHACK2.exe) " link CCHack }....: (Vhelp-17.txt) @{" Commander link-virus Infector. (dpl-mam1.dms) " link Commander2 }....: (Vhelp-04.txt) @{" Commander link-virus Infector. (Denistro.exe) " link Commander }....: (Vhelp-00.txt) @{" ConMan Trojan (hackt.lha) " link hackt.lha }....: (Flake006.txt) @{" ConMan 1995 link-virus (M-hac.lha) " link M-hac.lha }....: (Flake016.txt) @{" CoP Killer v1.1 Trojan (COPKILL1.LHA) " link Copkill }....: (Vhelp-19.txt) @{" Creator v1.0 Trojan (CREATOR.LHA) " link Creator }....: (Vhelp-12.txt) @{" CygnusEd v4.00 Trojan. (CED4.LHA) " link CED4 }....: (Vhelp-08.txt) @{" CygnusEd v4.0 Trojan (HF-CED40.LHS) " link vhelp-39.txt }....: (VHelp-39.txt) @{" CygnusEd v4.17 fake (hf-cd417.lha) " link vht-dk78.lha }....: (vht-dk78.lha) @{" DancePoolModTro.exe Infected (SIGN.LHA) " link SIGN.LHA }....: (Vhelp-32.txt) @{" datatypes.library v45.5 (dtypes455upd.lha) " link vht-dk76.lha }....: (vht-dk76.lha) @{" DirectoryOpus v5.00. (OPUS5.LHA) " link opus5 }....: (Vhelp-09.txt) @{" DiskMaster v5.1 Trojan " link DM51 }....: (Vhelp-25.txt) @{" DMS v2.06 Trojan (cry_206.lha) " link Cry_206.lha }....: (Flake003.lha) @{" dpl-dc99.lha trojan (dpl-dc99.lha) " link dpl-dc99.lha }....: (Flake004.lha) @{" Ebola 2 Link-Virus " link Ebola2 }....: (Flake024.txt) @{" FastIPrefs 40.37 trojan (FastIPrefs4037.lha) " link vht-dk80.lha }....: (vht-dk80.lha) @{" FileGhost 3 LinkVirus " link Fileghost3 }....: (Flake009.txt) @{" Flake013.txt Fake (BIO-WARN.LHA) " link BIO-WARN.LHA }....: (Flake014.txt) @{" Fungus/lsd virus " link vht-dk74.lha }....: (vht-dk74.lha) @{" Fungus/lsd installer (m31h_crk.lha) " link vht-dk75.lha }....: (vht-dk75.lha) @{" Futuretracker Trojan (TRSI-FT.LHA) " link Futuretracker }....: (Vhelp-14.txt) @{" Happy_New_Year_96' link virus " link HappyNew }....: (Flake017.txt) @{" Happy New Year 96' New String (CBS-ETIT.LZX) " link vht-dk61.lha }....: (vht-dk61.lha) @{" Happy_New_Year_97' link virus (DARKFUCK.LHA) " link darkfuck.lha }....: (VHelp-41.txt) @{" Happy_New_Year_97' New String (MUI020.LHA) " link vhelp-47.txt }....: (VHelp-47.txt) @{" Happy New Year_98' link virus " link vhelp-57.txt }....: (VHelp-57.txt) @{" Happy New Year 98 Infcted archive (CNS-BGE.LHA) " link vht-v059.lha }....: (vht-v059.lha) @{" HardDiskSpeeder v1.5 GVP Inc. (GVP-HS15.lha) " link GVP-HS15.lha }....: (Flake012.txt) @{" HD Protect v6.24 trojan (HDPRO624.LHA) " link vhelp-38.txt }....: (VHelp-38.txt) @{" HF-Intro.exe (hf-vc24.lha) " link hf-vc24.lha }....: (VHelp-36.txt) @{" Hitch Hicker 1.10 link virus " link HitchHiker }....: (Flake026.txt) @{" Hitch Hicker 2.11 Installer (kilhitch.lha) " link kilhitch.lha }....: @{" Hitch Hicker 3.00 link virus " link HitchHiker3 }....: (Flake028.txt) @{" Hitch Hicker 3.00 link virus Installer " link HitchHiker3ins }....: (Flake029.txt) @{" Hitch Hicker 4.00 link virus " link MAPUS200.LZX}....: (VHelp-42.txt) @{" Hitch Hicker 4.23 link virus " link vhelp-49.txt }....: (VHelp-49.txt) @{" Ibrowse v2.0 (DCN-IB2.LHA) " link DNC-IB2.LHA }....: (VHelp-46.txt) @{" Ibrowse v2.0 (New warning update) (DCN-IB2.LHA) " link VHELP-46.txt }....: (VHelp-46.txt) @{" Intel Outside 4 Trojan (IO4-INVI.LHA) " link vhelp-44.txt }....: (VHelp-44.txt) @{" IStrip v2.1 Trojan (Istrip21.lha) " link Istrip21.lha }....: (Flake002.lha) @{" KillHitch Trojan (kilhitch.lha) " link kilhitch.lha }....: @{" LHA v3.0 Trojan. (LHA30.LHA) " link lha30 }....: (Vhelp-07.txt) @{" Lisa FuckUp v3.0 Trojan (SEBOLA97.LHA) " link vhelp-50.txt }....: (VHelp-50.txt) @{" LZX v1.30 Trojan (CoP Type F) (LZX130.lha) " link LZX130.lha }....: (Flake007.txt) @{" MakeKey v1.10 For Virus_Checker (VcKey110.lha) " link VcKey110.lha }....: (Flake013.txt) @{" Maups v2.0 (HH 4 Infected) (MAPUS200.LZX) " link vhelp-43.txt }....: (VHelp-43.txt) @{" Max BBS trojan Type A (JC_SpiceGirls.LHA) " link vht-dk65.lha }....: (vht-dk65.lha) @{" Max BBS trojan Type B (nce-tri9.lha) " link vht-dk64.lha }....: (vht-dk64.lha) @{" Max BBS trojan Type C (SPICE_POWER.lha) " link vht-dk63.lha }....: (vht-dk63.lha) @{" Max BBS trojan Type D (Mpeopledemo.lha) " link vht-dk62.lha }....: (vht-dk62.lha) @{" Max BBS trojan Type E (unpackjpeg) " link vht-dk72.lha }....: (vht-dk72.lha) @{" Miami DeLuxe v0.9c Fake (mdlx09c.lha) " link vht-dk79.lha }....: (vht-dk79.lha) @{" Miami Keyfile checker Trojan (PHK-MKEY.lzx) " link vht-dk67.lha }....: (vht-dk67.lha) @{" MUI v4.0 Fake (mui40usr.lha) " link vht-dk85.lha }....: (vht-dk85.lha) @{" MultiView v3.1 (Ebola infected) (CPU-MV31.LHA) " link vhelp-55.txt }....: (VHelp-55.txt) @{" Mutation Nation linkvirus " link Mutation }....: (Flake027.txt) @{" NC210.LHA and NC210.LZX Infected (NC210.LHA/LZX) " link NC210.LHA }....: (Vhelp-31.txt) @{" NComm v3.2 Trojan. (NCOMM32.LHA) " link NComm }....: (Vhelp-06.txt) @{" No Sense Diskmagazine Infected (C!S-NS1.DMS) " link C!S-NS1.DMS }....: (Vhelp-33.txt) @{" Patch CopyMem Trojan (CMQ060.lha) " link vht-dk81.lha }....: (vht-dk81.lha) @{" Pestilence Bootblockvirus 1.15 " link Pestilence }....: (Flake001.lha) @{" PolishPower link virus (amftp 1.91) " link vht-dk73.lha }....: (vht-dk73.lha) @{" PoolMem v1.45 Trojan (Poolmem.lha) " link vht-dk82.lha }....: (vht-dk82.lha) @{" Phenomena DOS-Extender V1.1 (PHA-XMAS.lha) " link PHA-XMAS.lha }....: (Flake019.txt) @{" Quarterback Tools Trojan (ORS-QBD.LHA) " link ORS-QBD.LHA }....: (Vhelp-24.txt) @{" Removcmd.lha Trojan (Removcmd.lha) " link Removcmd.lha }....: (Flake000.lha) @{" ReOrgIt Trojan (ReOrgIt.lha) " link vht-dk66.lha }....: (vht-dk66.lha) @{" SInfo v1.00 Trojan (SINFO10.LHA) " link Sinfo }....: (Vhelp-11.txt) @{" Surprise Trojan at 'TP 4'. (SURPRISE.DMS) " link surprise }....: (Vhelp-01.txt) @{" Susi_Drive_Stepper Trojan " link SusiStepper }....: (Flake018.txt) @{" Strange Atmosphere LinkVirus (srn-db33.lha) " link srn-db33.lha }....: (Flake023.txt) @{" Tetris Attack Full Release Disk 1 (HF-TETA1.LHA) " link Vhelp-37.txt }....: (vhelp-37.txt) @{" Tetris Attack Full Release Disk 2 (HF-TETA2.LHA) " link Vhelp-37.txt }....: (vhelp-37.txx) @{" The Black Lotus 'Abduction' demo (TBL-ABDU.LHA) " link VHELP-40.txt }....: (VHelp-40.txt) @{" TMTC90.LHA Virus Infected (TMTC90.LHA) " link TMTC90.LHA }....: (Vhelp-30.txt) @{" TP-5 Andromeda Demo Trojan (TP5-ANDR.LHA) " link TP5-ANDR.LHA }....: (Vhelp-27.txt) @{" TP-5 Parallax Demo Trojan (TP5-PRLX.LHA) " link TP5-PRLX.LHA }....: (Vhelp-29.txt) @{" TP-5 Silents DK Trojan (TP5-TSL.LHA) " link TP5-TSL.LHA }....: (Vhelp-28.txt) @{" TP-5 Spaceballs Demo Trojan (TP5-SPAC.LHA) " link TP5-SPAC.LHA }....: (Vhelp-26.txt) @{" TP-5 TRSI Trojan (TP5-TRSI.LHA) " link TP5-TRSI.LHA }....: (Flake020.txt) @{" TRSi Installer Trojan (TRSI-INS.LHA) " link TRSI-INS.LHA }....: (Vhelp-21.txt) @{" TRSi Installer Trojan (TRSI-INS.LHA) " link Flake011.txt }....: (Flake011.txt) @{" Voxel_Svind.exe (dph-vos.lha) " link Voxel }....: (Vhelp-35.txt) @{" Virus_Checker v6.60 Trojan (VCHCK660.lzx) " link VCHCK660.lzx }....: (Vhelp-23.txt) @{" VirusWorkshop v5.0 Trojan (TRSI-VW5.LHA) " link VWS50 }....: (Vhelp-15.txt) @{" VirusZ II v1.14 - Fake (VZII_114.LHA) " link VirusZII114 }....: (Vhelp-03.txt) @{" VirusZ II v1.19 - Fake (VZII_119.LHA) " link VZII_119.lha }....: (Flake010.txt) @{" VirusMemKill v1.2 Trojan (VMK12.LHA) " link VMK12.lha }....: (Flake022.txt) @{" WireFace Trojan Type G (chkmount.lha) " link chkmount.lha }....: (Flake015.txt) @{" Xtruder v3.5 Trojan (XTRUDE35.LHA) " link vhelp-45.txt }....: (VHelp-45.txt) @{" ZAP v1.1 Unpacker virus infected (TXC-Z11.LHA) " link TXC-Z11.LHA }....: (VHelp-34.txt) @{" ZIB linkvirus found " link vhelp-53.txt }....: (VHelp-53.txt) @{" ZIB linkvirus installer (opus566p.lzx) " link vhelp-54.txt }....: (Vhelp-54.txt) ---------------------------- @{b}End of list@{ub} ------------------------------- @endnode @Node archive " Find an Archive by name" @{b}Virus/Trojan Archives In Alfabetic Order@{ub} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Archive Name - Archive infected With ! --------------------------------------------------- @{" !ansianim!.lha - Trojan " link untested } @{" 10000.lha - Ebola Infected Archive " link Ebola } @{" a!a-pp2.dms - HNY 96' Infected archive " link happy } @{" ABASE.DMS - Abase infected Saddam Archiv " link ABASE } @{" ABC14.DMS - HNY 96' Infected archive " link happy } @{" ABLANK11.LHA - AmiBlank Trojan (Kuk Crew) " link ABLANK11.LHA} @{" ac0396_1.DMS - HNY 96' Infected archive " link happy } @{" ACID05.LHA - HNY 96' Infected archive " link happy } @{" ACID06.LHA - HNY 96' Infected archive " link happy } @{" ADDY099.LHA - Addy v0.99 Trojan " link Addy } @{" aframe01.lha - Ebola Infected Archive " link Ebola } @{" aga_italy2.lzx - Trojan " link untested } @{" agt-cbsc.lha - HNY 96' Infected archive " link happy } @{" agt-cowz.lha - HNY 96' Infected archive " link happy } @{" apt-40kb.lha - HNY 96' Infected archive " link happy } @{" asp-fx13.lha - HNY 96' Infected archive " link happy } @{" ASTMA!.LHA - HNY 96' Infected archive " link happy } @{" ATW-MOD.LHA - HNY 96' Infected archive " link happy } @{" Birthday.lha - Birthday Trojan & Dropper " link vht-dk77.lha } @{" C!S-NS1.DMS - No Sense Diskmagazine Infected " link C!S-NS1.DMS } @{" CBS-ETIT.LZX - HNY 96' New String (hunk 11) " link vht-dk61.lha } @{" CCHACK2.exe - CarlingCard Hacker Trojan " link CCHack } @{" cdrplay.lha - Ebola Infected Archive " link Ebola } @{" CED4.LHA - CygnusEd v4.00 Trojan (CoP) " link CED4 } @{" chkmount.lha - WireFace Trojan Type G " link chkmount.lha } @{" CNS-BGE.LHA - Happy New Year 98 Infcted " link vht-v059.lha } @{" cpu-mv31.lha - Ebola infected archive " link vhelp-55.txt } @{" cpu-nfot.lha - Trojan " link untested } @{" cpucache.lha - Trojan " link untested } @{" XMQ060.lha - Patch CopyMem Trojan " link vht-dk81.lha } @{" CREATOR.LHA - Creator v1.0 Trojan " link Creator } @{" cry_206.lha - DMS v2.06 Trojan " link Cry_206.lha } @{" D-S_MK2.LHA - Ebola Infected archive " link vhelp-56.txt } @{" D-S_ZW2.LHA - Ebola Infected archive " link vhelp-56.txt } @{" Darkfuck.lha - HNY 97' Infected archive " link darkfuck.lha } @{" dat_ho1.lha - HNY 96' Infected archive " link happy } @{" dat_ho2.lha - HNY 96' Infected archive " link happy } @{" dat_ho3.lha - HNY 96' Infected archive " link happy } @{" dat_ho4.lha - HNY 96' Infected archive " link happy } @{" dat_ho5.lha - HNY 96' Infected archive " link happy } @{" dat_ho6.lha - HNY 96' Infected archive " link happy } @{" dat_ho7.lha - HNY 96' Infected archive " link happy } @{" dat_ho8.lha - HNY 96' Infected archive " link happy } @{" dat_ho9.lha - HNY 96' Infected archive " link happy } @{" dat_h10.lha - HNY 96' Infected archive " link happy } @{" dcodes1_4.lzx - HNY 96' Infected archive " link happy } @{" dec-scp.lha - AmixHack trojan " link vhelp-48.txt } @{" Denistro.exe - Commander link-virus Infector " link Commander } @{" detag063.lha - HNY 96' Infected archive " link happy } @{" diceroll.lha - HNY 96' Infected archive " link happy } @{" digital.lha - HNY 96' Infected archive " link happy } @{" dive-ing.lzx - HNY 96' Infected archive " link happy } @{" dop-dm1.dms - HNY 96' Infected archive " link happy } @{" dlm_prim.dms - Ebola Infected Archive " link Ebola } @{" dc-amftp.lha - Hitch Hicker v4.23 Infected arc. " link vhelp-49.txt } @{" dcn-db3p.dms - Trojan " link untested } @{" dcn-ib2.lha - Ibrowse v2.0 " link DNC-IB2.LHA } @{" dcn-ib2.lha - Ibrowse v2.0 (Update warning) " link vhelp-46.txt } @{" dph-vos.lha - Voxel_Svind trojan " link Voxel } @{" dpl-dc99.lha - dpl-dc99.lha trojan " link dpl-dc99.lha } @{" dpl-mam1.dms - Commander link-virus Infector " link Commander2 } @{" dsy-bul1.lha - HNY 96' Infected archive " link happy } @{" dtypes455upd.lha - Datatypes.library v45.5 Trojan " link vht-dk76.lha } @{" dvd!-def.lha - Ebola Infected Archive " link Ebola } @{" ed-psyo3.lha - HNY 96' Infected archive " link happy } @{" eft_cc14lha - HNY 96' Infected archive " link happy } @{" etc!hd.lha - Trojan " link untested } @{" evilcomm.lha - Trojan " link untested } @{" FastIPrefs4037.lha - FastIPrefs 40.37 Trojan " link vht-dk80.lha } @{" FFFF.lha - HNY 96' Infected archive " link vht-dk69.lha } @{" flt1996.lha - Trojan " link untested } @{" GATH95-!.LHA - Achtung.exe Trojan " link Gath95 } @{" GVP-HS15.lha - HardDiskSpeeder v1.5 GVP Inc. " link GVP-HS15.lha } @{" h&w-woda.dms - Trojan " link untested } @{" hackt.lha - ConMan Trojan " link hackt.lha } @{" hdpro624.lha - HD Protect v6.24 trojan " link vhelp-38.txt } @{" hf-cd417.lha - CygnusEd v4.17 fake " link vht-dk78.lha } @{" hf-ced40.lha - CygnusEd v4.0 Trojan " link vhelp-39.txt } @{" hf-lopi1.dms - HNY 96' Infected archive " link happy } @{" hf-teta1.lha - Cop Trojan (Tetris Attack) " link Vhelp-37.txt } @{" hf-teta2.lha - Cop Trojan (Tetris Attack) " link Vhelp-37.txt } @{" hf-vc24.lha - Vinci v2.4 (HF intro infected) " link hf-vc24.lha } @{" hf-wttr.lha - Ebola Infected Archive " link Ebola } @{" ht-stag1.dms - HNY 96' Infected archive " link happy } @{" ht-stag2.dms - HNY 96' Infected archive " link happy } @{" idefix191.lha - Hitch Hicker v4.23 Infected arc. " link vhelp-49.txt } @{" Ins-blf.lha - HNY 96' Infected archive " link happy } @{" Int-ap21.lha - HNY 96' Infected archive " link happy } @{" io3-64k.lha - HNY 96' Infected archive " link happy } @{" IO4-INVI.LHA - Intel Outside 4 Trojan " link vhelp-44.txt } @{" Istrip21.lha - IStrip v2.1 Trojan " link Istrip21.lha } @{" JC_SpiceGirls.LHA - Max BBS trojan Type A " link vht-dk62.lha } @{" kewlcd.lha - HNY 96' Infected archive " link happy } @{" kilhitch.lha - Hitch Hiker v2.11 Installer " link kilhitch.lha } @{" LHA30.LHA - LHA v3.0 Trojan. " link lha30 } @{" lop_mi2.lha - BBS Traveller Virus " link Lop_mi2.lha } @{" lzx121crk.lha - Trojan " link untested } @{" LZX130.lha - LZX v1.30 Trojan (CoP Type F) " link LZX130.lha } @{" M31H_CRK.LHA - Fungus/lsd installer " link vht-dk75.lha } @{" MAPUS200.LZX - HitchHicker v4.00 Infected " link MAPUS200.LZX } @{" mdlx09c.lha - Miami DeLuxe v0.9c fake " link vht-dk79.lha } @{" miamic.lha - HNY 96' Infected archive " link happy } @{" Modti541.lha - HNY 96' Infected archive " link happy } @{" modtime.lzx - HNY 96' Infected archive " link happy } @{" Mpeopledemo.lha - Max BBS trojan Type D " link vht-dk65.lha } @{" msr-a71p.lha - Hitch Hicker v4.23 Infected arc. " link vhelp-49.txt } @{" MST-CA12.LHA - Callerslog v1.2 Trojan " link MST-CA12.LHA } @{" msxR.lha - Amos Joshua Trojan " link vht-dk83.lha } @{" mth-gd10.lzx - Ebola Infected Archive " link Ebola } @{" MUI020.LHA - Happy New Year 97' New string " link vhelp-47.txt } @{" mui40usr.lha - MUI v4.0 Fake " link vht-dk85.lha } @{" Nbk-fkt.lha - HNY 96' Infected archive " link happy } @{" NC210.LHA - Happy New Year 96' Infected " link NC210.LHA } @{" NC210.LZX - Happy New Year 96' Infected " link NC210.LHA } @{" nce-tri9.lha - Max BBS trojan Type B " link vht-dk63.lha } @{" NCOMM32.lha - NComm v3.2 Trojan (CoP) " link NComm } @{" nhp122.lha - Ebola Infected Archive " link Ebola } @{" NUP-SLOS.LHA - HitchHiker v4.11 infected " link vhelp-51.txt } @{" OPUS5.LHA - DirectoryOpus v5.00 (CoP) " link opus5 } @{" opus566p.lzx - ZIB linkvirus Installer " link vhelp-54.txt } @{" orb!mk.dms - HNY 96' Infected archive " link happy } @{" ORG3_3.LHA - HNY 96' Infected archive " link vhelp-56.txt } @{" ORS-QBD.LHA - Quarterback Tools Trojan (CoP) " link ORS-QBD.LHA } @{" otl-db1d.dms - Ebola Infected Archive " link Ebola } @{" patchhh.lzx - HitchHiker 3.00 linkvirus " link patchhh.lzx } @{" pet-sus5.dms - Ebola Infected Archive " link Ebola } @{" PHA-XMAS.lha - Phenomena DOS-Extender V1.1 " link PHA-XMAS.lha } @{" PHK-MKEY.lzx - Miami Keyfile checker Trojan " link vht-dk67.lha } @{" PHT-Suns.lzx - HNY 96' Infected archive " link vht-dk68.lha } @{" phonebook.lha - HNY 96' Infected archive " link happy } @{" plo-dm1.dms - HNY 96' Infected archive " link happy } @{" Plo-dm2.dms - HNY 96' Infected archive " link happy } @{" PoolMem.lha - PoolMem v1.45 Trojan " link vht-dk82.lha } @{" PSG-AE5.LHA - AmiExpress v5.0 Trojan " link Amiekspress } @{" psp-64k.lha - HNY 96' Infected archive " link happy } @{" PSY-HAL.LHA - Ebola infected " link vhelp-52.tx } @{" Removcmd.lha - Removcmd.lha Trojan " link Removcmd.lha } @{" ReOrgIt.lha - ReOrgit Trojan " link vht-dk66.lha } @{" scansys.lha - Trojan " link untested } @{" scm-bps1.lha - HNY 96' Infected archive " link happy } @{" SEBOLA97.LHA - Lisa fuckup v3.0 trojan " link vhelp-50.txt } @{" SIGN.LHA - DancePoolModTro.exe Infected " link SIGN.LHA } @{" SINFO10.lha - SInfo v1.00 Trojan " link Sinfo } @{" slt-m21g.lha - Hitch Hicker v4.23 Infected arc. " link vhelp-49.txt } @{" SonicII.lha - Amos Joshua Clone Trojan " link vht-dk84.lha } @{" SPICE_POWER.lha - Max BBS trojan Type C " link vht-dk64.lha } @{" srn-db33.lha - Strange Atmosphere LinkVirus " link srn-db33.lha } @{" Strip64.lha - HNY 96' Infected archive " link happy } @{" SURPRISE.DMS - Surprise Trojan at 'TP 4' " link surprise } @{" TBF-F175.LHA - AMFTP v1.75 HNY 97' Infected " link TBF-F175.LHA } @{" TBL-ABDU.lha - The Black Lotus 'Abduction' demo " link VHELP-40.txt } @{" Timezone.lha - HNY 96' Infected archive " link happy } @{" toolsd26.lha - CoP Trojan " link untested } @{" TP5-ANDR.lha - TP-5 Andromeda Demo Trojan " link TP5-ANDR.LHA } @{" TP5-PRLX.lha - TP-5 Parallax Demo Trojan " link TP5-PRLX.LHA } @{" TP5-SPAC.lha - TP-5 Spaceballs Demo Trojan " link TP5-SPAC.LHA } @{" TP5-TSL.lha - TP-5 Silents DK Trojan " link TP5-TSL.LHA } @{" TP5-TRSI.lha - TP-5 TRSI Trojan " link TP5-TRSI.LHA } @{" trc-resc.lha - Trojan " link untested } @{" TRSI-BV1DMS - Ebola Infected Archive " link Ebola } @{" TRSI-FT.LHA - Futuretracker Trojan " link Futuretracker } @{" TRSI-INS.lha - TRSi Installer Trojan " link Flake011.txt } @{" TRSI-vw5.lha - VirusWorkshop v5.0 Trojan (CoP) " link VWS50 } @{" TXC-Z11.lha - ZAP v1.1 Unpacker virus infected " link TXC-Z11.LHA } @{" USX-SCFN.lha - HNY 96' Infected archive " link happy } @{" VCHCK660.lzx - Virus_Checker v6.60 Trojan " link VCHCK660.lzx } @{" VcKey110.lha - MakeKey v1.10 For Virus_Checker " link VcKey110.lha } @{" VMK12.lha - VirusMemKill v1.2 Trojan " link VMK12.lha } @{" VZII_114.lha - VirusZ II v1.14 (Fake) " link VirusZII114 } @{" VZII_119.LHA - VirusZ II v1.19 (Fake) " link VZII_119.lha } @{" w9-sex.lzx - Happy New Year 98' Infected " link vhelp-58.txt } @{" XTRUDE35.LHA - Xtruder v3.5 Trojan " link vhelp-45.txt } @Endnode @node missing " Viruses that Virus Help Denmark is looking for!" After a big HD-Crash in October 1998, a lot of the viruses that Virus Help Denmark has been collecting over the years was lost. We use the viruses for testing of antivirus programs. Please help us.... If you find some of these viruses/trojans then, @{" Please mail them to us " link teamdk } or please upload them to one of our @{" Support BBS'es " link supportbbs }, the sysop will see that it get to us. We have recived a lot of the missing viruses, but we still need your help with the last viruses. Thanx must go to these fine guy's/girls' for sending a lot of the viruses: @{b}Dave, Torsten, Dennis, Morten, Buzz, Michael, Martin, Ram, VTC, Soenke, Jan, Markus, Georg@{ub} Here is a list of the missing viruses: Link-Virus: ----------- EF67A3C3 Irak 3 GlobVec LOBO Weird Prometheus Starcom 1 WECH Xeno 1 File Viruses: ------------- Aibon 2 Installer 2 Alien Life Form 1 Alien Life Form 3 BootJob Exe-BB BootShop Installer 2 Butonics 3,2 Centurions 2 Circle Of Power 10 (ToolsDeamon) Disk-Killer 1,0 General Hunter 3,2 H.N.Y. Clone H.N.Y. Clone Inst. Lha-Check 1,1 Nano 1 NoGuru 2,0 SehrJung LoadWB Str.Atmosphere Inst. 2 SysInfo 2,2 Tai-Pan BB Installer TFC Revenge LoadWB Timedate Installer Vera 2,3 XPR-Speeder 3,2 Send these viruses to @{" Virus Help Denmark " link teamdk } or Upload them to one of our @{" Support BBS'es " link supportbbs } around the world. @endnode @node wanted " Virus/Trojan/Archives that we are looking for!" @{b}Virus/Trojan/Archives we are looking for, help us!@{ub} ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If you have some of these archives, please @{" send them to us " link teamdk}. Archive name - Kind - Size - Program info ----------------------------------------------------------------------------- aga_italy2.lzx Trojan 117026 Demo from AGA Italy, ruins rdb on hd's. etc!hd.lha Trojan ? Is said to be some kind of trojan. evilcomm.lha Trojan 40044 For Daydream BBS, corrupts hd's & fd's. flt1996.lha Trojan ? Fairlight 1996 production, Trojan. h&w-woda.dms Trojan ? Warrior of darkness AGA, hd formatter. patchhh.lzx Virus ? Install the Hitch Hiker virus. scansys.lha Trojan 12508 Fast optimizer for 68020-68030. srn-db33.lha Virus ? Contains a new link-virus. toolsd26.lha Trojan ? ToolsDeamon v2.6, COP Trojan. ----------------------------------------------------------------------------- Thanx to these guys/girls for sending archives: Ramon for cpu-nfot.lha, John for kilhitch.lha, Bruce for trc-resc.lha. @endnode @node untested " This Virus/Trojan has not been tested - Sorry" Hi All....... This trojan or virus has @{b}NOT@{ub} been tested. The reason for this is that we do not have this file/archive in our collection. Please mail it to us if you have it. No names will be written down, unless you want credit for it. It is only the virus that we are looking for. Name and adress will be in the trachcan, if you want it. @{b}Please... Help us to support the anti-virus programmers@{ub}. You can contact Virus Help Denmark, at @{" this adress " link teamdk}. -- Thanx for your help... Jan Andersen @endnode @node Ebola " Ebola linkvirus - Analysis By Markus Schmall"" This archive in infected with the @{b}Ebola@{ub} linkvirus, please read this analysis that @{i}Markus@{ui} has done: Entry...............: Ebola Virus Alias(es)...........: E1116 (to stay CAROconform) Virus Strain........: - Virus detected when.: 9/1995 where.: Germany Classification......: Linkvirus,memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: 1116 Bytes 2. Length in RAM: 3300 Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+) Computer model(s)...: all models/processors (MC68000-MC68060) --------------------- Attributes --------------------------------------- Easy Identification.: none Type of infection...: Self-identification method in files: - Searches for $ab1590ef at the end of the first Hunk. Self-identification method in memory: - Checks for $213f at offset -2 of the loadseg() function System infection: - non RAM resident, infects the following functions: Dos LoadSeg(), Exec FindTask() and Exec OpenResource() Infection preconditions: - File to be infected is bigger then 2500 bytes and smaller then 130000 bytes - First hunk contains a $4eaexxxx command in the 16 bit range to the end of the file (test for the first entry) - the file is not already infected (the at long of the end of the hunk) - HUNK_HEADER and HUNK_CODE are found Infection Trigger...: Accessing files via LoadSeg() Storage media affected: all DOS-devices Interrupts hooked...: None Damage..............: Permanent damage: - None Transient damage: - none Damage Trigger......: Permanent damage: - None Transient damage: - None Particularities.....: The crypt/decrypt routines are partly aware of processor caches. The cryptroutine are non polymorphic and only consists of some logical stuff. The virus uses some simple retro technics to stop viruskillers searching for Draco and possible for the HochOfen (Trabbi) Virus. Similarities........: Link-method is comparable to the method invented with the infiltrator-virus Stealth.............: No stealth abilities Armouring...........: The virus uses only a single armouring technique to confuse people. It only crypts it`s code based on the position of the rasterbeam. Comments............: The name EBOLA is the name of a virus, which humans can get infected with. CARO rules say, that no names of persons etc. may be used to call a virus, but I spoke to other persons and they already recognized this virus in this way. --------------------- Agents ------------------------------------------- Countermeasures.....: VW5.5 and VT 2.76 Countermeasures successful: All of the above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hannover, Germany 03.09.1995. Classification by...: Markus Schmall and Heiner Schneegold Documentation by....: Markus Schmall (C) Date................: September,03. 1995 Information Source..: Reverse engineering of original virus Copyright...........: This document is copyrighted and may be not used in any SHI publication ===================== End of EBOLA Virus ========================= @endnode @NODE Happy Entry...............: H.N.Y.96. / H.N.Y 97 Alias(es)...........: Happy_New_Year_96, Happy_New_Year_97 Known clones........: Aram Doll Virus detected when.: 11/1995 where.: Austria, Germany, Holland, Poland and USA Classification......: Link virus, memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: 540 Bytes 2. Length in RAM: 540 Bytes Happy New Year97 uses Filepart() instead of LoadSeg infection and the static length 628 bytes. All other commands are 100% equal. --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+) Computer model(s)...: all models/processors (MC68000-MC68060) --------------------- Attributes --------------------------------------- Easy Identification.: Text at the end of the first hunk: "Happy_New_Year_96" Type of infection...: Self-identification method in files: - Searches for $65772059 in the first Hunk. Self-identification method in memory: - Checks for $2f08 in the LoadSeg function System infection: - RAM resident, infects the LoadSeg() code of DOS library Infection preconditions: - device has more than 4 free sectors - file is longer than $960 bytes and shorter than $1e460 bytes - Hunk_Code is found in the area behind the HUNK_ header (NO CHECK FOR RUNAWAYS!!!) - The filename contains this not a "-" and does not contains ".l". This is probably to be secure no to infect a library. - $4e75 is found at the end of the first CODEHUNK or $4e75 is in the last $3f words of this hunk. Infection Trigger...: Accessing the volume Storage media affected: all DOS-devices Interrupts hooked...: LoadSeg() of DOS will be used for the infection code. The routine is a little bit buggy and trashes the a1 register. Damage..............: Permanent damage: - None Transient damage: - None Damage Trigger......: Permanent damage: - None Transient damage: - None Particularities.....: This virus uses no encryption routines to hide it`s code. The LoadSeg() patch isn`t 100% clear and trashes the adress register A1. Similarities........: Link-method is comparable to the Crime series. End of the first hunk will be the loc. for the virus and the last "RTS" will be replaced. Stealth.............: no stealth abilities found Armouring...........: The virus uses only some special adresscommands to confuse the AV people. Installers..........: DemoManiac 2.19 fake (dop-dm1.dms) DeTag0.63 (detag063.lha) --------------------- Agents ------------------------------------------- Countermeasures.....: VT 2.79, VW 5.8 Countermeasures successful: all of the above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: (C) Markus Schmall, Hannover, Germany Classification by...: Markus Schmall Documentation by....: Markus Schmall Date................: November,24. 1995 Information Source..: Reverse engineering of original virus Copyright...........: Markus Schmall, the VTC Uni Hamburg is allowed to use this document in their libraries. SHI is forbidden to use this document in any form. ===================== End of H.N.Y.96. Virus ============================ Notes about the known clones: Aram Doll is a normal linkvirus with 560 byte length. It`s not crypted and uses the LastAlert pointer of Execbase for the selfrecognition in memory. The LoadSeg patch differs a little bit. @ENDNODE @node Commander " Commander Infector" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!!WARNING !!! WARNING !!!@{ub} @{b}WARNING !!! WARNING !!!WARNING !!! WARNING !!!WARNING !!!@{ub} We have nok found the file that infects your systems with the Commander virus. The infector program is called: @{b}DENISTRO.EXE@{ub} I have two versions of this file, but they both installs the virus: 1.. It has a size of 66592 bytes. 2.. It has a size of 71800 bytes. Do not start this program, it will install the link part of Commander virus, and add 1664 bytes to your LoadWB command. This Virus has now been around for a few month, but now we know. Over 60 BBS'es in scandinavia has now been infected with this new virus. But thanx to the AntiVirusProgrammers that has updated there killers fast, to try and stop this virus. Thanx to: Kim B. Jensen - For sending my the 'Denistro.exe'. The installer of Commander is now on it's way to every well known anti-virus programmer. Regards _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ /____/ @endnode @node Surprise " Surprise Trojan at The Party 4" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!!WARNING !!! WARNING !!!@{ub} @{b}WARNING !!! WARNING !!!WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}TROJAN FROM 'THE PARTY 4' CALLED SURPRISE.EXE@{ui} --------------------------------------------- There is a new warning about a demo that damages your RDB Boot. (Great way of starting the new year) :-((((((((( This demo is called '@{b}SURPRISE.exe@{ub}', and has a size of 39296 bytes. It makes all your partitions on your HD into, one partition and calls it 'SUCK ME ORGANIZERS'. We think that it only makes damages on SCSI devices, but we are not sure about that. The demo was made at the 'PARTY 94' in Herning, Denmark. And was given to the organizers to compeat in the contest of the best demo. It did do some damage to there HD, but a guy (Benny) did restore there HD. We do not know if it was spred at the party. But if it was, please take care of this demo. This demo is on it's way to every wellknown antivirus programmer. Regards.... __ __ /// Jan Andersen FidoNet: 2:236/116.1 \\\/// VIRUS HELP AmyNet : 39:141/142.0 \XX/ DENMARK @endnode @node Addy " Addy v0.99 trojan" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!!WARNING !!! WARNING !!!@{ub} @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}DO NOT EXECUDE THE FILES FROM ADDY099.LHA@{ui} ----------------------------------------- Do NOT start the '@{b}ADDY0.99.Exe@{ub}', it will replace your startup-sequence and shell-startup, and add 656 bytes to your c:Dir command. Spread in the archive '@{b}ADDY099.LHA@{ub}'. It will change your startup.sequence with a new small one: Prompt "AfraId ?..tHe fReAk wAs hEre 2 dEvEstAte NDOS:>" Every time you run a shell it will add a line in your user-startup "Wait 5" and you will the the text above when you are rebooting. I do not know what it does to your 'C:Dir command', but if you have started this program up, the replace the 'c:Dir command', with a new clean one, form your WB disk's. It will work under KS 2.0 and 3.0, have not tested it under KS 1.3 yet. There is a "Readme" text in the archive, this is what is says: ///////////////////////// Addy Ver. 0.99 \\\\\\\\\\\\\\\\\\\\\\\\ WHAT THE FUCK IS IT ? A small BBS Add maker, for you guys to put in your .lha's :) This Programme is made by me, if you like it, tell me cause i've JUST started learning how to do make small programmes, if there are any bugs in it, please let me know, i can be found at the coolest bbs'es in Sw. ( Sorry about the lame doc, but i just can't wait to release my first programme ). Usage: If you cant figure this one out, you never will. Simply double click And follow the instructions. Easy Huh ? Known Bugs: NONE.. at all.. tested very well.. Wouldent want my first release to be crap.. would I ? Written By The Freak ! \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\//////////////////////////////// There is a FILE ID.DIZ to, here is the text: _________________________ : : | _____________________ | | \\\\\\\\\\/////////// | | \\Addy\ver./0.99/// | | \\\\\my\FIRST//// | | \\Release EVER/ | | \\\\\\/////// | | ~~~~~~~~~~~ | | - bY tHe FreAk - | | SysOp at | | Money Talks | | +44 ELITE ONLY | _________________________: ------ END ------- The archive is on it's way to every well known antivirus programmer in the world, thanx guys for the great job you are doing..... Thanx to Morph, for sending me this new 'Thing'. Regards _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ /____/ @endnode @node VirusZII114 " Fake VirusZ II v1.14" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!!WARNING !!! WARNING !!!@{ub} @{b}WARNING !!! WARNING !!!WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}FAKE VIRUSZ II v1.14@{ui} ====================== On Thursday 2-2-95, one of my users from Sweden uploaded a new version of @{b}VirusZ II v1.14, Released 2-2-95@{ub}, and it has a size of @{b}64664 bytes@{ub}. But it is a FAKE VERSION. In the doc' there was added new virus, but they was the same as in version 3.06 of the old VirusZ, and there was some new virus and here is a quote from the FAKE guide: - Added Commander2, Saur nh, and Recycle viruses! Thanks to Markus Schmall for sending them. - Added Big Bug, MixiMaxiMum '93, BootX Kisser and The Amiga Fucker 15.3 bootviruses. Thanks to Markus Schmall for sending them, as always!. I have called Markus on the phone, and he has never heard of these virus, But he told me that there has been a new release of VirusZ II, but the new original release is v1.13. Remember to check the 'ABOUT' gadget,the size of the file is stated there if the size is not right, do not use that version of VirusZ II. Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ /____/ @endnode @node commander2 " Commander Infector #2" @{b}VIRUS WARNING !!! - VIRUS WARNING !!! - VIRUS WARNING !!!@{ub} @{b}VIRUS WARNING !!! - VIRUS WARNING !!!@{ub} @{i}ANOTHER COMMANDER LINK-VIRUS INFECTOR@{ui} ------------------------------------- We have now found another program, that infects your systems with the Commander virus. The infector program is a Demo or an Intro. If someone knows the name and adress of the programmer of this program, please contact me. The name of the second installer is: @{b}"MY MAMA IS A VAMPIRE"@{ub} It can be found at two archives with the name: Title : @{b}dpl-mam1.dms@{ub} Size : 523162 Desc. : DuPlO DeMo DiViSiOn PrEsEnTs: - --> mY mAMA iS a vAMPiRE! (aGA oNLY) <-- - - --- * Version 3.0 (100% working!)-[1/2]- - Awesome texture effect! - Released 30 Oct 94 Title : @{b}dpl-mam2.dms@{ub} Size : 602250 Desc. : - --> mY mAMA iS a vAMPIRE! (aGA oNLY) <-- - - ---------- * Version 3.0 * ------------- - - - (100% bugfixed and fully working ----- - - -- version, packed in a NON corrupted -- - - --- archive this time!) ---------------- - ------------------------------------[2/2]- - Do not start this program, it will install the Commander virus, and add 1664 bytes to your LoadWB command. And infect everything that you will try to execute. Thanx to: Steffen Rabenborg - For telling me about the new installer. Peter Klein - For finding the new installer to me. The installer of Commander is now on it's way to every well known anti-virus programmer. Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ /____/ @endnode @node gath95 " Achtung.exe trojan (09.02.95)" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}DO NOT START 'ACHTUNG.EXE' FROM THE ARCHIVE 'GATH95-!.LHA'@{ui} ---------------------------------------------------------- There has just been released a archive called '@{b}GATH95-!.LHA@{ub}', there are one dectructiv program in the archive: Achtung 14032 Bytes Achtung.exe 14032 Bytes The FILE_ID.DIZ looks like this: +------------------------------------------+ |Virtual Dreams, Melon and Rage's New Intros +------------------------------------------+ [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%] THE GATHERING PARTY INVETATIONS. 3 OF THEM [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%] +------------------------------------------+ |The BEST CODE of 1994/95. Defintly! Get it! +------------------------{ cSo/ 'g5! }---+ This has @{b}NOTHING@{ub} to do with the 'Gathering 95' in Oslo.... Do not start the program 'Achtung.exe' and 'Achtung', will search for DH0:, and then make a lot of files starting with this: LAMER.AAAAAAAA 10240 Bytes (and then change the last letter B) LAMER.AAAAAAAB 10240 Bytes (and then change the last letter C) LAMER.AAAAAAAC 10240 Bytes (and then change the last letter D) And keep doing that until your HD is full. I have talked to a guy in Denmark, that has lost everything on his DH0 drive, and there was some damage to a lot of files, and the name of his system was renamed to 'LAMER:!!!!' due to this little sucker. And I have other reports about HD craches due to 'Achtung.exe'. I have tried it on floppy disks, and the one a called 'DH0:' was filled up with all of these 'LAMER.AAAAAAAA' 880 kb of them. I'm not gonna lose my HD trying to find out some more about this thing. The most improtant thing is: @{b}DON'T START THIS SUCKER !!!!!!!!@{ub} But this little thing is on it's to every wellknown antivirus programmer. Thanx to Brian Overby for the help.... Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ /____/ @endnode @node NComm " NComm v3.2 Trojan (23.03.95)" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}DO NOT START 'NComm v3.2' FROM THE ARCHIVE 'NCOMM32.LHA'@{ui} ---------------------------------------------------------- There has just been released a archive called '@{b}NCOMM32.LHA@{ub}', there are a dectructiv program in the archive: NComm 121896 Bytes (Packed with Stonecracker 4.04) NComm 226116 Bytes (Unpacked) The FILE_ID.DIZ looks like this: ******************************************** NCOMM V3.2 *CRACKED* KEYFILE CHECK REMOVED! ******************************************** The 'Sucker' started in the S: directory replacing the data's in EVERY file with the text '@{b}CIRCLE OF POWER 1995@{ub}', so the startup-sequence and rest of the files in the S dir was totally destroyed. All .info files will be replaced in the same way The archive is now on it's way to every wellknown anti-virus programer. Thanx to Jan Ravn, for sending the 'thing' to us.... Best Regards..... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/ @endnode @node lha30 " LHA v3.0 Trojan (27.03.95)" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}DO NOT START THE 'LHA v3.0' FROM THE ARCHIVE 'LHA30.LHA'@{ui} ---------------------------------------------------------- There has just been released a archive called '@{b}LHA30.LHA@{ub}', and there are a dectructiv program in the archive: "LHA3.0 69888 bytes (Packed with Stonecracker 4.04)" "LHA3.0 105808 bytes (Unpacked) The FILE_ID.DIZ looks like this: LHA 3.0 FROM STEFAN BOBERG The "Sucker" started in the S: directory replacing the data's in EVERY file with the text '@{b}CIRCLE OF POWER 1995:@{ub}', so the startup-sequence and rest of the files in the S dir was totally destroyed. The LHA3.0 looks a lot like the fake 'NComm 3.2', it does the same things to your HD and disk's. The archive is now on it's way to every wellknown anti-virus programer. Thanx to Kim B. and Flemming S., for sending the 'thing' to us.... Best Regards..... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/ @endnode @node CED4 " CygnusEd v4.00 - CoP Trojan - (27.03.1995)" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}DO NOT START THE 'CED4' FROM THE ARCHIVE 'CED4.LHA'@{ui} ---------------------------------------------------------- There has just been released a archive called '@{b}CED4.LHA@{ub}', and there are a dectructiv program in the archive: CED4 174500 bytes (Unpacked) The FILE_ID.DIZ looks like this: CYGNUS EDITOR V4.0 (MAIN) The "Sucker" started in the S: directory replacing the data's in EVERY file with the text '@{b}CIRCLE OF POWER 1995:@{ub}', so the startup-sequence and rest of the files in the S: dir was totally destroyed. This goes for all files in your 'DEVS:' directory to. The CED4 looks a lot like the fake '@{b}NComm 3.2@{ub}' and '@{b}LHA30.LHA@{ub}' it does the same things to your HD and disk's. Please take care, there is a lot of fake programs around, that does this thing. Checke everything before you start it. The archive is now on it's way to every wellknown anti-virus programer. Thanx to Kim B., for sending the 'thing' to us.... Best Regards..... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/ @endnode @node opus5 " DirectoryOpus v5.00 - CoP Trojan - (29.03.1995)" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING@{ub} @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}DO NOT START THE 'OPUS5' FROM THE ARCHIVE 'OPUS5.LHA'@{ui} ----------------------------------------------------------- There has been released a archive called '@{b}OPUS5.LHA@{ub}', and there are a dectructiv program in the archive: I have not seen the archive yet, but I have talked to some people that used this 'thing', and had there data files replaced, It does the same things that '@{b}NCOMM32.LHA@{ub}', '@{b}CED4.LHA@{ub}' and '@{b}LHA30.LHA@{ub}' it will replace the data's in EVERY file with the text: 'CIRCLE OF POWER 1995:' Please take care, there is a lot of fake programs around, that does this thing. Checke everything before you start it. If you find this program, please send it to me, or send it to all the well known antivirus programmers. Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/ @{" More information about the 'OPUS5.LHA' Trojan " link OPUS52 } @endnode @node opus52 " More information about the 'OPUS5.LHA' Trojan (04.04.95)" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING@{ub} @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} Hi All !!! I now know some more about the FAKE Opus v5.0, it has a size of 347308 bytes. The archive '@{b}OPUS5.LHA@{ub}' has a size of 464397 bytes, and in the FILE_ID.DIZ you can read: ------------------------------------------- DIRECTORYOPUS v5.0 ------------------------------------------- * Uses multiple processes for windows. * Full REXX support * Faster dir-routines. * Better archive handeling, supports LZX! ------------------------------------------- No anti-virus program can find this trojan yet, but I have tested it on all the wellknown killers, and there are only 2 that detects something yet, but this trojan is now on it's way to every wellknown anti-virus programmer @{b}VirusWorkShop v4.9@{ub}, can not find it yet, but will give you a requester saying that: "$3f0/$3f1/$3e8 Hunk at the beginning found" @{b}VT v2.71@{ub} can not find it yet, but will give you a requester saying that: "3E8-Hunk am anfang ist im file" Thanx to Kim B. for uploading this 'thing' to our BBS. Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/ @endnode @node Sinfo " About SInfo v1.0 - CoP Trojan - (11.04.1995)! @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}DO NOT START THE 'Sinfo v1.0' FROM THE ARCHIVE 'SINFO10.LHA'@{ui} ------------------------------------------------------------ There has been released a program called '@{b}SInfo v1.0@{ub}', do not start that program it will replace every file in your S:, Libs: and C: with a new file, with a size of 5 bytes, in this file you can read 'cop!'. This is another program from '@{b}CIRCLE OF POWER!@{ub}', the same lamer that has written '@{b}NComm32.LHA@{ub}', '@{b}OPUS5.LHA@{ub}', '@{b}LHA30.LHA@{ub}' and '@{b}CED4.LHA@{ub}'. There is another thing, SInfo v1.0 will ask for 'SINFO.library', and the library is in the archive, BUT it is not 'Sinfo.library', it is the reel 'Bootblock.library v3.1' from SHI, why this ???????? SInfo v1.0 is spread in a program called '@{b}SINFO10.LHA@{ub}', and has a size of 4432 bytes The main program has a size of 2552 bytes. In the FILE_ID.DIZ you can read: .------------------------------------------. | SYSTEMINFO V1.0 BY JURGEN HUNSMANN 1995! | | A VERY GOOD REPLACEMENT OF THE INFO CMD! | `----------------------------------(baron)-' In the DOC you can read this: ---------------------------- QUOTE START --------------------------------- TYPE: SystemInfo ala INFO DESC: Will list all devices available on you're system. AUTH: J rgen H nsmann DATE: 01-Apr-95 MAIL: jh@grafix.xs4all.nl FIDO: 2:286/407.19 SInfo v1.0 DOC! ~~~~~~~~~~~~~~~~~ It works just like the WorkBench Info command, but has some features not found in the default INFO command. 1) It will show Meg/Kilo/Bytes left on the device instead of blocks. 2) It is ALOT faster 3) It shows assigns 4) Can force devices to be validated! Contact me at the addresses above! ---------------------------- QUOTE END ----------------------------------- This new '@{b}CIRCLE OF POWER!@{ub}' thing, is on it's way to every wellknown anti- virus programmer. And to the 'COP!' programmer, STOP the shit you are doing, you must have a big problem somewere. Thanx to Kim B. for uploading this to my BBS. Regards... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/ @endnode @node Creator " Creator v1.0 - Trojan - (18.04.1995)" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}DO NOT START THE 'CREATOR' FROM THE ARCHIVE 'CREATOR.LHA'@{ui} --------------------------------------------------------- In the last day or two, a lot of people have uploaded a small program to 'Virus Help BBS' with the name '@{b}cREATOr v1.0@{ub}', it is stated in the doc that it is a program, that will you choose how fast your HD shall run after every reset. BUT if you run it, it will start to format your hard- disk. The doc says nothing about this. Here is some info about the program: Archive name......: @{b}CREATOR.LHA@{ub} Archive size......: @{b}2757 bytes@{ub} Files in archive..: @{b}CREATOR.DOC 1124 bytes@{ub} @{b}FILE_ID.DIZ 484 bytes@{ub} @{b}C:CREATOR.SCR 40 bytes@{ub} @{b}S:CREATOR.DAT 2880 bytes@{ub} The FILE_ID.DIZ looks like this: ******************************************* * cREATOr V1.0 (C) 04-10-95 * * * * Thiz Powerful Tool Will Let You Choose * * How Fazt Your HD (Mili Seconds) Shall * * Run After Every Reset !!! Normally Thiz * * Is Only Possible With SCSI-2 HD's And A * * Fazt CPU (020/030/040) But After 1 Year * * Of Hard Coding I've Developed This Good * * Product Which Should Run On All AMIGAS! * ******************************************* So @{b}DO NOT@{ub} start this thing, you will loose your HD. This thing is on it's way to every wellknown antivirus programmer, who will accept new virus from 'Virus Help'. Thanx to everybody that has uploaded this thing to our BBS. Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:235/112.0 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/ @{" More about the 'Creator' Traojan " link Creator2 } @endnode @node Creator2 " More about the Creator trojan - 18.04.1995)" Hi All...... Hmmmmmm, there has been another release of the CREATOR trojan, but there is something wrong again. Again the doc' states that it will let you choose how fast your HD shall run after every reset. But if you try to start the program, you will asked to write 'FORMAT' in a shell, and that would be a stupid thing to do, right ???. This 'new' update will NOT work at any of my Amiga's, so there for I can not tell you what it will do, but I have people testing it right now. Here is some info about the program: Archive name......: CREAT_11.LHA Archive size......: 2757 bytes Files in archive..: CREATOR.DOC 1124 bytes FILE_ID.DIZ 484 bytes C:CREATOR.SCR 40 bytes S:CREATOR.DAT 2880 bytes The FILE_ID.DIZ looks like this: ******************************************* * cREATOr V1.1 (C) 04-11-95 * * * * Thiz Powerful Tool Will Let You Choose * * How Fazt Your HD (Mili Seconds) Shall * * Run After Every Reset !!! Normally Thiz * * Is Only Possible With SCSI-2 HD's And A * * Fazt CPU (020/030/040) But After 1 Year * * Of Hard Coding It Works Very Fine !!! * * FIX VERSION - FIXED VERSION - FIXED VER * ******************************************* This thing is on it's way to every wellknown antivirus programmer, who will accept new virus from 'Virus Help'. Thanx to everybody that has uploaded this thing to our BBS. Regards.... Jan Andersen. @endnode @node Futuretracker " FutureTracker - CoP Trojan - 19.04.1995)" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}DO NOT START THE 'FUTURETRACKER' FROM THE ARCHIVE 'TRSI-FT.LHA'@{ui} --------------------------------------------------------------- Okay there is another '@{b}Circle Of Power@{ub}' trojan around. This time it is in a fake ProTracker called 'FutureTracker'. It will do the same thing as the other trojans that '@{b}CoP@{ub}' has released in the last month, only this time it will rewrite every file in DEVS:, L:, and S:, with another file where you can read this: @{b}[cOp]: Khanan / Circle Of Power :[cOp]@{ub} This time the 'thing' will show a text on the screen (See the Iff.Pic in this archive). Here is what it says: @{i} - - - - - - - - - - - - - - - - START - - - - - - - - - - - - - - - - - -@{ui} .cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp cIrcle of pOwer'95 .cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp --[==================================================================]-- Sweden's no.1, "CIRCLE OF POWER" rammed yer arse again!! Have phun retyping all those valueble config's. haha! Fuck you all! -^( THE TERROR WILL NEWER STOP, PHEAR THE MIGHTY COP! )^- --[==================================================================]-- [kHANAN/cOp] @{i} - - - - - - - - - - - - - - - - - END - - - - - - - - - - - - - - - - -@{ui} This text will come to your screen when 'FutureTracker' is replacing the files on your harddisk. Here is some info about the program: Archive name......: @{b}TRSI-FT.LHA@{ub} Archive size......: @{b}278290 bytes@{ub} Files in archive..: @{b}FutureTracker 317608 bytes@{ub} @{b}FILE_ID.DIZ 360 bytes@{ub} @{b}FutureTracker.cfg 1065 bytes@{ub} @{b}FutureTracker.doc 90 bytes@{ub} The FILE_ID.DIZ looks like this: _ _ __________________________- --. .--------\\\\_ ___/___ / ______/--^-|. | bACk tO | | __/ _/______ \ |: | tHe rOOTs l____|___/ \_________\____|| |-------------------/_______\----------cDr-| | FutureTracker - ProTracker Clone by PSI! | | 6 channels, 256 samples, full MIDI port! | `------------------------------------------' This thing is on it's way to every wellknown antivirus programmer, who will accept new virus from 'Virus Help'. Thanx to Kim B. for uploading this thing to our BBS. Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:235/112.0 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/ @endnode @node VWS50 " VirusWorkshop v5.0 - CoP Trojan - 21.04.1995" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}DO NOT START THE 'VIRUSWORKSHOP' FROM THE ARCHIVE 'TRSI-VW5.LHA'@{ui} ---------------------------------------------------------------- There has just been released a @{b}FAKE@{ub} version of '@{b}VirusWorkShop v5.0@{ub}', when you try to run the program, some music will start, and that is all that I can find out. I can not se that it writes anything to any drives. But I'll let some others, test it on there systems. I can tell you, that Markus Schmall has @{b}never@{ub} made a version 5.0, and that he @{b}never@{ub} will release VirusWorkShop with the version string v5.0 This is said to be antoher '@{b}COP' (Circle Of Power)@{ub} release, but I can not get it to infect my system. Here is some info about the program: Archive name........: @{b}TRSI-VW5.LHA@{ub} Archive size........: @{b}221737 bytes@{ub} VirusWorkShop Size..: @{b}135744 bytes@{ub} The FILE_ID.DIZ looks like this: _________________ ____________ \ . ___.___._ \/ ____/_____) TRiSTAR & \/| .| | | _/_____ \| | || | : V \\ || RSi |___| |___|___\______/_____| +*#*+ |____\ +*#*V +*#*+ PRESENT! VIRUS-WORKSHOP 5.0 This thing is on it's way to every wellknown antivirus programmer, who will accept new virus from 'Virus Help'. By the way.. The newest version of VirusWorkShop at this date is v4.9, and the size is 136556 bytes. Thanx to Kim B. for uploading this thing to our BBS. Regards.... _________ _ @{b}Jan Andersen@{ub}. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:235/112.0 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/ @endnode @node ABASE " ABase - Saddam Infected Archive - (22.04.1995)" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}THE ARCHIVE 'ABASE.DMS' IS INFECTED WITH SADDAM VIRUS@{ui} ----------------------------------------------------- There has been spread a demo version of a program with the name '@{b}ABASE@{ub}', it is an adress base from Poland. This archive contains the @{b}Saddam virus@{ub} which is inside the '@{b}l:Disk-validator@{ub}'. This info is for the Amiga user that still runs with KickStart 1.3, that is because that Saddam Virus can not run under kickstart 2.0 -> 3.1. Here is some info about the program: Archive Name.......: @{b}ABASE.DMS@{ub} Archive Size.......: @{b}222609 Bytes@{ub} ABase program......: @{b}83096 Bytes, PowerPacked (138332 Bytes Unpacked)@{ub} Saddan Virus.......: @{b}L:Disk-Validator (1848 bytes).@{ub} Again thanx to Kim B. (Great Virus-Hunter)..... Regards... _________ _ @{b}Jan Andersen.@{ub} ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:235/112.0 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/ @endnode @node CCHack " CarlingCard Hacker - Trojan - 02.05.1995" @{b}WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING@{ub} @{i}DO NOT START THE PROGRAM 'CCHACK2.exe'@{ui} -------------------------------------- There has been released a program that is said to be a @{b}CallingCard Hacker@{ub}, if you start the program it will look for a BBS: assign, and then read the user.data file. This textstring is coded in the the file. Why a hacker program for CallingCards, want to read the 'BBS:User.Data', I do not know, but do not trust this program.... Here is some info about the trojan: Name.....: @{b}CCHACK2.exe@{ub} Size.....: @{b}11216 Bytes (unpacked)@{ub} If you start the program this will be displayed: @{b}MCI CallingCard Hacker by ByTePaCkEr/Finland 1995@{b} @{b}Usage: CChack2.exe <CALLINGCARD.NR.>@{ub} VT v2.72 will find this 'thing', but in the doc to VT, Heiner states that the file has a size of 11368 Bytes (unpacked), so maybe there is an other version of this trojan, and maybe the name of this is 'CCHACK.EXE', I do not know. This 'thing' is on it's way to every wellknown antivirus programmer, that will accept new virus from us. Thanx again to Kim B. a great virushunter, for uploading it to us..... And to Markus Schmall for the first info about this 'thing'... Regards.... _________ _ @{b}Jan Andersen@{ub}. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:235/112.0 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/ @endnode @node Amiekspress " AmiExpress v5.0 - CoP Trojan - 03.05.1995" @{b}WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING@{ub} @{i}DO NOT START THE 'Acp' FROM THE ARVHIVE 'PSG-AE5.LHA'@{ui} ----------------------------------------------------- There has been released a program that is said to be a new version of the BBS program @{b}AmyExpress v5.0@{ub}, but it is another '@{b}Circle Of Power@{ub}' trojan, it will replace every file in DEVS: and S: dir, with a textfile where you can read: @{b}[cOp]: Khanan :[cOp]@{ub} Inside the fake 'AmiExpress v5.0' file 'Acp', you can read this is the ASCII text: @{b}$VER: ACP V5.0 (C)-95 JOSEPH HODGE@{ub} In the File_ID.Diz, you can read: AmiExpress v5.0 If you start the program, a shell window will pop up, where you can read this: [cOp]: The Circle Of Power did it AGAIN! :[cOp] [cOp]: :[cOp] [cOp]: THE TERROR WILL NEVER STOP, PHEAR THE MIGHTY COP! :[cOp] Here is some info about the archive it is spread in: Archive Name..: @{b}PSG-AE5.LHA@{ub} Archive Size..: @{b}71982 Bytes (Striped For BBS adds)@{ub} Trojan Name...: @{b}Acp@{ub} Trojan Size...: @{b}71904 Bytes@{ub} Someone must know this '@{i}Khanan@{ui}' or other members of '@{i}COP@{ui}'. If you know anything about these stupid guy's, please contact us.... This 'thing' is on it's way to every wellknown antivirus programmer, that will accept new virus from us. Thanx again to Kim B. for uploading this 'sucker' to our BBS..... Regards.... _________ _ @{b}Jan Andersen@{ub}. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:235/112.0 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/ @endnode @node copkill " CoP Killer v1.1 - CoP Trojan - 20.05.1995" @{b}WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING@{ub} @{i}DO NOT START THE PROGRAM 'Copkiller' FROM THE ARCHIVE 'COPKILL1.LHA'@{ui} -------------------------------------------------------------------- Okay there is another '@{b}Circle Of Power@{ub}' trojan on the loose. This time it will rewrite the files in DEVS:, and in the new file you can read this: @{b}[cOp]: Scotch & Khanan on tour '95 :[cOp]@{ub} Here is some info about the file it is spread in: Archive name: @{b}Copkill1.LHA@{ub} Archive size: @{b}9801 Bytes@{ub} Cop Trojan : @{b}Copkiller (8428 bytes)@{ub} In the FILE_ID.DIZ you can read this: @{i}>--------- FILE_ID.DIZ START --------------<@{ui} _____ ______ ___ DIRECT UPLOAD FROM __/ ___// / // /\ SAFE HEX \___ // _/ // / / INTERNATIONAL / / // __ // / / ------------- /____//__/__//__/ / AGAIN A NEW TOP-HIT! \____\\__\__\\__\/ ------------- ->> PRESENTS C.O.P. Killer v1.1 <<- An excellent trojankiller that recognises the new encoding system used by C.O.P. Also read about the SHI reward >$5000< for the name of a virus programmer. Update 18-05-95 @{i}>--------- FILE_ID.DIZ END ----------------<@{ui} But this is not a release from SHI..... This 'sucker is now on its way to every antivirus programmer, that will accept new virus from 'Virus Help Denmark'. Thanx to Bahrat Asar for uploading this 'sucker' to our BBS. Regards..... _________ _ @{b}Jan Andersen.@{ub} ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:235/112.0 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/ @endnode @node MST-CA12.LHA " Callerslog v1.2 - CoP Trojan - 30.05.1995" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}DO NOT START THE PROGRAM 'CALLERSLOF.SFX' FROM THE ARCHIVE 'MST-CA12.LHA'@{ui} ------------------------------------------------------------------------- There has been found a new '@{b}COP@{ub}' trojan in a fake program. It was released about the 28'th of May. Here is some info about the trojan: Archive Name: @{b}MST-CA12.LHA@{ub} Archive Size: @{b}19349 Bytes (Ripped for BBS add's)@{ub} Trojan Name : @{b}cALLERSLOG.SFX@{ub} Trojan Size : @{b}8428 Bytes (Is not a SFX. Archive)@{ub} @{i}Here is what the File_ID.DIZ will tell you:@{ui} .--------[____ mYSTIC ____]--------. |__ ______\ \____ / /_________|____ / | \ / /___/_/ ___/______/ ___/__ / \___ /____ \ \ / \ \ / \___\/ /____/ / /______/_____/______/ | /___/ \________/AdN! _|_ | \_/ | cALLERSLOG 1.2 fOR lOGIC bBS | | 100% fIXED - iNC iFF sCREENsHOT | | | `-[LoGIC DeVELOPeMENT]-[/X cOMPAT]-' This new trojan will replace everything in your DEVS: dir. With a text 41 bytes long, where you can read this: @{b}[cOp]: Scotch & Khanan on tour '95 :[cOp]@{ub} This new '@{b}COP@{ub}' trojan is now on it's way to every wellknown antivirus programmer that will accept new virus from Virus Help Denmark. Thanx again to KIM B. for uploading this our BBS. Regards.... __ __ /// @{b}Jan Andersen@{ub} FidoNet: 2:235/112.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ @{b}VIRUS HELP DENMARK@{ub} VirNet : 9:451/247.0 @endnode @node TRSI-INS.LHA " TRSI Installer - CoP Trojan - 10.06.1995" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} There has just been released another Trojan. It was uploaded to a BBS in Sweden by @{b}Gryzor@{ub} (@{i}Member of Circle Of Power@{ui}). The name of the archive is: @{b}TRSi-INS.LHA@{ub} @{b}(Size about 40000 bytes)@{ub} The FILE ID.DIZ says that this is an installer for several games. @{b}But TRSI has nothing to do with this sucker.@{ub} We can at this time not say anything more about this trojan, bacause we have written this warning out of a phone call from Markus Schmall, but we will here more when Markus has tested this thing. Regards.... __ __ /// @{b}Jan Andersen@{ub} FidoNet: 2:235/112.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ @{b}VIRUS HELP DENMARK@{ub} VirNet : 9:451/247.0 @{" Click here " link Flake011.txt } to read Markus Schmall's test of the archiv. @endnode @node VCHCK660.lzx "Virus_Checker v6.60 - Trojan - 27.07.1995" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}Hi All.....@{ui} There has just been found a fake @{b}Virus_Checker v6.60@{ub}. Do not use this trojan at all. The VC.guide is just a rewritten v6.57. Here is some info about the sucker: Archive name... : @{b}VCHCK660.lzx@{ub} Archive Size... : @{b}About 122.000 bytes (Ripped for BBS adds)@{ub} VC v6.60 Size.. : @{b}52400 bytes@{ub} @{i}The newest version of Virus_Checker is at this time v6.58 (Brain v1.20)@{ui} This new trojan is on its way to every wellknown antivirus programmer, that will accept new virus and trojan from us. Regards.... __ __ /// @{b}Jan Andersen@{ub} FidoNet: 2:235/112.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ @{b}VIRUS HELP DENMARK@{ub} VirNet : 9:451/247.0 @endnode @node ORS-QBD.LHA " QuarterBack Tools Diamond - CoP Trojan" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}Hi All...@{ui} There has been released a new @{b}COP trojan@{ub}. This time it is a fake 'QuaterBackTools'. This thimg will replace everything in your S:, LIBS;, BBS:, m.m with a text string of 75 bytes. @{i}The file_id.diz of this trojan looks like this:@{ui} ____ ___ ____ _ ___ ___ ____ ::::: / . \_/ ___)_/_)/ .__)(___)/ ___)::::. :::::/ \___ \ \ \/ \___ \::::: :::::\_____/___ /_ /__| \_ /___ /::::: `--[RD10/CodX] \/--\/-- ____\\/--- \/---' QUARTER BACK TOOLS DIAMOND SUPPORTS AFS FILE SYSTEM, XPK PARTITIONS, REORGANIZES BETTER THEN REORG, AND USES A SAFETY DISK WHEN REORGANIZING! NO CRASH! RELEASED BY : ERICO / OSIRIS Info about the trojan: Archive name: @{b}ORS-QBD.LHA@{ub} Archive Size: @{b}About 128654 Bytes@{ub} Trojan Name : @{b}QBTools3@{ub} Trojan Size : @{b}227716 Bytes@{ub} This new trojan is on its way to every wellknown antivirus programmer that will accept new virus from Virus Help. Regards.... __ __ /// @{b}Jan Andersen@{ub} FidoNet: 2:235/112.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ @{b}VIRUS HELP DENMARK@{ub} VirNet : 9:451/247.0 @endnode @node DM51 " Diskmaster v5.1 - CoP Trojan - 04.11.95" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}Hello everybody.....@{ui} The mad guys from '@{b}Circle Of Power@{ub}' is back. This time it is a faked program called 'DiskMaster v1.4'. It will replace files in LIBS:, DEVS:, S:, with a new file with the length of 41 bytes, and in this file you can read this text: @{b}FausT / cIRCLE oF pOWER'95 - TRUE POWER!@{ub} The file_id of this program look's like this: _________ _ ____/"""./###/____)\_____________ /"""/ //_______ /"""/""./"___/_ / / //"""/" / // / //____ \_ \ // / ____/ / //""""/X\@!/ \_____/\__/___/ ""\______/_________/ --><!VIRUS!<></____/-><>-!WARNING!-<><-- Brought To You Diskmaster V5.1 Debugged And Updated With VirusX2.4 VirusKiller!! >>>----------------------------------<<< This is nothing that Virus_Help has anything to do with. But I'm sure that you all know that by now. This littel 'sucker' is on it's way to every wellknown anti-virus programmer that will accept new virus from Virus Help Denmark. Regards.... __ __ /// @{b}Jan Andersen@{ub} FidoNet: 2:235/112.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ @{b}VIRUS HELP DENMARK@{ub} VirNet : 9:451/247.0 @endnode @node TP5-SPAC.LHA " TP-5 Spaceballs Demo - CoP Trojan - 29.12.1995" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}Hi All !!!!!@{ui} There is a lot of trojans comming right now from '@{b}The Party 5@{ub}', but I'm pretty sure that the files are from the '@{b}COP@{ub}' idiots. The archive '@{b}TP5-SPAC.LHA@{ub}' with a size about 45000 bytes (ripped from all BBS adds) the mainfile '@{b}TP5_Spaceballs.exe@{ub}' has a size of 38060 bytes. The program is trying to lock on NComm:, just like tha old @{b}COP@{ub} trojan's. Here is the FILE_ID from the archive: .------------------------------------------. | DIRECTLY FROM THE PARTY 5 | `------------------------------------------' .------------------------------------------. | | | Spaceballs 40k intro called | | 'Ice Frontier' | | | `------------------------------------------' Please do not start the program. The archive is on it's way to every wellknown anti-virus programmer that will accept virus from us. Thanx to 'Tauno Pinni' for bringing this to us...... Regards.... __ __ /// @{b}Jan Andersen@{ub} FidoNet: 2:235/112.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ @{b}VIRUS HELP DENMARK@{ub} VirNet : 9:451/247.0 @endnode @node TP5-ANDR.LHA " TP-5 Andromeda Demo - CoP Trojan - 29.12.1996" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}Hi All !!!!!@{ui} There is a lot of trojans comming right now from '@{b}The Party 5@{ub}', but I'm pretty sure that the files are from the '@{b}COP@{ub}' idiots. The archive '@{b}TP5-ANDR.LHA@{ub}' with a size about 47000 bytes (ripped from all BBS adds) the mainfile '@{b}TP5_Andromeda.exe@{ub} has a size of 40216 bytes. The program is trying to lock on NComm:, just like tha old COP trojan's. @{i}Here is the FILE_ID from the archive:@{ui} .------------------------------------------. | DIRECTLY FROM THE PARTY 5 | `------------------------------------------' .------------------------------------------. | | | Andromeda's 40k intro called 'feelings'. | | | `------------------------------------------' Please do not start the program. The archive is on it's way to every wellknown anti-virus programmer that will accept virus from us. Thanx to 'Tauno Pinni' for bringing this to us...... Regards.... __ __ /// @{b}Jan Andersen@{ub} FidoNet: 2:235/112.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ @{b}VIRUS HELP DENMARK@{ub} VirNet : 9:451/247.0 @endnode @node TP5-TSL.LHA " TP-5 Silents DK Demo - CoP Trojan - 29.12.1995" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}Hi All !!!!!@{ui} There is a lot of trojans comming right now from '@{b}The Party 5@{ub}', but I'm pretty sure that the files are from the 'COP' idiots. The archive '@{b}TP5-TSL.LHA@{ub}' with a size about 46000 bytes (ripped from all BBS adds) the mainfile '@{b}TP5_SilentsDK.exe@{ub}' has a size of 39440 bytes. The program is trying to lock on NComm:, just like tha old COP trojan's. @{i}Here is the FILE_ID from the archive:@{ui} .------------------------------------------. | DIRECTLY FROM THE PARTY 5 | `------------------------------------------' .------------------------------------------. | | | Silents DK's 40k intro called | | 'Byte Kitchen' | | | `------------------------------------------' Please do not start the program. The archive is on it's way to every wellknown anti-virus programmer that will accept virus from us. Thanx to 'Tauno Pinni' for bringing this to us....... Regards.... __ __ /// @{b}Jan Andersen@{ub} FidoNet: 2:235/112.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ @{b}VIRUS HELP DENMARK@{ub} VirNet : 9:451/247.0 @endnode @node TP5-PRLX.LHA " TP-5 Parallax Demo - CoP Trojan - 30.12.95" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}Hi All !!!!!@{ui} There is a lot of trojans comming right now from '@{b}The Party 5@{ub}', but I'm pretty sure that the files are from the '@{b}COP@{ub}' idiots. The archive '@{b}TP5-PRLX.LHA@{ub}' with a size about 41000 bytes (ripped from all BBS adds) the mainfile '@{b}TP5_Parallax.exe@{ub}' has a size of 39980 bytes. The program is trying to lock on NComm:, just like tha old COP trojan's. @{i}Here is the FILE_ID from the archive:@{ui} .------------------------------------------. | DIRECTLY FROM THE PARTY 5 | `------------------------------------------' .------------------------------------------. | | | Parallax's 40k intro called 'Cubic'. | | | `------------------------------------------' Please do not start the program. The archive is on it's way to every wellknown anti-virus programmer that will accept virus from us. Regards.... __ __ /// @{b}Jan Andersen@{ub} FidoNet: 2:235/112.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ @{b}VIRUS HELP DENMARK@{ub} VirNet : 9:451/247.0 @endnode @node TMTC90.LHA " TMTC90.LHA archive infected with virus - 30.12.1995" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}Hi All...@{ui} A new archive is now spread with an 'old' virus in it. The archive name is '@{b}TMTC90.LHA@{ub}'. The virus in the archive is '@{b}Disaster Master 2@{ub}', and it is in the @{b}C: dir.@{ub} in the @{b}cls command@{ub}. Every wellknown viruskiller can find this virus. Just make sure that you don't use or install the 'cls' command on your HD. @{i}The FILE_ID.DIZ look's like this:@{ui} _________________+ Ti/\/\eTr/\cE \______ ______/_________________ | _|__ +\______ ______/ + | | \+ _____| | + |___| \/ / | |_____/ /|_____| Released /_____/ Today Chicago 90 HD and AGA Fixed Done by >TORCH< Leader of TmT That is all for now.... Happy new year everybody.... Regards.... __ __ /// @{b}Jan Andersen@{ub} FidoNet: 2:235/112.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ @{ub}VIRUS HELP DENMARK@{ub} VirNet : 9:451/247.0 @endnode @node NC210.LHA " NC210.LHA/LZX infected with HappyNewYear Virus" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}Hi All...@{ui} A new archive is now spread with a virus in it. The archive name is '@{b}NC210.LZX@{ub}' or '@{b}NC210.LHA@{ub}'. The virus in the archive is the new link virus called '@{b}Happy New Year 96@{ub}'. At this time only 3 viruskillers can find this 'sucker'. @{b}VirusWorkshop v5.8... By Markus Schmall@{ub} @{b}VT v2.79............. By Heiner Schneegold@{ub} @{b}VirusZ II v1.27...... By Georg Hoermann@{ub} @{i}The FILE_ID.DIZ look's like this:@{ui} Get file description from comprograms + Name: @{b}NC210.lha@{ub} Path: @{b}Aminet/comm/misc@{ub} Best: @{b}Aces High SW, 5 Ndz@{ub} That is all for now.... Happy new year everybody.... Thanx to '@{b}ENZO@{ub}' for saving this for us....... Regards.... __ __ /// @{b}Jan Andersen@{ub} FidoNet: 2:235/112.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ @{b}VIRUS HELP DENMARK@{ub} VirNet : 9:451/247.0 @endnode @node SIGN.LHA " DanceModPoolTro.exe Virus infected - 05.02.1996" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}Hi All...@{ui} A new archive is now spread with a virus in it. The archive name is '@{b}SIGN.LHA@{ub}'. The virus in the archive is the new link virus called '@{b}Happy New Year 96'.@{ub} Archive Name.....: @{b}SIGN.LHA@{ub} Size.............: @{b}25261 bytes (Ripped for BBS adds).@{ub} Infected file....: @{b}DancePoolModTro.exe (25484 Bytes Packed with STC)@{ub} At this time only 3 viruskillers can find this 'sucker'. @{b}VirusWorkshop v5.9... By Markus Schmall@{ub} @{b}VT v2.80............. By Heiner Schneegold@{ub} @{b}VirusZ II v1.27...... By Georg Hoermann@{ub} @{i}The FILE_ID.DIZ look's like this:@{ui} .------------------------------------------. | f GHt AGA NSt | | FASC SM. | | | | fR ENDSh P RUlEZ... | | WORlDW DE !! | `------------------------------------------' !!sIGn&sPREAd!! That is all for now.... Happy new year everybody.... Thanx to 'Morten Johan Leerhoy' sending the archive to us... Regards.... __ __ /// @{b}Jan Andersen@{ub} FidoNet: 2:235/112.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ @{b}VIRUS HELP DENMARK@{ub} VirNet : 9:451/247.0 @endnode @node C!S-NS1.DMS " No Sense Magazine - Ebola Infected" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}Hi All...@{ui} A new archive is now spread with a virus in it. The archive name is '@{b}C!S-NS1.DMS@{ub}'. The virus in the archive is the '@{b}Ebola@{ub}' Link virus. Archive Name.....: @{b}C!S-NS1.DMS@{ub} Size.............: @{b}546381 bytes (DMS Packed)@{ub} Infected file....: @{b}No_Sence1 (60048 Bytes Packed with STC)@{ub} At this time only 3 viruskillers can find this 'sucker'. @{b}VirusWorkshop v5.9... By Markus Schmall@{ub} @{b}VT v2.80............. By Heiner Schneegold@{ub} @{b}VirusZ II v1.27...... By Georg Hoermann@{ub} @{i} The FILE_ID.DIZ look's like this:@{ui} ___________________________________________ _ _ , __ _ , __ | ) (_) ) (_/_ | ) ) (_/_ n o s e n s e m a g a z i n e - d i s k p u b l. a C - L O U S diskmagazine The First Issue of No Sense Magazine - Disk Publication (Includes Swedish chart.) ___________________________________________ Well, that is all for now..... Thanx to 'Kim B.' sending the archive to us... @{b}IMPORTANT:@{ub} Virus Help DK BBS, new phone number @{b}+45 4659 6867.@{ub} Regards.... __ __ /// @{b}Jan Andersen@{ub} FidoNet: 2:235/112.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ @{b}VIRUS HELP DENMARK@{ub} VirNet : 9:451/247.0 @endnode @node TXC-Z11.LHA " ZAP v1.1 Unpacker - Ebola Infected" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{i}Hi All...@{ui} A new archive is now spread with a virus in it. The archive name is '@{b}TXC-Z11.LHA@{ub}'. The virus in the archive is the '@{b}Ebola@{ub}' Link virus. Archive Name.....: @{b}TXC-Z11.LHA@{ub} Size.............: @{b}197233 bytes (LHA Packed)@{ub} Infected file....: @{b}UnARJ.... ( 9100 Bytes)@{ub} @{b}UnRAR.... (24176 Bytes)@{ub} @{b}Install.. ( 4132 Bytes)@{ub} At this time only 3 viruskillers can find this 'sucker'. @{b}VirusWorkshop v5.9... By Markus Schmall@{ub} @{b}VT v2.80............. By Heiner Schneegold@{ub} @{b}VirusZ II v1.28...... By Georg Hoermann@{ub} @{i}The FILE_ID. look's like this:@{ui} __ ______ __.__________ \// _). | )__) .__) .--/ / \ \ | \----------------. | / \_____/ |__/__|____/TOXiC GIVES YA: | |-\___/----- \_|---------------------------| | ZAP V1.1 *FREEWARE* | | EXTRACTS LHA/LZH/LZX/DMS/ARJ/ZIP/ZOO/RAR | | EASY GUI, PREFS EDITOR + SAVE PREFS | | FILE/DIRECTORY/DEVICE REQUESTERS | | ALL EXTRACTORS INCLUDED,STATUS DISPLAY | | NEW MANUAL + NEW INSTALLER + NEW ICONS | | PLAY MUSIC WHILE EXTRACTING | | FASTER SOURCE CODE, FASTER PROGRAM | `----TOXiC'S-2:ND-RELEAS-DOWNLOAD-&-TRY----' Well, that is all for now..... Thanx to 'Torben Danoe' sending the archive to us... @{b}IMPORTANT:@{ub} Virus Help DK BBS, new phone number @{b}+45 4659 6867.@{ub} Regards.... __ __ /// @{b}Jan Andersen@{ub} FidoNet: 2:235/112.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ @{b}VIRUS HELP DENMARK@{ub} VirNet : 9:451/247.0 @endnode @node ABLANK11.LHA " Amiblank Trojan - (Markus Schmall)" @{b}Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning !@{ub} @{b}ABlank11 Trojan:@{ub} ---------------- other possible names: KUK Crew Trojan Length: 1056 bytes (PP40 lib) or 1352 bytes unpacked Nothing tricky at all. It will be tried to initialize SYS: again and then to create several files (and dirs) on the device. Code isn`t that good written, equalities to existing trojans can be found, but I cannot remember which one exactly. Thanks must go to Jan Andersen and Flemming Slabiak sending me this one. Visible texts in the unpacked file: '> KUK CREW < A New and Evil Group has come t' 'o spread TERROR and DESTRUCTiON to the Amiga' ' Scene! HAHAHAaaaaaaaaaah',0 'dos.library',0 'SYS:',0,0 'KUK_CREW!',0 'KUK_CREW!:Haha!',0 'KUK_CREW!:Mr.Fitta_%ld',0,0 'KUK_CREW!:Dr.Klitta_%ld',0 'KUK_CREW!:Kuk+Fitta=Barn_%ld',0,0 'KUK_CREW!:Kiss&Bajs rNice_%ld',0 @{b}Greets Markus Schmall (Programmer of VirusWorkshop)!!!!!@{ub} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @endnode @node TP5-TRSI.lha " TP-5 TRSi Demo - CoP Trojan - 28.12.1995)" @{b}Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning !@{ub} @{i}Hi !@{ui} Warning ! The file "@{b}TP5-TRSI.lha@{ub}" contains a @{b}COP@{ub} trojan and it is NO TRSI release. In the file_id it`s said that this is a 40K intro from TRSi. It`s the same code as found in the pha-xmas.lha trojan. The file didn`t appear up to now (28.12. 19.00 o`clock) on german systems. The file was on some boards in Denmark. I have informed in a public letter the Aminet moderators, so that this thing will be hopefully not uploaded to it. The File_Id looked like this: .------------------------------------------. | DIRECTLY FROM THE PARTY 5 | `------------------------------------------' .------------------------------------------. | | | TRSI's 40k intro called 'Domination' | | | `------------------------------------------' Special thanks must go to Jan Andersen of Virus Help DK and Kim B. for the support. Thanks ! Greets @{b}Markus Schmall. (Programmer of VirusWorkshop)@{ub} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @endnode @node PHA-XMAS.lha "Phenomena DOS-Extender V1.1 - CoP Trojan - 24.12.1995)" @{i}Hi ! Back in the street...@{ui} @{b}Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning !@{ub} The archiv "@{b}PHA-XMAS.lha@{ub}" contains a new trojan. The code looks like the @{b}COP@{ub} trojans, but this time no word from them. Via the access of DosLists it will be tried to access the files and overwrite them with a $1f byte long string, which look like this: "+46-620-13141 - DUNGEON OF DOOM" A swedish number, I suppose. If the sys partition is protected, the following text will be up: @{b}'Phenomena DOS-Extender V1.1 ',$A9,'1993 by Photon'@{ub} @{b}'Unable to write Swapfile. Remove write-protection and retry'@{ub} @{b}'Creating new Swapfile. Please hold...'@{ub} Of course Photon has nothing to do with it. @{i}The FileID of this files looks like this:@{ui} .------------------------------------------. : Phenomena presents ' merry x-mas ! ' : : Pha's very last production on the Amiga! : : : : Code & Graphics : Photon, Color & Twins : : Music : Tip & Mantronix : `------------------------------------------' But it`s only a little lame trojan. The archive already popped up in Germany on 24.12., but the archive was corrupted. 2 days later I found it as intact archive on the D-o-E BBS, where I want to thank Mercury for his freedl, otherwise I wouldn`t have been able to analyse this one. Some people had real luck. E.g. Hitpoint downloaded the corrupted archive and could so not start the shit (hi Dieter !)... Ok, that is all for now, it`s morning time and I want to sleep... Greets @{b}Markus Schmall (Programmer of VirusWorkshop)@{ub} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @endnode @node SusiStepper "Susi_Drive_Stepper Trojan - (Markus Schmall)" @{b}Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning !@{ub} Hi ! I just recieved a new (old?) trojan, here the analyse of it: @{i}Susi_Drive_Stepper Trojan:@{ui} -------------------------- Filelength: @{b}904 bytes unpacked@{ub} Programmed in: @{b}Assembly language@{ub} Processors: @{b}MC68000-MC68040(?)@{ub} @{b}On MC68060 it did not work@{ub} Typ: Trojan This is a very easy programmed trojan. Via the use of Disk Resource it will be tried to access a device (0) and some IDs will be changed. The whole new "created" DiskResource struct is not correct and contains a lot of not understandable code. The trojan is not reset- proof, it just tries the above mentioned diskresource manipulation and some little hardwarehacks.The trojan selects unit 0 and steps with the head around. The direction will be changed at every loop and the head moves always one track. The timing is so bad managed, that the controller gets irritated and quits work temporarly. The name of the new created port is "susi". You can see at the end of the file some names, but nothing more. All in all a simple trojan. 0260: 00000000 00000000 00006469 736B2E72 ..........disk.r 0270: 65736F75 72636500 73757369 00616E64 esource.susi.and 0280: 72656100 76616C65 6E74696E 6100696E rea.valentina.in 0290: 67726964 00636872 69730000 0A000120 grid.chris..... @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} A special hello and thanks goes out to Jan Andersen for his really great help all the time and all his work. He sended me this trojan. Thanks Jan. - Merry X-mas to all of you - Have a nice christmas celebration time - Greets @{b}Markus Schmall (Programmer of VirusWorkshop)@{ub} @endnode @node vmk12.lha " VirusMemKill v1.2 Trojan - (Markus Schmall)" @{b}Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning !@{ub} @{b}vmk12.lha@{ub} (a file which came from an eastern country), which is said to be VMK 1.2 contains a new lame bootblockvirus. The maincode is @{b}3452 bytes@{ub} long and contains the old vmk + the installer for this little bb virus. Next versions of VT, VZ and VW will surely recognize it. signed @{b}Markus Schmall (Programmer of VirusWorkshop)@{ub} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @endnode @node HappyNew " Happy_New_Year_96' Link-Virus - (Markus Schmall)" Hi #? A new little linkvirus appeared yesterday on the gobal stations. It`s called @{b}HNY96 (Happy_New_Year_96)@{ub} and is @{b}540 bytes@{ub} long and infects normal executable files. The infection is done via LoadSeg(). We recieved this virus from the US, Holland, Switzerland and Germany. It seems to be on the wild, so there will be an update of VT very soon to kick the bastard. VW 5.7 is too new to stress the users with a 600 kb release again. Since the installer isn`t known, I will release a blockersystem in the coming days. Greets @{b}Markus Schmall (Programmer of VirusWorkShop)@{ub} @{b}P.S.: Ebola linkvirus is found in dvd!-def.lha. Don`t start it...@{ub} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @endnode @node M-hac.lha " ConMan 1995 link-virus - (Markus Schmall)" @{b}Warning ! M-hac.lha and Bloody.exe contain LINKVIRUSES ! BE CAREFULL !@{ub} Here a first BETA ANALYSE of it: @{i}ConMan 1995 Linkvirus:@{ui} ---------------------- Other possible names: @{b}M-Hac Virus, Bloody Virus@{ub} Detected in: @{b}M-hac.lha and Bloody.EXE@{ub} Detected when: @{b}August 1995/Germany SOS@{ub} Linking method: @{b}4eb9 (!!!!)@{ub} Resident: @{b}NO@{ub} Length: @{b}1836 bytes@{ub} This is a new type of linkvirus. There are 2 installers known yet. It simply creates a new process with the known @{b}CONMAN@{ub} code , but now with different names. @{i}Possible names are:@{ui} C:DIR ramlib Background_Process RAm L:FastFileSystem LIBS: gadtools.library Workbench DF0 addbuffers CON LIB:req.library CLI(0): no command loaded CLI(1): no command loaded Please note that several of this takss can appear in normal systems, too. The speciality of this virus is, that it uses a intern 4eb9 linker to link to files. Quite tricky. Viruskillers like VT, VZ_II and VW should so be able to detect the infected files. The linking routine knows the following hunksymbols: @{b}$3f2,$3f3,$3ec and $3eb.@{ub} The code is a little bit dangerous, but I will implent in VirusWorkshop a complete reverse analyzed routine, so it should be no problem to repair even not working infected files. The virus adds 4 hunks to the file and the linked code is partly packed. It is packed with StoneCracker 4.04 and then afterwards manipulated. @{b}The virus is not memory resident.@{ub} Some words about the installers: m-hack.lha FILE_ID.DIZ .-------------------------------. | MASTER AMIEX ONLINE PW HACKER | | PREVIOUS VERSION HAVE A BUG! | `-------------------------------' The programm hack (4388 bytes long) contains the trojan. bloody.exe FILE_ID.DIZ: NON DOS DISK READER >>>>-BEST! The programm is including this ID 25560 bytes unpacked long. Greets @{b}Markus Schmall (Programmer of VirusWorkShop)@{ub} @{b}P.S.: This analyse is copyrighted and strictly forbidden to be used in any SHI production....@{ub} @endnode @Node srn-db33.lha " Strange Atmosphere Link-Virus (02.03.96) - Markus Schmall" @{b}Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning !@{ub} The archiv '@{b}srn-db33.lha@{ub}' is a possible installer of a new linkvirus called @{b}Strange Atmosphere@{ub}. We have here the first infected files. The files become 1232 bytes longer and the linkvirus contains a destructive routine, which is able to format harddiscs. We will give you as soon as possible a viruskiller update, which can kill this little bastard ! Thanks to RD10/ORS for the testsamples and to Maestro for his general great work ! Greets @{b}Markus Schmall@{ub} @{i}(Programmer of VirusWorkshop)@{ui} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @{" Analysis made by Markus Schmall " link StrangeAtmosphereAna } @Endnode @Node StrangeAtmosphereana " Analysis of Strange Atmosphere link-virus" @{b}THIS IS A BETA ANALYSIS, WHICH BE CHANGE UNTIL THE FINAL RELEASE OF THE NEXT VIRUSWORKSHOP VERSION ! KNOWN INSTALLERS OF THE LINKVIRUS ARE: SRN-DB33.LHA AND TCR-RESC.DMS !@{ub} Entry...............: Strange Atmosphere Alias(es)...........: SA Virus (as called in VW) Virus Strain........: - Virus detected when.: 2/1996 where.: Germany Classification......: Link virus, memory-resident Length of Virus.....: 1. Length on storage medium: 1232 Bytes 2. Length in RAM: $2710 Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+) Computer model(s)...: all models/processors (MC68000-MC68060) Caches may cause problems during the decoding process --------------------- Attributes --------------------------------------- Easy Identification.: None Type of infection...: Linkvirus Self-identification method in files: - Searches for $1080402 at the end of the first codehunk Self-identification method in memory: - Checks for $3d385e29 at position -6 of the LoadSeg() adress System infection: - RAM resident, infects the LoadSeg() DOS function - DoIO() exec function and Coolcapture will be infected only under special conditions Infection preconditions: - File to be infected is bigger then $a28 bytes - The file is not already infected - HUNK_HEADER and HUNK_CODE are found - HUNK_HEADER structure is valid - There must be 4 free blocks on the disc - File is shorter than 290000 bytes - The lenght of the first hunk must be exactly the same as written in the hunkheader structure Infection Trigger...: Accessing the file Storage media affected: all DOS-devices Interrupts hooked...: None Damage..............: Permanent damage: - Files will be trashed (depends on the Rasterbeam) Devices will be overwritten (depends on the Rasterbeam) Transient damage: -System gets locked while reset and a new copperlist will be shown. Damage Trigger......: Permanent damage: - Internal counter Transient damage: - Internal counter Particularities.....: The crypt/decrypt routines are not aware of processor caches. The installer code in several files is working correct with higher processors. The linkcode checks for correct length of the first hunk to remove problems with extra ordinary packers. Similarities........: Link-method in the executable files is the simple "link behind the first hunk" method without any special tricks. Stealth.............: The viruses uses normal dos commands (no tunneling via packets) and normal DOS call watchers like SnoopDos can proof the infection behavior. There are no stealth routines build in. Armouring...........: The virus is only one armouring technique to protect it`s code. It uses a normal crypt routine to hide the viral structures. Heuristik checkers like the one in VirusWorkshop can find the dangerous parts and VW gives you the rating "Virus!". Name................: In the crypted part there is the following string: '-+* Strange Atmosphere [gOOd] *+-' If the internal counter reaches 50, the word "gOOd" will be replaced by "eVIL" and the destructive code will be activated. --------------------- Agents ------------------------------------------- Countermeasures.....: VW6.0 (VT follows soon) Countermeasures successful: All of the above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hannover, Germany 04.03.1996. Classification by...: Markus Schmall and Heiner Schneegold Documentation by....: Markus Schmall Date................: March 1996 Information Source..: Reverse engineering of original virus Copyright...........: Markus Schmall Special note........: Virus Test Center Hamburg and Virus Help Team DK are strictly allowed to use this analyse in their own productions. All other groups/institutions may please contact me first. ===================== End of Strange Atmosphere Virus =================== @Endnode @Node chkmount.lha " WireFace Trojan Type G - 09.08.1995 - (Test By Markus Schmall) A short beta analyse of the chkmount.lha trojan ! @{b}THIS IS COPYRIGHTED MATERIAL ! NOT ALLOWED TO BE USED IN ANY SHI PRODUCTION !@{ub} @{i}WireFace Trojan Typ G:@{ui} ---------------------- Found in : @{b}chkmount.lha@{ub} Type : @{b}destructive trojan@{ub} Protection : @{b}*Art@{ub} Filesize : @{b}4672 Bytes (partly packed)@{ub} This is another trojan from the @{b}WireFace series@{ub}. This trojan looks in parts like Biomechanic trojans, some byterow comparecode are for sure copied. I haven`t test up to the end, but the code looks like a comparable code as in the icond biomechanic stuff. If you start it and a destruction is not possible (devices not found) a text will be printed on screen saying several times: nugget@dataphone.se It has some visible texts at the end of the virus. The virus itself is protected and then afterwards packed with StoneCracker 4.04. The final filesize is 5868 bytes. The following devices are tried to be accessed and the 39 first sectors are going to be cleared: 'scsi.device' 'icddisk.device' 'oktagon.device' 'SoftSCSI_OktagonC9X.device' Other visible texts are: '(TrojanName: iLSKNA ANDREAS v1.1) WiREFACE / dEMONS oF tHE " " pENTAGRAM strikes again with another stunning release (trojan) " " hahaha. Send postcards, money, bugreports or COMPLAINTS' 'to me at this email adress: nugget@dataphone.se. CU in another relase!' 'nugget@dataphone.se' (This is the printed text) The programm looks like created with an old compiler. Some special 1.x programming technics are used, which won`t be used nowaday normally anymore. VirusWorkshop and VT will give you the warning, that a $3e8 hunk is in the file. This is the protection from the trojan. Simple, but effective. Something more to wonder about: I have downloaded this file from SOS at 8.8.1995. and I have only used the name MOUNT-972 in one warning in AMiganet and the german Z-net, so the viruscoder must read it, too. The trojan is supplied with a little documentation: Mount-972 Virus Checker ----------------------- by Robert Wolvestein (ao@dataphone.se) This small checker finds and eliminates the Mount-972 virus that resently popped up! The virus must have been spread via Aminet or thru BBS's coz it is EVERYWHERE, almost 40% of my 'scene-friends' had it in some way or another. Regards Robert. (ED: A cool fake, better play with your joystick) Greets.. @{b}Markus Schmall@{ub} @{i}(Programmer of VirusWorkshop)@{ui} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @Endnode @Node BIO-WARN.LHA " Flake013.txt Warning FAKE!! - 18.07.1996 - Markus Schmall" @{b}Warning !@{ub} It is said to be trojan in "@{b}BIO-WARN.LHA@{ub}". This is spreaded under the name of @{i}Virus Help Team Denmark@{ui} and contains a file called @{b}flake013.txt@{ub} and @{b}flake_killer_bio.exe@{ub} and advertisements from the ASYLUM bbs. The text flake013 is a analyse/warning from me, which was spreaded under the name of Virus Help Team DK some days ago. The executable file is not known to me. The upload user of the archiv is known (the handle) and we will force the sysop of Asylum to close this account. Greets @{b}Markus Schmall@{ub} @{i}(Programmer of VirusWorkshop)@{ui} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @{" Click here " link VcKey110.lha } to read the reel Flake013.txt @Endnode @Node VcKey110.lha " MakeKey v1.10 For Virus_Checker - 08.07.1995) - Markus Schmall" @{b}Warning !@{ub} @{b}VcKey110.lha@{ub} is a trojan ! DON~T START IT ! YOU HAVE BEEN WARNED ! Here is my BETA analyse of the file. @{i}VCKey 1.10 Trojan:@{ui} ------------------ other possible names: @{b}none@{ub} Kickstart: @{b}V37 and higher@{ub} Filelength: @{b}9088 bytes (partly packed)@{ub} found in/when: @{b}VkKey110.lha/Jul95@{ub} This is said to be a cracked keyfile creator for the wellknown Virus- Checker antivirusprogramm. @{i}The FILE ID looks like this:@{ui} MakeKey v1.10 Keyfilemaker for Virus Checker Cracked. -----------------------( EAGLE's NEST! )---- In reality this file contains a nasty trojan, which tries to format your SYS: device (DOS1 bootcode) and give it the new name "Snupp!". If I can read my autodocs correct, only a quickformat will be done. Try to use Disksalv to recover the data on your sys: device. In the unpacked code you can read: @{i}"WiREFACE / dEMONS oF tHE pENTAGRAM * WHiPPED YOUR HD, SUKKAH !! We Look " "Down Your Nose (Laughter)!"@{ui} The dangerous code was linked using the 4eb9 linking method on the normal makekey programm from the actual VirusChecker distribution. The dangerous code is packed with powerpacker 4.0 (5848 bytes long). This was probably done to shorten the whole file and to crypt the visible texts. The unpacked viruscode is 7588 bytes long. (Do you really think that such a lame protection can stop a good antivirus- researcher from doing its job ????) VT 2.74 and VW 5.2 atleast recognize a $4eb9 linker in the file. Another viruskiller, which claims to recognize 4eb9 files, does not detect it. @{i}There is a little document in this archive called MakeKey.readme:@{ui} ----------------------------------------------------------------- MakeKey v1.00 cracked... presenting MakeKey v1.10 :) This is a specially written program to allow users who have registered to make a keyfile from the information they recieve. *** But now you can enter any serial numbers you want ! *** ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ It can be run from SHELL or WORKBENCH and opens a GUI. It requires WB2.04 or better to run. Enter the data into the gadgets and click on MakeKey and the keyfile will be generated. Greets @{b}Markus Schmall@{ub} @{i}(Programmer of VirusWorkshop)@{ui} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @Endnode @Node GVP-HS15.lha " HardDiskSpeeder v1.5 GVP Inc. 1995 - Markus Schmall" @{b}Warning !@{ub} The archive "@{b}gvp-hs15.lha@{ub}" contains a new trojan ! Here is my first analyse: @{i}Kara Trojan Virus:@{ui} --------------------- Filelength packed: @{b}1460 Bytes (Rob Northern !!!)@{ub} @{b}1924 Bytes (unpacked)@{ub} Other possible names: @{b}GVP-HS15 Trojan@{ub} Works only with Kickstart 3.0 and ahead (V39 funtions will be used). Some other suspicius fact is, that the programm was packed using the Rob Northern cruncher, also called Propack. The file was afterwards modified a little bit, so that no existing depacker can unpack it. This trojan is programmed quite simple. The needed libraries will be opened and it will we checked for the old SnoopDos task. Then the file "s:nothere" will be tested. If it exists, no damage will be caused. Then a TimeDisplayAlert (timer some seconds) will pop up and show you: @{b}LMB> Kill system RMB>Reboot@{ub} The code analyzer behind is programmed like this: 1.If the user gave no input in the 5 seconds and/or presses the right mousebutton, the system will be trashed using some basic format and delete routines. 2.If the user presses the left mousebutton, then a ColdReboot will be performed. @{b}SO DON`T START THIS AND IF SUCH A REQUESTER APPEARS, THEN RESET YOUR AMIGA BY HAND !@{ub} The routine to show the Alert is a Kickstart V39 function. It will be not tested, if the used system is really V39 or higher. @{i}FileID of this archive (GVP-HS15.lha):@{ui} HardDiskSpeeder v1.5 GVP Inc. 1995 (a little cache program for HDs!) ... If you start the programm, it will show you the following text: 'HardDiskSpeeder v1.5 installed ...' If you start it using a "?", then the following text will show up: 'HardDiskSpeeder v1.5 by GVP Inc. 1995' The trojan tries to destroy the following directories and devices: dh0-dh4, hd0-hd4, l:, libs:, devs:, s: and c: The formatted new devices will have the name: '"Kara Virus strikes back"' Greets @{b}Markus Schmall@{ub} @{i}(Programmer of VirusWorkshop)@{ui} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @Endnode @Node Flake011.txt " TRSi Installer Trojan - Markus Schmall" @{b}Warning !@{b} The file @{b}TRSi-INS.lha@{ub} is @{b}NO TRSi release@{ub} and contains a fucking trojan ! In the middle of the 10.6.1995. one of our members (NIKE/TRSi) got a call on the BBS from a guy called @{b}GRYZOR@{ub}, who is supposed to be the leader of @{b}Circle of Power (COP)@{ub}, and this guy said to NIKE that TRSi is lame and such things. Later he uploaded there a file called TRSi-INS.lha to this board and NIKE wondered a little bit and contacted me and the other TRSi guys. So this virus is now (10.6.1995. 18:30 o`clock) about 6 hours old. Let us stop this bastard and finally get a solution for the COP problem (hi Apollo and Noise Belch). Here is my first analysis of the virus, which is a little bit short, but I ran totally out of time. Sorry dudes.. @{i}Biomechanic Trojan@{ui} ------------------ other possible names: @{b}TRSI-INS Trojan@{ub} Type: @{b}Destruction only@{ub} Destruction caused by: @{b}simple bytemodification@{ub} This is @{b}NO@{ub} TRSi release ! It is just a @{b}FAKE@{ub} ! In the File-ID it is stated that this are some hd installers for actual games. In real this is just a trojan, which will manipulate your files on your HD. The contents of the archive: @{b}ViroCop-HD_install.exe 5912 ----rwed 02-Sep-92 12:49:54@{ub} @{b}SWOS-HD_install.exe 9588 ----rwed 02-Sep-92 12:51:12@{ub} @{b}SensibleGolf-HD_install.exe 4776 ----rwed 02-Sep-92 12:51:24@{ub} @{b}Mortal-Kombat2-HD_install.exe 5512 ----rwed 02-Sep-92 12:50:12@{ub} @{b}MCI-CARDS4-FREE.EXE 5912 ----rwed 02-Sep-92 12:49:30@{ub} @{b}Embryo-HD_install.exe 6764 ----rwed 02-Sep-92 12:50:24@{ub} The virus is looking for a special enviroment and then manipulates the files: @{i}Here a original PGP signed message:@{ui} 0000: 89009502 05002FCF 1B5220F5 BA1075CB ....../I.R o 0010: 69450101 C11D03FF 7ED659E1 39C4AD2C iE..A...~ 0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14 IO..! 0030: D2B35295 5FFBE735 4E8070E1 A8C2C909 O3R._ 0040: 2235ABB5 BE37E843 79CCD140 7AA2ACA5 "5 @{i}Here the manipulated one:@{ui} 0000: 89009502 05002FCF 1B5220F5 BA1075CB ....../I.R o 0010: 69450101 C11D03FF 7ED659E1 39C4AD2C iE..A...~ 0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14 IO..! 0030: D2B35295 5FFBE735 4E8070E1 A8C2C909 O3R._ 0040: 2235ABB5 BE37E843 79CC0002 B37800A5 "5 CyI..3x. If you start the virus (it is in all the above listed files), a little text will show up: @{b}- b i o m e c h a n i c -@{ub} and the work begins. If the work is completed, the following text will be printed out, too: @{b}... trashed your hd ...@{ub} and a directory named "@{b}biomechanic trashed your hd !!@{ub}" will be created, which is empty. The code looks quite good. This is not the work of a real beginner. The guy behind has some programming knowledge. This way of programming is better than from the @{b}COP@{ub} viruses. The programm uses indirect adressing and a lot of stackusage, which cannot be done by a beginner (atleast I think so). Greets @{b}Markus Schmall@{ub} @{i}(Programmer of VirusWorkshop)@{ui} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @Endnode @Node VZII_119.lha " VirusZ II v1.19 FAKE - Markus Schmall) @{b}Warning !@{ub} A faked @{b}VirusZ_II 1.19@{ub} is going around. The filename is '@{b}vzii-119.lha@{ub}' and contains some parts of the actual @{b}vzii-118.lha@{ub} release from Georg Hoermann. The mainprogramm seems to be an older version of VirusZ with a filelength of 64664 bytes. I found no trojan in it. Please just delete the file. I called Georg and he told me, that he not released VirusZ_II 1.19 ! @{i}File ID of the fake:@{ui} _________ _ ____/"""./###/____)\_____________ /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ \ // / ____/ / //""""/X\@!/ \_____/\__/___/ ""\______/_________/ --><><><><><></____/-><>- Presents-<><-- VirusZ II v1.19 - (09.06.95) >>>----------------------------------<<< Probably just again somebody, who wants to destroy the good reputation of @{b}Virus Help and Georg Hoermann@{ub}. Greets @{b}Markus Schmall@{ub} @{i}(Programmer of VirusWorkshop)@{ui} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @Endnode @Node FileGhost3 " FileGhost 3 linkvirus - (06.1995) - Markus Schmall" @{b}WARNING !@{ub} @{i}Fileghost 3 Linkvirus:@{ui} ---------------------- @{b}MC68040 and MC68060: yes Kickstart V35 and above Patched vectors: DOS LoadSeg() Increases filelength by 1288 bytes Detected: Jun`95 in the south of Germany@{ub} This is another linkvirus out of the Fileghost series. This linkviruses just add their code to the end of the first hunk and then search for the last "rts" and modify it to a "bsr.b" to get activated. So the relochunks will stay unchanged. Differences to the previous versions of the virusfamily: @{b}1. Some more indirect adressing 2. Test, if SnoopDos (FindTask "SnoopDos") is active 3. It will be searched for 2 longwords in the first hunk@{ub} $53460C46 at offset $2A from the loadseg() memptr $2F49003C at offset $3A " " " If you know, which programm has such longs in the first hunk, please let me know. Thanks. 4. The cryptroutine is a little bit advanced. 5. The word $1994 will be used to check, if the virus already infected the LoadSeg() vector. This routine is comparable to Fileghost2 and to the Polygonifrikator viruses. 6. Depending on a spreading counter, the virus will set new windowtitles (see at the bottom of the description). The fileghost virus contains no destructive routine. As on every type of this type of virus, it is possible that programms, which need a 100% correct hunkstructure (e.g. some packers) will get problems and will not work. The virus is, in my opinion, not from the author of the last Fileghost viruses. This one has display routines and will be recognized by the infected user in this way very fast. The last versions of Fileghost just worked around in the background. @{i}New texts for the windowtitles:@{ui} ------------------------------- 'AUA! schlag nicht so auf die Tasten!' 'FileGhost3 - the nightmare continues!' 'Hallo DEPP!' 'Was machst Du denn als n chstes ?' 'Wei t Du eigentlich, da Du dumm bist ?' 'Und schon wieder eine Datei weniger!' 'Gib mir mal `n Bier!' tet alle Nazis + RAPER!' 'AMIGA kills PC! (HEHE)' 'INTeL Outside !' Greets @{b}Markus Schmall@{ub} @{i}(Programmer of VirusWorkshop)@{ui} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @Endnode @Node LZX130.lha "LZX v1.30 Trojan - 09.06.1995 - Test By Markus Schmall" @{b}Warning !@{ub} The file @{b}lzx130.lha@{ub} with the File ID: @{i}LZX Version 1.30 (Evaluation) Jun 5, 1995@{ui} and the following files: @{b}LZX_68040 65384 ----rwed Gestern 07:55:44 LZX_68020 64896 ----rwed Gestern 07:55:34 LZX_68000EC 67680 ----rwed Gestern 07:55:20@{ub} contains a @{b}COP@{ub} trojan ! Don`t start it, it will trash your HD ! It tries to fuck up the following dirs: @{b}'ncomm' 'bbs' 'devs' 'envarc' 'libs'@{ub} All files will be overwritten with the following text and NO rescue is possible: @{b}=CIRCLE OF POcER= [ THE RETURN OF THE POcER PEOPLE! PHEAR US! ]@{ub} The destruction routine is the same as in the last one and does not seem to be from a prof. coder. Greets @{b}Markus Schmall@{ub} @{i}(Programmer of VirusWorkshop)@{ui} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @Endnode @Node hackt.lha " ConMan Trojan - Test By Markus Schmall" @{b}Warning to all :@{ub} ---------------- Packing type: @{i}Turbo Squeezer@{ui} The archiv "@{b}hackt.lha@{ub}" contains a fucking @{b}CONMAN@{ub} trojan ! The archiv contains the file @{b}Hackt.exe@{ub}, which is Turbo Squeezed. packed: @{b}12692 Bytes@{ub} unpacked: @{b}12312 Bytes@{ub} It installs a new process with the name CLI(0):console.device and writes a new file called C:Iprefs. This Iprefs is packed several times and uses the 4eb9 linker method to unlink some strange stuff. packed: @{b}10820 Bytes@{ub} unpacked: @{b}14216 Bytes@{ub} The file itself contains an very old IPrefs and an, again packed, destructive virus from a guy called @{b}CONMAN@{ub}. It will try to destroy many sectors by filling them with the word "@{b}CONMAN 1995@{ub}". There is no rescue for such sectors. Due to no viruskiller for this bastard it is best for the infected users to do the following: Boot from the orginal WB disks and simply copy a new IPREFS to your HD and it should work again ! The ConMan viruses were mostly BBS hackers, now this guy reached a new dimension. I got yesterday a phonecall from an irritated user (someone of Krypton or so ?) and he told me about his file. He got it from a BBS in Berlin, which is thought to be the homeplace of @{b}CONMAN@{ub}. This guy told me that he had downloaded it around 6.4.1995, so this virus is on the wild. Sorry for this short analysis, I just got the thing packed in a warning from RD10/Osiris @{b}(NEVER SPREAD THE VIRUS IN A WARNING MAN ! IF YOU WANT TO DO SOMETHING GOOD, THEN DON`T SPREAD IT IN THIS WAY !)@{ub} and wanted to give you some information than RD10. It is weekend for me now, too and I want to go to a party, so wait for the first viruskillers to recognize this bastard. Greets @{b}Markus Schmall@{ub} @{i}(Programmer of VirusWorkshop)@{ui} Special hellos to IXXy and Simone.... @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @Endnode @Node Gath95-!.lha " Achtung.exe Trojan - 11.02.1995 - Test by Markus Schmall" @{b}VirusWarning ! VirusWarning ! VirusWarning ! VirusWarning !@{ub} The archiv @{b}Gath95-!.lha@{ub} contains a trojan ! @{b}DELETE IT !@{ub} @{i}Gath95-! Trojan:@{ui} ---------------- Filelength: @{b}14032 bytes unpacked@{ub} (crypted with a simple loop) other possible names: @{b}Achtung(.exe) trojan@{ub} This is a very simple trojan. It tries to format your dh0: using quick- format and afterwards it will be tried to fill your dh0: using files with the following names: dh0:lamer.aaaaa. The filesnames can differ in the last chars (possible to really fill up the drive). The trojan writes a new file with the name: @{i}"ram:verwirrung" (a german word, which means irritation)@{ui} The the executecommand for the quickformat will be started. The new name of the dh0: device is then LAMER. This trojan is much more dangerous than the ordinary quickformat stuff, because of the high amount of new written files (lamer.aaaax), the intern structures of the qickformatted directory will be changed and a data loss is in most cases not to prevent. This trojan was spreaded as intro for the @{i}Gathering`95 party in Oslo@{ui}. @{i}File_ID.DIZ:@{ui} +------------------------------------------+ |Virtual Dreams, Melon and Rage's New Intros +------------------------------------------+ [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%] THE GATHERING PARTY INVETATIONS. 3 OF THEM [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%] +------------------------------------------+ |The BEST CODE of 1994/95. Defintly! Get it! +------------------------{ cSo/ 'g5! }---+ Greets @{b}Markus Schmall@{ub} @{i}(Programmer of VirusWorkshop)@{ui} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} Special thanks to Mario/TRSi for keeping this virus for me ! Euronymous/TRSi for the warning ! Ixxy/TRSi for calling Mario @Endnode @Node dpl-dc99.lha " 27.02.1995 - Test by Markus Schmall" @{b}Warning !@{ub} Caution ! The file "@{b}dpl-dc99.lha@{ub}" contains a trojan, which can format your SYS: device. If you have started this one, then check your loadwb command. If it is @{b}2088 Bytes@{ub} long, replace it ! It is a new written command from the virus !!! Greets @{b}Markus Schmall@{ub} @{i}(Programmer of VirusWorkshop)@{ui} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @Endnode @Node cry_206.lha " DMS v2.06 Trojan - 11.02.1995 - Test by Markus Schmall" @{b}Warning !@{ub} The file @{b}cry_206.lha@{ub} is a trojan ! It contains the DMS 2.06 fake trojan like the @{b}DMS206.lha@{ub} archiv in the last week !!!! It`s a FastCall hacker ! Don`t start it ! Greets @{b}Markus Schmall@{ub} @{i}(Programmer of VirusWorkshop)@{ui} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @Endnode @Node Istrip21.lha " Istrip v2.1 Trojan - 17.02.1995 - Test By Markus Schmall" @{b}Warning !!@{ub} Caution ! The file "@{b}Istrip21.lha@{ub}" is a trojan and contains a BBS hacker ! Be careful and delete this file ! Greets @{b}Markus Schmall@{ub} @{i}(Programmer of VirusWorkshop)@{ui} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @Endnode @Node Pestilence " Pestilence Bootblockvirus 1.15 - 09.12.1994- Markus Schmall" @{b}Warning !@{ub} @{i}(This analyse was made in a hurry and is still beta!!!)@{ui} @{i}Pestilence Bootblockvirus 1.15:@{ui} ------------------------------- Kickstart 1.x : @{b}not working@{ub} Kickstart 3.1 and MC68040 : @{b}working@{ub} Patched vectors: @{b}Exec-Disable TD`s BeginIO Exec-Coldcapture Exec-KicksumData (not repairable) Intuition-DisplayAlert (not repairable)@{ub} First appearance (as far as I know): Heilbronn/Germany This is a new bootblockvirus with some nasty inner workings: The last both patched vectors cannot be repaired, because the virus does not store the original value. Sorry guys ! All other patched vectors can be corrected by VirusWorkshop. It crypts all read blocks (T-DATA) with an eor-loop. If the virus is active in memory, all crypted blocks will be decrypted online. If you remove the virus from memory, several checksum- errors will appear on your screen. VirusWorkshop 4.6 and higher are able to repair the crypted blocks, because there is no magic in this cryptroutine. Such routines (online-(de)crypting) were first seen on the AMIGA in the "Saddam" diskvalidator viruses and then in "The Curse of little Sven" bootblockvirus. The whole virus is crypted with a simple eor-loop and looks like the work from a quite sober`n clean programmer. At the end of the virus you can read (after decrypting it): @{b}'trackdisk.device' 'intuition.library' 'PESTILENCE v1.15 (c) 14/05/94!'@{ub} Greets @{b}Markus Schmall@{ub} @{i}(Programmer of VirusWorkshop)@{ui} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @Endnode @Node Removcmd.lha " Removcmd.lha Trojan - 26.10.1995 - Markus Schmall" @{b}Warning !@{ub} Warning ! The archive "@{b}removcmd.lha@{ub}" contains an installer for the @{i}Commander Linkvirus@{ui} ! This installer appeared around the globe around 24.10.1994. and is descriped as follows: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! Have you got probs. with the COMMANDER ! !! virus by Brian Blister? It's a link-vir ! !! that eats your mem like hell.. brand new! !! and not killable with VirZ or VirKiller ! !! or any other killer.. Except this one ! !! brought to you by Coma/FD and Bigmama/FD! !! Download and be happy!!!!!!!!!!!!!!!!!!!! @{b}Don`t start this file@{ub} ! It`s a installer for the fucking Commander Linkvirus, which can be removed 100% from VT 2.68 and VW4.3. The archive contains the file "@{b}kill@{ub}" with the filelength 2252 bytes ! This is the installer ! The virus first appeared in scandinavia and it`s spreading was nearly stopped by some motivated members of SHI (special hi in this case to @{i}Jan Andersen@{ui} and @{i}Bo Krohn@{ui}). Now the Commander virus is spreaden worldwide...... Greets @{b}Markus Schmall@{ub} @{i}(Programmer of VirusWorkshop)@{ui} @{b}(IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)@{ub} @Endnode @Node ebola2 " Ebola " linkvirus (17.04.96) - Markus Schmall)" Date: 17 Apr 96 6:18:37 Hi ! A new link-virus appeared called @{" BBS TRaveller " link lop_mi2.lha }. It`s an EBOLA clone with some codes from the 'Strange Atmosphere' link-virus. It only activates, if the following programms are not in memory: Virus_Checker SnoopDos (all versions) VirusZ II SetfunktionMananger VW-Save! If VT will be started, the virus removes itself. THERE IS NO INSTALLER KNOWN AT THE MOMENT ! So keep the eyes open ! Greets Markus Schmall (Progammer of VirusWorkshop). @Endnode @Node lop_mi2.lha " BBS Traveller linkvirus (19.04.96) - Markus Schmall" Warning ! A new linkvirus is out. The first known infected file is lop_mi2.lha. The FILE_ID.DIZ looks like this: . ____ .:: ______ / |.:::::' | __ \_ \ _|:: ::.::::. .-- \____:: :::: :: \ --. | `::::':: ::_____/ | | L P `::::' | | | | MASTER ISO 1.22 100% CRC | | THIS IS THE IMPROVED | | INTENSITY-VERSION ... | `------------------------------' The virus is linked on it normally. It doesn`t seems to be an installer, probably the guys behind it didn`t know about this infection. Emacs/TRSi got a call from Lenny Dee/Hf and gave me this archive. It seems to be spreaded global. Since a Hf guy tried this archiv before release 3 things for Hf Emacs checked for me this 3 releases and all of them were virusfree. ! Special thanks at this time to Lenny Dee/HF for the fast warning ! Ok, here the analyse of the little bastard: Entry...............: BBS Traveller Virus Alias(es)...........: Ebola-II Virus Strain........: - Virus detected when.: 17.04.1996 where.: Germany Classification......: Linkvirus,memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: 1536 Bytes 2. Length in RAM: 12000 Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+) Computer model(s)...: all models/processors (MC68000-MC68060) --------------------- Attributes --------------------------------------- Easy Identification.: none Type of infection...: Self-identification method in files: - Searches for $ab1590ef at the end of the first Hunk. (this longword comes from the EBOLA-I virus) - Searches for $24121996 at the end of the first hunk (selfrecognition) - Searches for $1080402 at the end of the first hunk (this is the recognition of the Strange Atmosphere linkvirus) Self-identification method in memory: Searches for $3D385E29 at offset -6 from the Dos LoadSeg() function. If $1020304 will be found at this position, the destruction counter will be manipulated (somekind of test for the programmer of this virus ?) System infection: - non RAM resident, infects the following functions: Dos LoadSeg(), Dos ReadARGS(), Exec Findname(), Exec Findtask, Exec SetFunktion() and Exec Addport() Infection preconditions: - File to be infected is bigger then 2600 bytes and smaller then 290000 bytes - Device must have more than 6000 sectors - First hunk contains a $4eaexxxx command in the 16 bit range to the end of the file (test for the first entry) - the file is not already infected (the at long of the end of the hunk) - HUNK_HEADER and HUNK_CODE are found Infection Trigger...: Accessing files via LoadSeg() Files starting with "v","V","." or "-" will be NOT infected. Storage media affected: all DOS-devices Interrupts hooked...: None Damage..............: Permanent damage: - Formatting the drive Transient damage: - none Damage Trigger......: Permanent damage: - Formatting the drive, when an internal counter reaches 5000. Transient damage: - None Particularities.....: The crypt/decrypt routines are partly aware of processor caches. The cryptroutine are non polymorphic and only consists of some logical stuff. The virus uses some simple retro technics to stop viruskillers searching for itself. Similarities........: Link-method is comparable to the method invented with the infiltrator-virus. Damage routine is taken from the Strange Atmosphere linkvirus. The virus is a typical mixture from the EBOLA and the Strange Atmosphere linkviruses. We think that all 3 ones come from the same programmer, probably in the east or north of Germany. Stealth.............: If the viruskiller VT up to version 2.82 will be started, the virus removes itself completly from memory. If one the following programms will be found in memory, no link try will be started: SetFunktionManager VirusChecker VirusZ_II SnoopDos SnoopDos 3 VW-Save! Armouring...........: The virus uses only a single armouring technique to confuse people. It only crypts it`s code based on the position of the rasterbeam. Comments............: The name EBOLA is the name of a virus, which humans can get infected with. CARO rules say, that no names of persons etc. may be used to call a virus, but I spoke to other persons and they already recognized this virus in this way. The virus contains the string "BBS Traveller", but this is just a clone from the EBOLA linkvirus with some enhancements. --------------------- Agents ------------------------------------------- Countermeasures.....: VW6.1 beta above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hannover, Germany 19.04.1996. Classification by...: Markus Schmall and Heiner Schneegold Documentation by....: Markus Schmall (C) Date................: April,19. 1996 Information Source..: Reverse engineering of original virus Copyright...........: This document is copyrighted and may be not used in any SHI publication ===================== End of BBS Traveller Virus ========================= Greets Markus Schmall @Endnode @Node HitchHiker " Hitch Hiker 1.10 link virus (19.05.96) - Markus Shmall" Hi #? A new linkvirus appeared on 17.05. in Austria, Finland and Sweden. it`s called Hitch Hiker 1.10 linkvirus. Here the analyse of it: Entry...............: Hitch Hiker 1.10 Alias(es)...........: none Virus Strain........: - Virus detected when.: 18.05.1996 where.: Austria, Finland Classification......: Linkvirus,memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: ca. 1700 Bytes (uses a primitiv polymorphic technic) 2. Length in RAM: 3000 Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+) Computer model(s)...: all models/processors (MC68000-MC68060) --------------------- Attributes --------------------------------------- Easy Identification.: none Type of infection...: Self-identification method in files: - none Self-identification method in memory: - searches for $ABBAFAb4 at LastAlert(Exec) System infection: - infects the following functions: Dos LoadSeg(), Dos Write() (librarychecksum will be recalculated) Infection preconditions: - Device must have more than 8000 sectors and is smaller than $20000 bytes or file is bigger than $8000 bytes - HUNK_HEADER and HUNK_CODE are found - device is validated - 10 free blocks on the device - hunk_code must contain the same length as in the header. Infection Trigger...: Accessing files via LoadSeg() or Write() Files containing a "." or a "-" will be not infected. Storage media affected: all DOS-devices Interrupts hooked...: None Damage..............: Permanent damage: - none Transient damage: - none Damage Trigger......: Permanent damage: - none Transient damage: - None Particularities.....: The crypt/decrypt routines are partly aware of processor caches. The cryptroutine are non polymorphic and only consists of some logical stuff. The virus uses some special things at the fileinfection (buggy) and at the library opencode. Similarities........: Link-method is comparable to the method invented with the infiltrator-virus. Stealth.............: no stealth functions found Armouring...........: The virus uses only a single armouring technique to confuse people. It only crypts it`s code and uses a very simple length polymorphism code. The heuristic scanner of VirusWorkshop detects this one already as virus. Comments............: The first infected file is probably lzx121crk.lha. This is the old SHOOT version of LZX1.21r with the infected file. As I got reports from Austria and Finland, I suppose it has gone through internet channels as this file didn`t appear on scene boards. --------------------- Agents ------------------------------------------- Countermeasures.....: VW6.1 above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hannover, Germany 19.05.1996. Classification by...: Markus Schmall and Heiner Schneegold Documentation by....: Markus Schmall (C) Date................: May,19. 1996 Information Source..: Reverse engineering of original virus Copyright...........: This document is copyrighted and may be not used in any SHI publication ===================== End of Hitch-Hiker 1.10 ========================= VW 6.1 (release on 19.5. in the evening hours) is able to remove this little bastard. Special note: The heuristic scanner of VW 6.0 already detected this one (see v-nl19.txt on the boards). Greets Markus Schmall @Endnode @Node HitchHiker3 " Hitch Hiker 3.00 link virus (13.07.96) - Markus Shmall" Entry...............: Hitch Hiker 3.00 Alias(es)...........: none Virus Strain........: - Virus detected when.: 13.07.1996 where.: Germany, USA, ISRAEL Classification......: Linkvirus,memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: ca. 3020 Bytes (uses a polymorphic technic) 2. Length in RAM: 8000 Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+) Computer model(s)...: all models/processors (MC68000-MC68060) --------------------- Attributes --------------------------------------- Easy Identification.: none Type of infection...: Self-identification method in files: - none Self-identification method in memory: - searches for $FAB4FAB4 at LastAlert(Exec) System infection: - infects the following functions: Dos LoadSeg(), Dos Write() (librarychecksum will be recalculated and it will be tried to cheat some viruskillers) Infection preconditions: - HUNK_HEADER and HUNK_CODE are found - device is validated - 10 free blocks on the device - hunk_code must contain the same length as in the header. - File must be between $1f40 and $20000 bytes (not working) Infection Trigger...: Accessing files via LoadSeg() or Write() It`s a typical infector. It cannot be rated as fast infector as it only infects at the above mentioned operations. Storage media affected: all DOS-devices Interrupts hooked...: None Damage..............: Permanent damage: - Due to a adressacess behind the viruscode it`s possible that trashed code results out of an infection. Transient damage: - none Damage Trigger......: Permanent damage: - none Transient damage: - None Particularities.....: The crypt/decrypt routines are partly aware of processor caches. The cryptroutine are polymorphic and consists of some logical stuff. The virus uses some special things at the fileinfection (buggy) and at the library offsetcode. Similarities........: Link-method is comparable to the method invented with the infiltrator-virus and the first HitchHiker viruses. Stealth.............: no stealth function found. the only things to mention is the library negoffset value. Armouring...........: The virus is heavily armoured with a $100 byte long polymorphic decryptor. Not only the registers are changing, even the operations will be mixed. This polymorphic routine can be seen right now as one of the best available routine for the AMIGA. The routine mixes a lot of codes and uses a normal polymorphic scheme. No slow polymorphism code was found. The decrypt header is static $100 bytes long and initialises a circular decryption. The decryption code uses anti heuristik stuff and only a full implented code emulation would be able to crack this one. The polymorphism is working in the normal scheme (with $dff006 and $dff007 usage) and uses not the modern technics like slow polymorphism. ("White paper" analyse of this engine can be obtained from me or from the Virus Test Center in Hamburg. We need special information about you before we give such information away.) Comments............: Maybe interesting for the reader is that the programmer of the virus wrote some more text in it than in the last ones: 'The Hitch-Hiker Generation: 00000308 - Version 3.00' 'Last in series. "Dedicated to Heiner Markus ZIB and Georg" It would be interesting to know, who this ZIB is. --------------------- Agents ------------------------------------------- Countermeasures.....: VT 2.86 and VW 6.2 above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hannover, Germany 17.07.1996. Classification by...: Markus Schmall and Heiner Schneegold Documentation by....: Markus Schmall (C) Date................: July, 17. 1996 Information Source..: Reverse engineering of original virus Copyright...........: This document is copyrighted and may be not used in any SHI publication ===================== End of Hitch-Hiker 3.00 ========================= Greets Markus Schmall @Endnode @node "HitchHiker3ins" " Hitch Hiker 3.00 Installer" Lately the HitchHiker 3.00 linkvirus appeared and everybody was searching for an installer. One day for the release of VirusWorkshop 6.2 the archiv patchhh.lzx with the following File_ID.DIZ arrived at my place: PatchHH 1.0 by ZIB. This anti-virus util will stop the propagation of all known Hitch-Hiker viri. (1.10/2.01/3.00). Not THAT user-friendly but it was made in a fucking hurry.....(So no local support ! :)) ... I was very surprised, because ZIB was the fourth name in the dedicated list of HitchHiker 3.00 and I don`t know that person. The document looks like this: ----------------------------- Here's a little utility that will stop the propagation of the Hitch-Hiker virus series (currently 1.10/2.01/3.00). This proggy will write $ABBAFAB4 into Exec's LastAlert so the viri mentioned above will not start their devious work. When a version of HH is already active you'll get a warning. It's better of course to get the latest virus-killer. Like VirusZ or VT, however at the time I wrote this proggy only VT recognised 2.01 and none of them 3.00. Hope I spared you a lot of probs with this proggy :) ZIB. Sounds like a viruskiller. In reality some names of C: programms will be decrypted (including the string United ForceS...WHY ALWAYS UFO ????) and this files will be infected from this nasty linkvirus. Detection tested 20.07.1996. Greets Markus Schmall @endNode @Node Mutation " Mutation Nation linkvirus (21.05.1996) By Markus" *** About: Mutation Nation linkvirus Entry...............: Mutation Nation Alias(es)...........: none Virus Strain........: Ebola series (Ebola, BBS traveller, Strange At.) Virus detected when.: 21.05.1996 where.: Germany Classification......: Linkvirus,memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: 1316 Bytes (uses a primitiv polymorphic technic) 2. Length in RAM: $ba8 Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+) Computer model(s)...: all models/processors (MC68000-MC68060) --------------------- Attributes --------------------------------------- Easy Identification.: none Type of infection...: Self-identification method in files: - searching for DEADC0DE at the end of the first hunk Self-identification method in memory: - 213f at the LoadSeg entry (like EBola?) System infection: - infects the following functions: Dos LoadSeg(), Exec FindTask() Infection preconditions: - File is between $7d0 and $43e90 bytes long - HUnk Code is found (virus overruns $3e8 etc. hunks) - File is not infected already - device is validated - device contains free blocks Infection Trigger...: Accessing files via LoadSeg() Files containing a "." or a "-" and then at offset 2 one of this characters "aen" will be not infected. Storage media affected: all DOS-devices Interrupts hooked...: None Damage..............: Permanent damage: - none Transient damage: - Reset Damage Trigger......: Permanent damage: - none Transient damage: - Counter reaches $14 Particularities.....: The crypt/decrypt routines are partly aware of processor caches. The cryptroutine are non polymorphic and only consists of some logical stuff at the use of registers. Similarities........: Link-method is comparable to the method invented with the infiltrator-virus. Like in a lot of trojan it will be searched for a special task ("Dupe"). If this one is found, the virus will be not activated. Probably this is somekind of security backdoor for the programmer. Stealth.............: no stealth functions found The virus does not work with SnoopDos (1,2,3) started Fileflags will be restored, but length will be visible changed. Armouring...........: The virus uses only a single armouring technique to confuse people. It only crypts it`s code and uses a very simple register polymorphism code. The heuristic scanner of VirusWorkshop 6.1 isn`t able to detect this virus. The heuristic in VW6.2 is able to break the cryptcode. Comments............: We recieved this file from a sysop in the south of Germany. As it has a lot of similarities to the Ebola etc. viruses we suppose this programmer of this viruses comes from the south or east from Germany and has normal programming knowledge. The virus contains the string: '-=* Mutation Nation V1.0 by AIZ *=-' Same length and comparable stuff as in BBS-traveller etc. --------------------- Agents ------------------------------------------- Countermeasures.....: VW6.2 , VT2.84 above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hannover, Germany 25.05.1996. Classification by...: Markus Schmall and Heiner Schneegold Documentation by....: Markus Schmall (C) Date................: May,25. 1996 Information Source..: Reverse engineering of original virus Copyright...........: This document is copyrighted and may be not used in any SHI publication ===================== End of Mutation Nation ========================= Greets Markus Schmall @endNode @Node voxel " Voxel_Svind.exe Trojan (27.07.96) - By Jan Andersen)" Hi All.. There is a new trojan out that will change the names on the files in your system, please do not execute this program. Here is some info about this archive: Archive Name.......: @{b}dph-vos.lha@{ub} Archive Size.......: @{b}225750 Bytes (lha.Packed)@{ub} Trojan File Name...: @{b}Voxel_Svind.exe@{ub} Trojan File Size...: @{b}179860 Bytes@{ub} Here is the File-Id.DIZ from the archive:@{b} /\___ /\___/\_/\____/\ \___ \/ ___/ _ \_ _/ /_ / // / __// ___// // _ \ presents /____/\___/\_\ \_\\_//_/ .our.new.demo. VOXEL SVIND!@{ub} This archive is on it's way to every wellknown antivirus programmer. Regards.... __ __ /// Jan Andersen FidoNet: 2:236/120.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VH BBS : +45 4659 6867 @Endnode @NODE hf-vc24.lha " Vinci v2.4 - Intro Infected) Hi All.. Well.. Martin Wulffeld has just released a new version of his great text reader. And whitin a few hours a Cracked version was out. But the trojan 'Alfons Eberg 2.0' (Another WireFace trojan) is in the archive. It is said to be an 'HF-INTRO', if you start this intro, it will fuck up your system. Delete this intro and you have no problems. File_Id.Diz: .----/ / /___\-------------------------. |:::/ __ /___\/ AdVoCaTe Of | |::/ / / \_/ HELLFiRE TOOL DiViSiON | |:/___/___/\___\ CRACKED | +-\___\___\/___/---------------------------+ + Vinci 2.4 + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+ + A cool textviewer with lots of features + + Check it out! REGISTER +@{ub} And some info about the archive: Archive Name.......: @{b}hf-vc24.lha@{ub} Archive Size.......: @{b}210068 Bytes (lha.Packed)@{ub} Trojan File Name...: @{b}HF-INTRO.EXE@{ub} Trojan File Size...: @{b}2876 Bytes@{ub} Hmm.... just thinking, I guess that 'AdVoCaTe Of HELLFiRE' should check there intro for virus, before releasing archives...... Regards.... __ __ /// Jan Andersen FidoNet: 2:236/120.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VH BBS : +45 4659 6867 @ENDNODE @node patchhh.lzx " HitchHiker 3.00 linkvirus - Analyse by Markus Schmall" Lately the HitchHiker 3.00 linkvirus appeared and everybody was searching for an installer. One day for the release of VirusWorkshop 6.2 the archiv patchhh.lzx with the following File_ID.DIZ arrived at my place: @{b}PatchHH 1.0 by ZIB. This anti-virus util will stop the propagation of all known Hitch-Hiker viri. (1.10/2.01/3.00). Not THAT user-friendly but it was made in a fucking hurry.....(So no local support ! :))@{ub} ... I was very surprised, because ZIB was the fourth name in the dedicated list of HitchHiker 3.00 and I don`t know that person. The document looks like this: ----------------------------- Here's a little utility that will stop the propagation of the Hitch-Hiker virus series (currently 1.10/2.01/3.00). This proggy will write $ABBAFAB4 into Exec's LastAlert so the viri mentioned above will not start their devious work. When a version of HH is already active you'll get a warning. It's better of course to get the latest virus-killer. Like VirusZ or VT, however at the time I wrote this proggy only VT recognised 2.01 and none of them 3.00. Hope I spared you a lot of probs with this proggy :) ZIB. Sounds like a viruskiller. In reality some names of C: programms will be decrypted (including the string United ForceS...WHY ALWAYS UFO ????) and this files will be infected from this nasty linkvirus. -Markus @endnode @node vhelp-37.txt " COP trojan (again) - 21.10.96 by Jan Andersen" Hi All..... This time I have got some bad news for you. The guy's from 'CoP' are back, with the same shit as always. A program that rewrites everything in your systems DEVS:, LIBS:, and S: dir's with a file 41 bytes long. In this file you can read: @{b}FausT / cIRCLE oF pOWER'95 - TRUE POWER!@{ub} The archive names is these new CoP trojan's are: Archive name.....: @{b}HF-TETA1.LHA@{ub} Archive size.....: @{b}646347 bytes@{ub} Trojan name......: @{b}TETRIS.EXE@{ub} Trojan size......: @{b}21244 bytes@{ub} File_Id.Diz......: @{b} _ ____________________________________ / I \_ ___\ / / ___\__/____ \_ __/ / _ / __)/ /\ /\ _// \| / // __) / ! / ! / / / / \ |/ | \ \ ! \ \___! \____\____\____/ |\____| |\__\____/ ----| \--------| |-----| |PreSENtS TETRIS ATTACK *FULL RELEASE* [1/2]@{ub} Archive name.....: @{b}HF-TETA2.LHA@{ub} Archive size.....: @{b}550826 bytes@{ub} Trojan name......: @{b}TETRIS.EXE@{ub} Trojan size......: @{b}21244 bytes@{ub} File_Id.Diz......: @{b} _ ____________________________________ / I \_ ___\ / / ___\__/____ \_ __/ / _ / __)/ /\ /\ _// \| / // __) / ! / ! / / / / \ |/ | \ \ ! \ \___! \____\____\____/ |\____| |\__\____/ ----| \--------| |-----| |PreSENtS TETRIS ATTACK *FULL RELEASE* [2/2]@{ub} Don't start these programs..... We hoped that the @{b}shitheads@{ub} behind 'CoP' had grown up, and left the kindergarden, but we must be wrong..... Regards.... __ __ /// Jan Andersen FidoNet: 2:236/120.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VH BBS : +45 4659 6867 @endnode @node vhelp-38.txt " HD Protect v6.24 trojan - 03.11.96 by Jan Andersen" Hi All..... Well, there is a new littel trojan out, that will format your system if you run the 'sucker'. In the file-Id.diz you can read "Small...(~3k)", well it is packed with PowerPacker v4.0 after unpacking it the file size is 20200 bytes. If you take a closer look in the file you can read: run >NIL: hdprotect.data run >NIL: format drive dh0: name LURAD run >NIL: format drive dh1: name LURAD QUICK run >NIL: format drive dh2: name HOR_UNGE QUICK Here is a littel info about this archive: Archive name.....: @{b}HDPRO624.lha@{ub} Archive size.....: @{b}40590 bytes@{ub} Trojan name......: @{b}HDprotect@{ub} Trojan size......: @{b}20200 bytes unpacked@{ub} Trojan size......: @{b}3984 bytes packed@{ub} File-Id.Diz......: @{b}HD PROTECT V6.24 Track protect any HD Boot protect any HD Have three different Passwords Nice bootup picture Creat logfile to (ANY PATH:) Small...(~3k)@{ub} Don't start this programs..... Thanx to Dennis Bay for the first warning about this 'sucker'..... Regards.... __ __ /// Jan Andersen FidoNet: 2:236/120.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VH BBS : +45 4659 6867 @endnode @node vhelp-39.txt " CygnusED v4.0 trojan - 03.11.96 by Jan Andersen" Hi All..... Well, there is a new littel trojan out, that will do some strange things to your system. The way it is done, looks like the 'CoP' guy's again. The archive "@{b}HF-CED40.LHA@{ub}" is said to be "@{b}CygnusEd v4.0@{ub}", and I guess that if anyone thinks that a new update of CED only has the size of 53380 bytes when v3.5 has a size of 156108 bytes, that is to much... Also if you take a look inside the archive you can read 'AMOS' many times, and the guys behind 'CED' do not program in AMOS.... Here is a littel info about this archive: Archive name.....: @{b}HF-CED40.LHA@{ub} Archive size.....: @{b}40316 bytes@{ub} Trojan name......: @{b}CygnusEd@{ub} Trojan size......: @{b}53380 bytes@{ub} File-Id.Diz......: @{b} _ ____________________________________ / I \_ ___\ / / ___\__/____ \_ __/ / _ / __)/ /\ /\ _// \| / // __) / ! / ! / / / / \ |/ | \ \ ! \ \___! \____\____\____/ |\____| |\__\____/ ----| \--------| |-----| |PreSENtS [----------------------------------------] Cygnus Editor Pro v4.0 HOT UPDATE! [----------------------------------------]@{ub} Don't start this programs..... Regards.... __ __ /// Jan Andersen FidoNet: 2:236/120.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VH BBS : +45 4659 6867 @endnode @node vhelp-40.txt " The Black Lotus 'Abduction' demo" 09-11-1996 Hi All..... Well, there is a new littel trojan out. I have for the last 3 hours been trying to infect my system with this 'sucker' but it will not. Maybe the reason is something with AMOS, if you read inside the program, you can find the text AMOS many times. The trojan type is just like the @{" HF-CED40.LHA " link vhelp-39.txt } (CygnusEd 4.0) trojan, it is the same crap you can read in the archive. Here is a littel info about this archive: Archive name.....: @{b}tbl-abdu.lha@{ub} Archive size.....: @{b}369928 bytes@{ub} Trojan name......: @{b}Abducted@{ub} Trojan size......: @{b}53408 bytes@{ub} File-Id.Diz......: @{b}the black lotus " abduction " small demo dedicated to x-files@{ub} Another thing about this 'sucker', there are 5 .bin files in the archive but here is what these .bin files really are: Abducted1.bin : HotHelpLibrary 3.00 Abducted2.bin : muimaster.library 16.160 (1996/07/21) Abducted3.bin : RUSH 37.4908 (1993/07/18) Abducted4.bin : wizard.library 37.137 (1996/07/ 3) Abducted5.bin : gtlayout.library 32.3 (1996/01/14) @{b}Don't start this programs.....@{ub} Regards.... __ __ /// Jan Andersen FidoNet: 2:236/120.0 \\\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VH BBS : +45 4659 6867 @endnode @node darkfuck.lha " DarckFuck.lha - Happy New Year 97' Infected (21.12.96)" Hi All..... Well, there is a new linkvirus out. It is a new "Happy New Year 97" link virus. At this time there is no known installer of this new virus, only an infected archive. Here is some info about the infected archive: Archive name.....: @{b}darkfuck.lha@{ub} Archive size.....: @{b}9820 bytes (ripped for BBS adds)@{ub} Infected name....: @{b}NOTRICK.EXE@{ub} Infected size....: @{b}9256 bytes (packed with Stonecracker)@{ub} File-Id.Diz......: @{b}!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! LESEN UND VERBREITEN!!!!! DARKLORD HAT EIN NEUES HANDLE! BZW. GLAUBT MAN JEDENFALLS!!! MEIN FREUND WURDE AUCH GEBUSTET !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!@{ub} VT will be released on Sunday the 22 of December 1996, and it will be abel to clear infected files. In an ohther warning about this achive it is said to contain an new "AFFE" virus, but that is not true. @{" Click Here " link happy } to read Markus Schmall test of HNY Virus. Thanx to Markus Schmall for info about 'HNY 97' Don't start this programs..... Regards.... __ __ /// Jan Andersen FidoNet.: 2:236/120.0 \\\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @endnode @node TBF-F175.LHA " AMFTP v1.75 HNY 97' Infected - (22.02.1997)" Hi All..... Well another archive has been spread with the new 'Happy New Year 97' link virus. Just use VirusWorkshop v6.4 or VT v2.94, to remove the virus. 4 programs in the archive is infected with the virus: Here is some info about the infected archive: Archive name.....: @{b}TBF-F175.LHA@{ub} Archive size.....: @{b}305454 bytes (ripped for BBS adds)@{ub} Infected name....: @{b}AmFTP/AmFTP (Infected size: 116124)@{ub} @{b}AmFTP/AmFTP020 (Infected size: 115700)@{ub} @{b}AmFTP/AmFTPPrefs (Infected size: 33308)@{ub} @{b}AmFTP/RegisterAmFTP (Infected size: 37036)@{ub} File-Id.Diz......: @{b} ___________. ________________ ____________ _) l__\______ /_) _) \. ./ |/ __/| ./ | | _l\ \ | |__________|______\__________//______+sD+ . . | AMFTP V1.75 [68000 & 020+] *CRACKED* | | Cracker : rEdCROW^tBF | | ReleaseDate : 19.02.97 | | | `---------------------------------------'@{ub} Don't start this program..... @{" Click Here " link happy } to read Markus Schmall test of HNY Virus. Regards.... __ __ /// Jan Andersen FidoNet.: 2:236/120.0 \\\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @endnode @node MAPUS200.LZX " HitchHicker 4 infected archive - (06.03.1997)" Hi All..... Well, another linkvirus has seen the daylight. It is a new version of the known "HitchHicker", the new virus has been named "HitchHicker 4". If you look inside the infected file, within the first 100 bytes you can find a text saying "@{b}CopyCat Decruncher V1.01@{ub}", this file is infected with this new string of "HitchHicker 4" link-virus. At this time the only killer to remove this sucker is Heiner Schneegold's '@{b}VT v2.95@{ub}' viruskiller. But I'm sure that the other major viruskillers, will find it in the next update. The first known archive with this virus in it is: MAPUS200.LZX Here is some info about the infected archive: Archive name.....: @{b}MAPUS200.LZX@{ub} Archive size.....: @{b}37529 bytes (ripped for BBS adds)@{ub} Infected name....: @{b}Mapus/Bin/MaPuS.200@{ub} Infected size....: @{b}21156 bytes@{ub} File-Id.Diz......: @{b}mapus 2.0 the dms checker@{ub} @{b}Virus Removal....:@{ub} VT v2.95, by Heiner Schneegold. (VT295K.LHA) Read @{" Markus Schmall's " link "Hitch-Hiker 4"} test of Hitch Hiker v4.11 link-virus. Regards.... __ __ /// Jan Andersen FidoNet.: 2:236/120.0 \\\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @endnode @node "Hitch-Hiker 4" "Hitch Hiker 4.11 test by Markus Schmall" Entry...............: HitchHiker 4.11 Alias(es)...........: CopyCat Decruncher 1.01 Virus Strain........: - Virus detected when.: Febuary 1997 where.: Germany and Italy Classification......: Linkvirus,memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: ca. 3052 Bytes 2. Length in RAM: 3500 Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04+ (V37-V40) Computer model(s)...: all models/processors (MC68000-MC68060) The virus heavy problems with the 060 cache --------------------- Attributes --------------------------------------- Easy Identification.: - Type of infection...: Self-identification method in files: - length of hunk 1 Self-identification method in memory: - test for the changed jump command from Exec PutMsg() and a longword in the trapcode. System infection: - The entryjump of Exec PutMsg() will be patched to a trap code. - A new trapcode will be installed. - a process with a library name will be started, which installs the patches again Infection preconditions: - HUNK_HEADER is found - device is validated - to be infected file is bigger than $be8 - 10 free diskblocks Infection Trigger...: The infection is based on the packet handling system of AMIGA OS. Every started file will be infected. All synchron dos commands are affected. Storage media affected: all DOS-devices Interrupts hooked...: A trapvector in the vectorbase will be changed Damage..............: Permanent damage: - none Transient damage: - The stealth/fileinfect engine performs a wrap around copy of the originalfile as we saw it already in the BEOL3 virus, which source was made public by the programmer. Damage Trigger......: Permanent damage: - none Transient damage: - infecting a file Particularities.....: The crypt/decrypt routines are not 100% aware of processor caches. The packet handling works in even on the new developer OS versions, but some codes have problems with task functions. The virus is incompatible to the new versions of EXEC, as it uses some commands only legal in V37-V41 versions of the task handling. The virus tunnels doscall watcher like SnoopDos etc. by using only lowlevel packet routines. Similarities........: The link method has been seen in the BEOL3 linkvirus already. A new hunkheader will be added and the origfile will be seen as datahunk. In this way the virus doesnt need to perform a errorfull hinkcorrection. The first codehunk contains the virus itself. Stealth.............: Second working directory and file stealth code in a virus. Armouring...........: The virus is not armoured with a special tricky crypting code. By adding the strings "CopyCat Decruncher 1.01" and "FLK!" and "-TRSi-" the virusprogrammer wanted probably hide his actions as the first 20 bytes of the hunk could really look like an unpacker. Some parts of the code will be manipulated online (data reuse) and some functions refuses to work properly in a testsuite. Specialities........: As always the virus contains a crypted part: 'The Bastard is Back!',$0A 'The Hitch-Hiker',$0A '- Version 4.11 ',$0A 'Greetings going like a scrolltext in the sky to:' 'Georg, Heiner, Markus, Johann, Pius, Zib, Ariel,' 'InFekt, UFO and all the guys on #amielit' 'Not yet deactivated by Flake!' The last string depends probably on my removal code for the hitchhiker 3 linkvirus, which overwrote parts of the virus with a special other string. --------------------- Agents ------------------------------------------- Countermeasures.....: VT 2.95, VW 6.5 above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hannover, Germany 01.03.1997. Classification by...: Markus Schmall Documentation by....: Markus Schmall (C) Date................: Mar, 01. 1997 Information Source..: Reverse engineering of original virus Copyright...........: This document is copyrighted and may be not used in any SHI publication ===================== End of HitchHiker 4.11 Virus ========================= @endnode @node DNC-IB2.LHA " Ibrowse v2.0 Trojan" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} Well, we do not know much about this trojan. We have been looking all over the world for this archive, but we can not find it. If you have it, please send it to us. Here is some info about the infected archive that we know of: Archive Name.... : @{b}dcn-ib2.lha@{ub} Archive size.....: @{b}?@{ub} Infected name....: @{b}?@{ub} Infected size....: @{b}?@{ub} File-Id.Diz......: @{b}Ibrowse v2.0@{ub} If you have this archive, @{" Send it to us !!!!!! " link teamdk } Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:236/120.0 \\\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @endnode @Node vhelp-43.txt " HitchHicker 4 linkvirus (06.03.97) - By Jan Andersen)" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} Hi All..... Well, another linkvirus has seen the daylight. It is a new version of the known "HitchHicker", the new virus has been named @{b}"HitchHicker 4"@{ub}. If you look inside the infected file, within the first 100 bytes you can find a text saying "CopyCat Decruncher V1.01", this file is infected with this new string of "HitchHicker 4" link-virus. At this time the only killer to remove this sucker is Heiner Schneegold's 'VT v2.95' viruskiller. But I'm sure that the other major viruskillers, will find it in the next update. The first known archive with this virus in it is: @{b}MAPUS200.LZX@{ub} Here is some info about the infected archive: Archive name.....: @{b}MAPUS200.LZX@{ub} Archive size.....: @{b}37529 bytes (ripped for BBS adds)@{ub} Infected name....: @{b}Mapus/Bin/MaPuS.200@{ub} Infected size....: @{b}21156 bytes@{ub} File-Id.Diz......: @{b}mapus 2.0 the dms checker@{ub} Virus Removal....: @{b}VT v2.95, by Heiner Schneegold. (VT295K.LHA)@{ub} Regards.... __ __ /// Jan Andersen FidoNet.: 2:236/120.0 \\\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @Endnode @Node vhelp-44.txt " Intel Outside 4 Trojan (03.06.97) - By Jan Andersen)" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} Hi All.... There is a new trojan out. It will replace your startup-sequence with a old VirusScanlist by Jan Hendrik Lots (size 4924), and it will replace your user-startup, with an Devil-Check2.0 Bugreport (Size 4660 bytes). The trojan is pretty lame. Here is some info about this trojan & archive: Archive name.....: @{b}IO4-INVI.LHA@{ub} Archive size.....: @{b}69396 bytes (ripped for BBS adds)@{ub} Trojan name......: @{b}io4-invi/IO4-INVI.EXE@{ub} Trojan size......: @{b}63484 bytes (PowerPacked) - Unpacked 100348 bytes.@{ub} File-Id.Diz......: @{b} ___ ____ ___ ___ __ .-//-/ /- / \------/ /--/ /-/ /-//--. | / / / / / / / / / // / / | | /__/ \____/ /__/ /_____/ | | | | Intel Outside 4 Invitation Demo! | | 12-13 JULI 1997 WLOCLAWEK | | | `------------------------------------------'@{ub} @{b}Don't start this program.....@{ub} Thanx to Mr. Heiner Schneegold, for checking this archive. I'm sure that the next version of VT will find this sucker.... Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:236/120.0 \\\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @Endnode @Node vhelp-45.txt " Xtruder v3.5 Trojan (23.07.97) - By Jan Andersen)" @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} @{b}WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!@{ub} Hi All.... There is a new trojan out. The trojan in inside @{b}Xtruder v3.5.@{ub} If you use a fakekey or the keyfile "Alex Holst #5", Xtruder v3.5 will delete your SYS: partition. Virus Help Team Denmark can @{b}not@{ub} support this kind of programming by an antivirus programmer, and will not support Xtruder with new viruses. Here is a copy of a letter that Martin Wulffeld mailed in Virus_Amy: @{b}>------------------------------ START LETTER ------------------------------@{ub} *** Area : VIRUS_AMY Date: 30 Jun 97 20:40:01 *** From : Martin Wulffeld (39:141/124.53) *** To : All *** About: Xtruder 3.5 As some of you may know Xtruder 3.5 has done a bit of damage to peoples files. However, it has only affected those people who used a fake keyfile and hopefully also the criminal Bxxxx Pxxxxxxx (2:xxx/xx) who still owes my friend Alex Holst somewhere around 7000 Dkr. I hope all you fucknuts learned a lesson. From v3.6 and forward I will remove this behaviour. Peace out! . martin . kozmiq . wulffeld@post4.tele.dk . . see ya at roskilde'98 . --- Spot 1.3a Unregistered * Origin: Roskilde'97 - FANTASTIC! (39:141/124.53) @{b}>------------------------------- END LETTER -------------------------------@{ub} Here is some info about this trojan & archive: Archive name.....: @{b}xtruder35.lha@{ub} or @{b}xtrude35,lha@{ub} Archive size.....: @{b}447128 bytes (ripped for BBS adds)@{ub} Trojan name......: @{b}Xtruder@{ub} Trojan size......: @{b}183700 bytes Unpacked.@{ub} File-Id.Diz......: @{b}Xtruder 3.5 by Martin Wulffeld. This virus killer can detect more than 248 filevira. Has a screen mode- and font sensitive GUI along with a comprehensive ARexx interface and locale support.@{ub} @{b}Don't start this program.....@{ub} Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:236/120.0 \\\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @Endnode @node VHELP-46.txt " Ibrowse v2.0 Trojan (08.08.97) - By Jan Andersen)" Hi All.... There is a new trojan out. The trojan in inside a @{b}Fake Ibrowse v2.0@{ub} If you run Ibrowse a picture will be shown with a face, and a text that is telling you that @{b}ScareCrow@{ub} has done damage to your system. When I tested the archive on my test system (68000), everything it did was to replace my userstart-up and startup-sequence, with a text file. If it does damage to other systems I don't know at the moment, but it will be testet very soon. Here is text: >------------------------------ START LETTER ------------------------------- ScareCrow Since i now have your undevided attention while you are trying to save what is left of your hard-disk i might as well begin. Your first question will be why? The why is becose i am playing a fair game with someone for some time now, his name is Jan Hendrik Lots of Virus Help team NL. He and his little buddies of AGA tryed to catch me last year with no succes, but what would you expect if you relay on their help lead by a clowns character calling himself KleinDuimpje. Yes, KleinDuimpje, you better start up that board again becose we havnt finished yet. Hunting season is open again fans, and these trojans i have been spreading are just mearly the beginning of it. i would also like to invite some of the people i admire: Nr. 1 is L.I.S.A. (lamers in serious agony) They did a great job, and they inspired me. Nr. 2 is C.O.P. (faust, circle of power) Damn, i loved that Tetris attack! Nr. 3 is smooth criminal aldo the boy has no taste, im inviting him to this party. What have i cooked up? i am planning to make a competition out of this, who ever wants to compete is invited. Who can make the most trojans and virusses, who can put down the most boards. Who can make the most hits and i am listing them all. The list will be released in a trojan by the end of each month. time to play. >------------------------------- END LETTER ------------------------------- I guess that @{b}Jan Hendrik Lots@{ub} must know something about this guy, I'll get in contact with Jan Hendrik Lots and have a talk with him. Anyway, we know ScareCrow's real name, adress, phone number (the new one), and a lot of other things about this guy. Actions might be taken later on. Well...... But everybody should think before installing programs like this one. A new update of Ibrowse ?????. version 2.0 ?????. Don't install these programs that you are not 100% sure that is okay. If you want to, try and install the programs like this on on floppy disks, it takes a bit longer, but it might save your system........ Here is some info about this trojan & archive: Archive name.....: @{b}DCN-IB2.LHA or DCN-IB2.LZX@{ub} Archive size.....: @{b}595211 bytes (ripped for BBS adds)@{ub} Trojan name......: @{b}Ibrowse@{ub} Trojan size......: @{b}327848 bytes Unpacked.@{ub} File-Id.Diz......: @{b} /\ _ _ ___/ \___________(_)_______(_)__________ / ________ / ___/ \ _____/ ____ ____ \ / / / ___/ / / /\__ \/ / / / / / \____/\___________ __________ /\____/\_/\_/| .--aMiGA iLLEGAl--\/--------\/Rr!----------. | IBrowse 2.00 FINAL 68030+ | `----[1/1]------------------[28-04-97]-----'@{ub} Don't start this program..... Regards.... __ VirNet..: 9:451/247.0 __ /// @{b}Jan Andersen@{ub} FidoNet.: 2:236/120.0 \\\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @endnode @node VHELP-47.txt " MUI 020 Installer (31.08.97) - By Jan Andersen)" Hi All.... There is an infected archive out. The archive is infected with a new string of the linkvirus @{b}"Happy New Year"@{ub}. It is said to be a patch for MUI written by Dave Jones. But Dave Jones didi not program this patch, some stupid guy must be trying to damage Dave's name. Pretty lame....... @{b}VT v2.99 by Heiner Schneegold (28.08.97)@{ub}, will find and remove this sucker. Here is some info about this trojan & archive: > ----------------------------- INFO START -------------------------------- Archive name.....: @{b}MUI020.LHA@{ub} Archive size.....: @{b}2709 bytes (ripped for BBS adds)@{ub} Trojan name......: @{b}MUI_Patch@{ub} Trojan size......: @{b}2696 bytes (Unpacked).@{ub} Archive text.....: @{b}======================================================== Patch MUI 020+ version 1.1 by DJ (you know who!) ========================================================@{ub} ****** Usage: ****** Simply unpack the archive into a directory and run the MUI_Patch program which will then try to locate MUI:muimaster.library and make the necessary modifications/optimizations to the libraries internals for an increase in performance of some routines upto 35% ...Now when is Stefan going to release a truely written 020+ MUI??? > ------------------------------ INFO END --------------------------------- @{b}Pretty lame text.@{ub} Don't start this program..... Regards.... __ VirNet..: 9:451/247.0 __ /// @{b}Jan Andersen@{ub} FidoNet.: 2:236/120.0 \\\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @endnode @node VHELP-48.txt " AmixHack Trojan (08.09.97) - By Jan Andersen)" Hi All.... There is a BBS trojan out. But the SysOp of the board has to run the program to start the trojan. After the trojan has been executet, it will delete the caller.log, that way you can't see what the trojan did. Then it will copy the user.dat to Libs: as TTA.library. In that way the sysop will have to be fool'ed to give the 'hacker' the TTA.library (renamed user.data). @{b}VT v2.99, VirusZ II v1.39, VirusWorkshop v6.6 and FastViruskiller v1.8, will find this trojan....@{ub} Here is some info about this trojan & archive: > ------------------------------- INFO START -------------------------------- Archive name.....: @{b}DEC-SCP.LHA@{ub} Archive size.....: @{b}41892 bytes (ripped for BBS adds)@{ub} Trojan name......: @{b}AmixHack0.Exe@{ub} @{b}AmixHack1.Exe@{ub} @{b}AmixHack2.Exe@{ub} @{b}AmixHack3.Exe@{ub} @{b}AmixHack4.Exe@{ub} Trojan size......: @{b}8348 bytes (11644 bytes Unpacked).@{ub} File id.Diz......: @{b}.................................. . ______ _____ _____ _____ _____ . .| | | | | |. .| ___| __| O | O | O |. .|___ | | | | ___|. .|______|_____|_____|_____|_|..... .................................. .....sCOOP V1.0 - /X hACKER....... .................................. ........mADE bY dECODER........... .................................. .................................. ......DO NOT RUN ON YOUR HD!......@{ub} > -------------------------------- INFO END --------------------------------- Regards.... __ VirNet..: 9:451/247.0 __ /// @{b}Jan Andersen@{ub} FidoNet.: 2:236/120.0 \\\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @endnode @node VHELP-49.txt " Hitch Hicker v4.23 linkvirus (14.09.97) - By Jan Andersen)" Hi All.... There is a link-virus out. It is a new version of @{b}"HitchHicker"@{ub}, this time it is up to v4.23. At this time none of the big antivirus programs can find and remove it, but the programmers has recived an infected file, so in the new updates the removal code should be included. I have now recived four archives with this new link-virus, so there is a pretty good chance that the "HitchHicker v4.23" is on the run. So take care of what you execute. Gideon Zenz the programmer of AntiBeol, has made a small update of his anti virus program AntiBeol v1.33a. In the archive of v1.33a, is there a tiny tool which desinfects files, the virus only gets disabled, not removed. But this in the only program that will find the HitchHicker v4.23 linkvirus right now. This program is availble from VHT-DK BBS or our Homepage: @{b}http://home4.inet.tele.dk/vht-dk@{ub} After this warning was send out the first time, also VT v3.00 and FastVirus- Killer v1.10, VirusWorkshop v6.7 is now abel to find and remove this virus. Read also @{" Markus Schmall's test " link "Hitch-Hiker 4.23"} about HitchHiker v4.23 Here is some info about the four infected archives: > ------------------------------- INFO START -------------------------------- Archive name.....: @{b}DC-AmFTP.lha (or lzx)@{ub} Archive size.....: @{b}117186 bytes (ripped for BBS adds)@{ub} Infected File....: @{b}AmFTP@{ub} Infected Size....: @{b}119148 bytes (Unpacked).@{ub} File id.Diz......: @{b}AmFTP 1.90 (1997/09/10)@{ub} Archive name.....: @{b}IDEFix191.lha (or lzx)@{ub} Archive size.....: @{b}117186 bytes (ripped for BBS adds)@{ub} Infected File....: @{b}IDE-fix/c/IDEfix@{ub} @{b}26620 Bytes (Unpacked).@{ub} Infected File....: @{b}IDE-Fix/l/CacheCDFS@{ub} @{b}38312 Bytes (Unpacked).@{ub} File id.Diz......: @{b} .________________ ____ ____ ( _____/__ - ------------- _/ ___/ _/\_ T diGiTAL .-\ / 7--7 l / cORRUPTiON | \____.----- ----.____/------- - - - | | IDEfix97 v1.91 - CDROM driver software | Cracked 100% | | IMPORTANT! READ THE .NFO FILE! | `-[10/09/97]-------------------------[ 7eN ]@{ub} Archive name.....: @{b}MSR-A71P.lha (or lzx)@{ub} Archive size.....: @{b}224271 bytes (ripped for BBS adds)@{ub} Infected File....: @{b}AmIRC1_71/AmIRC@{ub} @{b}209540 bytes (not packed)@{ub} Infected File....: @{b}AmIRC1_71/AmIRC020@{ub} @{b}208564 bytes (not packed)@{ub} File id.Diz......: @{b} -mSR'97- ________ () _____________ ______| _|___()___| ____ / | __ | / / ______/| | ____/_ .- |_____\__/___/_________ |____|_______/ | - --mYSTERiOUS- - /__________|-wARPsTAH!. | | AmIRC 1.71 Keyless 100 %!!! | Exe's only !!! | `-[10-09-97]---------[1-1]---------[lIZARD]@{ub} Archive name.....: @{b}slt-m21g.lha (or lzx)@{ub} Archive size.....: @{b}852280 bytes (ripped for BBS adds)@{ub} Infected File....: @{b}Miami/Miami.000@{ub} @{b}415384 bytes (not packed)@{ub} Infected File....: @{b}Miami/Miami.020@{ub} @{b}410516 bytes (not packed)@{ub} File id.Diz......: @{b}_ _____ ____ _____ _ _______________. // /___/ /___/ \_ | .\___ \ / \_ _/ ShEltER 1997 || | / ___/________/_____| |____/----sTZ!/sE--------------------------' : | Miami 2.1g - 000/020/MAIN/EVA + KEYS | `-(o9/o9/97)--------------------(FUCK^YOU)->@{ub} > -------------------------------- INFO END --------------------------------- @{b}Thanx to Gideon Zenz, for the fast test of HitchHicker v4.23.@{ub} @{b}Thanx to Ramon, for sending the archives to me...@{ub} Regards.... __ VirNet..: 9:451/247.0 __ /// @{b}Jan Andersen@{ub} FidoNet.: 2:236/120.0 \\\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @endnode @node "Hitch-Hiker 4.23" "Hitch Hiker 4.23 Test by Markus Schmall" Entry...............: HitchHiker 4.23 Alias(es)...........: HitchHiker 4 Virus Strain........: - Virus detected when.: September 1997 where.: Germany, Denmark and England Classification......: Linkvirus,memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: ca. 2912 Bytes 2. Length in RAM: 3200 Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04+ (V37-V40) Computer model(s)...: all models/processors (MC68000-MC68060) The virus has problems with higher processors and OS versions --------------------- Attributes --------------------------------------- Easy Identification.: - Type of infection...: - linkvirus. It changes the whole files to 2 hunked file and copies 2908 bytes from the filestart to the end Self-identification method in files: - checks for $DEAD at a special fileposition. In this way the stealth mechanism is locating the infected files, too. Self-identification method in memory: - test for the changed jump command from Exec PutMsg() System infection: - The entryjump of Exec PutMsg() will be patched to a trap code. - A new trapcode will be installed. - tries to modifies entry points of the bsdsocket.library, which is used by connectiontools like AmiTCP and Miami. Infection preconditions: - HUNK_HEADER is found - device is validated - to be infected file is bigger than 2908 (exact viruslength) - 10 free diskblocks Infection Trigger...: The infection is based on the packet handling system of AMIGA OS. Every started file will be infected. All synchron dos commands are affected. Storage media affected: all DOS-devices Interrupts hooked...: A trapvector in the vectorbase will be changed Damage..............: Permanent damage: - none Transient damage: - The stealth/fileinfect engine performs a wrap around copy of the originalfile as we saw it already in the BEOL3 virus, which source was made public by the programmer. Damage Trigger......: Permanent damage: - none Transient damage: - infecting a file Particularities.....: The crypt/decrypt routines are not 100% aware of processor caches. The packet handling works in even on the new developer OS versions, but some codes have problems with task functions. The virus tunnels doscall watcher like SnoopDos etc. by using only lowlevel packet routines. Similarities........: The link method has been seen in the BEOL3 linkvirus already. A new hunkheader will be added and the origfile will be seen as datahunk. In this way the virus doesnt need to perform a errorfull hinkcorrection. The first codehunk contains the virus itself. Stealth.............: Second working directory and file stealth code in a virus. Armouring...........: The virus is not armoured with a special tricky crypting code. Specialities........: As always the virus contains a crypted part: "LHALZXZOOZIP" "bsdsocket.library" "POST" "DATA" "QUIT" "The Hitch-Hiker 4.23 - Generation #00001036" The first string is for the special ability to keep the files infected, even if they get crunched. This trick, which was used to remove common pc stealth linkviruses is not working here. --------------------- Agents ------------------------------------------- Countermeasures.....: VT 3.00, AntiBeol 1.33, FastKill and VW 6.7 above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hannover, Germany 26.09.1997. Classification by...: Markus Schmall Documentation by....: Markus Schmall (C) Date................: Sep, 29. 1997 Information Source..: Reverse engineering of original virus Copyright...........: This document is copyrighted and may be not used in any SHI publication ===================== End of HitchHiker 4.23 Virus ========================= @endnode @node vhelp-50.txt " Lisa FuckUp v3.0 (12.10.97) - Jan Andersen" @{b}Hi All....@{ub} There is a new trojan out. It is said to be a killer for "Ebola 97'" virus, but this is just a fake. The trojan will replase every file in SYS: with a file 10 bytes long, where you can read @{b}"LiSA FUCKUP v3.0"@{ub}. In the archive there is a read.me text, with a description of how to get this trojan to work, but you better not do it. This trojan have been send to all the major anti-virus programmers in the world, and will be included in the next update. So until, then take care... Here is some info about the trojan archive: > ------------------------------- INFO START -------------------------------- Archive name.....: @{b}SEBOLA97.LHA (or lzx)@{ub} Archive size.....: @{b}5856 bytes (ripped for BBS adds)@{ub} Infected File....: @{b}ScanEbola97@{ub} Infected Size....: @{b}7004 bytes (Unpacked).@{ub} File id.Diz......: @{b}ScanEbola97: Scans your hard-drive for the Ebola97-virus.@{ub} > ------------------------------- INFO END ---------------------------------- Thanx to Heiner Schneegold, for the fast test of this trojan. Regards.... __ VirNet..: 9:451/247.0 __ /// @{b}Jan Andersen@{ub} FidoNet.: 2:236/120.0 \\\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @endnode @node vhelp-51.txt " HitchHicker v4.11 infected archive (03.11.97) Jan Andersen" Hi All.... Another archive has been found around the world, that is infected with the link-virus @{b}"Hitch Hiker v4.11"@{ub} link-virus. In the archive seven files is infected with "Hitch Hiker" virus. All you got to do is to run one of the major antivirus programs, and let the killer remove this virus. Here is some info about the trojan archive: > ------------------------------- INFO START ------------------------------ Archive name.....: @{b}NUP-SLOS.LHA (or lzx)@{ub} Archive size.....: @{b}223697 bytes (ripped for BBS adds)@{ub} Infected File....: @{b}Scalos (109500 bytes) Scalos/prefs/Scalos (39916 bytes) Scalos Menu (26916 bytes) Scalos Palette (16968 bytes) Scalos Pattern (21452 bytes) Scalos/tools/OpenLocation_CA (11776 bytes) OpenLocation_MUI (6580 bytes)@{ub} File id.Diz......:@{b} _____ _________ / /___ _________ / \_/ / \_/ \_ .:.:/ ___ / / / / /.:. :::/ / / / / /____/:::: ::/______/ /___________/______/:::::::::: .-------/____/-[pRESENTS]------------------. | | | S S | | | | vERSION 39.154 - nICE wORKbENCH rEPLACE! | | | `-[ #37 ]---------------------[ 10/27/97 ]-'@{ub} > ------------------------------- INFO END -------------------------------- Thanx to Darryl Peters, for the info about this archive. Read @{" Markus Schmall's " link "Hitch-Hiker 4"} test of Hitch Hiker v4.11 link-virus. Regards.... __ VirNet..: 9:451/247.0 __ /// @{b}Jan Andersen@{ub} FidoNet.: 2:237/38.100 \\\/// -------------- AmyNet..: 39:140/127.100 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @endnode @node vhelp-52.txt " Ebola Infected archive (20.11.97) - By Jan Andersen" Hi All.... Another archive has been found around the world, that is infected with the link-virus @{b}"Ebola"@{ub} link-virus. In the archive, two files is infected with this @{b}"Ebola"@{ub} linkvirus. All you got to do is to run one of the major anti- virus programs (@{b}VirusZ, VT and VirusWorkshop@{ub}), and let the killer remove this virus. Here is some info about the trojan archive: > ------------------------------- INFO START ------------------------------ Archive name.....: @{b}PSY-HAL.LHA (or lzx)@{ub} Archive size.....: @{b}294041 bytes (ripped for BBS adds)@{ub} Infected File....: @{b}halloween/Copy (6612 bytes) /play (20048 bytes)@{ub} File id.Diz......: @{b} PROPHESY PRESENT HALLOWEEN DEMO 97 entitled "Trick or Treat"@{ub} > ------------------------------- INFO END -------------------------------- Thanx to Jon Adams, for the info about this archive. Read Markus Schmall's test of the @{" Ebola Virus " link ebola } Regards.... __ VirNet..: 9:451/247.0 __ /// @{b}Jan Andersen@{ub} FidoNet.: 2:237/38.100 \\\/// -------------- AmyNet..: 39:140/127.100 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @endnode @node vhelp-53.txt " ZIB linkvirus found (29.11.97) - By Jan Andersen" Hi All.... A new link-virus has been spread the last days. At this time no viruskiller is abel to find and kill this sucker. The virus has been send to all the major AntiVirus programmers, so it is only a matter of time, before the viruskillers can find and remove this 'sucker'. There is no known program or archive that spreads this new virus. All that we know of this new virus, is that it will add @{b}1260 bytes@{ub} to all programs that is executed. And with in these @{b}1260 bytes@{ub} that is added you can read "TRSi". Well, I don't think that TRSi has anything to do with this. As soon as a killer is released that will kill this virus, we will let you know so check your contacts or our homepage. Heiner Schneegold, programmer of VT has made a quick test of this sucker, and here is what he found out: @{b}ZIB-Virus verbogener Vektor: Loadseg LastAlert: "TRSi" Eigener Process: ZIB Fileverlaengerung: #1260 Bytes Link hinter 1.Hunk RTS wird in bra.s umgewandelt falls bsdsocket.lib vorhanden, Veraenderungen@{ub} Well, this is all we know for now. After we wrote the warning, a few killers has been updated so the they will be abel to find and kill this "ZIB" virus. @{b}VT v3.01 (30.11.97) - Heiner Schneegold FastVirusKiller v1.12 (29.11.97) - By Dave Jones AntiBeol v1.34a (29.11.97) - By Gideon Zenz KillAnother v1.00 (29.11.97) - By Harry Sintonen@{ub} You can download these killers from our homepage or support BBS. Thanx to @{b}Dave Jones, Harry Sintonen@{ub} and @{b}Jakob Anderson@{ub} for sending this new virus to us. It is on it's way to all major antivirus programmers. @{" Click here " link ZIB } to read Markus Schmall's test of the ZIB virus. Regards.... __ VirNet..: 9:451/247.0 __ /// @{b}Jan Andersen@{ub} FidoNet.: 2:237/38.100 \\\/// -------------- AmyNet..: 39:140/127.100 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @endnode @node kilhitch.lha " Installer for Hitch Hicker v2.11 (07.12.97) - Jan Andersen" Hi All !!! After many month, and we have been looking for this archive all over the world, we finally got it. Thanx to John. Well if you belive this archive, it is said to remove the Hitch Hiker virus but what it does is, that it will install the @{b}Hitch Hiker v2.11@{ub} link-virus in your system. Okay here is a little test of it: > ------------------------------- INFO START ------------------------------ Archive name.....: @{b}kilhitch.lha (or lzx)@{ub} Archive size.....: @{b}7765 bytes (ripped for BBS adds)@{ub} Infected File....: @{b}removehitcher/KillHitcher@{ub} Infected size....: @{b}3000 bytes.@{ub} File id.Diz......: @{b}!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! Have you got probs. with the HitchHiker! !! virus? It's a link-vir that can corrupt ! !! your archives....brand new and not kill-! !! able with VirusZ or VWS or VT or any ! !! other killer.. Except this one..Brought ! !! to you by Blister/PP and MAX/PP ! !! Download and be happy!!!!!!!!!!!!!!!!!!!!@{ub} > ------------------------------- INFO END -------------------------------- Thanx to John for mailing us this archive. Regards.... __ VirNet..: 9:451/247.0 __ /// @{b}Jan Andersen@{ub} FidoNet.: 2:237/38.100 \\\/// -------------- AmyNet..: 39:140/127.100 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @endnode @node vhelp-54.txt " ZIB linkvirus installer (05.12.97) - Jan Andersen" Hi All.... Well, now we finaly found the archive that installs the "@{b}ZIB@{ub}" link-virus. It s the command '@{b}spatch@{ub}' that will install this link-virus. I don't think that this version of '@{b}spatch@{ub}' came from GP Soft, some one have replaced the orginal '@{b}spatch@{ub}' with the installer version. So there for, take care when ever you meet the '@{b}spatch@{ub}' in an archive, and if the size is @{b}16716@{ub} bytes, don't use it. Here is some info about this archive: Archive name...: @{b}opus566p.lzx@{ub} Archive size...: @{b}138502 bytes (LZX packed)@{ub} Infector name..: @{b}spatch@{ub} Infector size..: @{b}16716 bytes (not packed)@{ub} Archive info...: @{b}Directory Opus 5 Magellan version 5.66 to 5.661 Upgrade Patch. (fake archive)@{ub} At ths time, no viruskiller will find this infector. But some of the anti- virus programs, will find and remove this 'ZIP' virus: @{b}VT v3.01 - By Heiner Schneegold FastVirusKiller v1.12 - By Dave Jines AntiBeol v1.34a - By Gideon Zenz Killanother1 v1.0 - By Harry Sintonen.@{ub} Thanx to Jakob Anderson for sending us this archive. @{" Click here " link ZIB } to read Markus Schmall's test of the ZIB virus. Regards.... __ VirNet..: 9:451/247.0 __ /// @{b}Jan Andersen@{ub} FidoNet.: 2:237/38.100 \\\/// -------------- AmyNet..: 39:140/127.100 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @endnode @node ZIB "ZIB linkvirus and installer - Test by Markus Schmall" Entry...............: ZIB Alias(es)...........: none Virus Strain........: - Virus detected when.: December 97 where.: Germany Classification......: Linkvirus,memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: ca. 1260/1264 Bytes (uses a polymorphic technic) 2. Length in RAM: xxxx Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+) Computer model(s)...: all models/processors (MC68000-MC68060) --------------------- Attributes --------------------------------------- Easy Identification.: none Type of infection...: Self-identification method in files: - none Self-identification method in memory: - searches for "TRSi" at LastAlert(Exec) System infection: - infects the following functions: Dos LoadSeg(), bsdsocket.library baseptrs Infection preconditions: - HUNK_HEADER and HUNK_CODE are found - device is validated - File must be smaller than $1e848 bytes Infection Trigger...: Accessing files via LoadSeg() It`s a typical infector. It cannot be rated as fast infector as it only infects at the above mentioned operations. Slow polymorphism technology or stealth techniques wasn`t found in this one. Storage media affected: all DOS-devices Interrupts hooked...: None Damage..............: Permanent damage: - none Transient damage: - none Damage Trigger......: Permanent damage: - none Transient damage: - None Particularities.....: The crypt/decrypt routines are partly aware of processor caches. The cryptroutine are non-polymorphic and consists of some logical stuff. The cryptword is $BABE. Similarities........: The linkmethod is camparable to all the HNY viruses. It will be tried to step $3e words back and check for an "rts" or a "nop" at the hunkend. The use of the bsdsocket library etc. shows some equalities to the latest hitchhiker viruses. NOTE: The installer itself links a 4 byte longer part to the original "c:\loadwb" and uses 2 patchcodes. Most viruskillers does not recognize this correct. VT 3.03 is doing it 100% right and VW should so, too. Stealth.............: no stealth function found. Armouring...........: readable text is crypted with a normal eor loop. Specialities........: The virus sends mails to the virusworkshop mailinglist. The list can be accessed using the virusworkshop@trsi.de account and was accessible even from external persons at that time. Now Vampire fixed this problem. The subject was: "Another 1 bites the dust" In the body the text: "Greetz to BEOL und BOKOR" can be found. The mail be remote send via the mailserver from the teuto.de domain via a special account. Comments............: The name ZIB appeared in the latest HitchHiker viruses, too. I suppose that this is somekind of virusclique pushing their actions. --------------------- Agents ------------------------------------------- Countermeasures.....: VT, VZ, FVK, VW above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hildesheim, Germany 17.01.1998. Classification by...: Markus Schmall Documentation by....: Markus Schmall (C) Date................: Jan, 01. 1998 Information Source..: Reverse engineering of original virus Copyright...........: This document is copyrighted and may be not used in any SHI publication ===================== End of ZIB virus ========================= @endnode @node vhelp-55.txt " Ebola infected archive (15.12.97) - Jan Andersen" Hi All.... Another archive has been found around the world, that is infected with the link-virus "@{b}Ebola@{ub}" link-virus. In the archive seven files is infected with "@{b}Ebola@{ub}" virus. All you got to do is to run one of the major antivirus programs eg. @{b}VirusZ, VT@{ub} or @{b}VirusWorkshop@{ub}, and let the viruskiller remove this virus. Here is some info about the trojan archive: > ------------------------------- INFO START ------------------------------ Archive name.....: @{b}CPU-MV31.LHA (or lzx)@{ub} Archive size.....: @{b}108665 bytes (ripped for BBS adds)@{ub} Infected File....: @{b}CPU-MULTIVIEW.LHA/MultiView (8772 Bytes)@{ub} File id.Diz......: @{b} ________ ________ ____ t! _\ ._/_\_ / /---/_ _____________ _ / |_ /____/ / /// c . p . u \______/______| \________\ . . . MultiView (version 3.1) . 100% denerved! . . .10.12.97. .yELLOW wATER.@{ub} > ------------------------------- INFO END -------------------------------- Thanx to Johnny Sandstroem, for the info about this archive. @{" Click here " link ebola } to read Markus Schmall's test of Ebola link-virus. Regards.... __ VirNet..: 9:451/247.0 __ /// @{b}Jan Andersen@{ub} FidoNet.: 2:237/38.100 \\\/// -------------- AmyNet..: 39:140/127.100 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @endnode @node vhelp-56.txt " Ebola & HNY 96' infected archives (22.12.97) - Jan Andersen" Hi All.... A few archives has been found that contains "@{b}Happy New Year 96@{ub}" and "@{b}Ebola@{ub}" link-virus. All you got to do is to run one of the major antivirus programs eg. @{b}VirusZ, VT or VirusWorkshop@{ub}, and let the viruskiller remove this virus. I found a warning written by '@{b}CHILL@{ub}' about these infected archives. And he wrote about a virus called '@{b}Vera 2.3@{ub}', I had never heard about this virus, I found the archive, and made a test of the file. Is @{b}NOT@{ub} a virus/trojan it is a fail recog. by VirusZ II. I'll post a letter to the programmer, and I guess that it will removed in the next update. So there is @{b}NO@{ub} virus in the archive '@{b}DS-POC.LHA@{ub}'. Here is some info about the infected archives: > ------------------------------- INFO START ------------------------------ Archive name.....: @{b}D-S_MK2.LHA (or lzx)@{ub} Archive size.....: @{b}2832772 bytes.@{ub} Infected File....: @{b}MK2@{ub} Infected with....: @{b}Ebola Link-virus@{ub} File id.Diz......: @{b} .---- \ ___|__ / __/__ !!MERRY X-MAS!! .--./ / \____ \.--------------. |;)|_ /| ___/ |mORtAL kOMbAT2| | /_________\^/ ! ORG. PAL VER | | <- - -- --- -----! hD Fixed | | hAvE PhUN!!!!! | `--------------------------[17.12.97]-'@{ub} @{" Click here " link ebola } to read the Ebola Test by Markus Schmall. Archive name.....: @{b}D-S_ZW2.LHA (or lzx)@{ub} Archive size.....: @{b}488796 Bytes@{ub} Infected Files...: @{b}Zeewolf2_HD@{ub} @{b}Z2Boot@{ub} Infected with....: @{b}Ebola Link-virus@{ub} File id.Diz......: @{b} .---- \ ___|__ / __/__ !!MERRY X-MAS!! .--./ / \____ \.--------------. |;)|_ /| ___/ | Zeewolf iI | | /_________\^/ ! | | <- - -- --- -----! hD Fixed | | hAvE PhUN!!!!! | `--------------------------[17.12.97]-'@{ub} @{" Click here " link ebola } to read the Ebola Test by Markus Schmall. Archive name.....: @{b}ORG3_3.LHA (or lzx)@{ub} Archive size.....: @{b}569935 bytes.@{ub} Infected File....: @{b}aSCi.exe@{ub} Infected with....: @{b}Happy New Year 96 Link-virus@{ub} File id.Diz......: @{b}_ _ _ ___ _____ ______ __ __ _( _(____( ___(____) /___) \/ (_. \______ (/ _ / _ \/ / \) ______\ _. /) /__/ | /_______( \_( |______/ /_____| sCUm pRESENTs - oRGAZm iSSUe #3 3/3 _ ________________________________ _@{ub} @{" Click here " link happy } to read the HNY 96' Test by Markus Schmall. > ------------------------------- INFO END -------------------------------- Thanx to @{b}Chill@{ub}, for the info about this archives. Regards.... __ VirNet..: 9:451/247.0 __ /// @{b}Jan Andersen@{ub} FidoNet.: 2:237/38.100 \\\/// -------------- AmyNet..: 39:140/127.100 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk @endnode @node vhelp-57.txt " Happy New Year 98' linkvirus (04.01.98) - Jan Andersen" Hi All.... Happy New Year 98 to you all. There is a little more behind these words, a new linkvirus has been found, and it is " @{b}Happy New Year 98@{ub} ". It will add @{b}920 bytes to every executed file@{ub}. You can within the last 30 bytes of the infected file read "Happy New Year 98". We do not know of any installers or infected archives with this new virus, so if you find the installer, please mail it to me. The famos virus-killer @{b}VT by Mr. Heiner Schneegold@{ub} has now been updated to version @{b}3.03@{ub}, and it will find and remove the Happy New Year 98' virus. You can get the VT v3.03 archive from our homepage, or a BBS near you. Thanx to @{b}Gerald Schnabel@{ub} for sending us the infected file. @{"Read about" link vhelp-58.txt } the first found archive infected with "Happy New Year 98" virus. Regards.... __ VirNet..: 9:451/247.0 __ /// @{b}Jan Andersen@{ub} FidoNet.: 2:237/38.100 \\\/// -------------- AmyNet..: 39:140/127.100 \XX/ VIRUS HELP DENMARK E-Mail..: vht-dk@post4.tele.dk http://home4.inet.tele.dk/vht-dk @endnode @node vhelp-58.txt " w9-sex.lzx infected with HNY 98 virus (04.01.97) Jan Andersen" Hi All.... The first infected archive with the new "@{b}Happy New Year 98@{ub}" linkvirus has now been found. We don't think that this archive is the installer of this new virus, so I guess that we are still looking for the it. If you find it, plaese mail it to us, or supload it to one of our support BBS'es. If your system has been infected, plaese use @{b}VT v3.03@{ub} to remove it. Here is some info about the infected archives: > ------------------------------- INFO START ------------------------------ Archive name.....: @{b}w9-sex.lzx@{ub} Archive size.....: @{b}187786 bytes (Ripped for BBS adds).@{ub} Infected File....: @{b}SeXtrO@{ub} Infected Size....: @{b}212396 bytes (Packed with CrunchyDat 1.0) 892996 bytes (unpacked)@{ub} Infected with....: @{b}Happy New Year 98 Link-virus.@{ub} File id.Diz......: @{b} ______ _____ ______ ______ _\ /__\ _\ __ \_\ __ \ /_ / ( / / / /n _ / _ i \___ ___/ \ \ n ry! \__ /____\/____\ ___\ e ______ _ W A R P 9 _ _____ | p.r.e.s.e.n.t.s | | - - ------------- - - | | S E X T R O | | | | TiTTEN-TuSSiS-GuTe LAUNe | | | `-[W9]--- - - --------'@{ub} > ------------------------------- INFO END -------------------------------- Thanx to @{b}Ramon@{ub}, for sending this archive to us. @{" Read our first " link vhelp-57.txt } warning about the "Happy New Year 98" virus. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-v059.lha " Happy New Year 98' infected archive 1998 Jan Andersen" Hi All.... Another infected archive with the new @{b}"Happy New Year 98"@{ub} linkvirus has now been found. We don't think that this archive is the installer of this new virus, so I guess that we are still looking for the it. If you find it, plaese mail it to us, or supload it to one of our support BBS'es. If your system has been infected, plaese use VT v3.03, VirusWorkshop v6.8 Virus_Checker II v1.1 (brain v2.2), VirusZ II v1.42 (bug-Fixed) and also FastVirusKiller v1.17 to remove it. Here is some info about the infected archives: > ------------------------------- INFO START ------------------------------ Archive name.....: @{b}CNS-BGE.LHA@{ub} Archive size.....: @{b}35564 bytes (Ripped for BBS adds).@{ub} Infected File....: @{b}BGEDIT/BGEDIT@{ub} Infected Size....: @{b}27068 bytes (Packed with CrunchMania Normal)@{ub} Infected File....: @{b}BGEDIT/LIBS/iff.library 4080 bytes (not packed)@{ub} Infected with....: @{b}Happy New Year 98 Link-virus@{ub} File id.Diz......: @{b} ___ ______ __ __________ _____ / | .\ \| | _/ .\ | __/ / ._|_ | \ \\ |__ \ | \ -|-._)_ \ ` / ` \ \ | \` \ | / \___/_____/_|__|____/___/___|_/ ((((( H E L L A M I G A )))))) | | | AMiGA-Tool to convert | | SNES, NES, SATURN, PSX, PCE! | |Graphics to IFF-AMIGA Format!! | | | `-------------------------------'@{ub} > ------------------------------- INFO END -------------------------------- Thanx to @{b}Arne Jensen@{ub}, for sending this archive to us. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-dk61.lha " Happy New Year 96' infected archive 1998 Jan Andersen" Hi All.... I'm sorry to say this, but I was to fast when I wrote about the archive '@{b}CBS-ETIT.LZX@{ub}' and the 'happy New Year 96' linkvirus. At this time @{b}only @{b}VT 3.04@{ub} and @{b}VirusZ II v1.42a@{ub} can find this HNY-96 'hunk 11' virus. Thanx to Mr. Schneegold for correcting me in this matter.... Here is some info about the infected archives: > ------------------------------- INFO START ------------------------------ Archive name.....: @{b}CBS-ETIT.LZX@{ub} Archive size.....: @{b}27678 bytes (Ripped for BBS adds).@{ub} Infected File....: @{b}CBS-Intro/Eternity.exe@{ub} Infected Size....: @{b}26736 bytes (Packed with StoneCracker 4.04) 58068 bytes unpacked.@{ub} Infected with....: @{b}Happy New Year 96 link-virus (hunk 11)@{ub} File id.Diz......: @{b} .__ .____.____.____.____.___ | |_ /| /| /|_ /| /_|`---. .--- \__\` / ` / ` / ` / ` __/`/___|---. | - take us to your dealer! - | |presents: | | BBSIntro for ETERNiTY | | | `------------------------------------------'@{ub} > ------------------------------- INFO END -------------------------------- Thanx to @{b}Johnny Hansen@{ub}, for sending this archive to us. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-dk62.lha " Max BBS Trojan Type A - 1998 Jan Andersen" Hi All.... Well, I't looks like some little stupid guy someware in England, has been starting writing trojan's in AMOS. These trojan's are made to destroy the BBS system 'MAX'. It will delete almost every BBS file on the system, and also files like Startup-Sequence, c:dir and more. The guy behind these new trojans are a guy that calls himself @{b}"Cactus^Jack"@{ub}. And he must be trying to remove anything about him self, as this trojan is looking for a file with the name "bbs:userfiles/cactus", if this is found it will be deleted. This warning is for the archive "@{b}JC_SpiceGirls.LHA@{ub}". If you run this shit, a picture will be shown on your screen, with the text: Juraccis Cactus Presents Spice Girls Megamix Byt here is some info about the trojan: > ------------------------------- INFO START ------------------------------ Archive name.....: @{b}JC_SpiceGirls.LHA@{ub} Archive size.....: @{b}60482 bytes (Ripped for BBS adds).@{ub} Trojan File......: @{b}Jc-Spice.exe@{ub} Trojan Size......: @{b}111524 bytes (Packed with AMOS Pro Compiler v2.00) File id.Diz......: Jurasic Cactus Present Spice Girl Megamix Demo ! Coded By : c-jack Musax By : Bigo H release at The Gathering 97 demo comp@{ub} > ------------------------------- INFO END -------------------------------- Thanx to Dave Buckley, for sending this archive to us. This archive is on it's way to every antivirus programmer, that accepts new viruses/trojans from us. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-dk63.lha " Max BBS Trojan Type A - 1998 Jan Andersen" Hi All.... Well, I't looks like some little stupid guy someware in England, has been starting writing trojan's in AMOS. These trojan's are made to destroy the BBS system 'MAX'. It will delete almost every BBS file on the system, and also files like Startup-Sequence, c:dir and more. The guy behind these new trojans are a guy that calls himself @{b}"Cactus^Jack"@{ub}. And he must be trying to remove anything about him self, as this trojan is looking for a file with the name "bbs:userfiles/cactus", if this is found it will be deleted. This warning is for the archive "@{b}nce-tri9.lha@{ub}". Here is some info about the trojan: > ------------------------------- INFO START ------------------------------ Archive name.....: @{b}nce-tri9.lha@{ub} Archive size.....: @{b}47587 bytes (Ripped for BBS adds).@{ub} Trojan File......: @{b}Trilobyte!_9.exe@{ub} Trojan Size......: @{b}46264 bytes (Packed with Powerpacker 4) 71468 bytes unpacked.@{b} File id.Diz......: @{b} ______ __ _ _____ ___ _ ___/.__.\_________/.__.\_/ \____ / .__: :_._ ______: :___/\_____\ ? : \ :| | \/ ._\ \ :| _ // ___// | |: \ || : \\ _/ \ \ || \/\ _)__\_ | || |\_|____/_| \\|\_|____/__ / ? |-|__|---------|____\----------\/---| | ...brings ya... | | ...Trilobyte! #9! | | | | tHIS iS tHE bEST yET dOODZ!!!!!! | `-----------------------------------'@{ub} > ------------------------------- INFO END -------------------------------- Thanx to Dave Buckley, for sending this archive to us. This archive is on it's way to every antivirus programmer, that accepts new viruses/trojans from us. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-dk64.lha " Max BBS Trojan Type A - 1998 Jan Andersen" Hi All.... Well, I't looks like some little stupid guy someware in England, has been starting writing trojan's in AMOS. These trojan's are made to destroy the BBS system 'MAX'. It will delete almost every BBS file on the system, and also files like Startup-Sequence, c:dir and more. The guy behind these new trojans are a guy that calls himself "@{b}Cactus^Jack@{ub}". And he must be trying to remove anything about him self, as this trojan is looking for a file with the name "bbs:userfiles/cactus", if this is found it will be deleted. This warning is for the archive "@{b}SPICE_POWER.lha@{ub}" Here is some info about the trojan: > ------------------------------- INFO START ------------------------------ Archive name.....: @{b}SPICE_POWER.lha@{ub} Archive size.....: @{b}36539 bytes (Ripped for BBS adds).@{ub} Trojan File......: @{b}SpicePower97@{ub} Trojan Size......: @{b}57820 bytes (AMOS Pro Compiler v2.00 Cruncher)@{ub} File id.Diz......: @{b}ZENGO SPICE POWER MEGAMIX 1997! If ya like the Spice Girls, GET THIS!@{ub} > ------------------------------- INFO END -------------------------------- Thanx to Dave Buckley, for sending this archive to us. This archive is on it's way to every antivirus programmer, that accepts new viruses/trojans from us. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-dk65.lha " Max BBS Trojan Type A - 1998 Jan Andersen" Hi All.... Well, I't looks like some little stupid guy someware in England, has been starting writing trojan's in AMOS. These trojan's are made to destroy the BBS system 'MAX'. It will delete almost every BBS file on the system, and also files like Startup-Sequence, c:dir and more. The guy behind these new trojans are a guy that calls himself "@{b}Cactus^Jack@{ub}". And he must be trying to remove anything about him self, as this trojan is looking for a file with the name "bbs:userfiles/cactus", if this is found it will be deleted. This warning is for the archive "@{b}Mpeopledemo.lha@{ub}" This archive was corupt when I recived it, and I could only unpack a part of it, but the trojan code in in there. I could not run the trojan on my system, so I don't know if it works. Here is some info about the trojan: > ------------------------------- INFO START ------------------------------ Archive name.....: @{b}Mpeopledemo.lha@{ub} Archive size.....: @{b}49137 bytes (Ripped for BBS adds).@{ub} Trojan File......: @{b}Mpeople.exe@{ub} Trojan Size......: @{b}122408 bytes (Packed ????? don't know)@{ub} File id.Diz......: @{b}.------------------------------------------. | M-PEOPLE SLIDESHOW | | | | CODED BY THE TRS CREW | | MUSAK BY : UNKNOWN | | DIGI PICS BY : IVAN GORGU | `------------------------------------------'@{ub} > ------------------------------- INFO END -------------------------------- Thanx to Dave Buckley, for sending this archive to us. This archive is on it's way to every antivirus programmer, that accepts new viruses/trojans from us. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-dk66.lha " Max BBS Trojan Type A - 1998 Jan Andersen" Hi All.... Well, I't looks like these 'AMOS' programmed trojans are comming. I have recived the archive via InterNet. It has been online on Aminet, so if you have downloaded it there, take care..... The trojan will delete (SnoopDOS.log): Count Process Name Action Target Name Res. ----- ------------ ------ ----------- ---- 1 ReOrgIt.exe Delete DH0:S/startup-sequence OK 2 ReOrgIt.exe Delete DH0:S/User-startup OK 3 ReOrgIt.exe Delete DH0:S/*.* Fail Here is some of the text strings you can read in the file: @{b}HAHAHA, your HD is stuffed Prepare to DIE@{ub} Here is some info about the trojan: > ------------------------------- INFO START --------------------------- Archive name.....: @{b}ReOrgIt.lha@{ub} Archive size.....: @{b}52279 bytes (Ripped for BBS adds).@{ub} Trojan File......: @{b}ReOrgIt.exe@{ub} Trojan Size......: @{b}60732 bytes (Packed ????? don't know)@{ub} File info........: @{b}EXCELLENT HD Reoganizer program 65% speed.@{ub} > ------------------------------- INFO END ----------------------------- Thanx to Raymond Lagerwey, for sending this archive to us. This archive is on it's way to every antivirus programmer, that accepts new viruses/trojans from us. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-dk67.lha " Miami Fake Keyfile checker Trojan (19.03.98) - Jan Andersen" Hi All.... Well, a new trojan has been found. The programs say's that it will check if your fake miami keyfiles is okay to you. Don't belive this at all. It will infect your system. But there is a rescue. Heiner Schneegold has released a new update of his great viruskiller "VT" today. @{b}VT v3.08@{ub} can be found on our @{" homepage.... " link teamdk } Here is some info about the trojan: > ------------------------------- INFO START --------------------------- Archive name.....: @{b}PHK-MKEY.lzx@{ub} Archive size.....: @{b}2185 bytes (Ripped for BBS adds).@{ub} Trojan File......: @{b}mkey.exe@{ub} Trojan Size......: @{b}1880 bytes@{ub} File info........: @{b}.--------------------------------------. |So rumour has it Holger has released a| |virus to harm users with fake miami | |keyfiles. This will check your keys to| |ensure its safe to use, dEN saves ya | |and fists Holgers ass! | `--------------------------------------' }-- dEN 3/3/98 pHuKeRs --{@{ub} > ------------------------------- INFO END ----------------------------- Thanx to @{b}Heiner Schneegold@{ub} for the info about this archive. This archive is on it's way to every antivirus programmer, that accepts new viruses/trojans from us. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-dk68.lha " Happy New Year Infected archive - (15.04.98) (c) VHT-DK" Hi All.... Well, a new archive has been found that is infected with the 'Happy New Year 96' linkvirus. And there should be no problems, since all the major antivirus programs can find and remove this virus. Here is some info about the trojan: > ------------------------------- INFO START --------------------------- Archive name.....: @{b}PHT-Suns.lzx@{ub} Archive size.....: @{b}4755 bytes (Ripped for BBS adds).@{ub} Infected File....: @{b}Sunscream.exe@{ub} Infected Size....: @{b}4368 bytes (Packed with StoneCracker 4.04)@{ub} File info........: @{b}Phase Truce - 4kb intro for Rush Hours'98@{ub} > ------------------------------- INFO END ----------------------------- @{" Click Here " link happy "} to read the VTC test of Happy New Year virus. Thanx to @{b}Peter Hansen@{ub}, for the info about this archive. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-dk69.lha " Happy New Year Infected archive - (09.05.98 (c) VHT-DK)" Hi All.... Well, a new archive has been found that is infected with the 'Happy New Year 96' linkvirus. And there should be no problems, since all the major antivirus programs can find and remove this virus. Just remember to remove the virus, before starting the program..... Here is some info about the trojan: > ------------------------------- INFO START --------------------------- Archive name.....: @{b}FFFF.LHA@{ub} Archive size.....: @{b}454.455 bytes (Ripped for BBS adds).@{ub} Infected File....: @{b}NlsForFun.exe@{ub} Infected Size....: @{b}34792 bytes (Packed with PowerPacker 4) 160108 bytes (Unpacked)@{ub} Infected with....: @{b}Happy New Year 1996 - Linkvirus.@{ub} File info........: @{b} ___ __ __ __ ___ __ ____ __ __ ___ `-- Y ' _/ __) Y --'-. | | ! | \| ' | -' | ! |---- | `---'--^-----^--!___)----^-----^-----^-----' NUKLEUS gives you a GAME with suprises...!! ____ ____ ____ ____ /\ ! |::::| |::::| |::::| |::::| //\FREE! |::__ |::__ |::__ |::__ ///\COOL! |::::| |::::| |::::| |::::| \\\/NICE! |::| |::| |::| |::| \\// ! |::| ist |::| ight |::| or |::| reedom !! ---------------------------------------bZ-'@{ub} > ------------------------------- INFO END ----------------------------- @{" Click Here " link happy "} to read the VTC test of Happy New Year virus. Thanx to @{b}Torben Danoe@{ub}, for the info about this archive. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-dk70.lha " Happy New Year Infected archive - (20.06.98 (c) VHT-DK)" Hi All.... Another infected archive with the new @{b}"Happy New Year 96'"@{ub} linkvirus has now been found. The archive have been spread via AmiNet, but we have told the people behind AmiNet about this archive, and we hope that they will remove it. If your system has been infected, plaese use @{b}VT v3.08, VirusWorkshop v6.9 Virus_Checker II v1.5 and VirusZ II v1.43.@{ub} Here is some info about the infected archives: > ------------------------------- INFO START ----------------------------- Archive name.....: @{b}WinTool.lha@{ub} Archive size.....: @{b}13461 bytes (Ripped for BBS adds).@{ub} Infected File....: @{b}WinTool (version 1.1)@{ub} Infected Size....: @{b}15296 bytes@{ub} Infected with....: @{b}Happy New Year 96 Link-virus@{ub} Archive info.....: @{b}This program will get information from another window, and give the option to manipulate it. Close it, change it, move it... Full source included. It is compiled in debug mode, so it will be easy to find bugs. It should be really easy to recompile it with no debug.@{ub} > ------------------------------- INFO END -------------------------------- @{" Click Here " link happy "} to read the VTC test of Happy New Year virus. Thanx to @{b}George Barkouris@{ub}, for sending this archive to us.@{ub} Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Team Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-dk71.lha " Max BBS Trojan #4 - (29.06.98 (c) VHT-DK)" Hi All.... A new trojan has been found. Again it is aimed for '@{b}Max BBS' systems@{ub}. The trojan will (if you run it), make 4 files in RAM: runit, runit.info, yes, yes.info., and within the next seconds the system will reboot and execute "RAM:runit < ram.yes d scsi.device", and will write 0 RIGID. It is 'only' SCSI device and 'only' unit '0' that is going to be damaged. The archive has been send to all the major antivirus programmers.... Here is some info trojan archive: > ------------------------------- INFO START ----------------------------- Archive name.....: @{b}maxsafe.lha@{ub} Archive size.....: @{b}12136 bytes (Ripped for BBS adds).@{ub} Infected File....: @{b}maxsafe@{ub} Infected Size....: @{b}5008 bytes@{ub} File_id.diz......: @{b}Help stop your BBS from crashing by finding those faulty doors@{ub} > ------------------------------- INFO END -------------------------------- Thanx to @{b}Dave Buckley@{ub} and @{b}Colin Wilson@{ub}, for sending this archive to us. Thanx to @{b}Mr.Heiner Schneegold@{ub} for the test of this archive Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Team Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-dk72.lha " Max BBS trojan (30.08.98) 1998 Jan Andersen" Hi All.... A new trojan has been found. Again it is aimed for @{b}'Max BBS'@{ub} systems. The trojan will (if you run it), delete almost everything from your system. I will also delete it self at the end. At this time we do not have the hole archive, we only have the trojan it self. The file has been send to all the major antivirus programmers.... Here is some info trojan archive: > ------------------------------- INFO START ----------------------------- Archive name.....: @{b}?@{ub} Archive size.....: @{b}? bytes (Ripped for BBS adds).@{ub} Infected File....: @{b}UnpackJPEG@{ub} Infected Size....: @{b}27856 bytes@{ub} File_id.diz......: > ------------------------------- INFO END -------------------------------- Thanx to @{b}Dave Buckley@{ub}, for sending this file to us. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Team Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-dk73.lha " PolishPower link virus (09.08.98) 1998 Jan Andersen" Hi All.... Another new linkvirus has been found. The archives name is still unknown all we have is the main file. It is a @{b}fake version of AMFTP v1.91@{ub}. If you run this program, @{b}5000 bytes@{ub} will be added to every file that is run. If you decode the virus, you can read @{b}"POLISHPOWER-Virus"@{ub} in the text. Here is some info about the infected file: > ------------------------------- INFO START ----------------------------- Archive name.....: @{b}?@{ub} Archive size.....: @{b}? bytes (Ripped for BBS adds).@{ub} Infected File....: @{b}AMFTP (version 1.91)@{ub} Infected Size....: @{b}126316 bytes@{ub} Archive info.....: > ------------------------------- INFO END -------------------------------- @{b}If you find an archive that contains AMFTP with the size "126316" bytes, please send it to me, or upload it to one of our support BBS'es.@{ub} Thanx to @{b}Mr. Heiner Schneegold@{ub} for the fast test of this file. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Team Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-dk74.lha " Fungus/lsd virus (22.09.98) 1998 Jan Andersen" Hi All.... Another new virus has been found. The installer and infected archives is still unknown. All we have is some infected files. If you have this new virus on your system, every infected file will be @{b}added 760 bytes@{ub}. If you decode the virus part, you can read @{b}"fungus/lsd"@{ub} in a text-string. The major anti-virus programs "VT", "VirusChecker II" and "VirusZ", will be released in the near future, and they will be abel to find and remove this new virus. BUT: "Digital Corruption" has released a littel "fungus killer/disable", that will disable the virus. So if your system is infected with this new virus use the program from "Digital Corruption". The archive name of the littel disabler is "DC-FNG11.LHA". You should be abel to find the archive on a BBS near you, or get it from Virus Help Denmarks homepage. (Adress in the sign.) Thanx to @{b}"RAM"@{ub}, for this little killer/disabler... Thanx to @{b}Mr. Heiner Schneegold@{ub} for the fast test of this file. Thanx to @{b}Kisa@{ub} and @{b}Jeff German@{ub} for sending me the infected files. PS. @{" Click here " link vht-dk75.lha} to read about the installer of 'Fungus/lsd' virus. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Team Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-dk75.lha " Fungus/lsd indtsller found (23.09.98) 1998 Jan Andersen" Hi All.... The archive that installs the new @{b}"fungus"@{ub} virus is found. I have now recived 4 archives from all over the world (Australia, USA, Germany and Denmark). Everyone of the contains the same files, and the same file contains the 'fungus' virus in every archive. Here is some info about the 'fungus' archive: > ------------------------------- INFO START ----------------------------- Archive name.....: @{b}M31H_CRK.LHA@{ub} Archive size.....: @{b}436085 bytes (Ripped for BBS adds).@{ub} Infected File....: @{b}Miami_BETA/MUI.MiamiGui@{ub} Infected Size....: @{b}127360 bytes@{ub} File_id.diz......: @{b}.------------------------------------------. | | | Miami 3.1h BETA | | | | TOTALLY CRACKED AND ALL HOLGER BACKDOOR | | SHIT REMOVED FOR YOUR PLEASURE! | | CANT THE BIG GROUPS CRACK THIS??? | | | | CRACKED FOR YOU BY HOLGWHORE KRUDE | | | `------------------------------------------'@{ub} > ------------------------------- INFO END -------------------------------- Thanx to @{b}Ian, Michael, Peter@{ub} and @{b}Thomas@{ub}, for sending this file to us. PS. @{" Click here " link vht-dk74.lha} to read the first warning about the 'Fungus/lsd' virus. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// -------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Team Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0 @endnode @node vht-dk76.lha " datatypes.library v4.55 Trojan found (11.12.98) 1998 Jan Andersen" Hi All.... A new trojan has been found. This trojan was on AmiNet, but it has been removed now. It is a fake @{b}'datatypes.library v45.5'@{ub}. And it will if you are on InterNet and using 'Miami', send a e-mail to a Hotmail adress with your name and password. So if you have installed this version, get rid of it and install the v4.54 update (You can find this on AmiNet). Here is some info about the fake 'datatypes.library': > ------------------------------- INFO START ----------------------------- Archive name.....: @{b}dtypes455upd.lha@{ub} Archive size.....: @{b}27.990 bytes@{ub} Trojan File......: @{b}datatypes.library@{ub} Trojan Size......: @{b}32748 bytes@{ub} > ------------------------------- INFO END ------------------------------- @{b}Note:@{ub} In May 1988, the same datatypes.library trojan was found, but with another file lenght (32832 Bytes). VT v3.10 will find this version, but not the new (yet!). In a few other text files, DC has been blamed for this and other trojans, I think that it is not true. Why should DC do this?. Thanks to Matthew for sending archives, and to Mr. Heiner Schneegold and Fridrik for the test and info. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// ------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Team Denmark AmyNet..: 39:140/127.100 \XX/ @{b}www.vht-dk.dk@{ub} VirNet..: 9:451/247.0 @endnode @node vht-dk77.lha " Birthday Trojan & Dropper found (15.12.98) 1998 Jan Andersen" Hi All.... A new trojan has been found. This trojan was found on AmiNet, but we hope that it has been removed there. It is said to be a AGA Demo, made by some guy called SubZero. It will send a e-mail to a Hotmail adress (just like the datatypes.library trojan), but this time it will also install a new linkvirus. This virus will add about @{b}15k@{ub}, to some files on your system. At this time there is no cure for this trojan/virus. As soon as there is a program to remove this 'sucker', we will have it on our homepage, you can find it there. If your system has been infected with this trojan/virus, you can check the date for infected files, if you installed it on the 15'th, the date will be the 15'th on your system. Just replace every file with this date woth clean one's, for fresh archives of floppy disk's. This is all that you can do for now (sorry). Here is some info about the trojan/virus: > ------------------------------- INFO START ----------------------------- Archive name.....: @{b}birthday.lha@{ub} Archive size.....: @{b}497.365 bytes@{ub} Trojan File......: @{b}birthday@{ub} Trojan Size......: @{b}703.664 bytes@{ub} Virus Size.......: @{b}About 15.000 bytes@{ub} > ------------------------------- INFO END ------------------------------- We hope to have a killer ready for this very soon. @{b}Note (27 Dec. 1998):@{ub} -------------------- @{b}xvs.library v33.15@{ub} has been released, and will find and repair infected files. You can use xvs.library with these antivirus programs @{b}VirusZ II, VirusChecker II@{ub} and @{b}VirusExecutor@{ub}. Thanks to @{b}Ramon, Buzz, Paul Pacheco@{ub} and many more, for sending archives and infected files. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// ------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ www.vht-dk.dk VirNet..: 9:451/247.0 @endnode @node vht-dk78.lha " Fake CygnusEd v4.17 (06.02.99) 1999 Jan Andersen" Hi All.... A new virus trojan has been found. It is said to be a new update of the wellknown program @{b}'CygnusEd v4.17"@{ub}. But if you start CED it will change the size of your 'c:mount' command and @{b}add 800 bytes@{ub}, and make the new size 7388 bytes. Here is some info about the trojan/virus: > ------------------------------- INFO START ----------------------------- Archive name.....: @{b}HF-CD417.LHA@{ub} Archive size.....: @{b}306.382 bytes@{ub} Trojan File......: @{b}CygnusED/CED@{ub} Trojan Size......: @{b}169.872 bytes@{ub} Virus infect.....: @{b}c/mount (new size 7388 bytes)@{ub} Virus size.......: @{b}800 bytes@{ub} > ------------------------------- INFO END ------------------------------- We hope to have a killer ready for this very soon. Thanks to iknow@, for sending archives and infected files. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// ------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ @{b}www.vht-dk.dk@{ub} VirNet..: 9:451/247.0 @endnode @node vht-dk79.lha " Fake Miami DeLuxe v0.9c (06.02.99) 1999 Jan Andersen" Hi All.... The installer of the new link-virus @{b}"STD-Crabs_1"@{ub} have been found. It is a fake version of @{b}"Miami DELUXE 0.9c"@{ub}. If you run the file "MiamiDx.beta" from the archive, it will infect every executed file with the "STD-Craps" virus. At this time only the viruskiller 'VT v3.14' is abel to find and remove this virus. VirusZ, VirusChecker and xvs.library will be updated as soon as possible. Here is some info about the trojan/virus: > ------------------------------- INFO START ----------------------------- Archive name.....: @{b}mdlx09c.lha@{ub} Archive size.....: @{b}882.398 bytes@{ub} Dropper File.....: @{b}MiamiDx_Install/MiamiDx.beta@{ub} Dropper Size.....: @{b}439.724 bytes@{ub} Virus installed..: @{b}STD-Crap linkvirus@{ub} File_Id.Diz......: @{b} ___ fASt iNT3RNEt sERV _(___) _______ _____ _____ \ \ __.\ ._ \__\__ \__\ \__ / /[__ |/ / /___/_ __/ [sTZ!] /___/ |___| /.________/_____| -----------/_____|------------------------. | | | Miami DELUXE 0.9c | | keyfiles with this pack | | | `------------------------------------------'@{ub} > ------------------------------- INFO END ------------------------------- Thanks to @{b}David Knell@{ub}, for sending archives and infected files. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// ------------- FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ @{b}www.vht-dk.dk@{ub} VirNet..: 9:451/247.0 @endnode @node vht-dk80.lha " FastIPrefs 40.37 Trojan (13.07.99) 1999 Jan Andersen" Hi All.... A new trojan have been found on Aminet today. This trojan is like the "datatypes.trojan", it will send a e-mail using the bdsocket.library and Miami to the President of Amiga Inc, with a sick and senselles message. We are also sure that this is not the last trojan of this kind this time so be carefull what you install. Here is some info about the archive: Name........ : @{b}FastIPrefs@{ub} Archive name : @{b}FastIPrefs4037.lha@{ub} Archive size : @{b}41.583 bytes@{ub} Short desc.. : @{b}FastIPrefs 40.37 & FastWBPattern 40.06@{ub} This trojan has been sendt to all the antivirus programmers and thay will make recog. for this trojan in the next update. The archives will be removed from Aminet as soon as possible. Thanx to @{b}Alex van Niel@{ub} for the fast test. And to Mark de Jong, Yiannis, Petra Struck & Martin Lindhorst for the first reports about this trojan. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// ------------ FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ @{b}www.vht-dk.dk@{ub} VirNet..: 9:451/247.0 @endnode @node vht-dk81.lha " Patch CopyMem Trojan (13.07.99) 1999 Jan Andersen" Hi All.... A new trojan have been found on Aminet today. This trojan is like the @{b}"datatypes.trojan"@{ub}, it will send a e-mail using the bdsocket.library and Miami to the President of Amiga Inc, with a sick and senselles message. We are also sure that this is not the last trojan of this kind this time so be carefull what you install. Here is some info about the archive: Name........ : @{b}Patch CopyMem@{ub} Archive name : @{b}CMQ060.lha@{ub} Archive size : @{b}12.183 bytes@{ub} Short desc.. : @{b}Patch CopyMem/Quick for 68060(040) v1.5@{ub} This trojan has been sendt to all the antivirus programmers and thay will make recog. for this trojan in the next update. The archives will be removed from Aminet as soon as possible. Thanx to @{b}Alex van Niel@{ub} for the fast test. And to Mark de Jong, Yiannis, Petra Struck & Martin Lindhorst for the first reports about this trojan. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// ------------ FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ @{b}www.vht-dk.dk@{ub} VirNet..: 9:451/247.0 @endnode @node vht-dk82.lha " PoolMem v1.45 Trojan (14.07.99) 1999 Jan Andersen" Hi All.... A new trojan have been found on Aminet today. This trojan is like the @{b}"datatypes.trojan"@{ub}, it will send a e-mail using the bdsocket.library and Miami to the President of Amiga Inc, with a sick and senselles message. We are also sure that this is not the last trojan of this kind this time so be carefull what you install. Here is some info about the archive: Name........ : @{b}Poolmem v1.45@{ub} Archive name : @{b}Poolmem.lha@{ub} Archive size : @{b}67.918 bytes@{ub} Short desc.. : @{b}Memory defragmentizer/AllocP superset@{ub} This trojan has been sendt to all the antivirus programmers and thay will make recog. for this trojan in the next update. The archives will be removed from Aminet as soon as possible. Thanx to @{b}Heiner Schneegold@{ub} for the fast test. And to Mark de Jong, Yiannis, Petra Struck & Martin Lindhorst for the first reports about this trojan. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// ------------ FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ @{b}www.vht-dk.dk@{ub} VirNet..: 9:451/247.0 @endnode @node vht-dk83.lha " PoolMem v1.45 Trojan (14.07.99) 1999 Jan Andersen" Hi All.... A new trojan have been found on Aminet today. But it has been removed, but this might have been spread, so take care... The trojan will after it has been executed, replace the 'c:loadwb' with a new 'loadwb' with the size of 84.772 bytes, and create a file in your wbstartup drawer called "Workbench" (size 40.668 bytes, packed), and now the trojan is ready to 'play' with your Amiga. You can find this text- string in the file: @{b} GuRuX mEdItAtIoNz: [JoShUa`S tRoJaN]`/AdDrEzZ: [yOuR ComPuTeR] TaZk: [SyStEm KiLlEr] MoRe iNfOrMaTiOn: ZoMbIe@pAlA.zZn.CoM@{ub} This trojan is made with AMOS, and it is a lame trojan..... Here is some info about the archive: Name........ : @{b}New msx-2 Turbo R emulator@{ub} Trojan name. : @{b}Amos Joshua Trojan@{ub} Archive name : @{b}msxR.lha@{ub} Archive size : @{b}124.196 bytes@{ub} Trojan name. : @{b}msxR.exe@{ub} Trojan size. : @{b}128.800 bytes (144.320 bytes unpacked)@{ub} Short desc.. : @{b}New msx-2 Turbo R emulator for 030 040 060@{ub} This trojan has been sendt to all the antivirus programmers and they will make recog. for this trojan in the next update. Thanx @{b}to Heiner Schneegold, Jan Erik Olausen and Alex van Niel@{ub} for the fast test. And to @{b}Gringo, Urban@{ub} for the first reports about this trojan. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// ------------ FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ @{b}www.vht-dk.dk@{ub} VirNet..: 9:451/247.0 @endnode @node vht-dk84.lha " PoolMem v1.45 Trojan (14.07.99) 1999 Jan Andersen" Hi All.... A new trojan have been found today. This trojan is looks like the trojan we wrote about on the 15'th, the " Amos Joshua Trojan". This trojan will after it has been executed, the program will show a screen, where you can read this text: "CARGANDO BLOQUES..... ", ( I think that it is spanish but I don't understand it). The the system goes into a guru, and restarts but by now the trojan has replaced the 'c:loadwb' with a new 'loadwb' with the size of 122.836 bytes and create a file in your wbstartup drawer called "miami.config" (size 60.728 bytes), and now the trojan is ready to play with your Amiga again. This trojan is made with AMOS, and it is a lame trojan..... Here is some info about the archive: Name.......... : @{b}Sonic II@{ub} Trojan name... : @{b}Amos Joshua Clone Trojan@{ub} Archive name.. : @{b}SonicII.lha@{ub} Archive size.. : @{b}111.798 bytes@{ub} Trojan name... : @{b}SonicIIAmiga.exe@{ub} Trojan size... : @{b}182.452 bytes@{ub} Infected files : @{b}c:loadwb (122.836 bytes)@{ub} @{b}wbstartup:miami.config (60.728 bytes)@{ub} Doc Text : por fin!!!!!!!!!!!! la version del SONIC II creado para amiga en AMOS PRO+GUI EXTENSION Osea que puedes juegar en una ventana publica perfectamente.... Disfruta de este juego........ para contactar: zombie@pala.zzn.com This trojan has been sendt to all the antivirus programmers and they will make recog. for this trojan in the next update. Thanx to @{b}Alex@{ub} for the fast test. And to @{b}Christian@{ub} for the report about this trojan. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// ------------ FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ @{b}www.vht-dk.dk@{ub} VirNet..: 9:451/247.0 @endnode @node vht-dk85.lha " MUI v4.0 Fake (02.11.99) 1999 Jan Andersen" Hi All.... We have finally recived an trojan archive that we have been looking for since April 1999. It was found on a BBS in England. The trojan is a FAKE 'MUI v4.0', and in the archive there are 3 files that will make trouble for you (see below), and at this time only one killer can find this trojan, and that is "VT v3.16", but the other big killers will make a recog for this trojan as soon as possible. Here is some info about the archive: Name........... : @{b}MUI v4.0@{ub} Trojan name.... : @{b}MUI 4.0 FAKE@{ub} Archive name... : @{b}mui40usr.lha@{ub} Archive size... : @{b}832.990 bytes@{ub} Trojan name.... : @{b}MUI (7536 bytes) Install-MUI (27034 bytes) ClickForColors (1340 bytes)@{ub} Mr. Heiner Schneegold (programmer of VT) has made this test of the fake MUI v4.0: @{b} > ----------------- CUT Start from VT 3.16 Doc -------------------@{ub} - MUI40-Fake (war kurz im Aminet) Keine Vermehrung Eine Nachricht soll verschickt werden Mind. drei Files veraendert. Empfehlung: Loeschen und sauberes Archiv neu aufspielen. Install Fake-L: 27034 Es wurde eine Zeile eingefuegt und Zahlen geaendert: ; $VER: Install-MUI 4.0 (01.04.99) (set current_version "4.0") (set current_libver 19) (set lng @language) (set #tmpdir "t:mui.inst") (complete 0) (run (cat "goodies/clickforcolors")) <---- diese Zeile MUI Fake-L: 7536 Datum geaendert und Text-Hunk angehaengt 4e752456 45523a20 4d554920 32312e31 Nu$VER: MUI 21.1 34202830 312e3034 2e393929 00000000 4 (01.04.99).... ;...... 00000000 000003f2 000003f1 0000000f ................ 77616861 68616861 68616861 20417072 wahahahahaha Apr 696c2046 6f6f6c73 20796f75 20736f72 il Fools you sor 72792061 73736564 20486f70 6566756c ry assed Hopeful 204d6f74 68657266 75636b21 000003f2 Motherfuck!.... ClickForColors Fake-L: 1340 Normal ein Txt-File jetzt ein PRG. (nicht codiert) 6e696d62 75732e73 75706572 696f722e nimbus.superior. 6e657400 62736473 6f636b65 742e6c69 net.bsdsocket.li 62726172 79004845 4c4f2073 6173672e brary.HELO sasg. 636f6d0d 0a004d41 494c2046 524f4d3a com...MAIL FROM: 3c706973 73656420 75736572 3e0d0a00 <pissed user>... 52435054 20544f3a 7374756e 747a4073 RCPT TO:stuntz@s 6173672e 636f6d0d 0a004441 54410d0a asg.com...DATA.. 00005375 626a6563 743a204d 6f766520 ..Subject: Move 796f7572 206e617a 69206173 73207769 your nazi ass wi 7468206f 7572204d 55492075 70646174 th our MUI updat 65206375 6e74210d 0a0d0a2e 0d0a0000 e cunt!......... @{b} > -------------------- CUT End from VT 3.16 Doc ------------------@{ub} This trojan has been sendt to all the antivirus programmers and they will make recog. for this trojan in the next update. Thanx to @{b}Heiner@{ub} for the test. And to @{b}Adam James@{ub} for sending the archive to us. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// ------------ FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ @{b}www.vht-dk.dk@{ub} VirNet..: 9:451/247.0 @endnode @node vht-dk86.lha " Sniper - HitchHiker Infected (17.01.2000) - 2000 Jan Andersen" Hi All.... Today we found an infected archive on Aminet. The archive is infected with the linkvirus @{b}"Hitch Hiker v4.11"@{ub}. Here is some info about the infected archive: Name.......... : @{b}Sniper@{ub} Virus name.... : @{b}Hitch Hiker v4.11@{ub} Archive name.. : @{b}Sniper.lzh@{ub} Archive size.. : @{b}667.902 bytes@{ub} Infected file. : @{b}Sniper@{ub} Infected size. : @{b}688.060 bytes (infected)@{ub} It is possible to run the game, @{b}BUT@{ub} remember to remove the virus first with one of the major antivirus programs like @{b}VirusExecutor, VirusZ, VirusChecker II@{ub} or @{b}VT@{ub}. Thanx to @{b}Jan Erik Olaussen@{ub} for the report about this trojan. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// ------------ FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ @{b}www.vht-dk.dk@{ub} VirNet..: 9:451/247.0 @endnode @node vht-dk87.lha " YAM Patcher Trojan (09.02.2000) - 2000 Jan Andersen" Hi All.... Today we recived an archive that was on Aminet for a very short time, but it has been removed now. It will replace your "@{b}s:cedmacros@{ub}" with another file that we don't know what damage that file makes (yet). So if you have installed this program, just delete your "s:cedmacros", and you should be safe. Info about the archive that was released: ----------------------------------------- Name........ : @{b}YAMPatcher@{ub} Archive name : @{b}PatchYamPPC12.lha@{ub} Archive size : @{b}7.088 bytes@{ub} The archive has been send to the antivirus programmers. Thanx to @{b}Urban@{ub} for the report about this trojan. Regards.... __ @{b}Jan Andersen@{ub} E-Mail..: vht-dk@post4.tele.dk __ /// ------------ FidoNet.: 2:237/38.100 \\\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ @{b}www.vht-dk.dk@{ub} VirNet..: 9:451/247.0 @endnode