*****                VIRUS HELP DENMARK                 *****
        ***                      PRESENTS                       ***
         *                                                       *
    ***** *****           VirusWarning.Guide v2.7           ***** *****
     ***   ***                 5 April 1999                  ***   ***
      *     *                                                 *     *
  >>>>>>>>>>>>>>>>>>>>>>>>>--------------------<<<<<<<<<<<<<<<<<<<<<<<<<<
                            VirusWarning.Guide

   New warnings in this update of the guide             - New's.
   Virus/Trojan names in alfabetic order                - Names list.
   Virus/Trojan archives in alfabetic order             - Names List.
   Virus/Trojan/Archives that we are looking for!       - Help Us.

   Copyright  1994-1999                                - Copyright.
   About Virus Help Denmark                             - Who are we?
   My PGP public key                                    - PGP Key.
   Thanks list corncerning VirusWarning.guide           - Thanx list.
   The newest versions of the Amiga Antivirus programs  - AV Updates.

  This guide was made to give you a better look of the files that we have
  written warnings about.


              The newest updates of the Amiga AntiVirus programs
              --------------------------------------------------
                            (5 April 1999)


    xvs.library v33.18.............. (08.03.1999) By Georg Hoermann.
    VirusChecker II v1.12........... (17.02.1999) By Alex van Niel.
    VirusSlayer v1.14 (beta)........ (12.02.1999) By Martin Zemblowski.
    VirusChecker.brain v2.15........ (11.02.1999) By Alex van Niel.
    VT v3.15........................ (11.02.1999) By Heiner Schneegold.
    VirusExecutor v1.81b............ (27.12.1998) By Jan Erik Olausen.
    VirusZ II v1.44................. (06.09.1998) By Georg Hoermann.
    VirusZ III v0.92b............... (06.09.1998) By Georg Hoermann.
    VirusWorkshop v6.9.............. (24.03.1998) By Markus Schmall.

    !!!!!  Important news about VirusWorkshop by Markus Schmall  !!!!!

 Please remember to support the antivirus programmers, after all they are
 helping you.......

 PS : If you find a new virus or trojan,  please upload it to our  BBS 
      then we will send it to all the anti-virus  programmers that will
      accept new stuff from us. (use my  public PGP Key )

 You can get all the latest versions on our homepage, here is the adress:

                             www.vht-dk.dk


                        Copyright  1994-99 - Information

  This guide is written and  Copyrighted 1999,  by Jan Andersen of Virus
  Help Denmark using the warnings that we have been writing and send
  out on the Net's, with the exceptions of the virus warnings that Markus
  Schmall has written. But we have his permission to use them. No part of
  the guide may be altered in any way,  without a written permission from
   Virus Help Denmark .

  This  Guide will be  spread every 2 month, with all the new warnings by
  Markus Schmall and Virus Help Denmark.  We will at  that time have
  sent the  new  Warnings  out on  all the Nets and BBS'es,  that we have
  access to (InterNet, FidoNet, AmyNet etc.).

  If you want  to use this guide or some of the warnings,  please contact
  one of us and  get a written  permisssion to do it.  If you want to use
  the  warnings that  Markus Schmall has  written,  please contact him to
  get his permission.

  This Guide is free to spread in any way, as long as nothing is altered
  in any way.


 Who are Virus Help Danmark:
 --------------------------------
  We are 5 guys  who earlier worked for Safe Hex International to prevent
 the spreading of virus.  But as our policy couldn't fit SHI's, we decided
 to step out from the 31 dec.1994 to start on our own. Our objectives are:

    1) To fight and prevent the spreading of computervirus.
    2) To aid users with virus related problems.
    3) To support all wellknown antivirus programmer with virus.

 We will  coorporate with ALL, who support our sake.  We simply don't care
 if  they are  Germans,  Americans or wherefrom, as long as we can aid the
 Amiga users in the best possible way...

 For more info, please contact:

 Jan Andersen - VHT Denmark             Lars P. Kristensen - VHT Denmark
 ---------------------------            --------------------------------
 Fido...:  2:237/38.100                 E-Mail.: [email protected]
 VirNet.:  9:451/247.0
 AmyNET.: 39:140/127.100
 E-Mail.: [email protected]

 By snail-mail
 -------------
 Jan Andersen                           Lars P. Kristensen
 Charlottegaardsvej 131      or         Safirvej 25
 2640 Hedehusene                        3650 Oelstykke
 DK-Denmark                             DK-Denmark


 New Updates on VirusWarning.Guide can be found on these places:
 ---------------------------------------------------------------

 Virus Help Denmark on Internet
 ------------------------------
 Homepage....: www.vht-dk.dk


 Virus Help Denmark's Support BBS'es
 -----------------------------------
 BBS Name....: XPoint BBS              BBS Name....: SouthSide BBS
 Phone Number: +45 6381 8005           Phone Number: +45 4353 3828.
 Country.....: Denmark                 Country.....: Denmark
 Open........: 24 Hours                Open........: 24 Hours.
 Modem.......: 56.200 X2 & ISDN        Modem.......: 33.600 v34+

 BBS Name....: Futurelink Amiga BBS    BBS Name....: Dave's Place BBS
 Phone Number: +45 7588 4011           Phone Number: +44 (0)161 339 5695
 Country.....: Denmark                 Country.....: England
 Open........: 24 Hours                Open........: 24 Hours
 Modem.......: 33.6 v34+               Modem.......: 28.800

 BBS Name....: Thunderdome BBS.        BBS Name....: ABBS Support BBS
 Phone Number: +46 171 20586           Phone Number: +47 6935 3097
 Country.....: Sweden                  Country.....: Norway
 Open........: 24 Hours                Open........: 24 Hours
 Modem.......: 33.600 v34+             Modem.......: 33.600 v34+


 The guy's behind Virus Help Denmark.
 -----------------------------------------

 Jan Andersen........: VHT-DK's InterNet support, Virus-Hunter, Contact
                       to Anti-virus programmers.

 Lars P. Kristensen..: VHT-DK's PR-man, Translator, Virus help.
                       Virus Help Team's World support, BBS support.

 Henrik Lauridsen....: VHT-DK's InterNet support, Virus help.

 Torben Danoe........: VHT-DK's translator, Virus help.

 Jan Nielsen.........: VHT-DK's translator, Virus help.


 We have no leades of VHT-Denmark, no one is the Boss. We all deside what we do,
 and how. That is why we are working as a TEAM.


                Thanks list corncerning VirusWarning.guide


  Markus Schmall........: For letting us use his warnings in this guide


  Thanks must also go to: Jan-Jan,  Lars,  Henrik,  Georg, Heiner, John,
                          Torben, Soenke, Per, Kim B, Enzo, Deliveryman,
                          Martin, Flemming S, Jan, Thomas, Hee-Mann, Ib,
                          Dave, Ramon,  Harry, Alex, Cor for  collecting
                          trojans and viruses for us.
                          Speciel thanx to the Virus Test Center in Hamburg.
                          (Sorry if I forgot you)

  All the guys that is helping us collecting the new virus, and the few
  ones that are helping everybody, by programming a viruskiller.


 Please send me the new viruses that you find, so we can keep the support
 to the anti-virus programmers.

 You can encrypt it with my public PGP key, in that way the archive/file
 won't get spread if it ends up in the wrong place.


Type Bits/KeyID    Date       User ID
pub  1024/E7B1A755 1999/01/09 Jan Andersen <[email protected]>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQCNAzaX6BIAAAEEANnkhochSsPthVhFlRLPiCCndozo0h2g1RUQXTt4vSEvOpfs
j9wTv6hZKeXsi1kE+5UKM/Xt9S+/eftKw+6oiWKyqB2dZqeLtLt5Uj1TXViMygye
a0nDSFhub02NXTDehzgnhzO9kE/toqhTzyizygZYXrUD+Onp/CSq+InnsadVAAUR
tCNKYW4gQW5kZXJzZW4gPHZodC1ka0Bwb3N0NC50ZWxlLmRrPokAlQMFEDaX6BQk
qviJ57GnVQEBkGIEAIyaaerRR7kjLVmW1cshu6VHxq5uRVqg87M9qMTWJf0EfCgI
yj5aJODqsjc36DPyW5AJuUgB1nDKPgvjCBCQp27PEvu61+a0S0Cat6sK65S5dxQE
O92jtF/VPpaYy0nDsDoQemcFrggGVXxFTlstjNOk1GxatUIvGugBlcETUGO2
=kLIO
-----END PGP PUBLIC KEY BLOCK-----


              New warnings in this update of the guide

  New warnings in alfabetic order                            Warning Name
 -------------------------------------------------------------------------

  Miami DeLuxe v0.9c fake             (mdlx09c.lha)    - (vht-dk79.lha)
  CygnusEd v4.17 fake                (hf-cd417.lha)    - (vht-dk78.lha)

 -------------------------------------------------------------------------

    !!!!!  We are looking for a lot of Viruses. please help us!  !!!!!
    !!!!!  Important news about VirusWorkshop by Markus Schmall  !!!!!

 -------------------------------------------------------------------------

 New warnings in VirusWarning.guide
 ----------------------------------
  v1.0      v1.1      v1.2      v1.3      v1.4      v1.5      v1.6 

  v1.7      v1.8      v1.9      v2.0      v2.1      v2.2      v2.3 

  v2.4      v2.5      v2.6 


 New in VirusWarning.Guide v1.0
 ------------------------------
  Strange Atmosphere LinkVirus      (srn-db33.lha) ....: (Flake023.txt)
  VirusMemKill v1.2 Trojan          (VMK12.LHA)    ....: (Flake022.txt)


 New in VirusWarning.Guide v1.1
 ------------------------------
  Ebola 2 Link-Virus                               ....: (Flake024.txt)
  BBS Traveller Virus               (lop_mi2.lha)  ....: (Flake025.txt)
  Hitch Hiker 1.10 link virus                      ....: (Flake026.txt)


 New in VirusWarning.Guide v1.2
 ------------------------------
  Mutation Nation linkvirus                        ....: (Flake027.txt)
  Hitch Hiker 3.00 link virus                      ....: (Flake028.txt)
  Hitch Hiker 3.00 link virus Installer            ....: (Flake029.txt)


 New in VirusWarning.Guide v1.3
 ------------------------------
  HitchHiker 3.00 linkvirus         (patchhh.lzx)  ....: (Flake-28.txt}
  Voxel_Svind.exe                   (dph-vos.lha)  ....: (Vhelp-35.txt)
  HF-Intro.exe                      (hf-vc24.lha)  ....: (Vhelp-36.txt)
  Happy New Year 96' Infected       (ABC14.DMS)    


 New in VirusWarning.Guide v1.4
 ------------------------------
  CygnusEd v4.0 Trojan              (HF-CED40.LHS)       (VHelp-39.txt)
  HD Protect v6.24 trojan           (HDPRO624.LHA)       (VHelp-38.txt)
  Tetris Attack Full Release Disk 1 (HF-TETA1.LHA)       (VHelp-37.txt)
  Tetris Attack Full Release Disk 2 (HF-TETA2.LHA)       (VHelp-37.txt)
  The Black Lotus 'Abduction' demo  (TBL-ABDU.LHA)       (VHelp-40.txt)


 New in VirusWarning.Guide v1.5
 ------------------------------
  Happy New Year 97' virus          (DARKFUCK.LHA)       (VHelp-40.txt)
  HNY 97' infected archive          (TBF-F175.LHA)       (VHelp-41.txt)
  HitchHicker 4 infected archive    (MAPUS200.LZX)       (VHelp-42.txt)


 New in VirusWarning.Guide v1.6
 ------------------------------
  IBrowse v2.0 Trojan               (DNC-IB2.LHA)  
  HNY 97' infected archive          (AMN-PAS1.LHA) 
  HNY 97' infected archive          (DXP_LW2R.LHA) 


 New in VirusWarning.Guide v1.7
 ------------------------------
  Ibrowse v2.0                          (DCN-IB2.LHA) 
  Maups v2.0 (HitchHicker 4 Infected)  (MAPUS200.LZX) 
  Intel Outside 4 Trojan               (IO4-INVI.LHA) 
  Xtruder v3.5 Trojan                  (XTRUDE35.LHA) 


 New in VirusWarning.Guide v1.8
 ------------------------------
  Ibrowse v2.0                          (DCN-IB2.LHA)  - VHelp-46.txt
  Happy New Year 97' new string          (MUI020.LHA)  - VHelp-47.txt
  AmixHack Trojan                       (DEC-SCP.LHA)  - VHelp-48.txt
  HitchHicker v4.23 Link-Virus                         - VHelp-49.txt


 New in VirusWarning.Guide v1.9:
 -------------------------------
  Lisa FuckUp v3.0                     (SEBOLA97.LHA)  - VHelp-50.txt
  HitchHicker v4.11 infected           (NUP-SLOS.LHA)  - VHelp-51.txt
  Ebola infected                        (PSY-HAL.LHA)  - VHelp-52.txt
  ZIB linkvirus found                                  - VHelp-53.txt


 New in VirusWarning.Guide v2.0:
 -------------------------------
  Happy New Year 98 Infcted archive      (w9-sex.lzx)  - VHelp-58.txt
  Happy New Year 98 linkvirus                          - VHelp-57.txt
  Happy New Year 96 Infected archive     (org3_3.lha)  - VHelp-56.txt
  Ebola infected archive                (d-s_zw2.lha)  - VHelp-56.txt
  Ebola infected archive                (d-s_mk2.lha)  - VHelp-56.txt
  Ebola infected archive               (cpu-mv31.lha)  - VHelp-55.txt
  Happy New Year 96 Infected archive    (modtime.lzx)  -
  Hitch Hiker v2.11 installer          (kilhitch.lha)  -
  ZIP linkvirus installer              (opus566p.lzx)  - VHelp-54.txt


 New in VirusWarning.Guide v2.1:
 -------------------------------
  Miami Keyfile checker Trojan             (PHK-MKEY.lzx)  - vht-dk67.lha
  ReOrgIt Trojan                            (ReOrgIt.lha)  - vht-dk66.lha
  Max BBS trojan Type D                 (Mpeopledemo.lha)  - vht-dk65.lha
  Max BBS trojan Type C                 (SPICE_POWER.lha)  - vht-dk64.lha
  Max BBS trojan Type B                    (nce-tri9.lha)  - vht-dk63.lha
  Max BBS trojan Type A               (JC_SpiceGirls.LHA)  - vht-dk62.lha
  Happy New Year 96 Infected archive       (CBS-ETIT.LZX)  - vht-dk61.lha
  Happy New Year 98 Infected archive        (CNS-BGE.LHA)  - vht-v059.lha


 New in VirusWarning.Guide v2.2
 ------------------------------
 This was a 'buggy' release, sorry for that.........


 New in VirusWarning.Guide v2.3
 ------------------------------
  Happy New Year 96' Infected       (PHT-Suns.lzx) ....: (vht-dk68.lha)
  Happy New Year 96' Infected       (FFFF.LHA)     ....: (vht-dk69.lha)


 New in VirusWarning.Guide v2.4
 ------------------------------
   Happy New Year 96' Infected       (WinTool.lha)    -   (vht-dk70.lha)
   Max BBS #4 trojan                 (maxsafe.lha)    -   (vht-dk71.lha)


 New in VirusWarning.Guide v2.5
 ------------------------------
   Fungus/lsd installer              (m31h_crk.lha    -   (vht-dk75.lha)
   Fungus/lsd file virus                              -   (vht-dk74.lha)
   PolishPower link virus             (AMFTP 1.91)    -   (vht-dk73.lha)
   New Max BBS trojan                 (UnpackJPEG)    -   (vht-dk72.lha)


 New in VirusWarning.Guide v2.6
 ------------------------------
  Birthday Trojan & Dropper           (birthday.lha)    - (vht-dk77.lha)
  datatypes.library v45.5 Trojan  (dtypes455upd.lha)    - (vht-dk76.lha)


  All warnings in alfabetic order                         Warning Name
 ------------------------------------------------------------------------
  Abase infected Saddam Archiv         (ABASE.DMS) ....: (Vhelp-15.txt)
  Achtung.exe Trojan.               (GATH95-!.LHA) ....: (Vhelp-05.txt)
  Achtung.exe Trojan                (Gath95-!.lha) ....: (Flake005.lha)
  Addy v0.99 Trojan.                 (ADDY099.LHA) ....: (Vhelp-02.txt)
  Alfons Eberg 2.0 (Wireface)        (hf-vc24.lha) ....: (VHelp-36.txt)
  AMFTP v1.75 Infected              (TBF-F175.LHA) ....: (VHelp-42.txt)
  AmiBlank Trojan                   (ABLANK11.LHA) ....: (Flake021.txt)
  AmiExpress v5.0 Trojan             (PSG-AE5.LHA) ....: (Vhelp-18.txt)
  AmixHack Trojan                    (DEC-SCP.LHA) ....: (Vhelp-48.txt)
  BBS Traveller Virus                (lop_mi2.lha) ....: (Flake025.txt)
  Birthday Trojan & Dropper         (birthday.lha) ....: (vht-dk77.lha)
  Callerslog v1.2 Trojan            (MST-CA12.LHA) ....: (Vhelp-20.txt)
  CarlingCard Hacker Trojan          (CCHACK2.exe) ....: (Vhelp-17.txt)
  Commander link-virus Infector.    (dpl-mam1.dms) ....: (Vhelp-04.txt)
  Commander link-virus Infector.    (Denistro.exe) ....: (Vhelp-00.txt)
  ConMan Trojan                        (hackt.lha) ....: (Flake006.txt)
  ConMan 1995 link-virus               (M-hac.lha) ....: (Flake016.txt)
  CoP Killer v1.1 Trojan            (COPKILL1.LHA) ....: (Vhelp-19.txt)
  Creator v1.0 Trojan                (CREATOR.LHA) ....: (Vhelp-12.txt)
  CygnusEd v4.00 Trojan.                (CED4.LHA) ....: (Vhelp-08.txt)
  CygnusEd v4.0 Trojan              (HF-CED40.LHS) ....: (VHelp-39.txt)
  CygnusEd v4.17 fake               (hf-cd417.lha) ....: (vht-dk78.lha)
  DancePoolModTro.exe Infected          (SIGN.LHA) ....: (Vhelp-32.txt)
  datatypes.library v45.5       (dtypes455upd.lha) ....: (vht-dk76.lha)
  DirectoryOpus v5.00.                 (OPUS5.LHA) ....: (Vhelp-09.txt)
  DiskMaster v5.1 Trojan                           ....: (Vhelp-25.txt)
  DMS v2.06 Trojan                   (cry_206.lha) ....: (Flake003.lha)
  dpl-dc99.lha trojan               (dpl-dc99.lha) ....: (Flake004.lha)
  Ebola 2 Link-Virus                               ....: (Flake024.txt)
  FileGhost 3 LinkVirus                            ....: (Flake009.txt)
  Flake013.txt Fake                 (BIO-WARN.LHA) ....: (Flake014.txt)
  Fungus/lsd virus                                 ....: (vht-dk74.lha)
  Fungus/lsd installer              (m31h_crk.lha) ....: (vht-dk75.lha)
  Futuretracker Trojan               (TRSI-FT.LHA) ....: (Vhelp-14.txt)
  Happy_New_Year_96' link virus                    ....: (Flake017.txt)
  Happy New Year 96' New String     (CBS-ETIT.LZX) ....: (vht-dk61.lha)
  Happy_New_Year_97' link virus     (DARKFUCK.LHA) ....: (VHelp-41.txt)
  Happy_New_Year_97' New String       (MUI020.LHA) ....: (VHelp-47.txt)
  Happy New Year_98' link virus                    ....: (VHelp-57.txt)
  Happy New Year 98 Infcted archive  (CNS-BGE.LHA) ....: (vht-v059.lha)
  HardDiskSpeeder v1.5 GVP Inc.    (GVP-HS15.lha) ....: (Flake012.txt)
  HD Protect v6.24 trojan           (HDPRO624.LHA) ....: (VHelp-38.txt)
  HF-Intro.exe                       (hf-vc24.lha) ....: (VHelp-36.txt)
  Hitch Hicker 1.10 link virus                     ....: (Flake026.txt)
  Hitch Hicker 2.11 Installer       (kilhitch.lha) ....:
  Hitch Hicker 3.00 link virus                     ....: (Flake028.txt)
  Hitch Hicker 3.00 link virus Installer           ....: (Flake029.txt)
  Hitch Hicker 4.00 link virus                     ....: (VHelp-42.txt)
  Hitch Hicker 4.23 link virus                     ....: (VHelp-49.txt)
  Ibrowse v2.0                       (DCN-IB2.LHA) ....: (VHelp-46.txt)
  Ibrowse v2.0 (New warning update)  (DCN-IB2.LHA) ....: (VHelp-46.txt)
  Intel Outside 4 Trojan            (IO4-INVI.LHA) ....: (VHelp-44.txt)
  IStrip v2.1 Trojan                (Istrip21.lha) ....: (Flake002.lha)
  KillHitch Trojan                  (kilhitch.lha) ....:
  LHA v3.0 Trojan.                     (LHA30.LHA) ....: (Vhelp-07.txt)
  Lisa FuckUp v3.0 Trojan           (SEBOLA97.LHA) ....: (VHelp-50.txt)
  LZX v1.30 Trojan (CoP Type F)       (LZX130.lha) ....: (Flake007.txt)
  MakeKey v1.10 For Virus_Checker   (VcKey110.lha) ....: (Flake013.txt)
  Maups v2.0 (HH 4 Infected)        (MAPUS200.LZX) ....: (VHelp-43.txt)
  Max BBS trojan Type A        (JC_SpiceGirls.LHA) ....: (vht-dk65.lha)
  Max BBS trojan Type B             (nce-tri9.lha) ....: (vht-dk64.lha)
  Max BBS trojan Type C          (SPICE_POWER.lha) ....: (vht-dk63.lha)
  Max BBS trojan Type D          (Mpeopledemo.lha) ....: (vht-dk62.lha)
  Max BBS trojan Type E               (unpackjpeg) ....: (vht-dk72.lha)
  Miami DeLuxe v0.9c Fake            (mdlx09c.lha) ....: (vht-dk79.lha)
  Miami Keyfile checker Trojan      (PHK-MKEY.lzx) ....: (vht-dk67.lha)
  MultiView v3.1 (Ebola infected)   (CPU-MV31.LHA) ....: (VHelp-55.txt)
  Mutation Nation linkvirus                        ....: (Flake027.txt)
  NC210.LHA and NC210.LZX Infected (NC210.LHA/LZX) ....: (Vhelp-31.txt)
  NComm v3.2 Trojan.                 (NCOMM32.LHA) ....: (Vhelp-06.txt)
  No Sense Diskmagazine Infected     (C!S-NS1.DMS) ....: (Vhelp-33.txt)
  Pestilence Bootblockvirus 1.15                   ....: (Flake001.lha)
  PolishPower link virus              (amftp 1.91) ....: (vht-dk73.lha)
  Phenomena DOS-Extender V1.1       (PHA-XMAS.lha) ....: (Flake019.txt)
  Quarterback Tools Trojan           (ORS-QBD.LHA) ....: (Vhelp-24.txt)
  Removcmd.lha Trojan               (Removcmd.lha) ....: (Flake000.lha)
  ReOrgIt Trojan                     (ReOrgIt.lha) ....: (vht-dk66.lha)
  SInfo v1.00 Trojan                 (SINFO10.LHA) ....: (Vhelp-11.txt)
  Surprise Trojan at 'TP 4'.        (SURPRISE.DMS) ....: (Vhelp-01.txt)
  Susi_Drive_Stepper Trojan                        ....: (Flake018.txt)
  Strange Atmosphere LinkVirus      (srn-db33.lha) ....: (Flake023.txt)
  Tetris Attack Full Release Disk 1 (HF-TETA1.LHA) ....: (vhelp-37.txt)
  Tetris Attack Full Release Disk 2 (HF-TETA2.LHA) ....: (vhelp-37.txx)
  The Black Lotus 'Abduction' demo  (TBL-ABDU.LHA) ....: (VHelp-40.txt)
  TMTC90.LHA Virus Infected           (TMTC90.LHA) ....: (Vhelp-30.txt)
  TP-5 Andromeda Demo Trojan        (TP5-ANDR.LHA) ....: (Vhelp-27.txt)
  TP-5 Parallax Demo Trojan         (TP5-PRLX.LHA) ....: (Vhelp-29.txt)
  TP-5 Silents DK Trojan             (TP5-TSL.LHA) ....: (Vhelp-28.txt)
  TP-5 Spaceballs Demo Trojan       (TP5-SPAC.LHA) ....: (Vhelp-26.txt)
  TP-5 TRSI Trojan                  (TP5-TRSI.LHA) ....: (Flake020.txt)
  TRSi Installer Trojan             (TRSI-INS.LHA) ....: (Vhelp-21.txt)
  TRSi Installer Trojan             (TRSI-INS.LHA) ....: (Flake011.txt)
  Voxel_Svind.exe                    (dph-vos.lha) ....: (Vhelp-35.txt)
  Virus_Checker v6.60 Trojan        (VCHCK660.lzx) ....: (Vhelp-23.txt)
  VirusWorkshop v5.0 Trojan         (TRSI-VW5.LHA) ....: (Vhelp-15.txt)
  VirusZ II v1.14 - Fake            (VZII_114.LHA) ....: (Vhelp-03.txt)
  VirusZ II v1.19 - Fake            (VZII_119.LHA) ....: (Flake010.txt)
  VirusMemKill v1.2 Trojan             (VMK12.LHA) ....: (Flake022.txt)
  WireFace Trojan Type G            (chkmount.lha) ....: (Flake015.txt)
  Xtruder v3.5 Trojan               (XTRUDE35.LHA) ....: (VHelp-45.txt)
  ZAP v1.1 Unpacker virus infected   (TXC-Z11.LHA) ....: (VHelp-34.txt)
  ZIB linkvirus found                              ....: (VHelp-53.txt)
  ZIB linkvirus installer           (opus566p.lzx) ....: (Vhelp-54.txt)

 ---------------------------- End of list -------------------------------


                   Virus/Trojan Archives In Alfabetic Order
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

             Archive Name   - Archive infected With !
            ---------------------------------------------------
           !ansianim!.lha    - Trojan                           
           10000.lha         - Ebola Infected Archive           
           a!a-pp2.dms       - HNY 96' Infected archive         
           ABASE.DMS         - Abase infected Saddam Archiv     
           ABC14.DMS         - HNY 96' Infected archive         
           ABLANK11.LHA      - AmiBlank Trojan (Kuk Crew)       
           ac0396_1.DMS      - HNY 96' Infected archive         
           ACID05.LHA        - HNY 96' Infected archive         
           ACID06.LHA        - HNY 96' Infected archive         
           ADDY099.LHA       - Addy v0.99 Trojan                
           aframe01.lha      - Ebola Infected Archive           
           aga_italy2.lzx    - Trojan                           
           agt-cbsc.lha      - HNY 96' Infected archive         
           agt-cowz.lha      - HNY 96' Infected archive         
           apt-40kb.lha      - HNY 96' Infected archive         
           asp-fx13.lha      - HNY 96' Infected archive         
           ASTMA!.LHA        - HNY 96' Infected archive         
           ATW-MOD.LHA       - HNY 96' Infected archive         
           Birthday.lha      - Birthday Trojan & Dropper        
           C!S-NS1.DMS       - No Sense Diskmagazine Infected   
           CBS-ETIT.LZX      - HNY 96' New String (hunk 11)     
           CCHACK2.exe       - CarlingCard Hacker Trojan        
           cdrplay.lha       - Ebola Infected Archive           
           CED4.LHA          - CygnusEd v4.00 Trojan (CoP)      
           chkmount.lha      - WireFace Trojan Type G           
           CNS-BGE.LHA       - Happy New Year 98 Infcted        
           cpu-mv31.lha      - Ebola infected archive           
           cpu-nfot.lha      - Trojan                           
           cpucache.lha      - Trojan                           
           CREATOR.LHA       - Creator v1.0 Trojan              
           cry_206.lha       - DMS v2.06 Trojan                 
           D-S_MK2.LHA       - Ebola Infected archive           
           D-S_ZW2.LHA       - Ebola Infected archive           
           Darkfuck.lha      - HNY 97' Infected archive         
           dat_ho1.lha       - HNY 96' Infected archive         
           dat_ho2.lha       - HNY 96' Infected archive         
           dat_ho3.lha       - HNY 96' Infected archive         
           dat_ho4.lha       - HNY 96' Infected archive         
           dat_ho5.lha       - HNY 96' Infected archive         
           dat_ho6.lha       - HNY 96' Infected archive         
           dat_ho7.lha       - HNY 96' Infected archive         
           dat_ho8.lha       - HNY 96' Infected archive         
           dat_ho9.lha       - HNY 96' Infected archive         
           dat_h10.lha       - HNY 96' Infected archive         
           dcodes1_4.lzx     - HNY 96' Infected archive         
           dec-scp.lha       - AmixHack trojan                  
           Denistro.exe      - Commander link-virus Infector    
           detag063.lha      - HNY 96' Infected archive         
           diceroll.lha      - HNY 96' Infected archive         
           digital.lha       - HNY 96' Infected archive         
           dive-ing.lzx      - HNY 96' Infected archive         
           dop-dm1.dms       - HNY 96' Infected archive         
           dlm_prim.dms      - Ebola Infected Archive           
           dc-amftp.lha      - Hitch Hicker v4.23 Infected arc. 
           dcn-db3p.dms      - Trojan                           
           dcn-ib2.lha       - Ibrowse v2.0                     
           dcn-ib2.lha       - Ibrowse v2.0 (Update warning)    
           dph-vos.lha       - Voxel_Svind trojan               
           dpl-dc99.lha      - dpl-dc99.lha trojan              
           dpl-mam1.dms      - Commander link-virus Infector    
           dsy-bul1.lha      - HNY 96' Infected archive         
           dtypes455upd.lha  - Datatypes.library v45.5 Trojan   
           dvd!-def.lha      - Ebola Infected Archive           
           ed-psyo3.lha      - HNY 96' Infected archive         
           eft_cc14lha       - HNY 96' Infected archive         
           etc!hd.lha        - Trojan                           
           evilcomm.lha      - Trojan                           
           FFFF.lha          - HNY 96' Infected archive         
           flt1996.lha       - Trojan                           
           GATH95-!.LHA      - Achtung.exe Trojan               
           GVP-HS15.lha      - HardDiskSpeeder v1.5 GVP Inc.   
           h&w-woda.dms      - Trojan                           
           hackt.lha         - ConMan Trojan                    
           hdpro624.lha      - HD Protect v6.24 trojan          
           hf-cd417.lha      - CygnusEd v4.17 fake              
           hf-ced40.lha      - CygnusEd v4.0 Trojan             
           hf-lopi1.dms      - HNY 96' Infected archive         
           hf-teta1.lha      - Cop Trojan (Tetris Attack)       
           hf-teta2.lha      - Cop Trojan (Tetris Attack)       
           hf-vc24.lha       - Vinci v2.4 (HF intro infected)   
           hf-wttr.lha       - Ebola Infected Archive           
           ht-stag1.dms      - HNY 96' Infected archive         
           ht-stag2.dms      - HNY 96' Infected archive         
           idefix191.lha     - Hitch Hicker v4.23 Infected arc. 
           Ins-blf.lha       - HNY 96' Infected archive         
           Int-ap21.lha      - HNY 96' Infected archive         
           io3-64k.lha       - HNY 96' Infected archive         
           IO4-INVI.LHA      - Intel Outside 4 Trojan           
           Istrip21.lha      - IStrip v2.1 Trojan               
           JC_SpiceGirls.LHA - Max BBS trojan Type A            
           kewlcd.lha        - HNY 96' Infected archive         
           kilhitch.lha      - Hitch Hiker v2.11 Installer      
           LHA30.LHA         - LHA v3.0 Trojan.                 
           lop_mi2.lha       - BBS Traveller Virus              
           lzx121crk.lha     - Trojan                           
           LZX130.lha        - LZX v1.30 Trojan (CoP Type F)    
           M31H_CRK.LHA      - Fungus/lsd installer             
           MAPUS200.LZX      - HitchHicker v4.00 Infected       
           mdlx09c.lha       - Miami DeLuxe v0.9c fake          
           miamic.lha        - HNY 96' Infected archive         
           Modti541.lha      - HNY 96' Infected archive         
           modtime.lzx       - HNY 96' Infected archive         
           Mpeopledemo.lha   - Max BBS trojan Type D            
           msr-a71p.lha      - Hitch Hicker v4.23 Infected arc. 
           MST-CA12.LHA      - Callerslog v1.2 Trojan           
           mth-gd10.lzx      - Ebola Infected Archive           
           MUI020.LHA        - Happy New Year 97' New string    
           Nbk-fkt.lha       - HNY 96' Infected archive         
           NC210.LHA         - Happy New Year 96' Infected      
           NC210.LZX         - Happy New Year 96' Infected      
           nce-tri9.lha      - Max BBS trojan Type B            
           NCOMM32.lha       - NComm v3.2 Trojan (CoP)          
           nhp122.lha        - Ebola Infected Archive           
           NUP-SLOS.LHA      - HitchHiker v4.11 infected        
           OPUS5.LHA         - DirectoryOpus v5.00 (CoP)        
           opus566p.lzx      - ZIB linkvirus Installer          
           orb!mk.dms        - HNY 96' Infected archive         
           ORG3_3.LHA        - HNY 96' Infected archive         
           ORS-QBD.LHA       - Quarterback Tools Trojan (CoP)   
           otl-db1d.dms      - Ebola Infected Archive           
           patchhh.lzx       - HitchHiker 3.00 linkvirus        
           pet-sus5.dms      - Ebola Infected Archive           
           PHA-XMAS.lha      - Phenomena DOS-Extender V1.1      
           PHK-MKEY.lzx      - Miami Keyfile checker Trojan     
           PHT-Suns.lzx      - HNY 96' Infected archive         
           phonebook.lha     - HNY 96' Infected archive         
           plo-dm1.dms       - HNY 96' Infected archive         
           Plo-dm2.dms       - HNY 96' Infected archive         
           PSG-AE5.LHA       - AmiExpress v5.0 Trojan           
           psp-64k.lha       - HNY 96' Infected archive         
           PSY-HAL.LHA       - Ebola infected                   
           Removcmd.lha      - Removcmd.lha Trojan              
           ReOrgIt.lha       - ReOrgit Trojan                   
           scansys.lha       - Trojan                           
           scm-bps1.lha      - HNY 96' Infected archive         
           SEBOLA97.LHA      - Lisa fuckup v3.0 trojan          
           SIGN.LHA          - DancePoolModTro.exe Infected     
           SINFO10.lha       - SInfo v1.00 Trojan               
           slt-m21g.lha      - Hitch Hicker v4.23 Infected arc. 
           SPICE_POWER.lha   - Max BBS trojan Type C            
           srn-db33.lha      - Strange Atmosphere LinkVirus     
           Strip64.lha       - HNY 96' Infected archive         
           SURPRISE.DMS      - Surprise Trojan at 'TP 4'        
           TBF-F175.LHA      - AMFTP v1.75 HNY 97' Infected     
           TBL-ABDU.lha      - The Black Lotus 'Abduction' demo 
           Timezone.lha      - HNY 96' Infected archive         
           toolsd26.lha      - CoP Trojan                       
           TP5-ANDR.lha      - TP-5 Andromeda Demo Trojan       
           TP5-PRLX.lha      - TP-5 Parallax Demo Trojan        
           TP5-SPAC.lha      - TP-5 Spaceballs Demo Trojan      
           TP5-TSL.lha       - TP-5 Silents DK Trojan           
           TP5-TRSI.lha      - TP-5 TRSI Trojan                 
           trc-resc.lha      - Trojan                           
           TRSI-BV1DMS       - Ebola Infected Archive           
           TRSI-FT.LHA       - Futuretracker Trojan             
           TRSI-INS.lha      - TRSi Installer Trojan            
           TRSI-vw5.lha      - VirusWorkshop v5.0 Trojan (CoP)  
           TXC-Z11.lha       - ZAP v1.1 Unpacker virus infected 
           USX-SCFN.lha      - HNY 96' Infected archive         
           VCHCK660.lzx      - Virus_Checker v6.60 Trojan       
           VcKey110.lha      - MakeKey v1.10 For Virus_Checker  
           VMK12.lha         - VirusMemKill v1.2 Trojan         
           VZII_114.lha      - VirusZ II v1.14 (Fake)           
           VZII_119.LHA      - VirusZ II v1.19 (Fake)           
           w9-sex.lzx        - Happy New Year 98' Infected      
           XTRUDE35.LHA      - Xtruder v3.5 Trojan              


 After  a big HD-Crash in October 1998, a lot of the viruses that Virus Help
 Denmark has been collecting over the years was lost. We use the viruses for
 testing of antivirus programs. Please help us.... If you find some of these
 viruses/trojans  then,   Please mail them to us  or please  upload them to
 one of our  Support BBS'es , the sysop will see that it get to us.

 We have recived a lot of the missing viruses, but we still need your help
 with the last viruses. Thanx must go to these fine guy's/girls' for sending
 a lot of the viruses:
 Dave, Torsten, Dennis, Morten, Buzz, Michael, Martin, Ram, VTC, Soenke, Jan,
 Markus, Georg


 Here is a list of the missing viruses:

 Link-Virus:
 -----------
 EF67A3C3
 Irak 3
 GlobVec
 LOBO Weird
 Prometheus
 Starcom 1
 WECH
 Xeno 1

 File Viruses:
 -------------
 Aibon 2 Installer 2
 Alien Life Form 1
 Alien Life Form 3
 BootJob Exe-BB
 BootShop Installer 2
 Butonics 3,2
 Centurions 2
 Circle Of Power 10 (ToolsDeamon)
 Disk-Killer 1,0
 General Hunter 3,2
 H.N.Y. Clone
 H.N.Y. Clone Inst.
 Lha-Check 1,1
 Nano 1
 NoGuru 2,0
 SehrJung LoadWB
 Str.Atmosphere Inst. 2
 SysInfo 2,2
 Tai-Pan BB Installer
 TFC Revenge LoadWB
 Timedate Installer
 Vera 2,3
 XPR-Speeder 3,2

 Send these viruses to  Virus Help Denmark  or Upload them to one of our
  Support BBS'es  around the world.


               Virus/Trojan/Archives we are looking for, help us!
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
         If you have some of these archives, please  send them to us .

  Archive name   -  Kind  -  Size  - Program info
  -----------------------------------------------------------------------------
  aga_italy2.lzx   Trojan   117026   Demo from AGA Italy, ruins rdb on hd's.
      etc!hd.lha   Trojan        ?   Is said to be some kind of trojan.
    evilcomm.lha   Trojan    40044   For Daydream BBS, corrupts hd's & fd's.
     flt1996.lha   Trojan        ?   Fairlight 1996 production, Trojan.
    h&w-woda.dms   Trojan        ?   Warrior of darkness AGA, hd formatter.
     patchhh.lzx   Virus         ?   Install the Hitch Hiker virus.
     scansys.lha   Trojan    12508   Fast optimizer for 68020-68030.
    srn-db33.lha   Virus         ?   Contains a new link-virus.
    toolsd26.lha   Trojan        ?   ToolsDeamon v2.6, COP Trojan.
  -----------------------------------------------------------------------------

  Thanx to these guys/girls for sending archives:

  Ramon for cpu-nfot.lha, John for kilhitch.lha, Bruce for trc-resc.lha.


 Hi All.......

 This trojan or virus has NOT been tested. The reason for this is that we do
 not have this file/archive in our collection.

 Please mail it to us if you have it. No names will be written down, unless
 you want credit for it. It is only the virus that we are looking for. Name
 and adress will be in the trachcan, if you want it.

 Please... Help us to support the anti-virus programmers.

 You can contact Virus Help Denmark, at  this adress .

 -- Thanx for your help...
                             Jan Andersen


                                BAD NEWS
                               ----------

 This must be the worst news in 1998....... Markus Schmall has stopped
 programming VirusWorkshop. Markus got a new job at a software company
 that is going to  take all his time. There  is nothing that we can do
 about this..... Exept to thank Markus for the time he made one of the
 best antivirus programs for the Amiga. VirusWorkshop will be missed..

 Good luck in the future Markus......

 Regrads....

 Jan and the rest of the Amiga fan's all over the world.......


 This archive in infected with the Ebola linkvirus, please read this
 analysis that Markus has done:


Entry...............: Ebola Virus
Alias(es)...........: E1116 (to stay CAROconform)
Virus Strain........: -
Virus detected when.: 9/1995
              where.: Germany
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:     1116 Bytes
                      2. Length in RAM:                3300 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:
                      -  Searches for $ab1590ef at the end of the first Hunk.

                      Self-identification method in memory:
                      -  Checks for $213f at offset -2 of the loadseg()
                         function


                      System infection:
                      -  non RAM resident, infects the following functions:
                         Dos LoadSeg(), Exec FindTask() and Exec
OpenResource()


                      Infection preconditions:
                       - File to be infected is bigger then 2500 bytes and
                         smaller then 130000 bytes
                       - First hunk contains a $4eaexxxx command in the 16
                         bit range to the end of the file (test for the first
                         entry)
                       - the file is not already infected (the at long of the
                         end of the hunk)
                       - HUNK_HEADER and HUNK_CODE are found



Infection Trigger...: Accessing files via LoadSeg()
Storage media affected: all DOS-devices

Interrupts hooked...: None


Damage..............: Permanent damage:
                      - None
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - None
                      Transient damage:
                      - None

Particularities.....: The crypt/decrypt routines are partly aware of
processor
                      caches. The cryptroutine are non polymorphic and only
                      consists of some logical stuff. The virus uses some
                      simple retro technics to stop viruskillers searching
                      for Draco and possible for the HochOfen (Trabbi) Virus.


Similarities........: Link-method is comparable to the method invented with
                      the infiltrator-virus

Stealth.............: No stealth abilities

Armouring...........: The virus uses only a single armouring technique to
                      confuse people. It only crypts it`s code based on the
                      position of the rasterbeam.

Comments............: The name EBOLA is the name of a virus, which humans
                      can get infected with. CARO rules say, that no names
                      of persons etc. may be used to call a virus, but I
                      spoke to other persons and they already recognized
                      this virus in this way.


--------------------- Agents -------------------------------------------

Countermeasures.....: VW5.5 and VT 2.76 Countermeasures successful: All of the
above Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 03.09.1995.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall (C)
Date................: September,03. 1995
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may be not used
                      in any SHI publication

===================== End of EBOLA Virus =========================


Entry...............: H.N.Y.96. / H.N.Y 97
Alias(es)...........: Happy_New_Year_96, Happy_New_Year_97
Known clones........: Aram Doll
Virus detected when.: 11/1995
              where.: Austria, Germany, Holland, Poland and USA
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:  540 Bytes
                      2. Length in RAM:             540 Bytes

                      Happy New Year97 uses Filepart() instead of
                      LoadSeg infection and the static length 628 bytes.
                      All other commands are 100% equal.


--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: Text at the end of the first hunk: "Happy_New_Year_96"

Type of infection...: Self-identification method in files:
                      -  Searches for $65772059 in the first Hunk.

                      Self-identification method in memory:
                      -  Checks for $2f08 in the LoadSeg function

                      System infection: 
                      -  RAM resident, infects the LoadSeg() code of
                         DOS library

                      Infection preconditions:
                      - device has more than 4 free sectors
                      - file is longer than $960 bytes and shorter than
                        $1e460 bytes
                      - Hunk_Code is found in the area behind the HUNK_
                        header (NO CHECK FOR RUNAWAYS!!!)
                      - The filename contains this not a "-" and does
                        not contains ".l". This is probably to be secure
                        no to infect a library.
                      - $4e75 is found at the end of the first CODEHUNK
                        or $4e75 is in the last $3f words of this hunk.



Infection Trigger...: Accessing the volume
                       
Storage media affected: all DOS-devices

Interrupts hooked...: LoadSeg() of DOS will be used for the infection code.
                      The routine is a little bit buggy and trashes the
                      a1 register.

Damage..............: Permanent damage:
                      - None
                      Transient damage:
                      - None

Damage Trigger......: Permanent damage:
                      - None
                      Transient damage:
                      - None

Particularities.....: This virus uses no encryption routines to hide it`s
                      code. The LoadSeg() patch isn`t 100% clear and
                      trashes the adress register A1.


Similarities........: Link-method is comparable to the Crime
                      series. End of the first hunk will be the loc.
                      for the virus and the last "RTS" will be replaced.

Stealth.............: no stealth abilities found

Armouring...........: The virus uses only some special adresscommands to
                      confuse the AV people.

Installers..........: DemoManiac 2.19 fake (dop-dm1.dms)
                      DeTag0.63 (detag063.lha)

--------------------- Agents -------------------------------------------

Countermeasures.....: VT 2.79, VW 5.8
Countermeasures successful: all of the above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: (C) Markus Schmall, Hannover, Germany
Classification by...: Markus Schmall
Documentation by....: Markus Schmall
Date................: November,24. 1995
Information Source..: Reverse engineering of original virus
Copyright...........: Markus Schmall, the VTC Uni Hamburg is allowed to
                      use this document in their libraries. SHI is
                      forbidden to use this document in any form.
===================== End of H.N.Y.96. Virus ============================


Notes about the known clones:

Aram Doll is a normal linkvirus with 560 byte length. It`s not crypted and
uses the LastAlert pointer of Execbase for the selfrecognition in memory.
The LoadSeg patch differs a little bit.


  WARNING !!! WARNING !!! WARNING !!! WARNING !!!WARNING !!! WARNING !!!
       WARNING !!! WARNING !!!WARNING !!! WARNING !!!WARNING !!!

      We have nok found the file that infects your systems with the
      Commander virus. The infector program is called:

                             DENISTRO.EXE

      I have two versions of this file, but they both installs the
      virus:

           1..   It has a size of 66592 bytes.
           2..   It has a size of 71800 bytes.

       Do not start this program, it will install the link part of
       Commander virus, and add 1664 bytes to your LoadWB command.

       This Virus has now been around for a few month,  but now we
       know.  Over 60 BBS'es in scandinavia  has now been infected
       with this new virus.  But thanx to the AntiVirusProgrammers
       that has  updated there killers fast,  to try and stop this
       virus.

       Thanx to:

       Kim B. Jensen   - For sending my the 'Denistro.exe'.

       The installer of Commander is now on it's way to every well
       known anti-virus programmer.


 Regards
                                       _________    _
 Jan Andersen.                    ____/"""./###/____)\_____________
 Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                /   /   //"""/"  / //   /  //____   \_
 FidoNet:   2:236/116.1         \      //   /  ____/   /  //""""/[email protected]! /
 AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
                                              /____/


  WARNING !!! WARNING !!! WARNING !!! WARNING !!!WARNING !!! WARNING !!!
       WARNING !!! WARNING !!!WARNING !!! WARNING !!! WARNING !!!


               TROJAN FROM 'THE PARTY 4' CALLED SURPRISE.EXE
               ---------------------------------------------

  There is a new warning about a demo that damages your RDB Boot. (Great
  way of starting the new year)  :-(((((((((

  This demo is called 'SURPRISE.exe',  and has a size of 39296 bytes. It
  makes all your partitions on your HD into,  one partition and calls it
  'SUCK ME ORGANIZERS'.  We think  that it  only makes  damages on  SCSI
  devices, but we are not sure about that.

  The demo was made at the 'PARTY 94' in Herning, Denmark. And was given
  to the organizers to compeat  in the contest of  the best demo. It did
  do some damage to there HD, but a guy (Benny) did restore there HD.

  We do  not know  if it was  spred at the party.  But if it was, please
  take care of this demo.

  This demo is on it's way to every wellknown antivirus programmer.

              Regards....
        __
   __  ///    Jan Andersen                 FidoNet:   2:236/116.1
   \\///      VIRUS HELP                  AmyNet :  39:141/142.0
    \XX/         DENMARK


  WARNING !!! WARNING !!! WARNING !!! WARNING !!!WARNING !!! WARNING !!!
       WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


                   DO NOT EXECUDE THE FILES FROM ADDY099.LHA
                   -----------------------------------------

 Do NOT start the 'ADDY0.99.Exe', it will replace your startup-sequence
 and shell-startup,  and add 656 bytes to your c:Dir command.  Spread in
 the archive 'ADDY099.LHA'.

 It will change your startup.sequence with a new small one:

 Prompt "AfraId ?..tHe fReAk wAs hEre 2 dEvEstAte  NDOS:>"

 Every  time you  run a shell  it will  add a line in  your user-startup
 "Wait 5" and you will the the text above when you are rebooting.

 I do  not know  what it does  to your 'C:Dir command',  but if you have
 started  this program  up, the replace the 'c:Dir command',  with a new
 clean one, form your WB disk's.

 It will work under KS 2.0 and 3.0, have not tested it under KS 1.3 yet.

 There is a "Readme" text in the archive, this is what is says:

 ///////////////////////// Addy Ver. 0.99 \\\\\\\\\\\\
                           
WHAT THE FUCK IS IT ?
A small BBS Add maker, for you guys to put in your .lha's :)
This Programme  is made by me,  if you like it, tell me cause i've JUST
started learning how to do make small programmes, if there are any bugs
in it, please let me know, i can be found at the coolest bbs'es in Sw.
( Sorry about  the lame doc, but i just can't  wait to release my first
programme ).

Usage:
If you cant figure this one out, you never will.
Simply double click And follow the instructions. Easy Huh ?
Known Bugs: NONE.. at all.. tested very well.. Wouldent want my first
release to be crap.. would I ?

Written By The Freak !
\\\\\\\\\\\\\\\\\////////////////////////////////

There is a FILE ID.DIZ to, here is the text:

 _________________________
:                         :
|  _____________________  |
|  \\\\\///////////  |
|   \Addy\ver./0.99///   |
|    \\\my\FIRST////    |
|     \Release EVER/     |
|      \\\///////      |
|       ~~~~~~~~~~~       |
|    -bY tHe FreAk-   |
|         SysOp at        |
|       Money Talks     |
|      +44 ELITE ONLY     |
_________________________:

------ END -------

 The archive is on it's way to every well known antivirus programmer
 in the world, thanx guys for the great job you are doing.....

 Thanx to Morph, for sending me this new 'Thing'.


 Regards
                                       _________    _
 Jan Andersen.                    ____/"""./###/____)\_____________
 Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                /   /   //"""/"  / //   /  //____   \_
 FidoNet:   2:236/116.1         \      //   /  ____/   /  //""""/[email protected]! /
 AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
                                              /____/


  WARNING !!! WARNING !!! WARNING !!! WARNING !!!WARNING !!! WARNING !!!
       WARNING !!! WARNING !!!WARNING !!! WARNING !!! WARNING !!!

                           FAKE VIRUSZ II v1.14
                          ======================

 On Thursday 2-2-95, one of my users from Sweden uploaded a new version of
VirusZ II v1.14, Released 2-2-95, and it has a size of 64664 bytes. But it
is a FAKE VERSION. In the doc' there was added new virus, but they was the
same as  in version 3.06 of the old  VirusZ, and there  was some new virus
and here is a quote from the FAKE guide:

        - Added Commander2, Saurnh, and Recycle viruses! Thanks to
          Markus Schmall for sending them.
        - Added Big Bug, MixiMaxiMum '93, BootX Kisser and The
          Amiga Fucker 15.3 bootviruses. Thanks to Markus Schmall
          for sending them, as always!.

 I have called Markus on the phone, and he has never heard of these virus,
But he told me that there has been a new release of VirusZ II, but the new
original release is v1.13.

 Remember to check the 'ABOUT' gadget,the size of the file is stated there
if the size is not right, do not use that version of VirusZ II.


 Regards....
                                       _________    _
 Jan Andersen.                    ____/"""./###/____)\_____________
 Virus Help -      Denmark.      /"""/   //_______   /"""/""./"___/_HELP!
                                /   /   //"""/"  / //   /  //____   \_
 FidoNet:   2:236/116.1         \      //   /  ____/   /  //""""/[email protected]! /
 AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
                                              /____/


     VIRUS WARNING !!! - VIRUS WARNING !!! - VIRUS WARNING !!!
                VIRUS WARNING !!! - VIRUS WARNING !!!

                ANOTHER COMMANDER LINK-VIRUS INFECTOR
                -------------------------------------

 We have now found another program, that infects your systems with
 the Commander virus. The infector  program is a Demo or an Intro.
 If someone  knows the name and  adress of the  programmer of this
 program, please contact me.

 The name of the second installer is:

                          "MY MAMA IS A VAMPIRE"

 It can be found at two archives with the name:

 Title : dpl-mam1.dms
 Size  : 523162
 Desc. :         DuPlO DeMo DiViSiOn PrEsEnTs:
         - --> mY mAMA iS a vAMPiRE! (aGA oNLY) <-- -
         - --- * Version 3.0 (100% working!)-[1/2]- -
         Awesome texture effect! - Released 30 Oct 94

 Title : dpl-mam2.dms
 Size  : 602250
 Desc. : - --> mY mAMA iS a vAMPIRE! (aGA oNLY) <-- -
         - ---------- * Version 3.0 * ------------- -
         - - (100% bugfixed and fully working ----- -
         - -- version, packed in a NON corrupted -- -
         - --- archive this time!) ---------------- -
         ------------------------------------[2/2]- -

 Do not start  this program,  it will install the Commander virus,
 and add 1664 bytes to your LoadWB command. And infect everything
 that you will try to execute.

 Thanx to:
 Steffen Rabenborg - For telling me about the new installer.
 Peter Klein - For finding the new installer to me.

 The installer of Commander is now on it's way to every well known
 anti-virus programmer.

 Regards....
                                       _________    _
 Jan Andersen.                    ____/"""./###/____)\_____________
 Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                /   /   //"""/"  / //   /  //____   \_
 FidoNet:   2:236/116.1         \      //   /  ____/   /  //""""/[email protected]! /
 AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
                                              /____/


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


       DO NOT START 'ACHTUNG.EXE' FROM THE ARCHIVE 'GATH95-!.LHA'
       ----------------------------------------------------------

  There has just been released a archive called 'GATH95-!.LHA', there are
  one dectructiv program in the archive:

  Achtung       14032 Bytes
  Achtung.exe   14032 Bytes

  The FILE_ID.DIZ looks like this:

  +------------------------------------------+
  |Virtual Dreams, Melon and Rage's New Intros
  +------------------------------------------+
  [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
   THE GATHERING PARTY INVETATIONS. 3 OF THEM
  [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
  +------------------------------------------+
  |The BEST CODE of 1994/95. Defintly! Get it!
  +------------------------{ cSo/('g5! }---+


  This has NOTHING to do with the 'Gathering 95' in Oslo....

   Do not start the program 'Achtung.exe' and 'Achtung', will search for
  DH0:, and then make a lot of files starting with this:

  LAMER.AAAAAAAA           10240 Bytes (and then change the last letter B)
  LAMER.AAAAAAAB           10240 Bytes (and then change the last letter C)
  LAMER.AAAAAAAC           10240 Bytes (and then change the last letter D)

   And keep doing that until your HD is full.


   I have talked to a guy in Denmark, that  has lost everything  on his DH0
  drive, and there was some damage  to a lot of files, and  the name of his
  system was renamed to 'LAMER:!!!!' due to this little sucker.
   And I have other reports about HD craches due to 'Achtung.exe'.

   I have tried it on floppy  disks, and the one a called 'DH0:' was filled
  up with all of these 'LAMER.AAAAAAAA' 880 kb of them.

   I'm not gonna lose my HD trying to find out some more about this thing.
  The most improtant thing is: DON'T START THIS SUCKER !!!!!!!!

  But this little thing is on it's to every wellknown antivirus programmer.

   Thanx to Brian Overby for the help....


  Regards....
                                        _________    _
  Jan Andersen.                    ____/"""./###/____)\_____________
  Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                 /   /   //"""/"  / //   /  //____   \_
  FidoNet:   2:236/116.1         \      //   /  ____/   /  //""""/[email protected]! /
  AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
                                               /____/


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


        DO NOT START 'NComm v3.2' FROM THE ARCHIVE 'NCOMM32.LHA'
       ----------------------------------------------------------

  There has just been released a archive called 'NCOMM32.LHA', there are
  a dectructiv program in the archive:

  NComm   121896 Bytes (Packed with Stonecracker 4.04)
  NComm   226116 Bytes (Unpacked)

  The FILE_ID.DIZ looks like this:

  ********************************************
  NCOMM V3.2 *CRACKED* KEYFILE CHECK REMOVED!
  ********************************************


  The 'Sucker' started in the S: directory replacing the data's in EVERY
  file with the text 'CIRCLE OF POWER 1995', so the startup-sequence and
  rest of the files in the S dir was totally destroyed.  All .info files
  will be replaced in the same way

  The archive is now on it's way to every wellknown anti-virus programer.

  Thanx to Jan Ravn, for sending the 'thing' to us....


  Best Regards.....
                                        _________    _
  Jan Andersen.                    ____/"""./###/____)\_____________
  Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                 /   /   //"""/"  / //   /  //____   \_
  FidoNet:   2:236/116.1         \      //   /  ____/   /  //""""/[email protected]! /
  AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
  VirNet :   9:451/247.0                       /____/


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
     WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


       DO NOT START THE 'LHA v3.0' FROM THE ARCHIVE 'LHA30.LHA'
      ----------------------------------------------------------

 There has just been released a archive called 'LHA30.LHA', and there are
 a dectructiv program in the archive:

 "LHA3.0    69888 bytes (Packed with Stonecracker 4.04)"
 "LHA3.0   105808 bytes (Unpacked)


 The FILE_ID.DIZ looks like this:

 LHA 3.0 FROM STEFAN BOBERG


 The "Sucker" started  in the S: directory  replacing the  data's in EVERY
 file with  the text  'CIRCLE OF POWER 1995:', so the startup-sequence and
 rest of the files in the S dir was totally destroyed.

 The LHA3.0 looks a lot like the fake 'NComm 3.2', it does the same things
 to your HD and disk's.

 The archive is now on it's way to every wellknown anti-virus programer.

 Thanx to Kim B. and Flemming S., for sending the 'thing' to us....


  Best Regards.....
                                        _________    _
  Jan Andersen.                    ____/"""./###/____)\_____________
  Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                 /   /   //"""/"  / //   /  //____   \_
  FidoNet:   2:236/116.1         \      //   /  ____/   /  //""""/[email protected]! /
  AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
  VirNet :   9:451/247.0                       /____/


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


         DO NOT START THE 'CED4' FROM THE ARCHIVE 'CED4.LHA'
      ----------------------------------------------------------

 There has just been released a archive called 'CED4.LHA', and there are
 a dectructiv program in the archive:

 CED4     174500 bytes (Unpacked)


 The FILE_ID.DIZ looks like this:

 CYGNUS EDITOR V4.0 (MAIN)


 The "Sucker"  started  in the S: directory  replacing the  data's in EVERY
 file with  the text  'CIRCLE OF POWER 1995:',  so the startup-sequence and
 rest of the files in the S: dir was  totally destroyed.  This goes for all
 files in your 'DEVS:' directory to.

 The CED4 looks a lot like the fake 'NComm 3.2' and 'LHA30.LHA' it does the
 same things to your HD and disk's.

 Please take care,  there is a  lot of fake programs around, that does this
 thing. Checke everything before you start it.

 The archive is now on it's way to every wellknown anti-virus programer.

 Thanx to Kim B., for sending the 'thing' to us....


  Best Regards.....
                                        _________    _
  Jan Andersen.                    ____/"""./###/____)\_____________
  Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                 /   /   //"""/"  / //   /  //____   \_
  FidoNet:   2:236/116.1         \      //   /  ____/   /  //""""/[email protected]! /
  AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
  VirNet :   9:451/247.0                       /____/


  WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING
       WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


         DO NOT START THE 'OPUS5' FROM THE ARCHIVE 'OPUS5.LHA'
      -----------------------------------------------------------

 There has been released a archive called 'OPUS5.LHA', and there are a
 dectructiv program in the archive:

 I have not seen the archive yet, but I have talked to some people that
 used this 'thing', and had there data files replaced,

 It does the same things that 'NCOMM32.LHA', 'CED4.LHA' and 'LHA30.LHA'
 it will replace the data's in EVERY file with the text:

 'CIRCLE OF POWER 1995:'

 Please take care,  there is a  lot of fake programs around, that does
 this thing. Checke everything before you start it.

 If you find this program, please send it to me, or send it to all the
 well known antivirus programmers.


 Regards....
                                       _________    _
 Jan Andersen.                    ____/"""./###/____)\_____________
 Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                /   /   //"""/"  / //   /  //____   \_
 FidoNet:   2:236/116.1         \      //   /  ____/   /  //""""/[email protected]! /
 AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
 VirNet :   9:451/247.0                       /____/


  More information about the 'OPUS5.LHA' Trojan 


  WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING
       WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!

 Hi All !!!

 I now know some more about the FAKE Opus v5.0, it has a size of 347308
 bytes.  The archive 'OPUS5.LHA' has a size of 464397 bytes, and in the
 FILE_ID.DIZ you can read:

 -------------------------------------------
            DIRECTORYOPUS v5.0
 -------------------------------------------
 * Uses multiple processes for windows.
 * Full REXX support
 * Faster dir-routines.
 * Better archive handeling, supports LZX!
 -------------------------------------------

 No anti-virus program can find this trojan yet, but I have tested it on
 all the wellknown killers,  and there are only 2 that detects something
 yet, but this trojan  is now on it's  way to every wellknown anti-virus
 programmer

 VirusWorkShop v4.9, can not find it yet,  but will give you a requester
 saying that:
 "$3f0/$3f1/$3e8 Hunk at the beginning found"

 VT v2.71 can not find it yet, but will give you a requester saying that:
 "3E8-Hunk am anfang ist im file"

 Thanx to Kim B. for uploading this 'thing' to our BBS.


 Regards....
                                       _________    _
 Jan Andersen.                    ____/"""./###/____)\_____________
 Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                /   /   //"""/"  / //   /  //____   \_
 FidoNet:   2:236/116.1         \      //   /  ____/   /  //""""/[email protected]! /
 AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
 VirNet :   9:451/247.0                       /____/


  WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING
       WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


      DO NOT START THE 'Sinfo v1.0' FROM THE ARCHIVE 'SINFO10.LHA'
      ------------------------------------------------------------

There has been released a program called 'SInfo v1.0', do not start that
program it will  replace every file  in your S:, Libs: and C: with a new
file, with a size of 5 bytes, in this file you can read 'cop!'.  This is
another program from 'CIRCLE OF POWER!', the same lamer that has written
'NComm32.LHA', 'OPUS5.LHA', 'LHA30.LHA' and 'CED4.LHA'.

There is another thing, SInfo v1.0 will ask for 'SINFO.library', and the
library is in the archive, BUT it is not 'Sinfo.library', it is the reel
'Bootblock.library v3.1' from SHI, why this ????????

SInfo v1.0 is spread in a program called 'SINFO10.LHA', and has a size
of 4432 bytes

The main program has a size of 2552 bytes.

In the FILE_ID.DIZ you can read:

  .------------------------------------------.
  | SYSTEMINFO V1.0 BY JURGEN HUNSMANN 1995! |
  | A VERY GOOD REPLACEMENT OF THE INFO CMD! |
  `----------------------------------(baron)-'


In the DOC you can read this:

---------------------------- QUOTE START ---------------------------------

 TYPE: SystemInfo ala INFO
 DESC: Will list all devices available on you're system.
 AUTH: Jrgen Hnsmann
 DATE: 01-Apr-95
 MAIL: [email protected]
 FIDO: 2:286/407.19

                              SInfo v1.0 DOC!
                             ~~~~~~~~~~~~~~~~~
 It works just like the WorkBench Info command, but has some features not
 found in the default INFO command.

 1) It will show Meg/Kilo/Bytes left on the device instead of blocks.
 2) It is ALOT faster
 3) It shows assigns
 4) Can force devices to be validated!

 Contact me at the addresses above!

---------------------------- QUOTE END -----------------------------------


This new 'CIRCLE OF POWER!' thing, is on it's way to every wellknown anti-
virus programmer.

And to the 'COP!' programmer, STOP the shit you are doing, you must have a
big problem somewere.


Thanx to Kim B. for uploading this to my BBS.

Regards...
                                       _________    _
 Jan Andersen.                    ____/"""./###/____)\_____________
 Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                /   /   //"""/"  / //   /  //____   \_
 FidoNet:   2:236/116.1         \      //   /  ____/   /  //""""/[email protected]! /
 AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
 VirNet :   9:451/247.0                       /____/


  WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING
       WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


      DO NOT START THE 'CREATOR' FROM THE ARCHIVE 'CREATOR.LHA'
      ---------------------------------------------------------

 In the last day or two, a lot of people have uploaded a small program to
 'Virus Help BBS'  with the name 'cREATOr v1.0',  it is stated in the doc
 that it is a program, that will you  choose how fast  your HD shall  run
 after every reset. BUT if you run it, it will start to format your hard-
 disk. The doc says nothing about this.

 Here is some info about the program:

 Archive name......: CREATOR.LHA
 Archive size......: 2757 bytes
 Files in archive..: CREATOR.DOC    1124 bytes
                     FILE_ID.DIZ     484 bytes
                     C:CREATOR.SCR    40 bytes
                     S:CREATOR.DAT  2880 bytes


 The FILE_ID.DIZ looks like this:

 *******************************************
 *        cREATOr V1.0 (C) 04-10-95        *
 *                                         *
 * Thiz Powerful Tool Will Let You Choose  *
 * How Fazt Your HD (Mili Seconds) Shall   *
 * Run After Every Reset !!! Normally Thiz *
 * Is Only Possible With SCSI-2 HD's And A *
 * Fazt CPU (020/030/040) But After 1 Year *
 * Of Hard Coding I've Developed This Good *
 * Product Which Should Run On All AMIGAS! *
 *******************************************


 So DO NOT start this thing, you will loose your HD.

 This thing is on it's way to every wellknown antivirus programmer, who
 will accept new virus from 'Virus Help'.

 Thanx to everybody that has uploaded this thing to our BBS.


 Regards....
                                       _________    _
 Jan Andersen.                    ____/"""./###/____)\_____________
 Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                /   /   //"""/"  / //   /  //____   \_
 FidoNet:   2:235/112.0         \      //   /  ____/   /  //""""/[email protected]! /
 AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
 VirNet :   9:451/247.0                       /____/


  More about the 'Creator' Traojan 


 Hi All......

 Hmmmmmm, there has been another release of the CREATOR trojan, but there
 is something wrong  again.  Again the doc' states  that it  will let you
 choose how fast your HD  shall run after every reset.  But if you try to
 start the program, you will asked to write 'FORMAT' in a shell, and that
 would be a stupid thing to do, right ???.

 This 'new' update will NOT work at any of my Amiga's, so there for I can
 not tell you what it will do, but I have people testing it right now.

 Here is some info about the program:

 Archive name......: CREAT_11.LHA
 Archive size......: 2757 bytes
 Files in archive..: CREATOR.DOC    1124 bytes
                     FILE_ID.DIZ     484 bytes
                     C:CREATOR.SCR    40 bytes
                     S:CREATOR.DAT  2880 bytes

 The FILE_ID.DIZ looks like this:

 *******************************************
 *        cREATOr V1.1 (C) 04-11-95        *
 *                                         *
 * Thiz Powerful Tool Will Let You Choose  *
 * How Fazt Your HD (Mili Seconds) Shall   *
 * Run After Every Reset !!! Normally Thiz *
 * Is Only Possible With SCSI-2 HD's And A *
 * Fazt CPU (020/030/040) But After 1 Year *
 * Of Hard Coding It Works Very Fine !!!   *
 * FIX VERSION - FIXED VERSION - FIXED VER *
 *******************************************

 This thing is on it's way to every wellknown antivirus programmer, who
 will accept new virus from 'Virus Help'.

 Thanx to everybody that has uploaded this thing to our BBS.


 Regards....

 Jan Andersen.


  WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING
       WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


    DO NOT START THE 'FUTURETRACKER' FROM THE ARCHIVE 'TRSI-FT.LHA'
    ---------------------------------------------------------------

 Okay there is another 'Circle Of Power' trojan around. This time it is in
 a fake ProTracker  called  'FutureTracker'.  It will do the same thing as
 the other trojans  that 'CoP'  has released  in the last month, only this
 time it will rewrite every file  in DEVS:, L:, and S:,  with another file
 where you can read this:

 [cOp]: Khanan / Circle Of Power :[cOp]

 This time the 'thing' will show a text on the screen (See the Iff.Pic in
 this archive). Here is what it says:

 - - - - - - - - - - - - - - - - START - - - - - - - - - - - - - - - - - -

 .cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp

                           cIrcle of pOwer'95

 .cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp

 --[==================================================================]--

Sweden's no.1, "CIRCLE OF POWER" rammed yer arse again!! Have phun retyping
              all those valueble config's. haha! Fuck you all!

           -^( THE TERROR WILL NEWER STOP, PHEAR THE MIGHTY COP! )^-

 --[==================================================================]--
                                                              [kHANAN/cOp]

 - - - - - - - - - - - - - - - - - END  - - - - - - - - - - - - - - - - -

 This text will come to your screen when 'FutureTracker' is replacing the
 files on your harddisk.


 Here is some info about the program:

 Archive name......: TRSI-FT.LHA
 Archive size......: 278290 bytes
 Files in archive..: FutureTracker      317608 bytes
                     FILE_ID.DIZ           360 bytes
                     FutureTracker.cfg    1065 bytes
                     FutureTracker.doc      90 bytes


 The FILE_ID.DIZ looks like this:

          _ _ __________________________- --.
 .--------\\_   ___/___    /  ______/--^-|.
 |  bACk tO  |    |   __/  _/______  \     |:
 | tHe rOOTs l____|___/     \_________\____||
 |-------------------/_______\----------cDr-|
 | FutureTracker - ProTracker Clone by PSI! |
 | 6 channels, 256 samples, full MIDI port! |
 `------------------------------------------'

 This thing is on it's way to every wellknown antivirus programmer, who
 will accept new virus from 'Virus Help'.

 Thanx to Kim B. for uploading this thing to our BBS.

 Regards....
                                       _________    _
 Jan Andersen.                    ____/"""./###/____)\_____________
 Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                /   /   //"""/"  / //   /  //____   \_
 FidoNet:   2:235/112.0         \      //   /  ____/   /  //""""/[email protected]! /
 AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
 VirNet :   9:451/247.0                       /____/


  WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING
       WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


    DO NOT START THE 'VIRUSWORKSHOP' FROM THE ARCHIVE 'TRSI-VW5.LHA'
    ----------------------------------------------------------------

  There has just been released a FAKE  version of 'VirusWorkShop v5.0',
  when you try  to run the program,  some music will start, and that is
  all that I can find out.  I can not se that it writes anything to any
  drives. But I'll let some others, test it on there systems.

  I can tell you, that Markus Schmall has never made a version 5.0, and
  that he never will release VirusWorkShop with the version string v5.0

  This is  said to  be antoher  'COP' (Circle Of Power) release,  but I
  can not get it to infect my system.


  Here is some info about the program:

  Archive name........: TRSI-VW5.LHA
  Archive size........: 221737 bytes
  VirusWorkShop Size..: 135744 bytes


  The FILE_ID.DIZ looks like this:

  _________________  ____________
  \  .   ___.___._\/  ____/_____)  TRiSTAR &
   \/|  .|  |  | _/_____\|    |
     |  ||  |   : \   V \    ||     RSi
     |___|  |___|___\______/_____|
  +*#*+^TRN!|____\+*#*V^+*#*+PRESENT!
              VIRUS-WORKSHOP 5.0


 This thing is on it's way to every wellknown antivirus programmer, who
 will accept new virus from 'Virus Help'.

 By the way.. The newest version of VirusWorkShop at this date is v4.9,
 and the size is 136556 bytes.

 Thanx to Kim B. for uploading this thing to our BBS.

 Regards....
                                       _________    _
 Jan Andersen.                    ____/"""./###/____)\_____________
 Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                /   /   //"""/"  / //   /  //____   \_
 FidoNet:   2:235/112.0         \      //   /  ____/   /  //""""/[email protected]! /
 AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
 VirNet :   9:451/247.0                       /____/


  WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING
       WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


        THE ARCHIVE 'ABASE.DMS' IS INFECTED WITH SADDAM VIRUS
        -----------------------------------------------------

 There has been spread a demo version of a program with the name 'ABASE',
 it is an adress base from Poland. This archive contains the Saddam virus
 which is inside the 'l:Disk-validator'.
 This info is for the Amiga user that still runs with KickStart 1.3, that
 is because that Saddam Virus can not run under kickstart 2.0 -> 3.1.


 Here is some info about the program:

 Archive Name.......: ABASE.DMS
 Archive Size.......: 222609 Bytes
 ABase program......: 83096 Bytes, PowerPacked (138332 Bytes Unpacked)
 Saddan Virus.......: L:Disk-Validator (1848 bytes).


 Again thanx to Kim B. (Great Virus-Hunter).....

 Regards...
                                       _________    _
 Jan Andersen.                    ____/"""./###/____)\_____________
 Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                /   /   //"""/"  / //   /  //____   \_
 FidoNet:   2:235/112.0         \      //   /  ____/   /  //""""/[email protected]! /
 AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
 VirNet :   9:451/247.0                       /____/


 WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING
      WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING


                DO NOT START THE PROGRAM 'CCHACK2.exe'
                --------------------------------------

 There has been released a program that is said to be a CallingCard Hacker,
 if you  start the program it  will look for a BBS: assign,  and  then read
 the user.data file. This textstring is coded in the the file. Why a hacker
 program for CallingCards, want to read the 'BBS:User.Data', I do not know,
 but do not trust this program....

 Here is some info about the trojan:

 Name.....: CCHACK2.exe
 Size.....: 11216 Bytes (unpacked)


 If you start the program this will be displayed:

 MCI CallingCard Hacker by ByTePaCkEr/Finland 1995

 Usage: CChack2.exe <CALLINGCARD.NR.>


 VT v2.72 will find this 'thing', but in the doc to VT, Heiner states that
 the file has a size of 11368 Bytes (unpacked), so maybe there is an other
 version of this trojan,  and maybe the name of this is 'CCHACK.EXE', I do
 not know.

 This 'thing' is on it's way to every wellknown antivirus programmer, that
 will accept new virus from us.

 Thanx again to Kim B. a great virushunter, for uploading it to us.....
 And to Markus Schmall for the first info about this 'thing'...

 Regards....
                                       _________    _
 Jan Andersen.                    ____/"""./###/____)\_____________
 Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                /   /   //"""/"  / //   /  //____   \_
 FidoNet:   2:235/112.0         \      //   /  ____/   /  //""""/X@! /
 AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
 VirNet :   9:451/247.0                       /____/


 WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING
      WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING


          DO NOT START THE 'Acp' FROM THE ARVHIVE 'PSG-AE5.LHA'
          -----------------------------------------------------

 There has been released  a program that is said to be a new version of the
 BBS program AmyExpress v5.0,  but it is another  'Circle Of Power' trojan,
 it will replace every file in DEVS: and S: dir,  with a textfile where you
 can read:

 [cOp]: Khanan :[cOp]

 Inside  the fake  'AmiExpress v5.0'  file 'Acp',  you can read this is the
 ASCII text:

 $VER: ACP V5.0 (C)-95 JOSEPH HODGE


 In the File_ID.Diz, you can read:

 AmiExpress v5.0


 If you start the program,  a shell window will pop up,  where you can read
 this:

 [cOp]:              The Circle Of Power did it AGAIN!               :[cOp]
 [cOp]:                                                              :[cOp]
 [cOp]:      THE TERROR WILL NEVER STOP, PHEAR THE MIGHTY COP!       :[cOp]


 Here is some info about the archive it is spread in:

 Archive Name..: PSG-AE5.LHA
 Archive Size..: 71982 Bytes (Striped For BBS adds)
 Trojan Name...: Acp
 Trojan Size...: 71904 Bytes


 Someone must  know this 'Khanan' or other  members of 'COP'.  If you know
 anything about these stupid guy's, please contact us....

 This 'thing' is on it's way to every wellknown antivirus programmer, that
 will accept new virus from us.

 Thanx again to Kim B. for uploading this 'sucker' to our BBS.....

 Regards....
                                       _________    _
 Jan Andersen.                    ____/"""./###/____)\_____________
 Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                /   /   //"""/"  / //   /  //____   \_
 FidoNet:   2:235/112.0         \      //   /  ____/   /  //""""/[email protected]! /
 AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
 VirNet :   9:451/247.0                       /____/


 WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING
      WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING


     DO NOT START THE PROGRAM 'Copkiller' FROM THE ARCHIVE 'COPKILL1.LHA'
     --------------------------------------------------------------------

 Okay there is another 'Circle Of Power' trojan on the loose. This time
 it will rewrite the  files in DEVS:,  and in the new file you can read
 this:

 [cOp]: Scotch & Khanan on tour '95 :[cOp]

 Here is some info about the file it is spread in:

 Archive name: Copkill1.LHA
 Archive size: 9801 Bytes
 Cop Trojan  : Copkiller (8428 bytes)

 In the FILE_ID.DIZ you can read this:


>--------- FILE_ID.DIZ START --------------<

     _____ ______ ___  DIRECT UPLOAD FROM
  __/ ___//  /  //  /\     SAFE HEX
  \___  // _/  //  / /   INTERNATIONAL
  /  / // __  //  / /    -------------
 /____//__/__//__/ /  AGAIN A NEW TOP-HIT!
 \____\__\__\__\/      -------------

     ->> PRESENTS C.O.P. Killer v1.1  <<-
 An excellent trojankiller that recognises
 the new encoding system used by C.O.P.
 Also read about the SHI reward >$5000<
 for the name of a virus programmer.

۲  Update 18-05-95 ۲

>--------- FILE_ID.DIZ END ----------------<

 But this is not a release from SHI.....

 This 'sucker is now on its way to every antivirus programmer, that will
 accept new virus from 'Virus Help Denmark'.

 Thanx to Bahrat Asar for uploading this 'sucker' to our BBS.


 Regards.....
                                       _________    _
 Jan Andersen.                    ____/"""./###/____)\_____________
 Virus Help - Denmark.           /"""/   //_______   /"""/""./"___/_HELP!
                                /   /   //"""/"  / //   /  //____   \_
 FidoNet:   2:235/112.0         \      //   /  ____/   /  //""""/[email protected]! /
 AmyNet :  39:141/142.0          \_____/\__/___/ ""\______/_________/
 VirNet :   9:451/247.0                       /____/


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


  DO NOT START THE PROGRAM 'CALLERSLOF.SFX' FROM THE ARCHIVE 'MST-CA12.LHA'
  -------------------------------------------------------------------------

 There has been found a new 'COP' trojan in a fake program. It was released
 about the 28'th of May.  Here is some info about the trojan:

 Archive Name: MST-CA12.LHA
 Archive Size: 19349 Bytes (Ripped for BBS add's)
 Trojan Name : cALLERSLOG.SFX
 Trojan Size : 8428 Bytes (Is not a SFX. Archive)


 Here is what the File_ID.DIZ will tell you:

   .--------[____ mYSTIC ____]--------.
   |__ ______\   \____  /   /_________|____
  /   |  \   /   /___/_/  ___/______/  ___/__
 /        \___  /____  \   \   /    \  \    /
 \___\/   /____/    /  /______/_____/______/
   | /___/   \________/AdN!          _|_
   |                                 \_/
   |  cALLERSLOG 1.2 fOR lOGIC bBS    |
   | 100% fIXED - iNC iFF sCREENsHOT  |
   |                                  |
   `-[LoGIC DeVELOPeMENT]-[/X cOMPAT]-'



 This new trojan will replace everything in your DEVS: dir. With a text 41
 bytes long, where you can read this:

 [cOp]: Scotch & Khanan on tour '95 :[cOp]

 This new 'COP' trojan is now on it's way to every wellknown antivirus
 programmer that will accept new virus from Virus Help Denmark.

 Thanx again to KIM B. for uploading this our BBS.

     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:235/112.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK             VirNet :   9:451/247.0


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


 There has just been released another  Trojan. It was uploaded to a BBS in
 Sweden by Gryzor (Member of Circle Of Power). The name of the archive is:

 TRSi-INS.LHA
 (Size about 40000 bytes)

 The FILE ID.DIZ says that this is an installer for several games.

 But TRSI has nothing to do with this sucker.

 We can at  this time not say anything  more about this trojan, bacause we
 have written this warning out of a phone call from Markus Schmall, but we
 will here more when Markus has tested this thing.


     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:235/112.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK             VirNet :   9:451/247.0

  Click here  to read Markus Schmall's test of the archiv.


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


Hi All.....

There has just been found a fake Virus_Checker v6.60. Do not use this trojan
at all.  The VC.guide is just a rewritten v6.57. Here is some info about the
sucker:

Archive name... : VCHCK660.lzx
Archive Size... : About 122.000 bytes (Ripped for BBS adds)
VC v6.60 Size.. : 52400 bytes

The newest version of Virus_Checker is at this time v6.58 (Brain v1.20)

This new trojan is on its way to every wellknown antivirus programmer, that
will accept new virus and trojan from us.

     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:235/112.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK             VirNet :   9:451/247.0


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


 Hi All...

 There has been released a new COP trojan. This time it is a fake
 'QuaterBackTools'. This thimg will replace everything in your S:,
 LIBS;, BBS:, m.m with a text string of 75 bytes.

 The file_id.diz of this trojan looks like this:

  ____  ___   ____   _   ___  ___  ____
 ::::: / . \_/ ___)_/_)/ .__)(___)/ ___)::::.
 :::::/    \___  \   \    \/   \___  \:::::
 :::::\_____/___  /_  /__|   \_  /___  /:::::
  `--[RD10/CodX]\/--\/--____\/---\/---'
         QUARTER BACK TOOLS DIAMOND
  SUPPORTS AFS FILE SYSTEM, XPK PARTITIONS,
  REORGANIZES BETTER THEN REORG, AND USES A
  SAFETY DISK WHEN REORGANIZING! NO CRASH!
  RELEASED BY : ERICO / OSIRIS


 Info about the trojan:

 Archive name: ORS-QBD.LHA
 Archive Size: About 128654 Bytes
 Trojan Name : QBTools3
 Trojan Size : 227716 Bytes

 This new trojan is on its way to every wellknown antivirus programmer
 that will accept new virus from Virus Help.

     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:235/112.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK            VirNet :   9:451/247.0


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


Hello everybody.....

The mad guys from 'Circle Of Power' is back. This time it is a faked program
called 'DiskMaster v1.4'. It will replace files in LIBS:, DEVS:, S:, with a
new file with the length of 41 bytes, and in this file you can read this
text:

FausT / cIRCLE oF pOWER'95 - TRUE POWER!

The file_id of this program look's like this:

       _________    _
  ____/"""./###/____)\_____________
 /"""/   //_______   /"""/""./"___/_
/   /   //"""/"  / //   /  //____   \_
\      //   /  ____/   /  //""""/X@!/
 \_____/\__/___/ ""\______/_________/
--><!VIRUS!<></____/-><>-!WARNING!-<><--
Brought To You Diskmaster V5.1 Debugged
And Updated With VirusX2.4 VirusKiller!!
>>>----------------------------------<<<

This is nothing that Virus_Help has anything to do with. But I'm sure that
you all know that by now.

This littel 'sucker' is on it's way to every wellknown anti-virus programmer
that will accept new virus from Virus Help Denmark.

     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:235/112.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK             VirNet :   9:451/247.0


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


Hi All !!!!!

There is a lot of trojans comming right now from 'The Party 5', but I'm
pretty sure that the files are from the 'COP' idiots.

The archive 'TP5-SPAC.LHA' with a size about 45000 bytes (ripped from all
BBS adds) the mainfile 'TP5_Spaceballs.exe' has a size of 38060 bytes.

The program is trying to lock on NComm:, just like tha old COP trojan's.

Here is the FILE_ID from the archive:

.------------------------------------------.
|        DIRECTLY FROM THE PARTY 5         |
`------------------------------------------'
.------------------------------------------.
|                                          |
|       Spaceballs 40k intro called        |
|              'Ice Frontier'              |
|                                          |
`------------------------------------------'

Please do not start the program. The archive is on it's way to every
wellknown anti-virus programmer that will accept virus from us.

Thanx to 'Tauno Pinni' for bringing this to us......


     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:235/112.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK             VirNet :   9:451/247.0


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


Hi All !!!!!

There is a lot of trojans comming right now from 'The Party 5', but I'm
pretty sure that the files are from the 'COP' idiots.

The archive 'TP5-ANDR.LHA' with a size about 47000 bytes (ripped from
all BBS adds) the mainfile 'TP5_Andromeda.exe has a size of 40216 bytes.

The program is trying to lock on NComm:, just like tha old COP trojan's.

Here is the FILE_ID from the archive:

.------------------------------------------.
|        DIRECTLY FROM THE PARTY 5         |
`------------------------------------------'
.------------------------------------------.
|                                          |
| Andromeda's 40k intro called 'feelings'. |
|                                          |
`------------------------------------------'

Please do not start the program. The archive is on it's way to every
wellknown anti-virus programmer that will accept virus from us.

Thanx to 'Tauno Pinni' for bringing this to us......


     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:235/112.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/       VIRUS HELP DENMARK       VirNet :   9:451/247.0


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


Hi All !!!!!

There is a lot of trojans comming right now from 'The Party 5', but I'm
pretty sure that the files are from the 'COP' idiots.

The archive 'TP5-TSL.LHA' with a size about 46000 bytes (ripped from
all BBS adds) the mainfile 'TP5_SilentsDK.exe' has a size of 39440 bytes.

The program is trying to lock on NComm:, just like tha old COP trojan's.

Here is the FILE_ID from the archive:

.------------------------------------------.
|        DIRECTLY FROM THE PARTY 5         |
`------------------------------------------'
.------------------------------------------.
|                                          |
|      Silents DK's 40k intro called       |
|              'Byte Kitchen'              |
|                                          |
`------------------------------------------'

Please do not start the program. The archive is on it's way to every
wellknown anti-virus programmer that will accept virus from us.

Thanx to 'Tauno Pinni' for bringing this to us.......


     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:235/112.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK             VirNet :   9:451/247.0


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


Hi All !!!!!

There is a lot of trojans comming right now from 'The Party 5', but I'm
pretty sure that the files are from the 'COP' idiots.

The archive 'TP5-PRLX.LHA' with a size about 41000 bytes (ripped from
all BBS adds) the mainfile 'TP5_Parallax.exe' has a size of 39980 bytes.

The program is trying to lock on NComm:, just like tha old COP trojan's.

Here is the FILE_ID from the archive:

.------------------------------------------.
|        DIRECTLY FROM THE PARTY 5         |
`------------------------------------------'
.------------------------------------------.
|                                          |
|   Parallax's 40k intro called 'Cubic'.   |
|                                          |
`------------------------------------------'

Please do not start the program. The archive is on it's way to every
wellknown anti-virus programmer that will accept virus from us.

     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:235/112.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK             VirNet :   9:451/247.0


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!

Hi All...

A new archive is now spread with an 'old' virus in it.  The archive name is
'TMTC90.LHA'. The virus in the archive is 'Disaster Master 2', and it is in
the C: dir. in the cls command.

Every wellknown viruskiller can find this virus. Just make sure that you
don't use or install the 'cls' command on your HD.


The FILE_ID.DIZ look's like this:

_________________+ Ti/\/\eTr/\cE
\______   ______/_________________
     |    _|__  +\______   ______/
 +   |   |    \+ _____|     |
   + |___|     \/     /     |
         |_____/     /|_____|
     Released /_____/ Today
 Chicago 90  HD and AGA Fixed
 Done by >TORCH< Leader of TmT

That is all for now.... Happy new year everybody....

     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:235/112.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK            VirNet :   9:451/247.0


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


   Hi All...

   A new archive is now spread with a virus in it.  The archive name is
   'NC210.LZX' or 'NC210.LHA'. The virus in the archive is the new link
   virus called 'Happy New Year 96'.


   At this time only 3 viruskillers can find this 'sucker'.

   VirusWorkshop v5.8... By Markus Schmall
   VT v2.79............. By Heiner Schneegold
   VirusZ II v1.27...... By Georg Hoermann


 The FILE_ID.DIZ look's like this:

   Get file description from comprograms +
   Name: NC210.lha
   Path: Aminet/comm/misc
   Best: Aces High SW, 5 Ndz

That is all for now.... Happy new year everybody....

Thanx to 'ENZO' for saving this for us.......

     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:235/112.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/       VIRUS HELP DENMARK            VirNet :   9:451/247.0


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!

   Hi All...

   A new archive is now spread with a virus in it.  The archive name is
   'SIGN.LHA'.  The virus in  the archive is  the new link virus called
   'Happy New Year 96'.

   Archive Name.....: SIGN.LHA
   Size.............: 25261 bytes (Ripped for BBS adds).
   Infected file....: DancePoolModTro.exe (25484 Bytes Packed with STC)


   At this time only 3 viruskillers can find this 'sucker'.

   VirusWorkshop v5.9... By Markus Schmall
   VT v2.80............. By Heiner Schneegold
   VirusZ II v1.27...... By Georg Hoermann


 The FILE_ID.DIZ look's like this:

.------------------------------------------.
|              fGHt AGANSt               |
|                 FASCSM.                 |
|                                          |
|           fRENDShP RUlEZ...            |
|               WORlDWDE !!               |
`------------------------------------------'
              !!sIGn&sPREAd!!

That is all for now.... Happy new year everybody....

Thanx to 'Morten Johan Leerhoy' sending the archive to us...


     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:235/112.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/       VIRUS HELP DENMARK            VirNet :   9:451/247.0


  WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
       WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!


 Hi All...

 A new archive is now spread with a virus in it. The archive name is
 'C!S-NS1.DMS'. The virus in the archive is the 'Ebola' Link virus.

 Archive Name.....: C!S-NS1.DMS
 Size.............: 546381 bytes (DMS Packed)
 Infected file....: No_Sence1 (60048 Bytes Packed with STC)


 At this time only 3 viruskillers can find this 'sucker'.

 VirusWorkshop v5.9... By Markus Schmall
 VT v2.80............. By Heiner Schneegold
 VirusZ II v1.27...... By Georg Hoermann


 The FILE_ID.DIZ look's like this:
  ___________________________________________
           _   _    ,  __   _  ,  __
          | ) (_)   ) (_/_ | ) ) (_/_

           n   o    s   e   n  s  e
     m a g a z i n e  -  d i s k   p u b l.

        a   C - L O U S   diskmagazine

    The First Issue of No Sense Magazine -
  Disk Publication (Includes Swedish chart.)
  ___________________________________________


 Well, that is all for now.....

 Thanx to 'Kim B.' sending the archive to us...

 IMPORTANT: Virus Help DK BBS, new phone number +45 4659 6867.

     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:235/112.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK             VirNet :   9:451/247.0


  WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
       WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!

 Hi All...

 A new archive is now spread with a virus in it. The archive name is
 'TXC-Z11.LHA'. The virus in the archive is the 'Ebola' Link virus.

 Archive Name.....: TXC-Z11.LHA
 Size.............: 197233 bytes (LHA Packed)
 Infected file....: UnARJ.... ( 9100 Bytes)
                    UnRAR.... (24176 Bytes)
                    Install.. ( 4132 Bytes)

 At this time only 3 viruskillers can find this 'sucker'.

 VirusWorkshop v5.9... By Markus Schmall
 VT v2.80............. By Heiner Schneegold
 VirusZ II v1.28...... By Georg Hoermann


 The FILE_ID. look's like this:
   __ ______  __.__________
  \//  _).\( |  )__) .__)
.--/  /    \     \  |  \----------------.
| /   \_____/  |__/__|____/TOXiC GIVES YA: |
|-\___/-----\_|---------------------------|
|            ZAP V1.1 *FREEWARE*           |
| EXTRACTS LHA/LZH/LZX/DMS/ARJ/ZIP/ZOO/RAR |
|   EASY GUI, PREFS EDITOR + SAVE PREFS    |
|    FILE/DIRECTORY/DEVICE REQUESTERS      |
|  ALL EXTRACTORS INCLUDED,STATUS DISPLAY  |
|  NEW MANUAL + NEW INSTALLER + NEW ICONS  |
|      PLAY MUSIC WHILE EXTRACTING         |
|    FASTER SOURCE CODE, FASTER PROGRAM    |
`----TOXiC'S-2:ND-RELEAS-DOWNLOAD-&-TRY----'


 Well, that is all for now.....

 Thanx to 'Torben Danoe' sending the archive to us...

 IMPORTANT: Virus Help DK BBS, new phone number +45 4659 6867.

     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:235/112.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK             VirNet :   9:451/247.0


  Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning !

       ABlank11 Trojan:
       ----------------

       other possible names: KUK Crew Trojan

       Length: 1056 bytes (PP40 lib) or 1352 bytes unpacked

       Nothing tricky at all. It will be tried to initialize SYS:
       again and then to create several files (and dirs) on the
       device. Code isn`t that good written, equalities to existing
       trojans can be found, but I cannot remember which one exactly.

       Thanks must go to Jan Andersen and Flemming Slabiak sending me
       this one.

       Visible texts in the unpacked file:


        '> KUK CREW < A New and Evil Group has come t'
        'o spread TERROR and DESTRUCTiON to the Amiga'
        ' Scene! HAHAHAaaaaaaaaaah',0
        'dos.library',0
        'SYS:',0,0
        'KUK_CREW!',0
        'KUK_CREW!:Haha!',0
        'KUK_CREW!:Mr.Fitta_%ld',0,0
        'KUK_CREW!:Dr.Klitta_%ld',0
        'KUK_CREW!:Kuk+Fitta=Barn_%ld',0,0
        'KUK_CREW!:Kiss&BajsrNice_%ld',0


        Greets Markus Schmall (Programmer of VirusWorkshop)!!!!!

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


  Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning !

Hi !

Warning ! The file "TP5-TRSI.lha" contains a COP trojan and it is NO
TRSI release. In the file_id it`s said that this is a 40K intro from
TRSi. It`s the same code as found in the pha-xmas.lha trojan.

The file didn`t appear up to now (28.12. 19.00 o`clock) on german
systems. The file was on some boards in Denmark. I have informed in
a public letter the Aminet moderators, so that this thing will be
hopefully not uploaded to it.

The File_Id looked like this:

.------------------------------------------.
|        DIRECTLY FROM THE PARTY 5         |
`------------------------------------------'
.------------------------------------------.
|                                          |
|   TRSI's 40k intro called 'Domination'   |
|                                          |
`------------------------------------------'

Special thanks must go to Jan Andersen of Virus Help DK and Kim B.
for the support. Thanks !

Greets

         Markus Schmall.  (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


  Hi ! Back in the street...

  Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning !

  The archiv "PHA-XMAS.lha" contains a new trojan. The code looks like
  the COP trojans, but this time no word from them. Via the access of
  DosLists it will be tried to access the files and overwrite them with
  a $1f byte long string, which look like this:

  "+46-620-13141 - DUNGEON OF DOOM"

  A swedish number, I suppose.

  If the sys partition is protected, the following text will be up:

  'Phenomena DOS-Extender V1.1 ',$A9,'1993 by Photon'
  'Unable to write Swapfile. Remove write-protection and retry'
  'Creating new Swapfile. Please hold...'

  Of course Photon has nothing to do with it.

  The FileID of this files looks like this:

  .------------------------------------------.
  : Phenomena presents ' merry x-mas ! '     :
  : Pha's very last production on the Amiga! :
  :                                          :
  : Code & Graphics : Photon, Color & Twins  :
  : Music           : Tip & Mantronix        :
  `------------------------------------------'

  But it`s only a little lame trojan.

  The archive already popped up in Germany on 24.12., but the archive
  was corrupted. 2 days later I found it as intact archive on the
  D-o-E BBS, where I want to thank Mercury for his freedl, otherwise
  I wouldn`t have been able to analyse this one.

  Some people had real luck. E.g. Hitpoint downloaded the corrupted
  archive and could so not start the shit (hi Dieter !)...

  Ok, that is all for now, it`s morning time and I want to sleep...

  Greets

        Markus Schmall (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


  Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning !

       Hi ! I just recieved a new (old?) trojan, here the
       analyse of it:

       Susi_Drive_Stepper Trojan:
       --------------------------

       Filelength:    904 bytes unpacked
       Programmed in: Assembly language
       Processors:    MC68000-MC68040(?)
                      On MC68060 it did not work

       Typ: Trojan

       This is a very easy programmed trojan. Via the use of
       Disk Resource it will be tried to access a device (0)
       and some IDs will be changed. The whole new "created"
       DiskResource struct is not correct and contains a lot
       of not understandable code. The trojan is not reset-
       proof, it just tries the above mentioned diskresource
       manipulation and some little hardwarehacks.The trojan
       selects unit 0 and steps with the head around. The
       direction will be changed at every loop and the head
       moves always one track. The timing is so bad managed,
       that the controller gets irritated and quits work
       temporarly.

       The name of the new created port is "susi". You can
       see at the end of the file some names, but nothing
       more. All in all a simple trojan.


       0260: 00000000 00000000 00006469 736B2E72    ..........disk.r
       0270: 65736F75 72636500 73757369 00616E64    esource.susi.and
       0280: 72656100 76616C65 6E74696E 6100696E    rea.valentina.in
       0290: 67726964 00636872 69730000 0A000120    grid.chris.....

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


       A special hello and thanks goes out to Jan Andersen for
       his really great help all the time and all his work. He sended
       me this trojan. Thanks Jan.


    - Merry X-mas to all of you - Have a nice christmas celebration time -

    Greets
            Markus Schmall (Programmer of VirusWorkshop)


 Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning !


     vmk12.lha (a file which came from an eastern country), which
     is said to be VMK 1.2 contains a new lame bootblockvirus.
     The maincode is 3452 bytes long and contains the old vmk +
     the installer for this little bb virus.

     Next versions of VT, VZ and VW will surely recognize it.

     signed
              Markus Schmall (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


 Hi #?

 A new little linkvirus appeared yesterday on the gobal stations. It`s
 called HNY96 (Happy_New_Year_96) and is 540 bytes long and infects
 normal executable files. The infection is done via LoadSeg(). We
 recieved this virus from the US, Holland, Switzerland and Germany. It
 seems to be on the wild, so there will be an update of VT very soon
 to kick the bastard. VW 5.7 is too new to stress the users with a
 600 kb release again. Since the installer isn`t known, I will release
 a blockersystem in the coming days.

 Greets

           Markus Schmall (Programmer of VirusWorkShop)


 P.S.: Ebola linkvirus is found in dvd!-def.lha. Don`t start it...

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


  Warning ! M-hac.lha and Bloody.exe contain LINKVIRUSES ! BE CAREFULL !

  Here a first BETA ANALYSE of it:

  ConMan 1995 Linkvirus:
  ----------------------

  Other possible names: M-Hac Virus, Bloody Virus
  Detected in: M-hac.lha and Bloody.EXE
  Detected when: August 1995/Germany SOS
  Linking method: 4eb9 (!!!!)
  Resident: NO
  Length: 1836 bytes


  This is a new type of linkvirus. There are 2 installers known yet.
  It simply creates a new process with the known CONMAN code , but
  now with different names.

  Possible names are:

  C:DIR
  ramlib
  Background_Process
  RAm
  L:FastFileSystem
  LIBS: gadtools.library
  Workbench
  DF0
  addbuffers
  CON
  LIB:req.library
  CLI(0): no command loaded
  CLI(1): no command loaded

  Please note that several of this takss can appear in normal systems,
  too.

  The speciality of this virus is, that it uses a intern 4eb9 linker
  to link to files. Quite tricky. Viruskillers like VT, VZ_II and
  VW should so be able to detect the infected files.

  The linking routine knows the following hunksymbols: $3f2,$3f3,$3ec
  and $3eb. The code is a little bit dangerous, but I will implent
  in VirusWorkshop a complete reverse analyzed routine, so it should
  be no problem to repair even not working infected files.

  The virus adds 4 hunks to the file and the linked code is partly
  packed. It is packed with StoneCracker 4.04 and then afterwards
  manipulated.

  The virus is not memory resident.

  Some words about the installers:

  m-hack.lha FILE_ID.DIZ

  .-------------------------------.
  | MASTER AMIEX ONLINE PW HACKER |
  | PREVIOUS VERSION HAVE A BUG!  |
  `-------------------------------'

  The programm hack (4388 bytes long) contains the trojan.

  bloody.exe FILE_ID.DIZ:

  NON DOS DISK READER >>>>-BEST!

  The programm is including this ID 25560 bytes unpacked long.

  Greets
          Markus Schmall (Programmer of VirusWorkShop)

  P.S.: This analyse is copyrighted and strictly forbidden to be used
        in any SHI production....


   Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning !


  The archiv 'srn-db33.lha' is a  possible  installer  of a new linkvirus
  called Strange Atmosphere.  We have here the first infected files.  The
  files become 1232 bytes longer and the linkvirus contains a destructive
  routine, which is able to format harddiscs. We will give you as soon as
  possible a viruskiller update, which can kill this little bastard !

  Thanks to RD10/ORS  for the testsamples  and to Maestro for his general
  great work !

  Greets

          Markus Schmall   (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)

   Analysis made by Markus Schmall 


 THIS IS A BETA ANALYSIS, WHICH BE CHANGE UNTIL THE FINAL RELEASE OF THE
 NEXT VIRUSWORKSHOP VERSION !

 KNOWN INSTALLERS OF THE LINKVIRUS ARE: SRN-DB33.LHA AND TCR-RESC.DMS !



Entry...............: Strange Atmosphere
Alias(es)...........: SA Virus (as called in VW)
Virus Strain........: -
Virus detected when.: 2/1996
              where.: Germany
Classification......: Link virus, memory-resident
Length of Virus.....: 1. Length on storage medium:      1232 Bytes
                      2. Length in RAM:                $2710 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
                      Caches may cause problems during the decoding
                      process

--------------------- Attributes ---------------------------------------

Easy Identification.: None

Type of infection...: Linkvirus

                      Self-identification method in files:
                      -  Searches for $1080402 at the end of the first
                         codehunk


                      Self-identification method in memory:
                      -  Checks for $3d385e29 at position -6 of the
                         LoadSeg() adress

                      System infection:
                      -  RAM resident, infects the LoadSeg() DOS function
                      -  DoIO() exec function and Coolcapture will be
                         infected only under special conditions

                      Infection preconditions:
                       - File to be infected is bigger then $a28 bytes
                       - The file is not already infected
                       - HUNK_HEADER and HUNK_CODE are found
                       - HUNK_HEADER structure is valid
                       - There must be 4 free blocks on the disc
                       - File is shorter than 290000 bytes
                       - The lenght of the first hunk must be exactly the
                         same as written in the hunkheader structure

Infection Trigger...: Accessing the file

Storage media affected: all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - Files will be trashed (depends on the Rasterbeam)
                        Devices will be overwritten (depends on the
Rasterbeam)
                      Transient damage:
                      -System gets locked while reset and a new copperlist
                        will be shown.

Damage Trigger......: Permanent damage:
                      - Internal counter
                      Transient damage:
                      - Internal counter

Particularities.....: The crypt/decrypt routines are not aware of
                      processor caches. The installer code in several
                      files is working correct with higher processors.
                      The linkcode checks for correct length of the first
                      hunk to remove problems with extra ordinary packers.

Similarities........: Link-method in the executable files is the simple
                      "link behind the first hunk" method without any
                      special tricks.

Stealth.............: The viruses uses normal dos commands (no tunneling
                      via packets) and normal DOS call watchers like
                      SnoopDos can proof the infection behavior.
                      There are no stealth routines build in.

Armouring...........: The virus is only one armouring technique to protect
                      it`s code. It uses a normal crypt routine to hide
                      the viral structures. Heuristik checkers like the
                      one in VirusWorkshop can find the dangerous parts
                      and VW gives you the rating "Virus!".

Name................: In the crypted part there is the following string:
                             '-+* Strange Atmosphere [gOOd] *+-'

                      If the internal counter reaches 50, the word "gOOd"
                      will be replaced by "eVIL" and the destructive code
                      will be activated.


--------------------- Agents -------------------------------------------

Countermeasures.....: VW6.0 (VT follows soon)
Countermeasures successful: All of the above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 04.03.1996.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall
Date................: March 1996
Information Source..: Reverse engineering of original virus
Copyright...........: Markus Schmall
Special note........: Virus Test Center Hamburg and Virus Help Team DK
                      are strictly allowed to use this analyse in their
                      own productions. All other groups/institutions may
                      please contact me first.

===================== End of Strange Atmosphere Virus ===================


       A short beta analyse of the chkmount.lha trojan !

       THIS IS COPYRIGHTED MATERIAL ! NOT ALLOWED TO BE USED IN ANY SHI
       PRODUCTION !


       WireFace Trojan Typ G:
       ----------------------

       Found in   : chkmount.lha
       Type       : destructive trojan
       Protection : *Art
       Filesize   : 4672 Bytes (partly packed)


       This is another trojan from the WireFace series. This trojan looks
       in parts like  Biomechanic trojans,  some byterow comparecode  are
       for sure copied. I haven`t test up to the end, but the code  looks
       like a comparable code as in the icond biomechanic stuff.

       If you start it  and a  destruction is  not  possible (devices not
       found) a text will be printed on screen saying several times:

       [email protected]

       It has some visible texts at the end of the virus. The virus itself
       is protected and then afterwards packed with StoneCracker 4.04. The
       final filesize is 5868 bytes.

       The following devices are tried to be accessed and the 39 first
       sectors are going to be cleared:

       'scsi.device'
       'icddisk.device'
       'oktagon.device'
       'SoftSCSI_OktagonC9X.device'

       Other visible texts are:

       '(TrojanName: iLSKNA ANDREAS v1.1) WiREFACE / dEMONS oF tHE "
       " pENTAGRAM strikes again with another stunning release (trojan) "
       " hahaha. Send postcards, money, bugreports or COMPLAINTS'
       'to me at this email adress: [email protected] CU in another
       relase!'
       '[email protected]'      (This is the printed text)

       The programm looks like created with an old compiler. Some special
       1.x programming technics are used, which won`t be used nowaday
       normally anymore.

       VirusWorkshop and VT will give you the warning, that a $3e8 hunk is
       in the file. This is the protection from the trojan. Simple, but
       effective.

       Something more to wonder about: I have downloaded this file from SOS
       at 8.8.1995. and I have only used the name MOUNT-972 in one warning
       in AMiganet and the german Z-net, so the viruscoder must read it,
       too.

       The trojan is supplied with a little documentation:

                          Mount-972 Virus Checker
                          -----------------------
                  by Robert Wolvestein ([email protected])

       This small checker finds and eliminates the Mount-972 virus
       that resently popped up! The virus must have been spread
       via Aminet or thru BBS's coz it is EVERYWHERE, almost 40% of
       my 'scene-friends' had it in some way or another.

       Regards Robert.

       (ED: A cool fake, better play with your joystick)


       Greets..

          Markus Schmall   (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


 Warning !

 It is said to be trojan in "BIO-WARN.LHA". This is spreaded under
 the name of Virus Help Team Denmark and contains a file called flake013.txt
 and flake_killer_bio.exe and advertisements from the ASYLUM bbs.

 The text flake013 is a analyse/warning from me, which was spreaded under
 the name of Virus Help Team DK some days ago. The executable file is not
 known to me.

 The upload user of the archiv is known (the handle) and we will force the
 sysop of Asylum to close this account.

 Greets
          Markus Schmall   (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)

  Click here  to read the reel Flake013.txt


  Warning !

  VcKey110.lha is a trojan ! DON~T START IT ! YOU HAVE BEEN WARNED !
  Here is my BETA analyse of the file.

  VCKey 1.10 Trojan:
  ------------------

  other possible names: none
  Kickstart: V37 and higher
  Filelength: 9088 bytes (partly packed)
  found in/when: VkKey110.lha/Jul95


  This is said to be a cracked keyfile creator for the wellknown Virus-
  Checker antivirusprogramm.

  The FILE ID looks like this:

  "
  MakeKey v1.10 Keyfilemaker
  for Virus Checker Cracked.
  -----------------------( EAGLE's NEST! )----
  "


  In reality this file contains a nasty trojan, which tries to format
  your SYS: device (DOS1 bootcode) and give it the new name "Snupp!".
  If I can read my autodocs correct, only a quickformat will be done.
  Try to use Disksalv to recover the data on your sys: device.

  In the unpacked code you can read:

  "WiREFACE / dEMONS oF tHE pENTAGRAM * WHiPPED YOUR HD, SUKKAH !! We Look "
  "Down Your Nose (Laughter)!"

  The dangerous code was linked using the 4eb9 linking method on the normal
  makekey programm from the actual VirusChecker distribution. The dangerous
  code is packed with powerpacker 4.0 (5848 bytes long). This was probably
  done to shorten the whole file and to crypt the visible texts. The unpacked
  viruscode is 7588 bytes long.

  (Do you really think that such a lame protection can stop a good antivirus-
   researcher from doing its job ????)

  VT 2.74 and VW 5.2 atleast recognize a $4eb9 linker in the file. Another
  viruskiller, which claims to recognize 4eb9 files, does not detect it.


  There is a little document in this archive called MakeKey.readme:
  -----------------------------------------------------------------

  "
  MakeKey v1.00 cracked... presenting MakeKey v1.10 :)

  This is a specially written program to allow users who have
  registered to make a keyfile from the information they recieve.

  *** But now you can enter any serial numbers you want ! ***
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  It can be run from SHELL or WORKBENCH and opens a GUI.
  It requires WB2.04 or better to run. Enter the data into the
  gadgets and click on MakeKey and the keyfile will be generated.

  "

  Greets
          Markus Schmall   (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


        Warning ! The archive "gvp-hs15.lha" contains a new trojan !

        Here is my first analyse:

        Karai Trojan Virus:
        ---------------------

        Filelength packed:    1460 Bytes (Rob Northern !!!)
                              1924 Bytes (unpacked)

        Other possible names: GVP-HS15 Trojan

        Works only with Kickstart 3.0 and ahead (V39 funtions will be
        used).

        Some other suspicius fact is, that the programm was packed using
        the Rob Northern cruncher, also called Propack. The file was
        afterwards modified a little bit, so that no existing depacker
        can unpack it.

        This trojan is programmed quite simple. The needed libraries will
        be opened and it will we checked for the old SnoopDos task.

        Then the file "s:nothere" will be tested. If it exists, no damage
        will be caused.

        Then a TimeDisplayAlert (timer some seconds) will pop up and show
        you:

                           LMB> Kill system RMB>Reboot


        The code analyzer behind is programmed like this:

        1.If the user gave no input in the 5 seconds and/or presses the
          right mousebutton, the system will be trashed using some basic
          format and delete routines.

        2.If the user presses the left mousebutton, then a ColdReboot
          will be performed.



        SO DON`T START THIS AND IF SUCH A REQUESTER APPEARS, THEN RESET
        YOUR AMIGA BY HAND !


        The routine to show the Alert is a Kickstart V39 function. It will
        be not tested, if the used system is really V39 or higher.

        FileID of this archive (GVP-HS15.lha):

        HardDiskSpeeder v1.5 GVP Inc. 1995
        (a little cache program for HDs!)
        ...

        If you start the programm, it will show you the following text:

        'HardDiskSpeeder v1.5 installed ...'


        If you start it using a "?", then the following text will show
        up:

        'HardDiskSpeeder v1.5 by GVP Inc. 1995'


        The trojan tries to destroy the following directories and devices:

        dh0-dh4, hd0-hd4, l:, libs:, devs:, s: and c:

        The formatted new devices will have the name:

        '"Karai Virus strikes back"'


    Greets

          Markus Schmall   (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


 Warning !

 The file TRSi-INS.lha is NO TRSi release and contains a fucking trojan !
 In the middle of the 10.6.1995. one of our members (NIKE/TRSi) got a call
 on the BBS from a guy called GRYZOR, who is supposed to be the leader of
 Circle of Power (COP), and this guy said to NIKE that TRSi is lame and
 such things. Later he uploaded there a file called TRSi-INS.lha to this
 board and NIKE wondered a little bit and contacted me and the other TRSi
 guys. So this virus is now (10.6.1995. 18:30 o`clock) about 6 hours old.
 Let us stop this bastard and finally get a solution for the COP problem
 (hi Apollo and Noise Belch).

 Here is my first analysis of the virus, which is a little bit short, but
 I ran totally out of time. Sorry dudes..

 Biomechanic Trojan
 ------------------

 other possible names: TRSI-INS Trojan
 Type: Destruction only
 Destruction caused by: simple bytemodification

 This is NO TRSi release ! It is just a FAKE !

 In the File-ID it is stated that this are some hd installers for actual
 games. In real this is just a trojan, which will manipulate your files
 on your HD.

 The contents of the archive:

 ViroCop-HD_install.exe           5912 ----rwed 02-Sep-92  12:49:54
 SWOS-HD_install.exe              9588 ----rwed 02-Sep-92  12:51:12
 SensibleGolf-HD_install.exe      4776 ----rwed 02-Sep-92  12:51:24
 Mortal-Kombat2-HD_install.exe    5512 ----rwed 02-Sep-92  12:50:12
 MCI-CARDS4-FREE.EXE              5912 ----rwed 02-Sep-92  12:49:30
 Embryo-HD_install.exe            6764 ----rwed 02-Sep-92  12:50:24


 The virus is looking for a special enviroment and then manipulates the
 files:

 Here a original PGP signed message:

 0000: 89009502 05002FCF 1B5220F5 BA1075CB    ....../I.R o.uE
 0010: 69450101 C11D03FF 7ED659E1 39C4AD2C    iE..A...~Y9-,
 0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14    IO..!y\1 U\.
 0030: D2B35295 5FFBE735 4E8070E1 A8C2C909    O3R._5N.p"A.
 0040: 2235ABB5 BE37E843 79CCD140 7AA2ACA5    "5 7CyI@z <-

 Here the manipulated one:

 0000: 89009502 05002FCF 1B5220F5 BA1075CB    ....../I.R o.uE
 0010: 69450101 C11D03FF 7ED659E1 39C4AD2C    iE..A...~Y9-,
 0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14    IO..!y\1 U\.
 0030: D2B35295 5FFBE735 4E8070E1 A8C2C909    O3R._5N.p"A.
 0040: 2235ABB5 BE37E843 79CC0002 B37800A5    "5 7CyI..3x. <-

 If you start the virus (it is in all the above listed files), a little
 text will show up:

                 - b i o m e c h a n i c -

 and the work begins. If the work is completed, the following text will
 be printed out, too:

                  ... trashed your hd ...

 and a directory named "biomechanic trashed your hd !!" will be created,
 which is empty.

 The code looks quite good. This is not the work of a real beginner. The
 guy behind has some programming knowledge. This way of programming is
 better than from the COP viruses. The programm uses indirect adressing
 and a lot of stackusage, which cannot be done by a beginner (atleast I
 think so).


 Greets
          Markus Schmall   (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


 Warning !

 A faked VirusZ_II 1.19 is going around. The filename is 'vzii-119.lha'
 and contains some parts of the actual vzii-118.lha release from Georg
 Hoermann. The mainprogramm seems to be an older version of VirusZ with
 a filelength of 64664 bytes. I found no trojan in it. Please just
 delete the file. I called Georg and he told me, that he not released
 VirusZ_II 1.19 !

 File ID of the fake:

        _________    _
   ____/"""./###/____)\_____________
  /"""/   //_______   /"""/""./"___/_HELP!
 /   /   //"""/"  / //   /  //____   \_
 \      //   /  ____/   /  //""""/X@!/
  \_____/\__/___/ ""\______/_________/
 --><><><><><></____/-><>- Presents-<><--
       VirusZ II v1.19 - (09.06.95)
 >>>----------------------------------<<<

 Probably just again somebody, who wants to destroy the good reputation
 of Virus Help and Georg Hoermann.


 Greets
          Markus Schmall   (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


  WARNING !

  Fileghost 3 Linkvirus:
  ----------------------

  MC68040 and MC68060: yes
  Kickstart V35 and above
  Patched vectors: DOS LoadSeg()
  Increases filelength by 1288 bytes
  Detected: Jun`95 in the south of Germany

  This is another linkvirus out of the Fileghost series. This linkviruses
  just add their code to the end of the first hunk and then search for the
  last "rts" and modify it to a "bsr.b" to get activated. So the relochunks
  will stay unchanged.

  Differences to the previous versions of the virusfamily:

  1. Some more indirect adressing
  2. Test, if SnoopDos (FindTask "SnoopDos") is active
  3. It will be searched for 2 longwords in the first hunk

        $53460C46 at offset $2A from the loadseg() memptr
        $2F49003C at offset $3A      "       "      "

     If you know, which programm has such longs in the first hunk, please
     let me know. Thanks.

  4. The cryptroutine is a little bit advanced.
  5. The word $1994 will be used to check, if the virus already infected the
     LoadSeg() vector. This routine is comparable to Fileghost2 and to
     the Polygonifrikator viruses.
  6. Depending on a spreading counter, the virus will set new windowtitles
     (see at the bottom of the description).

  The fileghost virus contains no destructive routine. As on every type of
  this type of virus, it is possible that programms, which need a 100%
  correct hunkstructure (e.g. some packers) will get problems and will
  not work.

  The virus is, in my opinion, not from the author of the last Fileghost
  viruses. This one has display routines and will be recognized by the
  infected user in this way very fast. The last versions of Fileghost just
  worked around in the background.


  New texts for the windowtitles:
  -------------------------------

  'AUA! schlag nicht so auf die Tasten!'
  'FileGhost3 - the nightmare continues!'
  'Hallo DEPP!'
  'Was machst Du denn als nchstes ?'
  'Weit Du eigentlich, da Du dumm bist ?'
  'Und schon wieder eine Datei weniger!'
  'Gib mir mal `n Bier!'
  'Ttet alle Nazis + RAPER!'
  'AMIGA kills PC! (HEHE)'
  'INTeL Outside !'


  Greets
          Markus Schmall   (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


 Warning !

 The file lzx130.lha with the File ID:

 LZX Version 1.30 (Evaluation) Jun 5, 1995

 and the following files:

 LZX_68040                  65384 ----rwed Gestern    07:55:44
 LZX_68020                  64896 ----rwed Gestern    07:55:34
 LZX_68000EC                67680 ----rwed Gestern    07:55:20

 contains a COP trojan ! Don`t start it, it will trash your HD !
 It tries to fuck up the following dirs:

 'ncomm'
 'bbs'
 'devs'
 's'
 'envarc'
 'libs'


 All files will be overwritten with the following text and NO rescue is
 possible:

                             =CIRCLE OF POcER=
                 [ THE RETURN OF THE POcER PEOPLE! PHEAR US! ]


 The destruction routine is the same as in the last one and does not
 seem to be from a prof. coder.


 Greets
          Markus Schmall   (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


      Warning to all :
      ----------------

      Packing type: Turbo Squeezer

      The archiv "hackt.lha" contains a fucking CONMAN trojan ! The archiv
      contains the file Hackt.exe, which is Turbo Squeezed.

      packed:   12692 Bytes
      unpacked: 12312 Bytes

      It installs a new process with the name CLI(0):console.device and
      writes a new file called C:Iprefs. This Iprefs is packed several
      times and uses the 4eb9 linker method to unlink some strange stuff.

      packed:    10820 Bytes
      unpacked:  14216 Bytes

      The file itself contains an very old IPrefs and an, again packed,
      destructive virus from a guy called CONMAN. It will try to destroy
      many sectors by filling them with the word "CONMAN 1995". There is
      no rescue for such sectors.

      Due to no viruskiller for this bastard it is best for the infected
      users to do the following: Boot from the orginal WB disks and
      simply copy a new IPREFS to your HD and it should work again !

      The ConMan viruses were mostly BBS hackers, now this guy reached a
      new dimension. I got yesterday a phonecall from an irritated user
      (someone of Krypton or so ?) and he told me about his file. He got
      it from a BBS in Berlin, which is thought to be the homeplace
      of CONMAN. This guy told me that he had downloaded it around 6.4.1995,
      so this virus is on the wild.

      Sorry for this short analysis, I just got the thing packed in a
      warning from RD10/Osiris (NEVER SPREAD THE VIRUS IN A WARNING MAN !
      IF YOU WANT TO DO SOMETHING GOOD, THEN DON`T SPREAD IT IN THIS
      WAY !) and wanted to give you some information than RD10. It is
      weekend for me now, too and I want to go to a party, so wait for
      the first viruskillers to recognize this bastard.


      Greets

          Markus Schmall   (Programmer of VirusWorkshop)

          Special hellos to IXXy and Simone....

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


       VirusWarning ! VirusWarning ! VirusWarning ! VirusWarning !

       The archiv Gath95-!.lha contains a trojan ! DELETE IT !


 Gath95-! Trojan:
 ----------------

 Filelength: 14032 bytes unpacked (crypted with a simple loop)

 other possible names: Achtung(.exe) trojan

 This is a very simple trojan. It tries to format your dh0: using quick-
 format and afterwards it will be tried to fill your dh0: using files
 with the following names: dh0:lamer.aaaaa. The filesnames can differ in
 the last chars (possible to really fill up the drive).

 The trojan writes a new file with the name:

 "ram:verwirrung" (a german word, which means irritation)


 The the executecommand for the quickformat will be started. The new name
 of the dh0: device is then LAMER.

 This trojan is much more dangerous than the ordinary quickformat stuff,
 because of the high amount of new written files (lamer.aaaax), the intern
 structures of the qickformatted directory will be changed and a data loss
 is in most cases not to prevent.

 This trojan was spreaded as intro for the Gathering`95 party in Oslo.


 File_ID.DIZ:

 +------------------------------------------+
 |Virtual Dreams, Melon and Rage's New Intros
 +------------------------------------------+
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
  THE GATHERING PARTY INVETATIONS. 3 OF THEM
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 +------------------------------------------+
 |The BEST CODE of 1994/95. Defintly! Get it!
 +------------------------{ cSo/('g5! }---+


 Greets
          Markus Schmall   (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


  Special thanks to Mario/TRSi for keeping this virus for me !
                    Euronymous/TRSi for the warning !
                    Ixxy/TRSi for calling Mario



 Warning !

 Caution ! The file "dpl-dc99.lha" contains a trojan, which can format
 your SYS: device. If you have started this one, then check your loadwb
 command. If it is 2088 Bytes long, replace it ! It is a new written
 command from the virus !!!

 Greets
          Markus Schmall   (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


 Warning !

 The file cry_206.lha is a trojan ! It contains the DMS 2.06 fake
 trojan like the DMS206.lha archiv in the last week !!!! It`s a FastCall
 hacker ! Don`t start it !

 Greets
          Markus Schmall   (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


  Warning !!

  Caution ! The file "Istrip21.lha" is a trojan and contains a BBS hacker !
  Be careful and delete this file !

  Greets
          Markus Schmall   (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


    Warning !

    (This analyse was made in a hurry and is still beta!!!)


    Pestilence Bootblockvirus 1.15:
    -------------------------------

    Kickstart 1.x : not working
    Kickstart 3.1 and MC68040 : working

    Patched vectors:

    Exec-Disable
    TD`s BeginIO
    Exec-Coldcapture
    Exec-KicksumData       (not repairable)
    Intuition-DisplayAlert (not repairable)

    First appearance (as far as I know): Heilbronn/Germany

    This is a new bootblockvirus with some nasty inner workings:

    The last both patched vectors cannot be repaired, because the
    virus does not store the original value. Sorry guys ! All other
    patched vectors can be corrected by VirusWorkshop.

    It crypts all read blocks (T-DATA) with an eor-loop. If the
    virus is active in memory, all crypted blocks will be decrypted
    online. If you remove the virus from memory, several checksum-
    errors will appear on your screen. VirusWorkshop 4.6 and higher
    are able to repair the crypted blocks, because there is no magic
    in this cryptroutine.

    Such routines (online-(de)crypting) were first seen on the AMIGA
    in the "Saddam" diskvalidator viruses and then in "The Curse of
    little Sven" bootblockvirus.

    The whole virus is crypted with a simple eor-loop and looks like
    the work from a quite sober`n clean programmer. At the end of
    the virus you can read (after decrypting it):

    'trackdisk.device'
    'intuition.library'
    'PESTILENCE v1.15 (c) 14/05/94!'


   Greets

          Markus Schmall   (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


 Warning !

 Warning ! The archive "removcmd.lha" contains an installer for
 the Commander Linkvirus ! This installer appeared around the
 globe around 24.10.1994. and is descriped as follows:

 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!  Have you got probs. with the COMMANDER !
 !! virus by Brian Blister? It's a link-vir !
 !! that eats your mem like hell.. brand new!
 !! and not killable with VirZ or VirKiller !
 !! or any other killer.. Except this one   !
 !! brought to you by Coma/FD and Bigmama/FD!
 !! Download and be happy!!!!!!!!!!!!!!!!!!!!


 Don`t start this file ! It`s a installer for the fucking Commander
 Linkvirus, which can be removed 100% from VT 2.68 and VW4.3.

 The archive contains the file "kill" with the filelength 2252
 bytes ! This is the installer !

 The virus first appeared in scandinavia and it`s spreading was nearly
 stopped by some motivated members of SHI (special hi in this case
 to Jan Andersen and Bo Krohn). Now the Commander virus is spreaden
 worldwide......

 Greets
          Markus Schmall   (Programmer of VirusWorkshop)

       (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM
       IN ANY RELEASE OF THEM !)


                                             Date: 17 Apr 96  6:18:37

 Hi !

 A new link-virus appeared called  BBS TRaveller . It`s an EBOLA clone
 with some  codes  from the  'Strange Atmosphere' link-virus.  It only
 activates, if the following programms are not in memory:

 Virus_Checker
 SnoopDos (all versions)
 VirusZ II
 SetfunktionMananger
 VW-Save!

 If VT will be started, the virus removes itself.

 THERE IS NO INSTALLER KNOWN AT THE MOMENT !

 So keep the eyes open !

 Greets

     Markus Schmall (Progammer of VirusWorkshop).


Warning ! A new linkvirus is out. The first known infected file is

lop_mi2.lha. The FILE_ID.DIZ looks like this:

                .
    ____     .::     ______
   /    |.:::::'    |  __  \_
   \   _|::  ::.::::.   ___/
.-- \____::  ::::  ::     \  --.
|        `::::'::  ::_____/    |
|    LP      `::::'          |
|                              |
|  MASTER ISO 1.22 100% CRC    |
|    THIS IS THE IMPROVED      |
|   INTENSITY-VERSION ...      |
`------------------------------'


The virus is linked on it normally. It doesn`t seems to be an installer,
probably the guys behind it didn`t know about this infection.

Emacs/TRSi got a call from Lenny Dee/Hf and gave me this archive. It
seems to be spreaded global. Since a Hf guy tried this archiv before
release 3 things for Hf Emacs checked for me this 3 releases and all
of them were virusfree.

! Special thanks at this time to Lenny Dee/HF for the fast warning !

Ok, here the analyse of the little bastard:



Entry...............: BBS Traveller Virus
Alias(es)...........: Ebola-II
Virus Strain........: -
Virus detected when.: 17.04.1996
              where.: Germany
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:     1536  Bytes
                      2. Length in RAM:                12000 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      -  Searches for $ab1590ef at the end of the first Hunk.
                         (this longword comes from the EBOLA-I virus)

                      -  Searches for $24121996 at the end of the first hunk
                         (selfrecognition)

                      -  Searches for $1080402 at the end of the first hunk
                         (this is the recognition of the Strange Atmosphere
                          linkvirus)

                      Self-identification method in memory:

                      Searches for $3D385E29 at offset -6 from the Dos
LoadSeg()
                      function.
                      If $1020304 will be found at this position, the
destruction
                      counter will be manipulated (somekind of test for the
                      programmer of this virus ?)

                      System infection:
                      -  non RAM resident, infects the following functions:
                         Dos LoadSeg(), Dos ReadARGS(), Exec Findname(),
                         Exec Findtask, Exec SetFunktion() and Exec Addport()


                      Infection preconditions:
                       - File to be infected is bigger then 2600 bytes and
                         smaller then 290000 bytes
                       - Device must have more than 6000 sectors
                       - First hunk contains a $4eaexxxx command in the 16
                         bit range to the end of the file (test for the first
                         entry)
                       - the file is not already infected (the at long of the
                         end of the hunk)
                       - HUNK_HEADER and HUNK_CODE are found



Infection Trigger...: Accessing files via LoadSeg()
                      Files starting with "v","V","." or "-" will be NOT
                      infected.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None


Damage..............: Permanent damage:
                      - Formatting the drive
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - Formatting the drive, when an internal counter reaches
                        5000.
                      Transient damage:
                      - None

Particularities.....: The crypt/decrypt routines are partly aware of processor
                      caches. The cryptroutine are non polymorphic and only
                      consists of some logical stuff. The virus uses some
                      simple retro technics to stop viruskillers searching
                      for itself.

Similarities........: Link-method is comparable to the method invented with
                      the infiltrator-virus. Damage routine is taken from the
                      Strange Atmosphere linkvirus. The virus is a typical
                      mixture from the EBOLA and the Strange Atmosphere
                      linkviruses. We think that all 3 ones come from the
                      same programmer, probably in the east or north of
                      Germany.

Stealth.............: If the viruskiller VT up to version 2.82 will be
started,
                      the virus removes itself completly from memory. If one
of
                      the following programms will be found in memory, no link
                      try will be started:

                      SetFunktionManager
                      VirusChecker
                      VirusZ_II
                      SnoopDos
                      SnoopDos 3
                      VW-Save!

Armouring...........: The virus uses only a single armouring technique to
                      confuse people. It only crypts it`s code based on the
                      position of the rasterbeam.

Comments............: The name EBOLA is the name of a virus, which humans
                      can get infected with. CARO rules say, that no names
                      of persons etc. may be used to call a virus, but I
                      spoke to other persons and they already recognized
                      this virus in this way. The virus contains the string
                      "BBS Traveller", but this is just a clone from the
                      EBOLA linkvirus with some enhancements.


--------------------- Agents -------------------------------------------

Countermeasures.....: VW6.1 beta
above Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 19.04.1996.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall (C)
Date................: April,19. 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may be not used
                      in any SHI publication

===================== End of BBS Traveller Virus =========================


Greets

        Markus Schmall


Hi #?

A new linkvirus appeared on 17.05. in Austria, Finland and Sweden. it`s called
Hitch Hiker 1.10 linkvirus. Here the analyse of it:


Entry...............: Hitch Hiker 1.10
Alias(es)...........: none
Virus Strain........: -
Virus detected when.: 18.05.1996
              where.: Austria, Finland
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:     ca. 1700 Bytes
                      (uses a primitiv polymorphic technic)
                      2. Length in RAM:                    3000 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      - none

                      Self-identification method in memory:

                      - searches for $ABBAFAb4 at LastAlert(Exec)

                      System infection:
                      -  infects the following functions:
                         Dos LoadSeg(), Dos Write()

                      (librarychecksum will be recalculated)

                      Infection preconditions:
                       - Device must have more than 8000 sectors and
                         is smaller than $20000 bytes or file is
                         bigger than $8000 bytes
                       - HUNK_HEADER and HUNK_CODE are found
                       - device is validated
                       - 10 free blocks on the device
                       - hunk_code must contain the same
                         length as in the header.

Infection Trigger...: Accessing files via LoadSeg() or Write()
                      Files containing a "." or a "-" will be not
                      infected.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None


Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - None

Particularities.....: The crypt/decrypt routines are partly aware of processor
                      caches. The cryptroutine are non polymorphic and only
                      consists of some logical stuff. The virus uses some
                      special things at the fileinfection (buggy) and at the
                      library opencode.

Similarities........: Link-method is comparable to the method invented with
                      the infiltrator-virus.

Stealth.............: no stealth functions found

Armouring...........: The virus uses only a single armouring technique to
                      confuse people. It only crypts it`s code and uses
                      a very simple length polymorphism code. The heuristic
                      scanner of VirusWorkshop detects this one already
                      as virus.


Comments............: The first infected file is probably lzx121crk.lha.
                      This is the old SHOOT version of LZX1.21r with the
                      infected file. As I got reports from Austria and
                      Finland, I suppose it has gone through internet
                      channels as this file didn`t appear on scene boards.


--------------------- Agents -------------------------------------------

Countermeasures.....: VW6.1
above Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 19.05.1996.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall (C)
Date................: May,19. 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may be not used
                      in any SHI publication

===================== End of Hitch-Hiker 1.10 =========================


VW 6.1 (release on 19.5. in the evening hours) is able to remove this
little bastard. Special note: The heuristic scanner of VW 6.0 already
detected this one (see v-nl19.txt on the boards).

Greets

       Markus Schmall


Entry...............: Hitch Hiker 3.00
Alias(es)...........: none
Virus Strain........: -
Virus detected when.: 13.07.1996
              where.: Germany, USA, ISRAEL
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:     ca. 3020 Bytes
                      (uses a polymorphic technic)
                      2. Length in RAM:                    8000 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      - none

                      Self-identification method in memory:

                      - searches for $FAB4FAB4 at LastAlert(Exec)

                      System infection:
                      -  infects the following functions:
                         Dos LoadSeg(), Dos Write()

                      (librarychecksum will be recalculated and it
                       will be tried to cheat some viruskillers)

                      Infection preconditions:
                       - HUNK_HEADER and HUNK_CODE are found
                       - device is validated
                       - 10 free blocks on the device
                       - hunk_code must contain the same
                         length as in the header.
                       - File must be between $1f40 and $20000
                         bytes (not working)
                        
Infection Trigger...: Accessing files via LoadSeg() or Write()
                      It`s a typical infector. It cannot be rated as
                      fast infector as it only infects at the above
                      mentioned operations.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - Due to a adressacess behind the viruscode it`s
                        possible that trashed code results out of an
                        infection.

                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - None

Particularities.....: The crypt/decrypt routines are partly aware of processor
                      caches. The cryptroutine are polymorphic and
                      consists of some logical stuff. The virus uses some
                      special things at the fileinfection (buggy) and at the
                      library offsetcode.

Similarities........: Link-method is comparable to the method invented with
                      the infiltrator-virus and the first HitchHiker viruses. 

Stealth.............: no stealth function found. the only things to mention
                      is the library negoffset value.

Armouring...........: The virus is heavily armoured with a $100 byte long
                      polymorphic decryptor. Not only the registers are
                      changing, even the operations will be mixed. This
                      polymorphic routine can be seen right now as one of
                      the best available routine for the AMIGA. The routine
                      mixes a lot of codes and uses a normal polymorphic
                      scheme. No slow polymorphism code was found. The decrypt
                      header is static $100 bytes long and initialises a
                      circular decryption. The decryption code uses anti
                      heuristik stuff and only a full implented code emulation
                      would be able to crack this one.

                      The polymorphism is working in the normal scheme (with
                      $dff006 and $dff007 usage) and uses not the modern
                      technics like slow polymorphism.

                      ("White paper" analyse of this engine can be obtained
                       from me or from the Virus Test Center in Hamburg. We
                       need special information about you before we give such
                       information away.)

Comments............: Maybe interesting for the reader is that the programmer
                      of the virus wrote some more text in it than in the last
                      ones:

                      'The Hitch-Hiker Generation:  00000308 - Version 3.00'
                      'Last in series.
                      "Dedicated to Heiner Markus ZIB and Georg"

                      It would be interesting to know, who this ZIB is.

--------------------- Agents -------------------------------------------

Countermeasures.....: VT 2.86 and VW 6.2
above Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 17.07.1996.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall (C)
Date................: July, 17. 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may be not used
                      in any SHI publication

===================== End of Hitch-Hiker 3.00 =========================

Greets

       Markus Schmall


  Lately the HitchHiker 3.00 linkvirus appeared and everybody
  was searching for an installer. One day for the release of
  VirusWorkshop 6.2 the archiv patchhh.lzx with the following
  File_ID.DIZ arrived at my place:


  PatchHH 1.0 by ZIB. This anti-virus util
  will stop the propagation of all known
  Hitch-Hiker viri. (1.10/2.01/3.00).
  Not THAT user-friendly but it was made in
  a fucking hurry.....(So no local support
  ! :))


  ...

  I was very surprised, because ZIB was the fourth name in the
  dedicated list of HitchHiker 3.00 and I don`t know that person.


  The document looks like this:
  -----------------------------

  Here's a little utility that will stop the propagation of the Hitch-Hiker
  virus series (currently 1.10/2.01/3.00).
  This proggy will write $ABBAFAB4 into Exec's LastAlert so the viri mentioned
  above will not start their devious work. When a version of HH is already
  active you'll get a warning.

  It's better of course to get the latest virus-killer. Like VirusZ or VT,
  however at the time I wrote this proggy only VT recognised 2.01 and none of
  them 3.00. Hope I spared you a lot of probs with this proggy :)

                                                                 ZIB.


  Sounds like a viruskiller. In reality some names of C: programms will be
  decrypted (including the string United ForceS...WHY ALWAYS UFO ????) and
  this files will be infected from this nasty linkvirus.


  Detection tested 20.07.1996.

Greets

       Markus Schmall


*** About: Mutation Nation linkvirus

Entry...............: Mutation Nation
Alias(es)...........: none
Virus Strain........: Ebola series (Ebola, BBS traveller, Strange At.)
Virus detected when.: 21.05.1996
              where.: Germany
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:         1316 Bytes
                      (uses a primitiv polymorphic technic)
                      2. Length in RAM:                    $ba8 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      - searching for DEADC0DE at the end of the
                        first hunk

                      Self-identification method in memory:

                      - 213f at the LoadSeg entry (like EBola?)

                      System infection:
                      -  infects the following functions:
                         Dos LoadSeg(), Exec FindTask()


                      Infection preconditions:


                      - File is between $7d0 and $43e90 bytes long
                      - HUnk Code is found (virus overruns $3e8 etc. hunks)
                      - File is not infected already
                      - device is validated
                      - device contains free blocks


Infection Trigger...: Accessing files via LoadSeg()
                      Files containing a "." or a "-" and then at offset
                      2 one of this characters "aen" will be not
                      infected.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None


Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - Reset
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - Counter reaches $14

Particularities.....: The crypt/decrypt routines are partly aware of processor
                      caches. The cryptroutine are non polymorphic and only
                      consists of some logical stuff at the use of registers.
                      
Similarities........: Link-method is comparable to the method invented with
                      the infiltrator-virus. Like in a lot of trojan it will
                      be searched for a special task ("Dupe"). If this one is
                      found, the virus will be not activated. Probably this
                      is somekind of security backdoor for the programmer.

Stealth.............: no stealth functions found
                      The virus does not work with SnoopDos (1,2,3) started
                      Fileflags will be restored, but length will be visible
                      changed.

Armouring...........: The virus uses only a single armouring technique to
                      confuse people. It only crypts it`s code and uses
                      a very simple register polymorphism code. The heuristic
                      scanner of VirusWorkshop 6.1 isn`t able to detect this
                      virus. The heuristic in VW6.2 is able to break the
                      cryptcode.

Comments............: We recieved this file from a sysop in the south of
                      Germany. As it has a lot of similarities to the
                      Ebola etc. viruses we suppose this programmer of
                      this viruses comes from the south or east from
                      Germany and has normal programming knowledge.

                      The virus contains the string:

                      '-=* Mutation Nation V1.0 by AIZ *=-'

                      Same length and comparable stuff as in BBS-traveller
                      etc.


--------------------- Agents -------------------------------------------

Countermeasures.....: VW6.2, VT2.84
above Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 25.05.1996.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall (C)
Date................: May,25. 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may be not used
                      in any SHI publication

===================== End of Mutation Nation =========================


Greets
         Markus Schmall


 Hi All..

 There is a new trojan out that will change the names on the files in your
 system,  please do not execute this program. Here is some info about this
 archive:

 Archive Name.......: dph-vos.lha
 Archive Size.......: 225750 Bytes (lha.Packed)
 Trojan File Name...: Voxel_Svind.exe
 Trojan File Size...: 179860 Bytes


 Here is the File-Id.DIZ from the archive:

   /\___  /\___/\_/\____/\
   \___ \/ ___/ _ \_  _/ /_
   / // / __// ___// //  _ \  presents
  /____/\___/\_\   \_\_//_/
         .our.new.demo.
          VOXEL SVIND!


 This archive is on it's way to every wellknown antivirus programmer.


     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:236/120.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK             VH BBS  : +45 4659 6867


  Hi All..

  Well.. Martin Wulffeld has just released a new version of his great text
  reader. And whitin a few hours a Cracked version was out. But the trojan
  'Alfons Eberg 2.0' (Another WireFace trojan) is  in the  archive. It  is
  said to be an 'HF-INTRO',  if you start this intro, it will fuck up your
  system. Delete this intro and you have no problems.


  File_Id.Diz:


  .----/   /   /___\-------------------------.
  |:::/  __   /___\/     AdVoCaTe Of         |
  |::/   /   /  \_/  HELLFiRE TOOL DiViSiON  |
  |:/___/___/\___\         CRACKED           |
  +-\___\___\/___/---------------------------+
  +                       Vinci 2.4          +
  +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
  + A cool textviewer with lots of features  +
  + Check it out!                  REGISTER  +


  And some info about the archive:

  Archive Name.......: hf-vc24.lha
  Archive Size.......: 210068 Bytes (lha.Packed)
  Trojan File Name...: HF-INTRO.EXE
  Trojan File Size...: 2876 Bytes



  Hmm.... just thinking, I guess that 'AdVoCaTe Of HELLFiRE' should check
  there intro for virus, before releasing archives......


     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:236/120.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK             VH BBS  : +45 4659 6867


  Lately the HitchHiker 3.00 linkvirus appeared and everybody
  was searching for an installer. One day for the release of
  VirusWorkshop 6.2 the archiv patchhh.lzx with the following
  File_ID.DIZ arrived at my place:


  PatchHH 1.0 by ZIB. This anti-virus util
  will stop the propagation of all known
  Hitch-Hiker viri. (1.10/2.01/3.00).
  Not THAT user-friendly but it was made in
  a fucking hurry.....(So no local support
  ! :))


  ...

  I was very surprised, because ZIB was the fourth name in the
  dedicated list of HitchHiker 3.00 and I don`t know that person.


  The document looks like this:
  -----------------------------

  Here's a little utility that will stop the propagation of the Hitch-Hiker
  virus series (currently 1.10/2.01/3.00).
  This proggy will write $ABBAFAB4 into Exec's LastAlert so the viri mentioned
  above will not start their devious work. When a version of HH is already
  active you'll get a warning.

  It's better of course to get the latest virus-killer. Like VirusZ or VT,
  however at the time I wrote this proggy only VT recognised 2.01 and none of
  them 3.00. Hope I spared you a lot of probs with this proggy :)

                                                                 ZIB.


  Sounds like a viruskiller. In reality some names of C: programms will be
  decrypted (including the string United ForceS...WHY ALWAYS UFO ????) and
  this files will be infected from this nasty linkvirus.

  -Markus


Hi All.....

This time I have got some bad news for you. The guy's from 'CoP' are back,
with the same shit as always.  A program that  rewrites everything in your
systems DEVS:, LIBS:, and S: dir's with a file 41 bytes long. In this file
you can read:

 FausT / cIRCLE oF pOWER'95 - TRUE POWER!

The archive names is these new CoP trojan's are:

Archive name.....: HF-TETA1.LHA
Archive size.....: 646347 bytes
Trojan name......: TETRIS.EXE
Trojan size......: 21244 bytes
File_Id.Diz......:
                   _ ____________________________________
                  / I \_ ___\   /   / ___\__/____  \_ __/
                 /  _  / __)/  /\  /\  _//  \|  /  // __)
                /   ! /  ! /  / / /  \ |/    |  \  \  !  \
                \___! \____\____\____/ |\____|  |\__\____/
                ----|     \--------|   |-----|  |PreSENtS
                TETRIS ATTACK *FULL RELEASE*         [1/2]



Archive name.....: HF-TETA2.LHA
Archive size.....: 550826 bytes
Trojan name......: TETRIS.EXE
Trojan size......: 21244 bytes
File_Id.Diz......:
                   _ ____________________________________
                  / I \_ ___\   /   / ___\__/____  \_ __/
                 /  _  / __)/  /\  /\  _//  \|  /  // __)
                /   ! /  ! /  / / /  \ |/    |  \  \  !  \
                \___! \____\____\____/ |\____|  |\__\____/
                ----|     \--------|   |-----|  |PreSENtS
                TETRIS ATTACK *FULL RELEASE*         [2/2]


Don't start these programs.....

We hoped that the shitheads behind 'CoP' had grown up, and left the
kindergarden, but we must be wrong.....


     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:236/120.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK             VH BBS  : +45 4659 6867


Hi All.....

Well, there is a new littel trojan out, that will format your system if
you run the 'sucker'.
In the file-Id.diz you can read "Small...(~3k)", well it is packed with
PowerPacker v4.0 after unpacking  it the file  size is 20200 bytes.  If
you take a closer look in the file you can read:

run >NIL: hdprotect.data
run >NIL: format drive dh0: name LURAD
run >NIL: format drive dh1: name LURAD QUICK
run >NIL: format drive dh2: name HOR_UNGE QUICK


Here is a littel info about this archive:

Archive name.....: HDPRO624.lha
Archive size.....: 40590 bytes
Trojan name......: HDprotect
Trojan size......: 20200 bytes unpacked
Trojan size......: 3984 bytes packed
File-Id.Diz......: HD PROTECT V6.24
                   Track protect any HD
                   Boot protect any HD
                   Have three different Passwords
                   Nice bootup picture
                   Creat logfile to (ANY PATH:)
                   Small...(~3k)


Don't start this programs.....

Thanx to Dennis Bay for the first warning about this 'sucker'.....


     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:236/120.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK             VH BBS  : +45 4659 6867


Hi All.....

Well, there is a new littel trojan out, that will do some strange things
to your system. The way it is done, looks like the 'CoP' guy's again.
The archive "HF-CED40.LHA" is said to be "CygnusEd v4.0", and I guess
that if anyone thinks that a new update of CED only has the size of
53380 bytes when v3.5 has a size of 156108 bytes, that is to much...
Also if you take a look inside the archive you can read 'AMOS' many
times, and the guys behind 'CED' do not program in AMOS....


Here is a littel info about this archive:

Archive name.....: HF-CED40.LHA
Archive size.....: 40316 bytes
Trojan name......: CygnusEd
Trojan size......: 53380 bytes
File-Id.Diz......:     _ ____________________________________
                      / I \_ ___\   /   / ___\__/____  \_ __/
                     /  _  / __)/  /\  /\  _//  \|  /  // __)
                    /   ! /  ! /  / / /  \ |/    |  \  \  !  \
                    \___! \____\____\____/ |\____|  |\__\____/
                    ----|     \--------|   |-----|  |PreSENtS
                    [----------------------------------------]
                        Cygnus Editor Pro v4.0 HOT UPDATE!
                    [----------------------------------------]


Don't start this programs.....


     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:236/120.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK             VH BBS  : +45 4659 6867


Hi All.....

Well, there is a new littel trojan out. I have for the last 3 hours been
trying to infect my system with this 'sucker' but it will not. Maybe the
reason is something with AMOS,  if you read inside the program,  you can
find the text AMOS many times.

The trojan type is just like the  HF-CED40.LHA  (CygnusEd 4.0) trojan,
it is the same crap you can read in the archive.

Here is a littel info about this archive:

Archive name.....: tbl-abdu.lha
Archive size.....: 369928 bytes
Trojan name......: Abducted
Trojan size......: 53408 bytes
File-Id.Diz......:
                   the black lotus

                    " abduction "

           small demo dedicated to x-files


Another thing about this 'sucker', there are 5 .bin files in the archive
but here is what these .bin files really are:

Abducted1.bin : HotHelpLibrary 3.00
Abducted2.bin : muimaster.library 16.160 (1996/07/21)
Abducted3.bin : RUSH 37.4908 (1993/07/18)
Abducted4.bin : wizard.library 37.137 (1996/07/ 3)
Abducted5.bin : gtlayout.library 32.3 (1996/01/14)


Don't start this programs.....

     Regards....
      __
 __  ///       Jan Andersen         FidoNet:   2:236/120.0
 \\///       --------------            AmyNet :  39:141/142.0
  \XX/      VIRUS HELP DENMARK             VH BBS  : +45 4659 6867


Hi All.....

Well, there is a new linkvirus out. It is a new "Happy New Year 97" link
virus. At this time there  is no known installer of this new virus, only
an infected archive.

Here is some info about the infected archive:

Archive name.....: darkfuck.lha
Archive size.....: 9820 bytes (ripped for BBS adds)
Infected name....: NOTRICK.EXE
Infected size....: 9256 bytes (packed with Stonecracker)
File-Id.Diz......: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

                   LESEN UND VERBREITEN!!!!!

                   DARKLORD HAT EIN NEUES HANDLE!

                   BZW. GLAUBT MAN JEDENFALLS!!!

                   MEIN FREUND WURDE AUCH GEBUSTET

                   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



VT will be released on Sunday the 22 of December 1996, and it will be
abel to clear infected files.

In an ohther warning about this achive it is said to contain an new
"AFFE" virus, but that is not true.

  Click Here  to read Markus Schmall test of HNY Virus.

Thanx to Markus Schmall for info about 'HNY 97'


Don't start this programs.....


   Regards....
      __
 __  ///       Jan Andersen           FidoNet.: 2:236/120.0
 \\///       --------------          AmyNet..: 39:141/142.0
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


Hi All.....

Well another archive has been spread with the new 'Happy New Year 97'
link virus.  Just use  VirusWorkshop v6.4 or  VT v2.94, to remove the
virus. 4 programs in the archive is infected with the virus:


Here is some info about the infected archive:

Archive name.....: TBF-F175.LHA
Archive size.....: 305454 bytes (ripped for BBS adds)
Infected name....: AmFTP/AmFTP          (Infected size: 116124)
                   AmFTP/AmFTP020       (Infected size: 115700)
                   AmFTP/AmFTPPrefs     (Infected size: 33308)
                   AmFTP/RegisterAmFTP  (Infected size: 37036)

File-Id.Diz......:  ___________.  ________________ ____________
                   _)          l__\______        /_)         _)
                   \.          ./      |/     __/|          ./
                    |          |      _l\        \          |
                    |__________|______\__________//______+sD+
                    .                                       .
                    | AMFTP V1.75 [68000 & 020+]  *CRACKED* |
                    | Cracker     : rEdCROW^tBF             |
                    | ReleaseDate : 19.02.97                |
                    |                                       |
                    `---------------------------------------'


Don't start this program.....

  Click Here  to read Markus Schmall test of HNY Virus.


   Regards....
      __
 __  ///       Jan Andersen           FidoNet.: 2:236/120.0
 \\///       --------------          AmyNet..: 39:141/142.0
  \XX/      VIRUS HELP DENMARK     E-Mail..: [email protected]


Hi All.....

Well, another linkvirus has seen the daylight. It is a new version of the
known "HitchHicker", the new virus has been named "HitchHicker 4". If you
look inside the infected file,  within the first 100 bytes you can find a
text saying  "CopyCat Decruncher V1.01",  this file is infected with this
new string of "HitchHicker 4" link-virus. At this time the only killer to
remove this sucker is Heiner Schneegold's 'VT v2.95' viruskiller. But I'm
sure that the other major viruskillers, will find it in the next update.


The first known archive with this virus in it is: MAPUS200.LZX

Here is some info about the infected archive:

Archive name.....: MAPUS200.LZX
Archive size.....: 37529 bytes (ripped for BBS adds)
Infected name....: Mapus/Bin/MaPuS.200
Infected size....: 21156 bytes
File-Id.Diz......: mapus 2.0 the dms checker

Virus Removal....: VT v2.95, by Heiner Schneegold. (VT295K.LHA)

 Read  Markus Schmall's  test of Hitch Hiker v4.11 link-virus.


   Regards....
      __
 __  ///       Jan Andersen           FidoNet.: 2:236/120.0
 \\///       --------------          AmyNet..: 39:141/142.0
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


Entry...............: HitchHiker 4.11
Alias(es)...........: CopyCat Decruncher 1.01
Virus Strain........: -
Virus detected when.: Febuary 1997
              where.: Germany and Italy
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:     ca. 3052 Bytes
                      2. Length in RAM:                    3500 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release.....: 2.04+ (V37-V40)
Computer model(s)...: all models/processors (MC68000-MC68060)
                      The virus heavy problems with the 060 cache

--------------------- Attributes ---------------------------------------

Easy Identification.: -

Type of infection...: Self-identification method in files:

                      - length of hunk 1

                      Self-identification method in memory:

                      - test for the changed jump command from
                        Exec PutMsg() and a longword in the trapcode.

                      System infection:

                      - The entryjump of Exec PutMsg() will be patched
                        to a trap code.
                      - A new trapcode will be installed.
                      - a process with a library name will be started,
                        which installs the patches again

                      Infection preconditions:

                       - HUNK_HEADER is found
                       - device is validated
                       - to be infected file is bigger than $be8
                       - 10 free diskblocks

Infection Trigger...: The infection is based on the packet handling
                      system of AMIGA OS. Every started file will be
                      infected. All synchron dos commands are affected.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: A trapvector in the vectorbase will be changed

Damage..............: Permanent damage:
                      - none

                      Transient damage:
                      - The stealth/fileinfect engine performs a wrap
                        around copy of the originalfile as we saw it
                        already in the BEOL3 virus, which source was
                        made public by the programmer.


Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - infecting a file

Particularities.....: The crypt/decrypt routines are not 100% aware of processor
                      caches. The packet handling works in even on the new developer
                      OS versions, but some codes have problems with task functions.

                      The virus is incompatible to the new versions of EXEC,
                      as it uses some commands only legal in V37-V41 versions
                      of the task handling.

                      The virus tunnels doscall watcher like SnoopDos etc. by
                      using only lowlevel packet routines.
                      
Similarities........: The link method has been seen in the BEOL3 linkvirus
                      already. A new hunkheader will be added and the origfile
                      will be seen as datahunk. In this way the virus doesnt
                      need to perform a errorfull hinkcorrection. The first
                      codehunk contains the virus itself.

Stealth.............: Second working directory and file stealth code in a virus.

Armouring...........: The virus is not armoured with a special tricky crypting
                      code. By adding the strings "CopyCat Decruncher 1.01"
                      and "FLK!" and "-TRSi-" the virusprogrammer wanted
                      probably hide his actions as the first 20 bytes of the
                      hunk could really look like an unpacker.

                      Some parts of the code will be manipulated online (data
                      reuse) and some functions refuses to work properly in
                      a testsuite.

Specialities........: As always the virus contains a crypted part:

                      'The Bastard is Back!',$0A
                      'The Hitch-Hiker',$0A
                      '- Version 4.11 ',$0A
                      'Greetings going like a scrolltext in the sky to:'
                      'Georg, Heiner, Markus, Johann, Pius, Zib, Ariel,'
                      'InFekt, UFO and all the guys on #amielit'
                      'Not yet deactivated by Flake!'

                      The last string depends probably on my removal code
                      for the hitchhiker 3 linkvirus, which overwrote parts
                      of the virus with a special other string.

--------------------- Agents -------------------------------------------

Countermeasures.....: VT 2.95, VW 6.5
above Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 01.03.1997.
Classification by...: Markus Schmall
Documentation by....: Markus Schmall (C)
Date................: Mar, 01. 1997
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may be not used
                      in any SHI publication

===================== End of HitchHiker 4.11 Virus =========================


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!

Well, we do not know much about this trojan. We have been looking all over
the world for this archive, but we can not find it. If you have it, please
send it to us.

Here is some info about the infected archive that we know of:

Archive Name.... : dcn-ib2.lha
Archive size.....: ?
Infected name....: ?
Infected size....: ?
File-Id.Diz......: Ibrowse v2.0

If you have this archive,  Send it to us !!!!!! 


   Regards....
      __                              VirNet..:  9:451/247.0
 __  ///       Jan Andersen           FidoNet.:  2:236/120.0
 \\///       --------------          AmyNet..: 39:141/142.0
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!

Hi All.....

Well, another linkvirus has seen the daylight. It is a new version of the
known "HitchHicker", the new virus has been named "HitchHicker 4". If you
look inside the infected file,  within the first 100 bytes you can find a
text saying  "CopyCat Decruncher V1.01",  this file is infected with this
new string of "HitchHicker 4" link-virus. At this time the only killer to
remove this sucker is Heiner Schneegold's 'VT v2.95' viruskiller. But I'm
sure that the other major viruskillers, will find it in the next update.


The first known archive with this virus in it is: MAPUS200.LZX

Here is some info about the infected archive:

Archive name.....: MAPUS200.LZX
Archive size.....: 37529 bytes (ripped for BBS adds)
Infected name....: Mapus/Bin/MaPuS.200
Infected size....: 21156 bytes
File-Id.Diz......: mapus 2.0 the dms checker

Virus Removal....: VT v2.95, by Heiner Schneegold. (VT295K.LHA)



   Regards....
      __
 __  ///       Jan Andersen           FidoNet.: 2:236/120.0
 \\///       --------------          AmyNet..: 39:141/142.0
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!

Hi All....

There is a new trojan out. It will replace your startup-sequence
with a old VirusScanlist by Jan Hendrik Lots (size 4924), and it
will replace your user-startup, with an Devil-Check2.0 Bugreport
(Size 4660 bytes).

The trojan is pretty lame.


Here is some info about this trojan & archive:

Archive name.....: IO4-INVI.LHA
Archive size.....: 69396 bytes (ripped for BBS adds)
Trojan name......: io4-invi/IO4-INVI.EXE
Trojan size......: 63484 bytes (PowerPacked) - Unpacked 100348 bytes.

File-Id.Diz......:       ___   ____        ___   ___  __
                   .-//-/  /- /    \------/  /--/  /-/  /-//--.
                   | / /  /  /  /  /     /  /  /  //  /  /    |
                   |  /__/   \____/     /__/  /_____/         |
                   |                                          |
                   |   Intel Outside 4 Invitation Demo!       |
                   |      12-13 JULI 1997 WLOCLAWEK           |
                   |                                          |
                   `------------------------------------------'


Don't start this program.....


Thanx to Mr. Heiner Schneegold, for checking this archive. I'm sure that
the next version of VT will find this sucker....


   Regards....
      __                              VirNet..:  9:451/247.0
 __  ///       Jan Andersen           FidoNet.:  2:236/120.0
 \\///       --------------          AmyNet..: 39:141/142.0
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


 WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!
      WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!!

 Hi All....

 There is a new trojan out. The trojan in inside Xtruder v3.5.  If you use a
 fakekey or the keyfile "Alex Holst #5",  Xtruder v3.5 will delete your SYS:
 partition. Virus Help Team Denmark can not support this kind of programming
 by an antivirus programmer, and will not support Xtruder with new viruses.


 Here is a copy of a letter that Martin Wulffeld mailed in Virus_Amy:

 >------------------------------ START LETTER ------------------------------

 *** Area : VIRUS_AMY                               Date: 30 Jun 97 20:40:01
 *** From : Martin Wulffeld (39:141/124.53)
 *** To   : All
 *** About: Xtruder 3.5

 Hi

 As some of you may know Xtruder 3.5 has done a bit of damage to peoples files.
 However, it has only affected those people who used a fake keyfile and
 hopefully also the criminal Bxxxx Pxxxxxxx (2:xxx/xx) who still owes my friend
 Alex Holst somewhere around 7000 Dkr. I hope all you fucknuts learned a
 lesson. From v3.6 and forward I will remove this behaviour.

 Peace out!

  . martin . kozmiq . [email protected] .
  . see ya at roskilde'98 .

 --- Spot 1.3a Unregistered
 * Origin: Roskilde'97 - FANTASTIC! (39:141/124.53)

 >------------------------------- END LETTER -------------------------------



 Here is some info about this trojan & archive:

 Archive name.....: xtruder35.lha or xtrude35,lha
 Archive size.....: 447128 bytes (ripped for BBS adds)
 Trojan name......: Xtruder
 Trojan size......: 183700 bytes Unpacked.
 File-Id.Diz......: Xtruder 3.5 by Martin Wulffeld. This virus
                    killer can detect more than 248 filevira.
                    Has a screen mode- and font sensitive GUI
                    along with a comprehensive ARexx interface
                    and locale support.


 Don't start this program.....


   Regards....
      __                              VirNet..:  9:451/247.0
 __  ///       Jan Andersen           FidoNet.:  2:236/120.0
 \\///       --------------          AmyNet..: 39:141/142.0
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


 Hi All....

 There is a new trojan out.  The trojan in  inside a Fake Ibrowse v2.0 If you
 run Ibrowse a picture will be shown  with a face, and a text that is telling
 you that ScareCrow has done damage to your system. When I tested the archive
 on my test  system (68000), everything it did was to replace my userstart-up
 and startup-sequence, with a text file. If it does damage to other systems
 I don't know at the moment, but it will be testet very soon.

 Here is text:

>------------------------------ START LETTER -------------------------------

ScareCrow

Since i now have your undevided attention while you are trying to save
what is left of your hard-disk i might as well begin.
Your first question will be why? The why is becose i am playing a fair
game with someone for some time now, his name is Jan Hendrik Lots of
Virus Help team NL. He and his little buddies of AGA tryed to catch me
last year with no succes, but what would you expect if you relay on their
help lead by a clowns character calling himself KleinDuimpje. Yes,
KleinDuimpje, you better start up that board again becose we havnt finished
yet. Hunting season is open again fans, and these trojans i have been
spreading are just mearly the beginning of it. i would also like to invite
some of the people i admire: Nr. 1 is L.I.S.A. (lamers in serious agony)
They did a great job, and they inspired me. Nr. 2 is C.O.P. (faust, circle
of power) Damn, i loved that Tetris attack! Nr. 3 is smooth criminal aldo
the boy has no taste, im inviting him to this party. What have i cooked up?
i am planning to make a competition out of this, who ever wants to compete
is invited. Who can make the most trojans and virusses, who can put down the
most boards. Who can make the most hits and i am listing them all. The list
will be released in a trojan by the end of each month. time to play.

>------------------------------- END LETTER -------------------------------

 I guess that Jan Hendrik Lots must know something about this guy, I'll get
 in contact with Jan Hendrik Lots and have a talk with him.

 Anyway, we know ScareCrow's real name, adress, phone number (the new one),
 and a lot of other things about this guy. Actions might be taken later on.

 Well...... But everybody should think before installing programs like this
 one. A new update of Ibrowse ?????. version 2.0 ?????. Don't install these
 programs that  you are not 100% sure that is okay. If you want to, try and
 install the programs like this on on floppy disks,  it takes a bit longer,
 but it might save your system........



 Here is some info about this trojan & archive:

 Archive name.....: DCN-IB2.LHA or DCN-IB2.LZX
 Archive size.....: 595211 bytes (ripped for BBS adds)
 Trojan name......: Ibrowse
 Trojan size......: 327848 bytes Unpacked.
 File-Id.Diz......:       /\             _         _
                      ___/  \___________(_)_______(_)__________
                     / ________  /  ___/ \  _____/ ____  ____  \
                    /  /  /  ___/  /  /  /\__  \/  /  /  /  /  /
                    \____/\___________ __________ /\____/\_/\_/|
                    .--aMiGA iLLEGAl--\/--------\/Rr!----------.
                    |        IBrowse 2.00 FINAL 68030+         |
                    `----[1/1]------------------[28-04-97]-----'


 Don't start this program.....


   Regards....
      __                              VirNet..:  9:451/247.0
 __  ///       Jan Andersen           FidoNet.:  2:236/120.0
 \\///       --------------          AmyNet..: 39:141/142.0
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


 Hi All....

 There is an infected archive out. The archive is infected with a new string
 of the linkvirus "Happy New Year". It is said to be a patch for MUI written
 by Dave Jones. But Dave Jones didi not program this patch, some stupid guy
 must be trying to damage Dave's name. Pretty lame.......

 VT v2.99 by Heiner Schneegold (28.08.97), will find and remove this sucker.


 Here is some info about this trojan & archive:

> ----------------------------- INFO START --------------------------------

 Archive name.....: MUI020.LHA
 Archive size.....: 2709 bytes (ripped for BBS adds)
 Trojan name......: MUI_Patch
 Trojan size......: 2696 bytes (Unpacked).
 Archive text.....:

           ========================================================
               Patch MUI 020+ version 1.1 by DJ (you know who!)
           ========================================================


******
Usage:
******

Simply unpack the archive into a directory and run the MUI_Patch program
which will then try to locate MUI:muimaster.library and make the necessary
modifications/optimizations to the libraries internals for an increase in
performance of some routines upto 35%

...Now when is Stefan going to release a truely written 020+ MUI???

> ------------------------------ INFO END ---------------------------------


Pretty lame text.


 Don't start this program.....


   Regards....
      __                              VirNet..:  9:451/247.0
 __  ///       Jan Andersen           FidoNet.:  2:236/120.0
 \\///       --------------          AmyNet..: 39:141/142.0
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


 Hi All....

 There is a BBS trojan out. But the SysOp of the board has to run the program
 to start the trojan. After the trojan  has been executet, it will delete the
 caller.log, that way you can't see  what the trojan  did. Then  it will copy
 the user.dat to Libs: as TTA.library.  In that way the sysop will have to be
 fool'ed to give the 'hacker' the TTA.library (renamed user.data).

 VT v2.99, VirusZ II v1.39, VirusWorkshop v6.6 and FastViruskiller v1.8, will
 find this trojan....


 Here is some info about this trojan & archive:

> ------------------------------- INFO START --------------------------------

 Archive name.....: DEC-SCP.LHA
 Archive size.....: 41892 bytes (ripped for BBS adds)
 Trojan name......: AmixHack0.Exe
                    AmixHack1.Exe
                    AmixHack2.Exe
                    AmixHack3.Exe
                    AmixHack4.Exe
 Trojan size......: 8348 bytes (11644 bytes Unpacked).
 File id.Diz......: ..................................
                    . ______ _____ _____ _____ _____ .
                    .|      |     |     |     |     |.
                    .|   ___|   __|  O  |  O  |   O |.
                    .|___   |     |     |     |  ___|.
                    .|______|_____|_____|_____|_|.....
                    ..................................
                    .....sCOOP V1.0 - /X hACKER.......
                    ..................................
                    ........mADE bY dECODER...........
                    ..................................
                    ..................................
                    ......DO NOT RUN ON YOUR HD!......


> -------------------------------- INFO END ---------------------------------


   Regards....
      __                              VirNet..:  9:451/247.0
 __  ///       Jan Andersen           FidoNet.:  2:236/120.0
 \\///       --------------          AmyNet..: 39:141/142.0
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


 Hi All....

 There is a link-virus out. It is a new version of "HitchHicker",  this time
 it is up to v4.23. At this time none of the big antivirus programs can find
 and remove it, but the programmers  has recived an infected file, so in the
 new updates  the removal  code should be included. I have  now recived four
 archives  with this new link-virus,  so there is a pretty good chance  that
 the "HitchHicker v4.23" is on the run. So take care of what you execute.

 Gideon Zenz the programmer of AntiBeol, has made a small update of his anti
 virus program  AntiBeol v1.33a.  In the archive of v1.33a,  is there a tiny
 tool which desinfects files, the virus only gets disabled, not removed. But
 this in  the only  program that  will find  the HitchHicker v4.23 linkvirus
 right now. This program is availble from VHT-DK BBS or our Homepage:

                      http://home4.inet.tele.dk/vht-dk


 After this warning was send out the first time, also VT v3.00 and FastVirus-
 Killer v1.10, VirusWorkshop v6.7 is now abel to find and remove this virus.

 Read also  Markus Schmall's test  about HitchHiker v4.23


 Here is some info about the four infected archives:

> ------------------------------- INFO START --------------------------------

 Archive name.....: DC-AmFTP.lha (or lzx)
 Archive size.....: 117186 bytes (ripped for BBS adds)
 Infected File....: AmFTP
 Infected Size....: 119148 bytes (Unpacked).
 File id.Diz......: AmFTP 1.90 (1997/09/10)



 Archive name.....: IDEFix191.lha (or lzx)
 Archive size.....: 117186 bytes (ripped for BBS adds)
 Infected File....: IDE-fix/c/IDEfix
                    26620 Bytes (Unpacked).
 Infected File....: IDE-Fix/l/CacheCDFS
                    38312 Bytes (Unpacked).
 File id.Diz......:         .________________
                        ________  (   _____/__  - -------------
                      _/     ___/ _/\_  T     \_   diGiTAL   
                    .-\     /    7--7  l       /  cORRUPTiON 
                    |  \____.-----  ----.____/------- -  -   -
                    |                
                    |   IDEfix97 v1.91 - CDROM driver software
                    |                   Cracked 100%
                    |
                    |      IMPORTANT!  READ THE .NFO FILE!
                    |
                    `-[10/09/97]-------------------------[ 7eN ]



 Archive name.....: MSR-A71P.lha (or lzx)
 Archive size.....: 224271 bytes (ripped for BBS adds)
 Infected File....: AmIRC1_71/AmIRC
                    209540 bytes (not packed)
 Infected File....: AmIRC1_71/AmIRC020
                    208564 bytes (not packed)
 File id.Diz......:   -mSR'97- ________  ()      _____________
                        ______|       _|___()___|     ____   /
                       |   __ |  /   /   ______/|    |  ____/_
                    .- |_____\__/___/_________  |____|_______/
                    | - --mYSTERiOUS- - /__________|-wARPsTAH!.
                    |
                    |        AmIRC 1.71 Keyless 100 %!!!
                    |              Exe's only !!!
                    |
                    `-[10-09-97]---------[1-1]---------[lIZARD]



 Archive name.....: slt-m21g.lha (or lzx)
 Archive size.....: 852280 bytes (ripped for BBS adds)
 Infected File....: Miami/Miami.000
                    415384 bytes (not packed)
 Infected File....: Miami/Miami.020
                    410516 bytes (not packed)
 File id.Diz......: _ _____    ____    _____  _ _______________.
                   //    /___/   /___/     \_                 |
                   .\___    \   /   \_     _/  ShEltER 1997  ||
                   |   / ___/________/_____|                 |
                   |____/----sTZ!/sE--------------------------'
                   :
                   | Miami 2.1g - 000/020/MAIN/EVA + KEYS
                   |
                   `-(o9/o9/97)--------------------(FUCK^YOU)->


> -------------------------------- INFO END ---------------------------------

 Thanx to Gideon Zenz, for the fast test of HitchHicker v4.23.
 Thanx to Ramon, for sending the archives to me...



   Regards....
      __                              VirNet..:  9:451/247.0
 __  ///       Jan Andersen           FidoNet.:  2:236/120.0
 \\///       --------------          AmyNet..: 39:141/142.0
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


Entry...............: HitchHiker 4.23
Alias(es)...........: HitchHiker 4
Virus Strain........: -
Virus detected when.: September 1997
              where.: Germany, Denmark and England
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:     ca. 2912 Bytes
                      2. Length in RAM:                    3200 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release.....: 2.04+ (V37-V40)
Computer model(s)...: all models/processors (MC68000-MC68060)
                      The virus has problems with higher processors and
                      OS versions

--------------------- Attributes ---------------------------------------

Easy Identification.: -

Type of infection...: - linkvirus. It changes the whole files to 2 hunked
                        file and copies 2908 bytes from the filestart to
                        the end


Self-identification method in files:

                      - checks for $DEAD at a special fileposition. In this
                        way the stealth mechanism is locating the infected
                        files, too.

Self-identification method in memory:

                      - test for the changed jump command from
                        Exec PutMsg()

System infection:

                      - The entryjump of Exec PutMsg() will be patched
                        to a trap code.
                      - A new trapcode will be installed.
                      - tries to modifies entry points of the bsdsocket.library,
                        which is used by connectiontools like AmiTCP and Miami.


                      Infection preconditions:

                       - HUNK_HEADER is found
                       - device is validated
                       - to be infected file is bigger than 2908 (exact viruslength)
                       - 10 free diskblocks

Infection Trigger...: The infection is based on the packet handling
                      system of AMIGA OS. Every started file will be
                      infected. All synchron dos commands are affected.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: A trapvector in the vectorbase will be changed

Damage..............: Permanent damage:
                      - none

                      Transient damage:
                      - The stealth/fileinfect engine performs a wrap
                        around copy of the originalfile as we saw it
                        already in the BEOL3 virus, which source was
                        made public by the programmer.


Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - infecting a file

Particularities.....: The crypt/decrypt routines are not 100% aware of processor
                      caches. The packet handling works in even on the new developer
                      OS versions, but some codes have problems with task functions.

                      The virus tunnels doscall watcher like SnoopDos etc. by
                      using only lowlevel packet routines.
                      
Similarities........: The link method has been seen in the BEOL3 linkvirus
                      already. A new hunkheader will be added and the origfile
                      will be seen as datahunk. In this way the virus doesnt
                      need to perform a errorfull hinkcorrection. The first
                      codehunk contains the virus itself.

Stealth.............: Second working directory and file stealth code in a virus.

Armouring...........: The virus is not armoured with a special tricky crypting
                      code.


Specialities........: As always the virus contains a crypted part:

                      "LHALZXZOOZIP"
                      "bsdsocket.library"
                      "POST"
                      "DATA"
                      "QUIT"
                      "The Hitch-Hiker 4.23  - Generation #00001036"

                      The first string is for the special ability to keep the
                      files infected, even if they get crunched. This trick, which
                      was used to remove common pc stealth linkviruses is not working
                      here.


--------------------- Agents -------------------------------------------

Countermeasures.....: VT 3.00, AntiBeol 1.33, FastKill and VW 6.7
above Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 26.09.1997.
Classification by...: Markus Schmall
Documentation by....: Markus Schmall (C)
Date................: Sep, 29. 1997
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may be not used
                      in any SHI publication

===================== End of HitchHiker 4.23 Virus =========================


 Hi All....


 There is a new trojan out. It is said to be a killer for "Ebola 97'" virus,
 but this is just a fake.  The trojan will replase every file in SYS: with a
 file 10 bytes long,  where you can read "LiSA FUCKUP v3.0".  In the archive
 there is  a read.me text,  with a description of  how to get this trojan to
 work, but you better not do it.

 This trojan  have been  send to all the major anti-virus programmers in the
 world, and will be included in the next update. So until, then take care...


 Here is some info about the trojan archive:


> ------------------------------- INFO START --------------------------------

 Archive name.....: SEBOLA97.LHA (or lzx)
 Archive size.....: 5856 bytes (ripped for BBS adds)
 Infected File....: ScanEbola97
 Infected Size....: 7004 bytes (Unpacked).
 File id.Diz......: ScanEbola97: Scans your hard-drive for the
                    Ebola97-virus.

> ------------------------------- INFO END ----------------------------------

 Thanx to Heiner Schneegold, for the fast test of this trojan.


   Regards....
      __                              VirNet..:  9:451/247.0
 __  ///       Jan Andersen           FidoNet.:  2:236/120.0
 \\///       --------------          AmyNet..: 39:141/142.0
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


 Hi All....


 Another archive has been found around the world, that is infected with the
 link-virus  "Hitch Hiker v4.11" link-virus.  In the archive seven files is
 infected with "Hitch Hiker" virus.  All you got to do is to run one of the
 major antivirus programs, and let the killer remove this virus.


 Here is some info about the trojan archive:


> ------------------------------- INFO START ------------------------------

 Archive name.....: NUP-SLOS.LHA (or lzx)
 Archive size.....: 223697 bytes (ripped for BBS adds)
 Infected File....: Scalos (109500 bytes)
                    Scalos/prefs/Scalos (39916 bytes)
                                 Scalos Menu (26916 bytes)
                                 Scalos Palette (16968 bytes)
                                 Scalos Pattern (21452 bytes)
                    Scalos/tools/OpenLocation_CA (11776 bytes)
                                 OpenLocation_MUI (6580 bytes)
 File id.Diz......:                    _____
                          _________   /    /___   _________
                         /         \_/    /    \_/         \_
                    .:.:/   ___     /    /      /      /    /.:.
                    :::/      /    /    /      /      /____/::::
                    ::/______/    /___________/______/::::::::::
                    .-------/____/-[pRESENTS]------------------.
                    |                                          |
                    |           S  C  A  L  O  S          |
                    |                                          |
                    | vERSION 39.154 - nICE wORKbENCH rEPLACE! |
                    |                                          |
                    `-[ #37 ]---------------------[ 10/27/97]-'


> ------------------------------- INFO END --------------------------------


 Thanx to Darryl Peters, for the info about this archive.

 Read  Markus Schmall's  test of Hitch Hiker v4.11 link-virus.

   Regards....
      __                              VirNet..:  9:451/247.0
 __  ///       Jan Andersen           FidoNet.:  2:237/38.100
 \\///       --------------          AmyNet..: 39:140/127.100
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


 Hi All....


 Another archive has been found around the world, that is infected with the
 link-virus "Ebola" link-virus.  In the archive, two files is infected with
 this "Ebola" linkvirus. All you got to do is to run one of the major anti-
 virus programs  (VirusZ, VT and VirusWorkshop),  and let the killer remove
 this virus.


 Here is some info about the trojan archive:


> ------------------------------- INFO START ------------------------------

 Archive name.....: PSY-HAL.LHA (or lzx)
 Archive size.....: 294041 bytes (ripped for BBS adds)
 Infected File....: halloween/Copy (6612 bytes)
                             /play (20048 bytes)

 File id.Diz......:    PROPHESY PRESENT
                       HALLOWEEN DEMO 97
                          entitled
                       "Trick or Treat"


> ------------------------------- INFO END --------------------------------


 Thanx to Jon Adams, for the info about this archive.

 Read Markus Schmall's test of the  Ebola Virus 

   Regards....
      __                              VirNet..:  9:451/247.0
 __  ///       Jan Andersen           FidoNet.:  2:237/38.100
 \\///       --------------          AmyNet..: 39:140/127.100
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


 Hi All....

 A new link-virus has been spread the last days. At this time no viruskiller
 is abel to find  and kill this sucker.  The virus has been send to all  the
 major  AntiVirus programmers,  so it is only  a matter of  time, before the
 viruskillers can find and remove this 'sucker'.

 There is no known program or archive that spreads this new virus.  All that
 we know of this  new virus,  is that it will add 1260 bytes to all programs
 that is executed.  And with in these 1260 bytes that  is added you can read
 "TRSi".

 Well, I don't think that TRSi has anything to do with this.

 As soon as a killer is released  that will kill this virus, we will let you
 know so check your contacts or our homepage.

 Heiner Schneegold,  programmer of VT  has made a quick test of this sucker,
 and here is what he found out:

 ZIB-Virus
 verbogener Vektor: Loadseg
 LastAlert: "TRSi"
 Eigener Process: ZIB
 Fileverlaengerung: #1260 Bytes
 Link hinter 1.Hunk
 RTS wird in bra.s umgewandelt
 falls bsdsocket.lib vorhanden, Veraenderungen


 Well, this is all we know for now.

 After we wrote the warning, a few killers has been updated so the they will
 be abel to find and kill this "ZIB" virus.

 VT v3.01              (30.11.97) - Heiner Schneegold
 FastVirusKiller v1.12 (29.11.97) - By Dave Jones
 AntiBeol v1.34a       (29.11.97) - By Gideon Zenz
 KillAnother v1.00     (29.11.97) - By Harry Sintonen

 You can download these killers from our homepage or support BBS.

 Thanx to Dave Jones, Harry Sintonen and Jakob Anderson for sending this new
 virus to us. It is on it's way to all major antivirus programmers.

  Click here  to read Markus Schmall's test of the ZIB virus.


   Regards....
      __                              VirNet..:  9:451/247.0
 __  ///       Jan Andersen           FidoNet.:  2:237/38.100
 \\///       --------------          AmyNet..: 39:140/127.100
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


 Hi All !!!

 After many  month, and we  have been  looking for this archive all over the
 world, we finally got it. Thanx to John.

 Well if you belive this archive, it is said to remove the Hitch Hiker virus
 but what it does is,  that it will install the Hitch Hiker v2.11 link-virus
 in your system.


 Okay here is a little test of it:

> ------------------------------- INFO START ------------------------------

 Archive name.....: kilhitch.lha (or lzx)
 Archive size.....: 7765 bytes (ripped for BBS adds)
 Infected File....: removehitcher/KillHitcher
 Infected size....: 3000 bytes.
 File id.Diz......: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
                    !!  Have you got probs. with the HitchHiker!
                    !! virus? It's a link-vir that can corrupt !
                    !! your archives....brand new and not kill-!
                    !! able with VirusZ or VWS or VT or any    !
                    !! other killer.. Except this one..Brought !
                    !! to you by Blister/PP and MAX/PP         !
                    !! Download and be happy!!!!!!!!!!!!!!!!!!!!

> ------------------------------- INFO END --------------------------------


 Thanx to John for mailing us this archive.


   Regards....
      __                              VirNet..:  9:451/247.0
 __  ///       Jan Andersen           FidoNet.:  2:237/38.100
 \\///       --------------          AmyNet..: 39:140/127.100
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


 Hi All....

 Well, now we finaly found the  archive that installs the "ZIB" link-virus.
 It s the command 'spatch' that will install this link-virus. I don't think
 that this  version  of 'spatch' came  from GP Soft, some one have replaced
 the orginal 'spatch' with  the installer version. So there for,  take care
 when ever  you meet the 'spatch'  in an archive, and if  the size is 16716
 bytes, don't use it.


 Here is some info about this archive:

 Archive name...: opus566p.lzx
 Archive size...: 138502 bytes (LZX packed)
 Infector name..: spatch
 Infector size..: 16716 bytes (not packed)
 Archive info...: Directory Opus 5 Magellan version 5.66 to 5.661
                  Upgrade Patch. (fake archive)


 At ths time, no viruskiller will find this infector. But some of the anti-
 virus programs, will find and remove this 'ZIP' virus:

 VT v3.01 - By Heiner Schneegold
 FastVirusKiller v1.12 - By Dave Jines
 AntiBeol v1.34a - By Gideon Zenz
 Killanother1 v1.0 - By Harry Sintonen.

 Thanx to Jakob Anderson for sending us this archive.

  Click here  to read Markus Schmall's test of the ZIB virus.

   Regards....
      __                              VirNet..:  9:451/247.0
 __  ///       Jan Andersen           FidoNet.:  2:237/38.100
 \\///       --------------          AmyNet..: 39:140/127.100
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


Entry...............: ZIB
Alias(es)...........: none
Virus Strain........: -
Virus detected when.: December 97
              where.: Germany
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:     ca. 1260/1264 Bytes
                      (uses a polymorphic technic)
                      2. Length in RAM:                    xxxx Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      - none

                      Self-identification method in memory:

                      - searches for "TRSi" at LastAlert(Exec)

                      System infection:
                      -  infects the following functions:
                         Dos LoadSeg(), bsdsocket.library baseptrs

 
                      Infection preconditions:
                       - HUNK_HEADER and HUNK_CODE are found
                       - device is validated
                       - File must be smaller than $1e848
                         bytes
                        
Infection Trigger...: Accessing files via LoadSeg()
                      It`s a typical infector. It cannot be rated as
                      fast infector as it only infects at the above
                      mentioned operations. Slow polymorphism
                      technology or stealth techniques wasn`t found
                      in this one.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - none

                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - None

Particularities.....: The crypt/decrypt routines are partly aware of processor
                      caches. The cryptroutine are non-polymorphic and
                      consists of some logical stuff. The cryptword is
                      $BABE.


Similarities........: The linkmethod is camparable to all the HNY viruses. It
                      will be tried to step $3e words back and check for an
                      "rts" or a "nop" at the hunkend.

                      The use of the bsdsocket library etc. shows some equalities
                      to the latest hitchhiker viruses.

                      NOTE: The installer itself links a 4 byte longer part to
                      the original "c:\loadwb" and uses 2 patchcodes. Most
                      viruskillers does not recognize this correct. VT 3.03
                      is doing it 100% right and VW should so, too.


Stealth.............: no stealth function found.

Armouring...........: readable text is crypted with a normal eor loop.

Specialities........: The virus sends mails to the virusworkshop mailinglist.
                      The list can be accessed using the [email protected]
                      account and was accessible even from external persons
                      at that time. Now Vampire fixed this problem.

                      The subject was: "Another 1 bites the dust"
                      In the body the text: "Greetz to BEOL und BOKOR" can
                      be found. The mail be remote send via the mailserver
                      from the teuto.de domain via a special account.


Comments............: The name ZIB appeared in the latest HitchHiker viruses, too.
                      I suppose that this is somekind of virusclique pushing
                      their actions.


--------------------- Agents -------------------------------------------

Countermeasures.....: VT, VZ, FVK, VW
above Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hildesheim, Germany 17.01.1998.
Classification by...: Markus Schmall
Documentation by....: Markus Schmall (C)
Date................: Jan, 01. 1998
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may be not used
                      in any SHI publication

===================== End of ZIB virus =========================


 Hi All....


 Another archive has been found around the world, that is infected with the
 link-virus "Ebola" link-virus. In the archive seven files is infected with
 "Ebola" virus.  All you  got to do  is to run one  of the  major antivirus
 programs eg. VirusZ,  VT or  VirusWorkshop, and let the viruskiller remove
 this virus.


 Here is some info about the trojan archive:


> ------------------------------- INFO START ------------------------------

 Archive name.....: CPU-MV31.LHA (or lzx)
 Archive size.....: 108665 bytes (ripped for BBS adds)
 Infected File....: CPU-MULTIVIEW.LHA/MultiView (8772 Bytes)

 File id.Diz......:  ________ ________ ____ t!
                    _\    ._/_\_     /    /---/_ _____________ _
                    /     |_   /____/    /   ///   c . p . u
                    \______/______| \________\
                    .
                    .
                    .         MultiView (version 3.1)
                    .         100% denerved!
                    .
                    .
                    .10.12.97.                    .yELLOW wATER.

> ------------------------------- INFO END --------------------------------


 Thanx to Johnny Sandstroem, for the info about this archive.

  Click here  to read Markus Schmall's test of Ebola link-virus.


   Regards....
      __                              VirNet..:  9:451/247.0
 __  ///       Jan Andersen           FidoNet.:  2:237/38.100
 \\///       --------------          AmyNet..: 39:140/127.100
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


 Hi All....


 A few archives has been found that contains "Happy New Year 96" and "Ebola"
 link-virus. All you got to do is to run one of the major antivirus programs
 eg. VirusZ, VT or VirusWorkshop, and let the viruskiller remove this virus.

 I found a warning  written by 'CHILL' about these infected archives. And he
 wrote about a virus called 'Vera 2.3',  I had never heard about this virus,
 I found the archive,  and made a test of the file. Is NOT a virus/trojan it
 is a fail recog. by VirusZ II.  I'll post a letter to the programmer, and I
 guess that it will removed in the next update.  So there is NO virus in the
 archive 'DS-POC.LHA'.


 Here is some info about the infected archives:


> ------------------------------- INFO START ------------------------------

 Archive name.....: D-S_MK2.LHA (or lzx)
 Archive size.....: 2832772 bytes.
 Infected File....: MK2
 Infected with....: Ebola Link-virus

 File id.Diz......:      .---- \/
                      ___|__   /  __/__ !!MERRY  X-MAS!!
                    .--./     /   \____   \.--------------.
                    |;)|_    /|   ___/     |mORtAL kOMbAT2|
                    |   /_________\^/      ! ORG. PAL VER |
                    | <-   -  -- --- -----!   hD Fixed    |
                    |      hAvE PhUN!!!!!                 |
                    `--------------------------[17.12.97]-'

 Click here  to read the Ebola Test by Markus Schmall.



 Archive name.....: D-S_ZW2.LHA (or lzx)
 Archive size.....: 488796 Bytes
 Infected Files...: Zeewolf2_HD
                    Z2Boot
 Infected with....: Ebola Link-virus

 File id.Diz......:      .---- \/
                      ___|__   /  __/__ !!MERRY  X-MAS!!
                    .--./     /   \____   \.--------------.
                    |;)|_    /|   ___/     |  Zeewolf iI  |
                    |   /_________\^/      !              |
                    | <-   -  -- --- -----!   hD Fixed    |
                    |      hAvE PhUN!!!!!                 |
                    `--------------------------[17.12.97]-'

 Click here  to read the Ebola Test by Markus Schmall.



 Archive name.....: ORG3_3.LHA (or lzx)
 Archive size.....: 569935 bytes.
 Infected File....: aSCi.exe
 Infected with....: Happy New Year 96 Link-virus

 File id.Diz......: _ _                                _
                      ___     _____    ______   __  __
                    _( _(____( ___(____)    /___) \/ (_.
                    \______    (/_        /  _  \/  |
                     /  \) ______\   _.  /)   /__/    |
                    /_______(      \_( |______/  /_____|
                     sCUm pRESENTs - oRGAZm iSSUe #3 3/3
                    _ ________________________________ _


 Click here  to read the HNY 96' Test by Markus Schmall.


> ------------------------------- INFO END --------------------------------


 Thanx to Chill, for the info about this archives.



   Regards....
      __                              VirNet..:  9:451/247.0
 __  ///       Jan Andersen           FidoNet.:  2:237/38.100
 \\///       --------------          AmyNet..: 39:140/127.100
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]


 Hi All....


 Happy New Year 98 to you all.  There is a little more behind these words, a
 new linkvirus has been found, and  it is " Happy New Year 98 ". It will add
 920 bytes to every executed file.  You can within the  last 30 bytes of the
 infected file read "Happy New Year 98". We do not know of any installers or
 infected archives with this new virus, so if you find the installer, please
 mail it to me.

 The  famos virus-killer VT by Mr. Heiner Schneegold has now been updated to
 version 3.03, and it will find and remove the Happy New Year 98' virus.

 You can get the VT v3.03 archive from our homepage, or a BBS near you.

 Thanx to Gerald Schnabel for sending us the infected file.

 Read about the first found archive infected with "Happy New Year 98" virus.


   Regards....
      __                              VirNet..:  9:451/247.0
 __  ///       Jan Andersen           FidoNet.:  2:237/38.100
 \\///       --------------          AmyNet..: 39:140/127.100
  \XX/      VIRUS HELP DENMARK        E-Mail..: [email protected]
      http://home4.inet.tele.dk/vht-dk


 Hi All....


 The first infected archive with the new "Happy New Year 98" linkvirus has
 now been found. We don't think that this archive is the installer of this
 new virus,  so I guess that we are still looking for  the it. If you find
 it, plaese mail it to us, or supload it to one of our support BBS'es.

 If your system has been infected, plaese use VT v3.03 to remove it.

 Here is some info about the infected archives:


> ------------------------------- INFO START ------------------------------

 Archive name.....: w9-sex.lzx
 Archive size.....: 187786 bytes (Ripped for BBS adds).
 Infected File....: SeXtrO
 Infected Size....: 212396 bytes (Packed with CrunchyDat 1.0)
                    892996 bytes (unpacked)
 Infected with....: Happy New Year 98 Link-virus.

 File id.Diz......:  ______  _____ ______  ______
                    _\    /__\    _\  __ \_\  __ \
                         /_ /  (       / /     / /n
                    _   /       _                 i
                     \___    ___/  \     \        n
                     ry! \__   /____\/____\ ___\  e
                     ______ _  W A R P  9  _ _____
                    |       p.r.e.s.e.n.t.s       |
                    |   -  - ------------- -  -   |
                    |         S E X T R O         |
                    |                             |
                    |  TiTTEN-TuSSiS-GuTe LAUNe   |
                    |                             |
                    `-[W9]---  -       -  --------'


> ------------------------------- INFO END --------------------------------


 Thanx to Ramon, for sending this archive to us.

  Read our first  warning about the "Happy New Year 98" virus.


   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///         Virus Help Denmark            AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....


 Another infected archive with the new "Happy New Year 98"  linkvirus  has
 now been found. We don't think that this archive is the installer of this
 new virus,  so I guess that we are still looking for  the it. If you find
 it, plaese mail it to us, or supload it to one of our support BBS'es.

 If your system has been infected, plaese use VT v3.03, VirusWorkshop v6.8
 Virus_Checker II v1.1 (brain v2.2),  VirusZ II v1.42 (bug-Fixed) and also
 FastVirusKiller v1.17 to remove it.

 Here is some info about the infected archives:


> ------------------------------- INFO START ------------------------------

 Archive name.....: CNS-BGE.LHA
 Archive size.....: 35564 bytes (Ripped for BBS adds).
 Infected File....: BGEDIT/BGEDIT
 Infected Size....: 27068 bytes (Packed with CrunchMania Normal)
 Infected File....: BGEDIT/LIBS/iff.library
                    4080 bytes (not packed)
 Infected with....: Happy New Year 98 Link-virus

 File id.Diz......:   ___ ______  __ __________ _____
                     /   |  .\  \|  |  _/ .\   |  __/
                    /  ._|_ | \ \  |__ \ | \ -|-._)_
                    \  `  / `  \ \  |    \`  \   |  /
                     \___/_____/_|__|____/___/___|_/
                    ((((( H E L L   A M I G A  ))))))
                    |                               |
                    |     AMiGA-Tool to convert     |
                    |  SNES, NES, SATURN, PSX, PCE! |
                    |Graphics to IFF-AMIGA Format!! |
                    |                               |
                    `-------------------------------'



> ------------------------------- INFO END --------------------------------


 Thanx to Arne Jensen, for sending this archive to us.



   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///         Virus Help Denmark            AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....

 I'm sorry to say this, but I was to fast when I wrote about the archive
 'CBS-ETIT.LZX' and the 'happy New Year 96' linkvirus. At this time only
 VT 3.04 and VirusZ II v1.42a can find this HNY-96 'hunk 11' virus.

 Thanx to Mr. Schneegold for correcting me in this matter....


 Here is some info about the infected archives:


> ------------------------------- INFO START ------------------------------

 Archive name.....: CBS-ETIT.LZX
 Archive size.....: 27678 bytes (Ripped for BBS adds).
 Infected File....: CBS-Intro/Eternity.exe
 Infected Size....: 26736 bytes (Packed with StoneCracker 4.04)
                    58068 bytes unpacked.
 Infected with....: Happy New Year 96 link-virus (hunk 11)

 File id.Diz......:     .__  .____.____.____.____.___ ._
                      |    |_  /|   /|   /|_  /|  /_|`---.  
                    .---\__\`  / `  / `  / `  / ` __/`/___|---.
                    |        - take us to your dealer! -       |
                    |presents:                                 |
                    |          BBSIntro for ETERNiTY           |
                    |                                          |
                    `------------------------------------------'


> ------------------------------- INFO END --------------------------------


 Thanx to Johnny Hansen, for sending this archive to us.



   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///         Virus Help Denmark            AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....


 Well, I't looks like some little stupid guy  someware in England, has been
 starting writing trojan's in AMOS.  These trojan's are made to destroy the
 BBS system 'MAX'. It will delete almost every BBS  file on the system, and
 also files like Startup-Sequence, c:dir and more. The guy behind these new
 trojans are a  guy that calls himself "Cactus^Jack". And he must be trying
 to  remove anything  about him  self, as this trojan is looking for a file
 with the name "bbs:userfiles/cactus", if this is found it will be deleted.

 This warning is for the archive "JC_SpiceGirls.LHA". If you run this shit,
 a picture will be shown on your screen, with the text:

 Juraccis Cactus
    Presents
  Spice Girls
    Megamix

 Byt here is some info about the trojan:


> ------------------------------- INFO START ------------------------------

 Archive name.....: JC_SpiceGirls.LHA
 Archive size.....: 60482 bytes (Ripped for BBS adds).
 Trojan File......: Jc-Spice.exe
 Trojan Size......: 111524 bytes (Packed with AMOS Pro Compiler v2.00)

 File id.Diz......: Jurasic Cactus

                       Present

                      Spice Girl Megamix Demo !

                      Coded By : c-jack
                      Musax By : Bigo H

                      release at The Gathering 97 demo comp


> ------------------------------- INFO END --------------------------------


 Thanx to Dave Buckley, for sending this archive to us.

 This archive is on it's way to every antivirus programmer, that accepts
 new viruses/trojans from us.


   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///         Virus Help Denmark            AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....

 Well, I't looks like some little stupid guy  someware in England, has been
 starting writing trojan's in AMOS.  These trojan's are made to destroy the
 BBS system 'MAX'. It will delete almost every BBS  file on the system, and
 also files like Startup-Sequence, c:dir and more. The guy behind these new
 trojans are a  guy that calls himself "Cactus^Jack". And he must be trying
 to  remove anything  about him  self, as this trojan is looking for a file
 with the name "bbs:userfiles/cactus", if this is found it will be deleted.

 This warning is for the archive "nce-tri9.lha".

 Here is some info about the trojan:


> ------------------------------- INFO START ------------------------------

 Archive name.....: nce-tri9.lha
 Archive size.....: 47587 bytes (Ripped for BBS adds).
 Trojan File......: Trilobyte!_9.exe
 Trojan Size......: 46264 bytes (Packed with Powerpacker 4)
                    71468 bytes unpacked.

 File id.Diz......:      ______ __ _    _____  ___ _
                     ___/.__.\_________/.__.\_/  \____
                    / .__: :_._  ______: :___/\_____\
                    ? : \ :| | \/ ._\  \ :| _ // ___//
                    | |: \ || : \ _/ \ \ ||  \/\ _)__\_
                    | || |\_|____/_|  \|\_|____/__  /  ?
                    |-|__|---------|____\----------\/---|
                    | ...brings ya...                   |
                    |                ...Trilobyte! #9!  |
                    |                                   |
                    |  tHIS iS tHE bEST yET dOODZ!!!!!! |
                    `-----------------------------------'


> ------------------------------- INFO END --------------------------------


 Thanx to Dave Buckley, for sending this archive to us.

 This archive is on it's way to every antivirus programmer, that accepts
 new viruses/trojans from us.


   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///         Virus Help Denmark           AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....

 Well, I't looks like some little stupid guy  someware in England, has been
 starting writing trojan's in AMOS.  These trojan's are made to destroy the
 BBS system 'MAX'. It will delete almost every BBS  file on the system, and
 also files like Startup-Sequence, c:dir and more. The guy behind these new
 trojans are a  guy that calls himself "Cactus^Jack". And he must be trying
 to  remove anything  about him  self, as this trojan is looking for a file
 with the name "bbs:userfiles/cactus", if this is found it will be deleted.

 This warning is for the archive "SPICE_POWER.lha"

 Here is some info about the trojan:


> ------------------------------- INFO START ------------------------------

 Archive name.....: SPICE_POWER.lha
 Archive size.....: 36539 bytes (Ripped for BBS adds).
 Trojan File......: SpicePower97
 Trojan Size......: 57820 bytes (AMOS Pro Compiler v2.00 Cruncher)

 File id.Diz......: ZENGO SPICE POWER MEGAMIX 1997!

                    If ya like the Spice Girls, GET THIS!


> ------------------------------- INFO END --------------------------------


 Thanx to Dave Buckley, for sending this archive to us.

 This archive is on it's way to every antivirus programmer, that accepts
 new viruses/trojans from us.


   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///         Virus Help Denmark            AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....

 Well, I't looks like some little stupid guy  someware in England, has been
 starting writing trojan's in AMOS.  These trojan's are made to destroy the
 BBS system 'MAX'. It will delete almost every BBS  file on the system, and
 also files like Startup-Sequence, c:dir and more. The guy behind these new
 trojans are a  guy that calls himself "Cactus^Jack". And he must be trying
 to  remove anything  about him  self, as this trojan is looking for a file
 with the name "bbs:userfiles/cactus", if this is found it will be deleted.

 This warning is for the archive "Mpeopledemo.lha"

 This archive was corupt when  I recived it, and I could only unpack a part
 of it, but the  trojan code in in there. I could not  run the trojan on my
 system, so I don't know if it works.

 Here is some info about the trojan:


> ------------------------------- INFO START ------------------------------

 Archive name.....: Mpeopledemo.lha
 Archive size.....: 49137 bytes (Ripped for BBS adds).
 Trojan File......: Mpeople.exe
 Trojan Size......: 122408 bytes (Packed ????? don't know)

 File id.Diz......: .------------------------------------------.
                    |            M-PEOPLE SLIDESHOW            |
                    |                                          |
                    |          CODED BY THE TRS CREW           |
                    |           MUSAK BY : UNKNOWN             |
                    |        DIGI PICS BY : IVAN GORGU         |
                    `------------------------------------------'


> ------------------------------- INFO END --------------------------------


 Thanx to Dave Buckley, for sending this archive to us.

 This archive is on it's way to every antivirus programmer, that accepts
 new viruses/trojans from us.


   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///         Virus Help Denmark            AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....

 Well, I't looks like these 'AMOS' programmed trojans are comming. I
 have recived the archive via InterNet. It has been online on Aminet,
 so if you have downloaded it there, take care.....

 The trojan will delete (SnoopDOS.log):

 Count Process Name Action     Target Name             Res.
 ----- ------------ ------     -----------             ----
 1     ReOrgIt.exe  Delete     DH0:S/startup-sequence  OK
 2     ReOrgIt.exe  Delete     DH0:S/User-startup      OK
 3     ReOrgIt.exe  Delete     DH0:S/*.*               Fail


 Here is some of the text strings you can read in the file:

 HAHAHA, your HD is stuffed
 Prepare to DIE

 Here is some info about the trojan:


> ------------------------------- INFO START ---------------------------

 Archive name.....: ReOrgIt.lha
 Archive size.....: 52279 bytes (Ripped for BBS adds).
 Trojan File......: ReOrgIt.exe
 Trojan Size......: 60732 bytes (Packed ????? don't know)

 File info........: EXCELLENT HD Reoganizer program 65% speed.

> ------------------------------- INFO END -----------------------------


 Thanx to Raymond Lagerwey, for sending this archive to us.

 This archive is on it's way to every antivirus programmer, that accepts
 new viruses/trojans from us.


   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///         Virus Help Denmark            AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....

 Well, a new  trojan has been found. The programs say's that it will
 check if your fake miami keyfiles is okay to you. Don't belive this
 at all. It will infect your system.

 But there is a rescue. Heiner Schneegold has released a new update
 of his great viruskiller "VT" today.  VT v3.08 can be found on our
  homepage.... 

 Here is some info about the trojan:

> ------------------------------- INFO START ---------------------------

 Archive name.....: PHK-MKEY.lzx
 Archive size.....: 2185 bytes (Ripped for BBS adds).
 Trojan File......: mkey.exe
 Trojan Size......: 1880 bytes

 File info........: .--------------------------------------.
                    |So rumour has it Holger has released a|
                    |virus to harm users with fake miami   |
                    |keyfiles. This will check your keys to|
                    |ensure its safe to use, dEN saves ya  |
                    |and fists Holgers ass!                |
                    `--------------------------------------'
                         }-- dEN 3/3/98   pHuKeRs --{

> ------------------------------- INFO END -----------------------------


 Thanx to Heiner Schneegold for the info about this archive.

 This archive is on it's way to every antivirus programmer, that accepts
 new viruses/trojans from us.


   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///         Virus Help Denmark            AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....

 Well, a new archive has been found that is infected with the 'Happy
 New Year 96' linkvirus.  And there should be no problems, since all
 the major antivirus programs can find and remove this virus.


 Here is some info about the trojan:


> ------------------------------- INFO START ---------------------------

 Archive name.....: PHT-Suns.lzx
 Archive size.....: 4755 bytes (Ripped for BBS adds).
 Infected File....: Sunscream.exe
 Infected Size....: 4368 bytes (Packed with StoneCracker 4.04)

 File info........: Phase Truce - 4kb intro for Rush Hours'98

> ------------------------------- INFO END -----------------------------

  Click Here  to read the VTC test of Happy New Year virus.

 Thanx to Peter Hansen, for the info about this archive.



   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///         Virus Help Denmark            AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....

 Well, a new archive has been found that is infected with the 'Happy
 New Year 96' linkvirus.  And there should be no problems, since all
 the major antivirus  programs can find  and remove this virus. Just
 remember to remove the virus, before starting the program.....


 Here is some info about the trojan:


> ------------------------------- INFO START ---------------------------

 Archive name.....: FFFF.LHA
 Archive size.....: 454.455 bytes (Ripped for BBS adds).
 Infected File....: NlsForFun.exe
 Infected Size....: 34792 bytes (Packed with PowerPacker 4)
                    160108 bytes (Unpacked)
 Infected with....: Happy New Year 1996 - Linkvirus.

 File info........:  ___    __ __ __ ___ __   ____  __ __ ___
                       `--  Y    ' _/  -  __)  Y   --'-.
                    |     |  !  |    \|  ' |  -'|  !  |---- |
                    `---'--^-----^--!___)----^-----^-----^-----'
                    NUKLEUS gives you a GAME with suprises...!!
                    ____     ____      ____    ____    /\    !
                   |::::|   |::::|    |::::|  |::::|  //\FREE!
                   |::__    |::__     |::__   |::__  ///\COOL!
                   |::::|   |::::|    |::::|  |::::| \\/NICE!
                   |::|     |::|      |::|    |::|    \//   !
                   |::| ist |::| ight |::| or |::| reedom   !!
                   ---------------------------------------bZ-'

> ------------------------------- INFO END -----------------------------

  Click Here  to read the VTC test of Happy New Year virus.

 Thanx to Torben Danoe, for the info about this archive.



   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///         Virus Help Denmark            AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....


 Another infected archive with the new "Happy New Year 96'" linkvirus  has
 now been found. The archive have been spread via AmiNet, but we have told
 the people behind AmiNet  about this archive,  and we hope that they will
 remove it.

 If your system has been infected, plaese use VT v3.08, VirusWorkshop v6.9
 Virus_Checker II v1.5 and VirusZ II v1.43.

 Here is some info about the infected archives:


> ------------------------------- INFO START -----------------------------

 Archive name.....: WinTool.lha
 Archive size.....: 13461 bytes (Ripped for BBS adds).
 Infected File....: WinTool (version 1.1)
 Infected Size....: 15296 bytes
 Infected with....: Happy New Year 96 Link-virus

 Archive info.....: This program will get information from another window,
                    and give the option to manipulate it. Close it, change
                    it, move it... Full source included. It is compiled in
                    debug mode, so it will be easy to find bugs. It should
                    be really easy to recompile it with no debug.

> ------------------------------- INFO END --------------------------------


  Click Here  to read the VTC test of Happy New Year virus.

 Thanx to George Barkouris, for sending this archive to us.


   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///       Virus Help Team Denmark         AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....


 A new trojan has been found. Again it is aimed for 'Max BBS' systems. The
 trojan will (if you run it), make 4 files in RAM: runit, runit.info, yes,
 yes.info., and within the next seconds the system will reboot and execute
 "RAM:runit < ram.yes d scsi.device", and will write 0 RIGID. It is 'only'
 SCSI device and 'only' unit '0' that is going to be damaged.

 The archive has been send to all the major antivirus programmers....

 Here is some info trojan archive:


> ------------------------------- INFO START -----------------------------

 Archive name.....: maxsafe.lha
 Archive size.....: 12136 bytes (Ripped for BBS adds).
 Infected File....: maxsafe
 Infected Size....: 5008 bytes
 File_id.diz......: Help stop your BBS from crashing
                    by finding those faulty doors


> ------------------------------- INFO END --------------------------------


 Thanx to Dave Buckley and Colin Wilson, for sending this archive to us.

 Thanx to Mr.Heiner Schneegold for the test of this archive


   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///       Virus Help Team Denmark         AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....

 A new trojan has been found. Again it is aimed for 'Max BBS' systems. The
 trojan will (if you run it), delete almost everything from your system. I
 will also delete it self at the end. At this time we do not have the hole
 archive, we only have the trojan it self.

 The file has been send to all the major antivirus programmers....

 Here is some info trojan archive:


> ------------------------------- INFO START -----------------------------

 Archive name.....: ?
 Archive size.....: ? bytes (Ripped for BBS adds).
 Infected File....: UnpackJPEG
 Infected Size....: 27856 bytes
 File_id.diz......:


> ------------------------------- INFO END --------------------------------


 Thanx to Dave Buckley, for sending this file to us.


   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///       Virus Help Team Denmark         AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....

 Another new linkvirus has been found.  The archives name is still unknown
 all we have is the main file. It is a fake version of AMFTP v1.91. If you
 run this program,  5000 bytes will be added to every file that is run. If
 you decode the virus, you can read "POLISHPOWER-Virus" in the text.

 Here is some info about the infected file:


> ------------------------------- INFO START -----------------------------

 Archive name.....: ?
 Archive size.....: ? bytes (Ripped for BBS adds).
 Infected File....: AMFTP (version 1.91)
 Infected Size....: 126316 bytes
 Archive info.....:

> ------------------------------- INFO END --------------------------------


 If you find an archive that contains AMFTP with the size "126316" bytes,
 please send it to me, or upload it to one of our support BBS'es.


 Thanx to Mr. Heiner Schneegold for the fast test of this file.



   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///       Virus Help Team Denmark         AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....

 Another new virus has been found.  The installer and infected archives is
 still unknown.  All we have is some  infected files. If you have this new
 virus on your system, every infected file will be added 760 bytes. If you
 decode the virus part, you can read "fungus/lsd" in a text-string.

 The major anti-virus programs "VT",  "VirusChecker II" and "VirusZ", will
 be released in the near  future, and they will be abel to find and remove
 this new virus.

 BUT:
 "Digital Corruption" has  released a littel "fungus killer/disable", that
 will disable the virus. So if your system is infected with this new virus
 use the program from "Digital Corruption". The archive name of the littel
 disabler is "DC-FNG11.LHA". You  should be abel to  find the archive on a
 BBS near you, or get it from Virus Help Denmarks homepage. (Adress in the
 sign.)


 Thanx to "RAM", for this little killer/disabler...

 Thanx to Mr. Heiner Schneegold for the fast test of this file.

 Thanx to Kisa and Jeff German for sending me the infected files.


 PS.  Click here  to read about the installer of 'Fungus/lsd' virus.


   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///       Virus Help Team Denmark         AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....

 The archive  that installs  the new "fungus" virus  is found.  I have now
 recived  4 archives from  all over the world (Australia, USA, Germany and
 Denmark). Everyone  of  the contains  the  same files, and the  same file
 contains the 'fungus' virus in every archive.

 Here is some info about the 'fungus' archive:


> ------------------------------- INFO START -----------------------------

 Archive name.....: M31H_CRK.LHA
 Archive size.....: 436085 bytes (Ripped for BBS adds).
 Infected File....: Miami_BETA/MUI.MiamiGui
 Infected Size....: 127360 bytes
 File_id.diz......: .------------------------------------------.
                    |                                          |
                    |             Miami 3.1h BETA              |
                    |                                          |
                    | TOTALLY CRACKED AND ALL HOLGER BACKDOOR  |
                    |      SHIT REMOVED FOR YOUR PLEASURE!     |
                    |     CANT THE BIG GROUPS CRACK THIS???    |
                    |                                          |
                    |    CRACKED FOR YOU BY HOLGWHORE KRUDE    |
                    |                                          |
                    `------------------------------------------'

> ------------------------------- INFO END --------------------------------


 Thanx to Ian, Michael, Peter and Thomas, for sending this file to us.


 PS.  Click here  to read the first warning about the 'Fungus/lsd' virus.


   Regards....
      __           Jan Andersen         E-Mail..:  [email protected]
 __  ///          --------------           FidoNet.:  2:237/38.100
 \\///       Virus Help Team Denmark         AmyNet..: 39:140/127.100
  \XX/   http://home4.inet.tele.dk/vht-dk        VirNet..: 9:451/247.0


 Hi All....

 A new  trojan has been  found. This trojan was on AmiNet, but it has been
 removed  now.  It is a fake 'datatypes.library v45.5'. And it will if you
 are on InterNet and using 'Miami', send a e-mail to a Hotmail adress with
 your name and password. So if you have installed this version, get rid of
 it and install the v4.54 update (You can find this on AmiNet).


 Here is some info about the fake 'datatypes.library':

> ------------------------------- INFO START -----------------------------

 Archive name.....: dtypes455upd.lha
 Archive size.....: 27.990 bytes
 Trojan File......: datatypes.library
 Trojan Size......: 32748 bytes

> ------------------------------- INFO END -------------------------------

 Note:
 In  May  1988,  the  same  datatypes.library  trojan  was found, but with
 another file lenght (32832 Bytes). VT v3.10 will find this version, but
 not the new (yet!).

 In a few other text files, DC has been blamed for this and other trojans,
 I think that it is not true. Why should DC do this?.

 Thanks to Matthew  for sending archives, and to Mr. Heiner Schneegold and
 Fridrik for the test and info.


   Regards....
      __          Jan  Andersen         E-Mail..:  [email protected]
 __  ///          -------------            FidoNet.:  2:237/38.100
 \\///       Virus Help Team Denmark         AmyNet..: 39:140/127.100
  \XX/            www.vht-dk.dk                  VirNet..: 9:451/247.0


 Hi All....


 A new trojan has been found. This trojan was found on AmiNet, but we hope
 that it has been removed there. It is said to be a AGA Demo, made by some
 guy called SubZero.  It will send a e-mail to a Hotmail adress (just like
 the datatypes.library trojan),  but this time it will also  install a new
 linkvirus. This virus will add about 15k, to some files on your system.
 At this time there is no cure for this trojan/virus.  As soon as there is
 a program  to remove this 'sucker',  we will have it on our homepage, you
 can find it there.

 If  your system  has been infected  with this trojan/virus, you can check
 the date for infected files,  if you installed it  on the 15'th, the date
 will be the 15'th on your system.  Just replace every file with this date
 woth clean one's, for fresh archives of floppy disk's. This is all that
 you can do for now (sorry).


 Here is some info about the trojan/virus:

> ------------------------------- INFO START -----------------------------

 Archive name.....: birthday.lha
 Archive size.....: 497.365 bytes
 Trojan File......: birthday
 Trojan Size......: 703.664 bytes
 Virus Size.......: About 15.000 bytes

> ------------------------------- INFO END -------------------------------


 We hope to have a killer ready for this very soon.

 Note (27 Dec. 1998):
 --------------------
 xvs.library v33.15 has been released, and will find and repair infected
 files. You can use xvs.library with these antivirus programs VirusZ II,
 VirusChecker II and VirusExecutor.


 Thanks to Ramon, Buzz, Paul Pacheco and many more, for sending archives
 and infected files.


   Regards....
      __          Jan  Andersen         E-Mail..:  [email protected]
 __  ///          -------------            FidoNet.:  2:237/38.100
 \\///         Virus Help Denmark         AmyNet..: 39:140/127.100
  \XX/            www.vht-dk.dk            VirNet..: 9:451/247.0


 Hi All....

 A new virus trojan has been found.  It is said to be a new update of the
 wellknown program  'CygnusEd v4.17". But if you start CED it will change
 the  size of your 'c:mount' command and  add 800 bytes, and make the new
 size 7388 bytes.

 Here is some info about the trojan/virus:

> ------------------------------- INFO START -----------------------------

 Archive name.....: HF-CD417.LHA
 Archive size.....: 306.382 bytes
 Trojan File......: CygnusED/CED
 Trojan Size......: 169.872 bytes
 Virus infect.....: c/mount (new size 7388 bytes)
 Virus size.......: 800 bytes

> ------------------------------- INFO END -------------------------------

 We hope to have a killer ready for this very soon.

 Thanks to [email protected], for sending archives and infected files.


   Regards....
      __          Jan  Andersen         E-Mail..:  [email protected]
 __  ///          -------------            FidoNet.:  2:237/38.100
 \\///         Virus Help Denmark            AmyNet..: 39:140/127.100
  \XX/            www.vht-dk.dk                  VirNet..: 9:451/247.0


 Hi All....

 The installer of the new link-virus "STD-Crabs_1"  have been found. It is
 a fake version of "Miami DELUXE 0.9c". If you run the file "MiamiDx.beta"
 from the archive, it will infect every executed file with the "STD-Craps"
 virus.  At this  time only the viruskiller 'VT v3.14' is abel to find and
 remove this  virus. VirusZ, VirusChecker  and xvs.library will be updated
 as soon as possible.


 Here is some info about the trojan/virus:

> ------------------------------- INFO START -----------------------------

 Archive name.....: mdlx09c.lha
 Archive size.....: 882.398 bytes
 Dropper File.....: MiamiDx_Install/MiamiDx.beta
 Dropper Size.....: 439.724 bytes
 Virus installed..: STD-Crap linkvirus

 File_Id.Diz......:     ___    fASt iNT3RNEt sERVCe
                      _(___)   _______   _____   _____
                      \   \ __.\  ._  \__\__  \__\    \__
                      /   /[__   |/   /   /___/_     __/ [sTZ!]
                     /___/    |___|   /.________/_____|
                    -----------/_____|------------------------.
                   |                                          |
                   |           Miami DELUXE 0.9c              |
                   |        keyfiles with this pack           |
                   |                                          |
                   `------------------------------------------'

> ------------------------------- INFO END -------------------------------

 Thanks to David Knell, for sending archives and infected files.


   Regards....
      __          Jan  Andersen         E-Mail..:  [email protected]
 __  ///          -------------            FidoNet.:  2:237/38.100
 \\///         Virus Help Denmark            AmyNet..: 39:140/127.100
  \XX/            www.vht-dk.dk                  VirNet..: 9:451/247.0


Converted on 20 Jun 1999 with RexxDoesAmigaGuide2HTML by Michael Ranner.