***** VIRUS HELP DENMARK ***** *** PRESENTS *** * * ***** ***** VirusWarning.Guide v2.7 ***** ***** *** *** 5 April 1999 *** *** * * * * >>>>>>>>>>>>>>>>>>>>>>>>>--------------------<<<<<<<<<<<<<<<<<<<<<<<<<< VirusWarning.Guide New warnings in this update of the guide - New's. Virus/Trojan names in alfabetic order - Names list. Virus/Trojan archives in alfabetic order - Names List. Virus/Trojan/Archives that we are looking for! - Help Us. Copyright � 1994-1999 - Copyright. About Virus Help Denmark - Who are we? My PGP public key - PGP Key. Thanks list corncerning VirusWarning.guide - Thanx list. The newest versions of the Amiga Antivirus programs - AV Updates. This guide was made to give you a better look of the files that we have written warnings about.
The newest updates of the Amiga AntiVirus programs -------------------------------------------------- (5 April 1999) xvs.library v33.18.............. (08.03.1999) By Georg Hoermann. VirusChecker II v1.12........... (17.02.1999) By Alex van Niel. VirusSlayer v1.14 (beta)........ (12.02.1999) By Martin Zemblowski. VirusChecker.brain v2.15........ (11.02.1999) By Alex van Niel. VT v3.15........................ (11.02.1999) By Heiner Schneegold. VirusExecutor v1.81b............ (27.12.1998) By Jan Erik Olausen. VirusZ II v1.44................. (06.09.1998) By Georg Hoermann. VirusZ III v0.92b............... (06.09.1998) By Georg Hoermann. VirusWorkshop v6.9.............. (24.03.1998) By Markus Schmall. !!!!! Important news about VirusWorkshop by Markus Schmall !!!!! Please remember to support the antivirus programmers, after all they are helping you....... PS : If you find a new virus or trojan, please upload it to our BBS then we will send it to all the anti-virus programmers that will accept new stuff from us. (use my public PGP Key ) You can get all the latest versions on our homepage, here is the adress: www.vht-dk.dk
Copyright � 1994-99 - Information This guide is written and � Copyrighted 1999, by Jan Andersen of Virus Help Denmark using the warnings that we have been writing and send out on the Net's, with the exceptions of the virus warnings that Markus Schmall has written. But we have his permission to use them. No part of the guide may be altered in any way, without a written permission from Virus Help Denmark . This Guide will be spread every 2 month, with all the new warnings by Markus Schmall and Virus Help Denmark. We will at that time have sent the new Warnings out on all the Nets and BBS'es, that we have access to (InterNet, FidoNet, AmyNet etc.). If you want to use this guide or some of the warnings, please contact one of us and get a written permisssion to do it. If you want to use the warnings that Markus Schmall has written, please contact him to get his permission. This Guide is free to spread in any way, as long as nothing is altered in any way.
Who are Virus Help Danmark: -------------------------------- We are 5 guys who earlier worked for Safe Hex International to prevent the spreading of virus. But as our policy couldn't fit SHI's, we decided to step out from the 31 dec.1994 to start on our own. Our objectives are: 1) To fight and prevent the spreading of computervirus. 2) To aid users with virus related problems. 3) To support all wellknown antivirus programmer with virus. We will coorporate with ALL, who support our sake. We simply don't care if they are Germans, Americans or wherefrom, as long as we can aid the Amiga users in the best possible way... For more info, please contact: Jan Andersen - VHT Denmark Lars P. Kristensen - VHT Denmark --------------------------- -------------------------------- Fido...: 2:237/38.100 E-Mail.: [email protected] VirNet.: 9:451/247.0 AmyNET.: 39:140/127.100 E-Mail.: [email protected] By snail-mail ------------- Jan Andersen Lars P. Kristensen Charlottegaardsvej 131 or Safirvej 25 2640 Hedehusene 3650 Oelstykke DK-Denmark DK-Denmark New Updates on VirusWarning.Guide can be found on these places: --------------------------------------------------------------- Virus Help Denmark on Internet ------------------------------ Homepage....: www.vht-dk.dk
Virus Help Denmark's Support BBS'es ----------------------------------- BBS Name....: XPoint BBS BBS Name....: SouthSide BBS Phone Number: +45 6381 8005 Phone Number: +45 4353 3828. Country.....: Denmark Country.....: Denmark Open........: 24 Hours Open........: 24 Hours. Modem.......: 56.200 X2 & ISDN Modem.......: 33.600 v34+ BBS Name....: Futurelink Amiga BBS BBS Name....: Dave's Place BBS Phone Number: +45 7588 4011 Phone Number: +44 (0)161 339 5695 Country.....: Denmark Country.....: England Open........: 24 Hours Open........: 24 Hours Modem.......: 33.6 v34+ Modem.......: 28.800 BBS Name....: Thunderdome BBS. BBS Name....: ABBS Support BBS Phone Number: +46 171 20586 Phone Number: +47 6935 3097 Country.....: Sweden Country.....: Norway Open........: 24 Hours Open........: 24 Hours Modem.......: 33.600 v34+ Modem.......: 33.600 v34+
The guy's behind Virus Help Denmark. ----------------------------------------- Jan Andersen........: VHT-DK's InterNet support, Virus-Hunter, Contact to Anti-virus programmers. Lars P. Kristensen..: VHT-DK's PR-man, Translator, Virus help. Virus Help Team's World support, BBS support. Henrik Lauridsen....: VHT-DK's InterNet support, Virus help. Torben Danoe........: VHT-DK's translator, Virus help. Jan Nielsen.........: VHT-DK's translator, Virus help. We have no leades of VHT-Denmark, no one is the Boss. We all deside what we do, and how. That is why we are working as a TEAM.
Thanks list corncerning VirusWarning.guide Markus Schmall........: For letting us use his warnings in this guide Thanks must also go to: Jan-Jan, Lars, Henrik, Georg, Heiner, John, Torben, Soenke, Per, Kim B, Enzo, Deliveryman, Martin, Flemming S, Jan, Thomas, Hee-Mann, Ib, Dave, Ramon, Harry, Alex, Cor for collecting trojans and viruses for us. Speciel thanx to the Virus Test Center in Hamburg. (Sorry if I forgot you) All the guys that is helping us collecting the new virus, and the few ones that are helping everybody, by programming a viruskiller.
Please send me the new viruses that you find, so we can keep the support to the anti-virus programmers. You can encrypt it with my public PGP key, in that way the archive/file won't get spread if it ends up in the wrong place. Type Bits/KeyID Date User ID pub 1024/E7B1A755 1999/01/09 Jan Andersen <[email protected]> -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQCNAzaX6BIAAAEEANnkhochSsPthVhFlRLPiCCndozo0h2g1RUQXTt4vSEvOpfs j9wTv6hZKeXsi1kE+5UKM/Xt9S+/eftKw+6oiWKyqB2dZqeLtLt5Uj1TXViMygye a0nDSFhub02NXTDehzgnhzO9kE/toqhTzyizygZYXrUD+Onp/CSq+InnsadVAAUR tCNKYW4gQW5kZXJzZW4gPHZodC1ka0Bwb3N0NC50ZWxlLmRrPokAlQMFEDaX6BQk qviJ57GnVQEBkGIEAIyaaerRR7kjLVmW1cshu6VHxq5uRVqg87M9qMTWJf0EfCgI yj5aJODqsjc36DPyW5AJuUgB1nDKPgvjCBCQp27PEvu61+a0S0Cat6sK65S5dxQE O92jtF/VPpaYy0nDsDoQemcFrggGVXxFTlstjNOk1GxatUIvGugBlcETUGO2 =kLIO -----END PGP PUBLIC KEY BLOCK-----
New warnings in this update of the guide New warnings in alfabetic order Warning Name ------------------------------------------------------------------------- Miami DeLuxe v0.9c fake (mdlx09c.lha) - (vht-dk79.lha) CygnusEd v4.17 fake (hf-cd417.lha) - (vht-dk78.lha) ------------------------------------------------------------------------- !!!!! We are looking for a lot of Viruses. please help us! !!!!! !!!!! Important news about VirusWorkshop by Markus Schmall !!!!! ------------------------------------------------------------------------- New warnings in VirusWarning.guide ---------------------------------- v1.0 v1.1 v1.2 v1.3 v1.4 v1.5 v1.6 v1.7 v1.8 v1.9 v2.0 v2.1 v2.2 v2.3 v2.4 v2.5 v2.6
New in VirusWarning.Guide v1.0 ------------------------------ Strange Atmosphere LinkVirus (srn-db33.lha) ....: (Flake023.txt) VirusMemKill v1.2 Trojan (VMK12.LHA) ....: (Flake022.txt)
New in VirusWarning.Guide v1.1 ------------------------------ Ebola 2 Link-Virus ....: (Flake024.txt) BBS Traveller Virus (lop_mi2.lha) ....: (Flake025.txt) Hitch Hiker 1.10 link virus ....: (Flake026.txt)
New in VirusWarning.Guide v1.2 ------------------------------ Mutation Nation linkvirus ....: (Flake027.txt) Hitch Hiker 3.00 link virus ....: (Flake028.txt) Hitch Hiker 3.00 link virus Installer ....: (Flake029.txt)
New in VirusWarning.Guide v1.3 ------------------------------ HitchHiker 3.00 linkvirus (patchhh.lzx) ....: (Flake-28.txt} Voxel_Svind.exe (dph-vos.lha) ....: (Vhelp-35.txt) HF-Intro.exe (hf-vc24.lha) ....: (Vhelp-36.txt) Happy New Year 96' Infected (ABC14.DMS)
New in VirusWarning.Guide v1.4 ------------------------------ CygnusEd v4.0 Trojan (HF-CED40.LHS) (VHelp-39.txt) HD Protect v6.24 trojan (HDPRO624.LHA) (VHelp-38.txt) Tetris Attack Full Release Disk 1 (HF-TETA1.LHA) (VHelp-37.txt) Tetris Attack Full Release Disk 2 (HF-TETA2.LHA) (VHelp-37.txt) The Black Lotus 'Abduction' demo (TBL-ABDU.LHA) (VHelp-40.txt)
New in VirusWarning.Guide v1.5 ------------------------------ Happy New Year 97' virus (DARKFUCK.LHA) (VHelp-40.txt) HNY 97' infected archive (TBF-F175.LHA) (VHelp-41.txt) HitchHicker 4 infected archive (MAPUS200.LZX) (VHelp-42.txt)
New in VirusWarning.Guide v1.6 ------------------------------ IBrowse v2.0 Trojan (DNC-IB2.LHA) HNY 97' infected archive (AMN-PAS1.LHA) HNY 97' infected archive (DXP_LW2R.LHA)
New in VirusWarning.Guide v1.7 ------------------------------ Ibrowse v2.0 (DCN-IB2.LHA) Maups v2.0 (HitchHicker 4 Infected) (MAPUS200.LZX) Intel Outside 4 Trojan (IO4-INVI.LHA) Xtruder v3.5 Trojan (XTRUDE35.LHA)
New in VirusWarning.Guide v1.8 ------------------------------ Ibrowse v2.0 (DCN-IB2.LHA) - VHelp-46.txt Happy New Year 97' new string (MUI020.LHA) - VHelp-47.txt AmixHack Trojan (DEC-SCP.LHA) - VHelp-48.txt HitchHicker v4.23 Link-Virus - VHelp-49.txt
New in VirusWarning.Guide v1.9: ------------------------------- Lisa FuckUp v3.0 (SEBOLA97.LHA) - VHelp-50.txt HitchHicker v4.11 infected (NUP-SLOS.LHA) - VHelp-51.txt Ebola infected (PSY-HAL.LHA) - VHelp-52.txt ZIB linkvirus found - VHelp-53.txt
New in VirusWarning.Guide v2.0: ------------------------------- Happy New Year 98 Infcted archive (w9-sex.lzx) - VHelp-58.txt Happy New Year 98 linkvirus - VHelp-57.txt Happy New Year 96 Infected archive (org3_3.lha) - VHelp-56.txt Ebola infected archive (d-s_zw2.lha) - VHelp-56.txt Ebola infected archive (d-s_mk2.lha) - VHelp-56.txt Ebola infected archive (cpu-mv31.lha) - VHelp-55.txt Happy New Year 96 Infected archive (modtime.lzx) - Hitch Hiker v2.11 installer (kilhitch.lha) - ZIP linkvirus installer (opus566p.lzx) - VHelp-54.txt
New in VirusWarning.Guide v2.1: ------------------------------- Miami Keyfile checker Trojan (PHK-MKEY.lzx) - vht-dk67.lha ReOrgIt Trojan (ReOrgIt.lha) - vht-dk66.lha Max BBS trojan Type D (Mpeopledemo.lha) - vht-dk65.lha Max BBS trojan Type C (SPICE_POWER.lha) - vht-dk64.lha Max BBS trojan Type B (nce-tri9.lha) - vht-dk63.lha Max BBS trojan Type A (JC_SpiceGirls.LHA) - vht-dk62.lha Happy New Year 96 Infected archive (CBS-ETIT.LZX) - vht-dk61.lha Happy New Year 98 Infected archive (CNS-BGE.LHA) - vht-v059.lha
New in VirusWarning.Guide v2.2 ------------------------------ This was a 'buggy' release, sorry for that.........
New in VirusWarning.Guide v2.3 ------------------------------ Happy New Year 96' Infected (PHT-Suns.lzx) ....: (vht-dk68.lha) Happy New Year 96' Infected (FFFF.LHA) ....: (vht-dk69.lha)
New in VirusWarning.Guide v2.4 ------------------------------ Happy New Year 96' Infected (WinTool.lha) - (vht-dk70.lha) Max BBS #4 trojan (maxsafe.lha) - (vht-dk71.lha)
New in VirusWarning.Guide v2.5 ------------------------------ Fungus/lsd installer (m31h_crk.lha - (vht-dk75.lha) Fungus/lsd file virus - (vht-dk74.lha) PolishPower link virus (AMFTP 1.91) - (vht-dk73.lha) New Max BBS trojan (UnpackJPEG) - (vht-dk72.lha)
New in VirusWarning.Guide v2.6 ------------------------------ Birthday Trojan & Dropper (birthday.lha) - (vht-dk77.lha) datatypes.library v45.5 Trojan (dtypes455upd.lha) - (vht-dk76.lha)
All warnings in alfabetic order Warning Name ------------------------------------------------------------------------ Abase infected Saddam Archiv (ABASE.DMS) ....: (Vhelp-15.txt) Achtung.exe Trojan. (GATH95-!.LHA) ....: (Vhelp-05.txt) Achtung.exe Trojan (Gath95-!.lha) ....: (Flake005.lha) Addy v0.99 Trojan. (ADDY099.LHA) ....: (Vhelp-02.txt) Alfons Eberg 2.0 (Wireface) (hf-vc24.lha) ....: (VHelp-36.txt) AMFTP v1.75 Infected (TBF-F175.LHA) ....: (VHelp-42.txt) AmiBlank Trojan (ABLANK11.LHA) ....: (Flake021.txt) AmiExpress v5.0 Trojan (PSG-AE5.LHA) ....: (Vhelp-18.txt) AmixHack Trojan (DEC-SCP.LHA) ....: (Vhelp-48.txt) BBS Traveller Virus (lop_mi2.lha) ....: (Flake025.txt) Birthday Trojan & Dropper (birthday.lha) ....: (vht-dk77.lha) Callerslog v1.2 Trojan (MST-CA12.LHA) ....: (Vhelp-20.txt) CarlingCard Hacker Trojan (CCHACK2.exe) ....: (Vhelp-17.txt) Commander link-virus Infector. (dpl-mam1.dms) ....: (Vhelp-04.txt) Commander link-virus Infector. (Denistro.exe) ....: (Vhelp-00.txt) ConMan Trojan (hackt.lha) ....: (Flake006.txt) ConMan 1995 link-virus (M-hac.lha) ....: (Flake016.txt) CoP Killer v1.1 Trojan (COPKILL1.LHA) ....: (Vhelp-19.txt) Creator v1.0 Trojan (CREATOR.LHA) ....: (Vhelp-12.txt) CygnusEd v4.00 Trojan. (CED4.LHA) ....: (Vhelp-08.txt) CygnusEd v4.0 Trojan (HF-CED40.LHS) ....: (VHelp-39.txt) CygnusEd v4.17 fake (hf-cd417.lha) ....: (vht-dk78.lha) DancePoolModTro.exe Infected (SIGN.LHA) ....: (Vhelp-32.txt) datatypes.library v45.5 (dtypes455upd.lha) ....: (vht-dk76.lha) DirectoryOpus v5.00. (OPUS5.LHA) ....: (Vhelp-09.txt) DiskMaster v5.1 Trojan ....: (Vhelp-25.txt) DMS v2.06 Trojan (cry_206.lha) ....: (Flake003.lha) dpl-dc99.lha trojan (dpl-dc99.lha) ....: (Flake004.lha) Ebola 2 Link-Virus ....: (Flake024.txt) FileGhost 3 LinkVirus ....: (Flake009.txt) Flake013.txt Fake (BIO-WARN.LHA) ....: (Flake014.txt) Fungus/lsd virus ....: (vht-dk74.lha) Fungus/lsd installer (m31h_crk.lha) ....: (vht-dk75.lha) Futuretracker Trojan (TRSI-FT.LHA) ....: (Vhelp-14.txt) Happy_New_Year_96' link virus ....: (Flake017.txt) Happy New Year 96' New String (CBS-ETIT.LZX) ....: (vht-dk61.lha) Happy_New_Year_97' link virus (DARKFUCK.LHA) ....: (VHelp-41.txt) Happy_New_Year_97' New String (MUI020.LHA) ....: (VHelp-47.txt) Happy New Year_98' link virus ....: (VHelp-57.txt) Happy New Year 98 Infcted archive (CNS-BGE.LHA) ....: (vht-v059.lha) HardDiskSpeeder v1.5 �GVP Inc. (GVP-HS15.lha) ....: (Flake012.txt) HD Protect v6.24 trojan (HDPRO624.LHA) ....: (VHelp-38.txt) HF-Intro.exe (hf-vc24.lha) ....: (VHelp-36.txt) Hitch Hicker 1.10 link virus ....: (Flake026.txt) Hitch Hicker 2.11 Installer (kilhitch.lha) ....: Hitch Hicker 3.00 link virus ....: (Flake028.txt) Hitch Hicker 3.00 link virus Installer ....: (Flake029.txt) Hitch Hicker 4.00 link virus ....: (VHelp-42.txt) Hitch Hicker 4.23 link virus ....: (VHelp-49.txt) Ibrowse v2.0 (DCN-IB2.LHA) ....: (VHelp-46.txt) Ibrowse v2.0 (New warning update) (DCN-IB2.LHA) ....: (VHelp-46.txt) Intel Outside 4 Trojan (IO4-INVI.LHA) ....: (VHelp-44.txt) IStrip v2.1 Trojan (Istrip21.lha) ....: (Flake002.lha) KillHitch Trojan (kilhitch.lha) ....: LHA v3.0 Trojan. (LHA30.LHA) ....: (Vhelp-07.txt) Lisa FuckUp v3.0 Trojan (SEBOLA97.LHA) ....: (VHelp-50.txt) LZX v1.30 Trojan (CoP Type F) (LZX130.lha) ....: (Flake007.txt) MakeKey v1.10 For Virus_Checker (VcKey110.lha) ....: (Flake013.txt) Maups v2.0 (HH 4 Infected) (MAPUS200.LZX) ....: (VHelp-43.txt) Max BBS trojan Type A (JC_SpiceGirls.LHA) ....: (vht-dk65.lha) Max BBS trojan Type B (nce-tri9.lha) ....: (vht-dk64.lha) Max BBS trojan Type C (SPICE_POWER.lha) ....: (vht-dk63.lha) Max BBS trojan Type D (Mpeopledemo.lha) ....: (vht-dk62.lha) Max BBS trojan Type E (unpackjpeg) ....: (vht-dk72.lha) Miami DeLuxe v0.9c Fake (mdlx09c.lha) ....: (vht-dk79.lha) Miami Keyfile checker Trojan (PHK-MKEY.lzx) ....: (vht-dk67.lha) MultiView v3.1 (Ebola infected) (CPU-MV31.LHA) ....: (VHelp-55.txt) Mutation Nation linkvirus ....: (Flake027.txt) NC210.LHA and NC210.LZX Infected (NC210.LHA/LZX) ....: (Vhelp-31.txt) NComm v3.2 Trojan. (NCOMM32.LHA) ....: (Vhelp-06.txt) No Sense Diskmagazine Infected (C!S-NS1.DMS) ....: (Vhelp-33.txt) Pestilence Bootblockvirus 1.15 ....: (Flake001.lha) PolishPower link virus (amftp 1.91) ....: (vht-dk73.lha) Phenomena DOS-Extender V1.1 (PHA-XMAS.lha) ....: (Flake019.txt) Quarterback Tools Trojan (ORS-QBD.LHA) ....: (Vhelp-24.txt) Removcmd.lha Trojan (Removcmd.lha) ....: (Flake000.lha) ReOrgIt Trojan (ReOrgIt.lha) ....: (vht-dk66.lha) SInfo v1.00 Trojan (SINFO10.LHA) ....: (Vhelp-11.txt) Surprise Trojan at 'TP 4'. (SURPRISE.DMS) ....: (Vhelp-01.txt) Susi_Drive_Stepper Trojan ....: (Flake018.txt) Strange Atmosphere LinkVirus (srn-db33.lha) ....: (Flake023.txt) Tetris Attack Full Release Disk 1 (HF-TETA1.LHA) ....: (vhelp-37.txt) Tetris Attack Full Release Disk 2 (HF-TETA2.LHA) ....: (vhelp-37.txx) The Black Lotus 'Abduction' demo (TBL-ABDU.LHA) ....: (VHelp-40.txt) TMTC90.LHA Virus Infected (TMTC90.LHA) ....: (Vhelp-30.txt) TP-5 Andromeda Demo Trojan (TP5-ANDR.LHA) ....: (Vhelp-27.txt) TP-5 Parallax Demo Trojan (TP5-PRLX.LHA) ....: (Vhelp-29.txt) TP-5 Silents DK Trojan (TP5-TSL.LHA) ....: (Vhelp-28.txt) TP-5 Spaceballs Demo Trojan (TP5-SPAC.LHA) ....: (Vhelp-26.txt) TP-5 TRSI Trojan (TP5-TRSI.LHA) ....: (Flake020.txt) TRSi Installer Trojan (TRSI-INS.LHA) ....: (Vhelp-21.txt) TRSi Installer Trojan (TRSI-INS.LHA) ....: (Flake011.txt) Voxel_Svind.exe (dph-vos.lha) ....: (Vhelp-35.txt) Virus_Checker v6.60 Trojan (VCHCK660.lzx) ....: (Vhelp-23.txt) VirusWorkshop v5.0 Trojan (TRSI-VW5.LHA) ....: (Vhelp-15.txt) VirusZ II v1.14 - Fake (VZII_114.LHA) ....: (Vhelp-03.txt) VirusZ II v1.19 - Fake (VZII_119.LHA) ....: (Flake010.txt) VirusMemKill v1.2 Trojan (VMK12.LHA) ....: (Flake022.txt) WireFace Trojan Type G (chkmount.lha) ....: (Flake015.txt) Xtruder v3.5 Trojan (XTRUDE35.LHA) ....: (VHelp-45.txt) ZAP v1.1 Unpacker virus infected (TXC-Z11.LHA) ....: (VHelp-34.txt) ZIB linkvirus found ....: (VHelp-53.txt) ZIB linkvirus installer (opus566p.lzx) ....: (Vhelp-54.txt) ---------------------------- End of list -------------------------------
Virus/Trojan Archives In Alfabetic Order ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Archive Name - Archive infected With ! --------------------------------------------------- !ansianim!.lha - Trojan 10000.lha - Ebola Infected Archive a!a-pp2.dms - HNY 96' Infected archive ABASE.DMS - Abase infected Saddam Archiv ABC14.DMS - HNY 96' Infected archive ABLANK11.LHA - AmiBlank Trojan (Kuk Crew) ac0396_1.DMS - HNY 96' Infected archive ACID05.LHA - HNY 96' Infected archive ACID06.LHA - HNY 96' Infected archive ADDY099.LHA - Addy v0.99 Trojan aframe01.lha - Ebola Infected Archive aga_italy2.lzx - Trojan agt-cbsc.lha - HNY 96' Infected archive agt-cowz.lha - HNY 96' Infected archive apt-40kb.lha - HNY 96' Infected archive asp-fx13.lha - HNY 96' Infected archive ASTMA!.LHA - HNY 96' Infected archive ATW-MOD.LHA - HNY 96' Infected archive Birthday.lha - Birthday Trojan & Dropper C!S-NS1.DMS - No Sense Diskmagazine Infected CBS-ETIT.LZX - HNY 96' New String (hunk 11) CCHACK2.exe - CarlingCard Hacker Trojan cdrplay.lha - Ebola Infected Archive CED4.LHA - CygnusEd v4.00 Trojan (CoP) chkmount.lha - WireFace Trojan Type G CNS-BGE.LHA - Happy New Year 98 Infcted cpu-mv31.lha - Ebola infected archive cpu-nfot.lha - Trojan cpucache.lha - Trojan CREATOR.LHA - Creator v1.0 Trojan cry_206.lha - DMS v2.06 Trojan D-S_MK2.LHA - Ebola Infected archive D-S_ZW2.LHA - Ebola Infected archive Darkfuck.lha - HNY 97' Infected archive dat_ho1.lha - HNY 96' Infected archive dat_ho2.lha - HNY 96' Infected archive dat_ho3.lha - HNY 96' Infected archive dat_ho4.lha - HNY 96' Infected archive dat_ho5.lha - HNY 96' Infected archive dat_ho6.lha - HNY 96' Infected archive dat_ho7.lha - HNY 96' Infected archive dat_ho8.lha - HNY 96' Infected archive dat_ho9.lha - HNY 96' Infected archive dat_h10.lha - HNY 96' Infected archive dcodes1_4.lzx - HNY 96' Infected archive dec-scp.lha - AmixHack trojan Denistro.exe - Commander link-virus Infector detag063.lha - HNY 96' Infected archive diceroll.lha - HNY 96' Infected archive digital.lha - HNY 96' Infected archive dive-ing.lzx - HNY 96' Infected archive dop-dm1.dms - HNY 96' Infected archive dlm_prim.dms - Ebola Infected Archive dc-amftp.lha - Hitch Hicker v4.23 Infected arc. dcn-db3p.dms - Trojan dcn-ib2.lha - Ibrowse v2.0 dcn-ib2.lha - Ibrowse v2.0 (Update warning) dph-vos.lha - Voxel_Svind trojan dpl-dc99.lha - dpl-dc99.lha trojan dpl-mam1.dms - Commander link-virus Infector dsy-bul1.lha - HNY 96' Infected archive dtypes455upd.lha - Datatypes.library v45.5 Trojan dvd!-def.lha - Ebola Infected Archive ed-psyo3.lha - HNY 96' Infected archive eft_cc14lha - HNY 96' Infected archive etc!hd.lha - Trojan evilcomm.lha - Trojan FFFF.lha - HNY 96' Infected archive flt1996.lha - Trojan GATH95-!.LHA - Achtung.exe Trojan GVP-HS15.lha - HardDiskSpeeder v1.5 �GVP Inc. h&w-woda.dms - Trojan hackt.lha - ConMan Trojan hdpro624.lha - HD Protect v6.24 trojan hf-cd417.lha - CygnusEd v4.17 fake hf-ced40.lha - CygnusEd v4.0 Trojan hf-lopi1.dms - HNY 96' Infected archive hf-teta1.lha - Cop Trojan (Tetris Attack) hf-teta2.lha - Cop Trojan (Tetris Attack) hf-vc24.lha - Vinci v2.4 (HF intro infected) hf-wttr.lha - Ebola Infected Archive ht-stag1.dms - HNY 96' Infected archive ht-stag2.dms - HNY 96' Infected archive idefix191.lha - Hitch Hicker v4.23 Infected arc. Ins-blf.lha - HNY 96' Infected archive Int-ap21.lha - HNY 96' Infected archive io3-64k.lha - HNY 96' Infected archive IO4-INVI.LHA - Intel Outside 4 Trojan Istrip21.lha - IStrip v2.1 Trojan JC_SpiceGirls.LHA - Max BBS trojan Type A kewlcd.lha - HNY 96' Infected archive kilhitch.lha - Hitch Hiker v2.11 Installer LHA30.LHA - LHA v3.0 Trojan. lop_mi2.lha - BBS Traveller Virus lzx121crk.lha - Trojan LZX130.lha - LZX v1.30 Trojan (CoP Type F) M31H_CRK.LHA - Fungus/lsd installer MAPUS200.LZX - HitchHicker v4.00 Infected mdlx09c.lha - Miami DeLuxe v0.9c fake miamic.lha - HNY 96' Infected archive Modti541.lha - HNY 96' Infected archive modtime.lzx - HNY 96' Infected archive Mpeopledemo.lha - Max BBS trojan Type D msr-a71p.lha - Hitch Hicker v4.23 Infected arc. MST-CA12.LHA - Callerslog v1.2 Trojan mth-gd10.lzx - Ebola Infected Archive MUI020.LHA - Happy New Year 97' New string Nbk-fkt.lha - HNY 96' Infected archive NC210.LHA - Happy New Year 96' Infected NC210.LZX - Happy New Year 96' Infected nce-tri9.lha - Max BBS trojan Type B NCOMM32.lha - NComm v3.2 Trojan (CoP) nhp122.lha - Ebola Infected Archive NUP-SLOS.LHA - HitchHiker v4.11 infected OPUS5.LHA - DirectoryOpus v5.00 (CoP) opus566p.lzx - ZIB linkvirus Installer orb!mk.dms - HNY 96' Infected archive ORG3_3.LHA - HNY 96' Infected archive ORS-QBD.LHA - Quarterback Tools Trojan (CoP) otl-db1d.dms - Ebola Infected Archive patchhh.lzx - HitchHiker 3.00 linkvirus pet-sus5.dms - Ebola Infected Archive PHA-XMAS.lha - Phenomena DOS-Extender V1.1 PHK-MKEY.lzx - Miami Keyfile checker Trojan PHT-Suns.lzx - HNY 96' Infected archive phonebook.lha - HNY 96' Infected archive plo-dm1.dms - HNY 96' Infected archive Plo-dm2.dms - HNY 96' Infected archive PSG-AE5.LHA - AmiExpress v5.0 Trojan psp-64k.lha - HNY 96' Infected archive PSY-HAL.LHA - Ebola infected Removcmd.lha - Removcmd.lha Trojan ReOrgIt.lha - ReOrgit Trojan scansys.lha - Trojan scm-bps1.lha - HNY 96' Infected archive SEBOLA97.LHA - Lisa fuckup v3.0 trojan SIGN.LHA - DancePoolModTro.exe Infected SINFO10.lha - SInfo v1.00 Trojan slt-m21g.lha - Hitch Hicker v4.23 Infected arc. SPICE_POWER.lha - Max BBS trojan Type C srn-db33.lha - Strange Atmosphere LinkVirus Strip64.lha - HNY 96' Infected archive SURPRISE.DMS - Surprise Trojan at 'TP 4' TBF-F175.LHA - AMFTP v1.75 HNY 97' Infected TBL-ABDU.lha - The Black Lotus 'Abduction' demo Timezone.lha - HNY 96' Infected archive toolsd26.lha - CoP Trojan TP5-ANDR.lha - TP-5 Andromeda Demo Trojan TP5-PRLX.lha - TP-5 Parallax Demo Trojan TP5-SPAC.lha - TP-5 Spaceballs Demo Trojan TP5-TSL.lha - TP-5 Silents DK Trojan TP5-TRSI.lha - TP-5 TRSI Trojan trc-resc.lha - Trojan TRSI-BV1DMS - Ebola Infected Archive TRSI-FT.LHA - Futuretracker Trojan TRSI-INS.lha - TRSi Installer Trojan TRSI-vw5.lha - VirusWorkshop v5.0 Trojan (CoP) TXC-Z11.lha - ZAP v1.1 Unpacker virus infected USX-SCFN.lha - HNY 96' Infected archive VCHCK660.lzx - Virus_Checker v6.60 Trojan VcKey110.lha - MakeKey v1.10 For Virus_Checker VMK12.lha - VirusMemKill v1.2 Trojan VZII_114.lha - VirusZ II v1.14 (Fake) VZII_119.LHA - VirusZ II v1.19 (Fake) w9-sex.lzx - Happy New Year 98' Infected XTRUDE35.LHA - Xtruder v3.5 Trojan
After a big HD-Crash in October 1998, a lot of the viruses that Virus Help Denmark has been collecting over the years was lost. We use the viruses for testing of antivirus programs. Please help us.... If you find some of these viruses/trojans then, Please mail them to us or please upload them to one of our Support BBS'es , the sysop will see that it get to us. We have recived a lot of the missing viruses, but we still need your help with the last viruses. Thanx must go to these fine guy's/girls' for sending a lot of the viruses: Dave, Torsten, Dennis, Morten, Buzz, Michael, Martin, Ram, VTC, Soenke, Jan, Markus, Georg Here is a list of the missing viruses: Link-Virus: ----------- EF67A3C3 Irak 3 GlobVec LOBO Weird Prometheus Starcom 1 WECH Xeno 1 File Viruses: ------------- Aibon 2 Installer 2 Alien Life Form 1 Alien Life Form 3 BootJob Exe-BB BootShop Installer 2 Butonics 3,2 Centurions 2 Circle Of Power 10 (ToolsDeamon) Disk-Killer 1,0 General Hunter 3,2 H.N.Y. Clone H.N.Y. Clone Inst. Lha-Check 1,1 Nano 1 NoGuru 2,0 SehrJung LoadWB Str.Atmosphere Inst. 2 SysInfo 2,2 Tai-Pan BB Installer TFC Revenge LoadWB Timedate Installer Vera 2,3 XPR-Speeder 3,2 Send these viruses to Virus Help Denmark or Upload them to one of our Support BBS'es around the world.
Virus/Trojan/Archives we are looking for, help us! ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If you have some of these archives, please send them to us . Archive name - Kind - Size - Program info ----------------------------------------------------------------------------- aga_italy2.lzx Trojan 117026 Demo from AGA Italy, ruins rdb on hd's. etc!hd.lha Trojan ? Is said to be some kind of trojan. evilcomm.lha Trojan 40044 For Daydream BBS, corrupts hd's & fd's. flt1996.lha Trojan ? Fairlight 1996 production, Trojan. h&w-woda.dms Trojan ? Warrior of darkness AGA, hd formatter. patchhh.lzx Virus ? Install the Hitch Hiker virus. scansys.lha Trojan 12508 Fast optimizer for 68020-68030. srn-db33.lha Virus ? Contains a new link-virus. toolsd26.lha Trojan ? ToolsDeamon v2.6, COP Trojan. ----------------------------------------------------------------------------- Thanx to these guys/girls for sending archives: Ramon for cpu-nfot.lha, John for kilhitch.lha, Bruce for trc-resc.lha.
Hi All....... This trojan or virus has NOT been tested. The reason for this is that we do not have this file/archive in our collection. Please mail it to us if you have it. No names will be written down, unless you want credit for it. It is only the virus that we are looking for. Name and adress will be in the trachcan, if you want it. Please... Help us to support the anti-virus programmers. You can contact Virus Help Denmark, at this adress . -- Thanx for your help... Jan Andersen
BAD NEWS ---------- This must be the worst news in 1998....... Markus Schmall has stopped programming VirusWorkshop. Markus got a new job at a software company that is going to take all his time. There is nothing that we can do about this..... Exept to thank Markus for the time he made one of the best antivirus programs for the Amiga. VirusWorkshop will be missed.. Good luck in the future Markus...... Regrads.... Jan and the rest of the Amiga fan's all over the world.......
This archive in infected with the Ebola linkvirus, please read this analysis that Markus has done: Entry...............: Ebola Virus Alias(es)...........: E1116 (to stay CAROconform) Virus Strain........: - Virus detected when.: 9/1995 where.: Germany Classification......: Linkvirus,memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: 1116 Bytes 2. Length in RAM: 3300 Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+) Computer model(s)...: all models/processors (MC68000-MC68060) --------------------- Attributes --------------------------------------- Easy Identification.: none Type of infection...: Self-identification method in files: - Searches for $ab1590ef at the end of the first Hunk. Self-identification method in memory: - Checks for $213f at offset -2 of the loadseg() function System infection: - non RAM resident, infects the following functions: Dos LoadSeg(), Exec FindTask() and Exec OpenResource() Infection preconditions: - File to be infected is bigger then 2500 bytes and smaller then 130000 bytes - First hunk contains a $4eaexxxx command in the 16 bit range to the end of the file (test for the first entry) - the file is not already infected (the at long of the end of the hunk) - HUNK_HEADER and HUNK_CODE are found Infection Trigger...: Accessing files via LoadSeg() Storage media affected: all DOS-devices Interrupts hooked...: None Damage..............: Permanent damage: - None Transient damage: - none Damage Trigger......: Permanent damage: - None Transient damage: - None Particularities.....: The crypt/decrypt routines are partly aware of processor caches. The cryptroutine are non polymorphic and only consists of some logical stuff. The virus uses some simple retro technics to stop viruskillers searching for Draco and possible for the HochOfen (Trabbi) Virus. Similarities........: Link-method is comparable to the method invented with the infiltrator-virus Stealth.............: No stealth abilities Armouring...........: The virus uses only a single armouring technique to confuse people. It only crypts it`s code based on the position of the rasterbeam. Comments............: The name EBOLA is the name of a virus, which humans can get infected with. CARO rules say, that no names of persons etc. may be used to call a virus, but I spoke to other persons and they already recognized this virus in this way. --------------------- Agents ------------------------------------------- Countermeasures.....: VW5.5 and VT 2.76 Countermeasures successful: All of the above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hannover, Germany 03.09.1995. Classification by...: Markus Schmall and Heiner Schneegold Documentation by....: Markus Schmall (C) Date................: September,03. 1995 Information Source..: Reverse engineering of original virus Copyright...........: This document is copyrighted and may be not used in any SHI publication ===================== End of EBOLA Virus =========================
Entry...............: H.N.Y.96. / H.N.Y 97 Alias(es)...........: Happy_New_Year_96, Happy_New_Year_97 Known clones........: Aram Doll Virus detected when.: 11/1995 where.: Austria, Germany, Holland, Poland and USA Classification......: Link virus, memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: 540 Bytes 2. Length in RAM: 540 Bytes Happy New Year97 uses Filepart() instead of LoadSeg infection and the static length 628 bytes. All other commands are 100% equal. --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+) Computer model(s)...: all models/processors (MC68000-MC68060) --------------------- Attributes --------------------------------------- Easy Identification.: Text at the end of the first hunk: "Happy_New_Year_96" Type of infection...: Self-identification method in files: - Searches for $65772059 in the first Hunk. Self-identification method in memory: - Checks for $2f08 in the LoadSeg function System infection: - RAM resident, infects the LoadSeg() code of DOS library Infection preconditions: - device has more than 4 free sectors - file is longer than $960 bytes and shorter than $1e460 bytes - Hunk_Code is found in the area behind the HUNK_ header (NO CHECK FOR RUNAWAYS!!!) - The filename contains this not a "-" and does not contains ".l". This is probably to be secure no to infect a library. - $4e75 is found at the end of the first CODEHUNK or $4e75 is in the last $3f words of this hunk. Infection Trigger...: Accessing the volume Storage media affected: all DOS-devices Interrupts hooked...: LoadSeg() of DOS will be used for the infection code. The routine is a little bit buggy and trashes the a1 register. Damage..............: Permanent damage: - None Transient damage: - None Damage Trigger......: Permanent damage: - None Transient damage: - None Particularities.....: This virus uses no encryption routines to hide it`s code. The LoadSeg() patch isn`t 100% clear and trashes the adress register A1. Similarities........: Link-method is comparable to the Crime series. End of the first hunk will be the loc. for the virus and the last "RTS" will be replaced. Stealth.............: no stealth abilities found Armouring...........: The virus uses only some special adresscommands to confuse the AV people. Installers..........: DemoManiac 2.19 fake (dop-dm1.dms) DeTag0.63 (detag063.lha) --------------------- Agents ------------------------------------------- Countermeasures.....: VT 2.79, VW 5.8 Countermeasures successful: all of the above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: (C) Markus Schmall, Hannover, Germany Classification by...: Markus Schmall Documentation by....: Markus Schmall Date................: November,24. 1995 Information Source..: Reverse engineering of original virus Copyright...........: Markus Schmall, the VTC Uni Hamburg is allowed to use this document in their libraries. SHI is forbidden to use this document in any form. ===================== End of H.N.Y.96. Virus ============================ Notes about the known clones: Aram Doll is a normal linkvirus with 560 byte length. It`s not crypted and uses the LastAlert pointer of Execbase for the selfrecognition in memory. The LoadSeg patch differs a little bit.
WARNING !!! WARNING !!! WARNING !!! WARNING !!!WARNING !!! WARNING !!! WARNING !!! WARNING !!!WARNING !!! WARNING !!!WARNING !!! We have nok found the file that infects your systems with the Commander virus. The infector program is called: DENISTRO.EXE I have two versions of this file, but they both installs the virus: 1.. It has a size of 66592 bytes. 2.. It has a size of 71800 bytes. Do not start this program, it will install the link part of Commander virus, and add 1664 bytes to your LoadWB command. This Virus has now been around for a few month, but now we know. Over 60 BBS'es in scandinavia has now been infected with this new virus. But thanx to the AntiVirusProgrammers that has updated there killers fast, to try and stop this virus. Thanx to: Kim B. Jensen - For sending my the 'Denistro.exe'. The installer of Commander is now on it's way to every well known anti-virus programmer. Regards _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ /____/
WARNING !!! WARNING !!! WARNING !!! WARNING !!!WARNING !!! WARNING !!! WARNING !!! WARNING !!!WARNING !!! WARNING !!! WARNING !!! TROJAN FROM 'THE PARTY 4' CALLED SURPRISE.EXE --------------------------------------------- There is a new warning about a demo that damages your RDB Boot. (Great way of starting the new year) :-((((((((( This demo is called 'SURPRISE.exe', and has a size of 39296 bytes. It makes all your partitions on your HD into, one partition and calls it 'SUCK ME ORGANIZERS'. We think that it only makes damages on SCSI devices, but we are not sure about that. The demo was made at the 'PARTY 94' in Herning, Denmark. And was given to the organizers to compeat in the contest of the best demo. It did do some damage to there HD, but a guy (Benny) did restore there HD. We do not know if it was spred at the party. But if it was, please take care of this demo. This demo is on it's way to every wellknown antivirus programmer. Regards.... __ __ /// Jan Andersen FidoNet: 2:236/116.1 \\/// VIRUS HELP AmyNet : 39:141/142.0 \XX/ DENMARK
WARNING !!! WARNING !!! WARNING !!! WARNING !!!WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! DO NOT EXECUDE THE FILES FROM ADDY099.LHA ----------------------------------------- Do NOT start the 'ADDY0.99.Exe', it will replace your startup-sequence and shell-startup, and add 656 bytes to your c:Dir command. Spread in the archive 'ADDY099.LHA'. It will change your startup.sequence with a new small one: Prompt "AfraId ?..tHe fReAk wAs hEre 2 dEvEstAte NDOS:>" Every time you run a shell it will add a line in your user-startup "Wait 5" and you will the the text above when you are rebooting. I do not know what it does to your 'C:Dir command', but if you have started this program up, the replace the 'c:Dir command', with a new clean one, form your WB disk's. It will work under KS 2.0 and 3.0, have not tested it under KS 1.3 yet. There is a "Readme" text in the archive, this is what is says: ///////////////////////// Addy Ver. 0.99 \\\\\\\\\\\\ �������������� WHAT THE FUCK IS IT ? A small BBS Add maker, for you guys to put in your .lha's :) This Programme is made by me, if you like it, tell me cause i've JUST started learning how to do make small programmes, if there are any bugs in it, please let me know, i can be found at the coolest bbs'es in Sw. ( Sorry about the lame doc, but i just can't wait to release my first programme ). Usage: If you cant figure this one out, you never will. Simply double click And follow the instructions. Easy Huh ? Known Bugs: NONE.. at all.. tested very well.. Wouldent want my first release to be crap.. would I ? Written By The Freak ! \\\\\\\\\\\\\\\\\//////////////////////////////// There is a FILE ID.DIZ to, here is the text: _________________________ : : | _____________________ | | \\\\\/////////// | | \Addy\ver./0.99/// | | \\\my\FIRST//// | | \Release EVER/ | | \\\/////// | | ~~~~~~~~~~~ | | -��bY tHe FreAk��- | | SysOp at | | �Money Talks� | | +44 ELITE ONLY | �_________________________: ------ END ------- The archive is on it's way to every well known antivirus programmer in the world, thanx guys for the great job you are doing..... Thanx to Morph, for sending me this new 'Thing'. Regards _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ /____/
WARNING !!! WARNING !!! WARNING !!! WARNING !!!WARNING !!! WARNING !!! WARNING !!! WARNING !!!WARNING !!! WARNING !!! WARNING !!! FAKE VIRUSZ II v1.14 ====================== On Thursday 2-2-95, one of my users from Sweden uploaded a new version of VirusZ II v1.14, Released 2-2-95, and it has a size of 64664 bytes. But it is a FAKE VERSION. In the doc' there was added new virus, but they was the same as in version 3.06 of the old VirusZ, and there was some new virus and here is a quote from the FAKE guide: - Added Commander2, Saur�nh, and Recycle viruses! Thanks to Markus Schmall for sending them. - Added Big Bug, MixiMaxiMum '93, BootX Kisser and The Amiga Fucker 15.3 bootviruses. Thanks to Markus Schmall for sending them, as always!. I have called Markus on the phone, and he has never heard of these virus, But he told me that there has been a new release of VirusZ II, but the new original release is v1.13. Remember to check the 'ABOUT' gadget,the size of the file is stated there if the size is not right, do not use that version of VirusZ II. Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ /____/
VIRUS WARNING !!! - VIRUS WARNING !!! - VIRUS WARNING !!! VIRUS WARNING !!! - VIRUS WARNING !!! ANOTHER COMMANDER LINK-VIRUS INFECTOR ------------------------------------- We have now found another program, that infects your systems with the Commander virus. The infector program is a Demo or an Intro. If someone knows the name and adress of the programmer of this program, please contact me. The name of the second installer is: "MY MAMA IS A VAMPIRE" It can be found at two archives with the name: Title : dpl-mam1.dms Size : 523162 Desc. : DuPlO DeMo DiViSiOn PrEsEnTs: - --> mY mAMA iS a vAMPiRE! (aGA oNLY) <-- - - --- * Version 3.0 (100% working!)-[1/2]- - Awesome texture effect! - Released 30 Oct 94 Title : dpl-mam2.dms Size : 602250 Desc. : - --> mY mAMA iS a vAMPIRE! (aGA oNLY) <-- - - ---------- * Version 3.0 * ------------- - - - (100% bugfixed and fully working ----- - - -- version, packed in a NON corrupted -- - - --- archive this time!) ---------------- - ------------------------------------[2/2]- - Do not start this program, it will install the Commander virus, and add 1664 bytes to your LoadWB command. And infect everything that you will try to execute. Thanx to: Steffen Rabenborg - For telling me about the new installer. Peter Klein - For finding the new installer to me. The installer of Commander is now on it's way to every well known anti-virus programmer. Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ /____/
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! DO NOT START 'ACHTUNG.EXE' FROM THE ARCHIVE 'GATH95-!.LHA' ---------------------------------------------------------- There has just been released a archive called 'GATH95-!.LHA', there are one dectructiv program in the archive: Achtung 14032 Bytes Achtung.exe 14032 Bytes The FILE_ID.DIZ looks like this: +------------------------------------------+ |Virtual Dreams, Melon and Rage's New Intros +------------------------------------------+ [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%] THE GATHERING PARTY INVETATIONS. 3 OF THEM [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%] +------------------------------------------+ |The BEST CODE of 1994/95. Defintly! Get it! +------------------------{ cSo/�(�'g5! }---+ This has NOTHING to do with the 'Gathering 95' in Oslo.... Do not start the program 'Achtung.exe' and 'Achtung', will search for DH0:, and then make a lot of files starting with this: LAMER.AAAAAAAA 10240 Bytes (and then change the last letter B) LAMER.AAAAAAAB 10240 Bytes (and then change the last letter C) LAMER.AAAAAAAC 10240 Bytes (and then change the last letter D) And keep doing that until your HD is full. I have talked to a guy in Denmark, that has lost everything on his DH0 drive, and there was some damage to a lot of files, and the name of his system was renamed to 'LAMER:!!!!' due to this little sucker. And I have other reports about HD craches due to 'Achtung.exe'. I have tried it on floppy disks, and the one a called 'DH0:' was filled up with all of these 'LAMER.AAAAAAAA' 880 kb of them. I'm not gonna lose my HD trying to find out some more about this thing. The most improtant thing is: DON'T START THIS SUCKER !!!!!!!! But this little thing is on it's to every wellknown antivirus programmer. Thanx to Brian Overby for the help.... Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ /____/
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! DO NOT START 'NComm v3.2' FROM THE ARCHIVE 'NCOMM32.LHA' ---------------------------------------------------------- There has just been released a archive called 'NCOMM32.LHA', there are a dectructiv program in the archive: NComm 121896 Bytes (Packed with Stonecracker 4.04) NComm 226116 Bytes (Unpacked) The FILE_ID.DIZ looks like this: ******************************************** NCOMM V3.2 *CRACKED* KEYFILE CHECK REMOVED! ******************************************** The 'Sucker' started in the S: directory replacing the data's in EVERY file with the text 'CIRCLE OF POWER 1995', so the startup-sequence and rest of the files in the S dir was totally destroyed. All .info files will be replaced in the same way The archive is now on it's way to every wellknown anti-virus programer. Thanx to Jan Ravn, for sending the 'thing' to us.... Best Regards..... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! DO NOT START THE 'LHA v3.0' FROM THE ARCHIVE 'LHA30.LHA' ---------------------------------------------------------- There has just been released a archive called 'LHA30.LHA', and there are a dectructiv program in the archive: "LHA3.0 69888 bytes (Packed with Stonecracker 4.04)" "LHA3.0 105808 bytes (Unpacked) The FILE_ID.DIZ looks like this: LHA 3.0 FROM STEFAN BOBERG The "Sucker" started in the S: directory replacing the data's in EVERY file with the text 'CIRCLE OF POWER 1995:', so the startup-sequence and rest of the files in the S dir was totally destroyed. The LHA3.0 looks a lot like the fake 'NComm 3.2', it does the same things to your HD and disk's. The archive is now on it's way to every wellknown anti-virus programer. Thanx to Kim B. and Flemming S., for sending the 'thing' to us.... Best Regards..... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! DO NOT START THE 'CED4' FROM THE ARCHIVE 'CED4.LHA' ---------------------------------------------------------- There has just been released a archive called 'CED4.LHA', and there are a dectructiv program in the archive: CED4 174500 bytes (Unpacked) The FILE_ID.DIZ looks like this: CYGNUS EDITOR V4.0 (MAIN) The "Sucker" started in the S: directory replacing the data's in EVERY file with the text 'CIRCLE OF POWER 1995:', so the startup-sequence and rest of the files in the S: dir was totally destroyed. This goes for all files in your 'DEVS:' directory to. The CED4 looks a lot like the fake 'NComm 3.2' and 'LHA30.LHA' it does the same things to your HD and disk's. Please take care, there is a lot of fake programs around, that does this thing. Checke everything before you start it. The archive is now on it's way to every wellknown anti-virus programer. Thanx to Kim B., for sending the 'thing' to us.... Best Regards..... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! DO NOT START THE 'OPUS5' FROM THE ARCHIVE 'OPUS5.LHA' ----------------------------------------------------------- There has been released a archive called 'OPUS5.LHA', and there are a dectructiv program in the archive: I have not seen the archive yet, but I have talked to some people that used this 'thing', and had there data files replaced, It does the same things that 'NCOMM32.LHA', 'CED4.LHA' and 'LHA30.LHA' it will replace the data's in EVERY file with the text: 'CIRCLE OF POWER 1995:' Please take care, there is a lot of fake programs around, that does this thing. Checke everything before you start it. If you find this program, please send it to me, or send it to all the well known antivirus programmers. Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/ More information about the 'OPUS5.LHA' Trojan
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Hi All !!! I now know some more about the FAKE Opus v5.0, it has a size of 347308 bytes. The archive 'OPUS5.LHA' has a size of 464397 bytes, and in the FILE_ID.DIZ you can read: ------------------------------------------- DIRECTORYOPUS v5.0 ------------------------------------------- * Uses multiple processes for windows. * Full REXX support * Faster dir-routines. * Better archive handeling, supports LZX! ------------------------------------------- No anti-virus program can find this trojan yet, but I have tested it on all the wellknown killers, and there are only 2 that detects something yet, but this trojan is now on it's way to every wellknown anti-virus programmer VirusWorkShop v4.9, can not find it yet, but will give you a requester saying that: "$3f0/$3f1/$3e8 Hunk at the beginning found" VT v2.71 can not find it yet, but will give you a requester saying that: "3E8-Hunk am anfang ist im file" Thanx to Kim B. for uploading this 'thing' to our BBS. Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! DO NOT START THE 'Sinfo v1.0' FROM THE ARCHIVE 'SINFO10.LHA' ------------------------------------------------------------ There has been released a program called 'SInfo v1.0', do not start that program it will replace every file in your S:, Libs: and C: with a new file, with a size of 5 bytes, in this file you can read 'cop!'. This is another program from 'CIRCLE OF POWER!', the same lamer that has written 'NComm32.LHA', 'OPUS5.LHA', 'LHA30.LHA' and 'CED4.LHA'. There is another thing, SInfo v1.0 will ask for 'SINFO.library', and the library is in the archive, BUT it is not 'Sinfo.library', it is the reel 'Bootblock.library v3.1' from SHI, why this ???????? SInfo v1.0 is spread in a program called 'SINFO10.LHA', and has a size of 4432 bytes The main program has a size of 2552 bytes. In the FILE_ID.DIZ you can read: .------------------------------------------. | SYSTEMINFO V1.0 BY JURGEN HUNSMANN 1995! | | A VERY GOOD REPLACEMENT OF THE INFO CMD! | `----------------------------------(baron)-' In the DOC you can read this: ---------------------------- QUOTE START --------------------------------- TYPE: SystemInfo ala INFO DESC: Will list all devices available on you're system. AUTH: J�rgen H�nsmann DATE: 01-Apr-95 MAIL: [email protected] FIDO: 2:286/407.19 SInfo v1.0 DOC! ~~~~~~~~~~~~~~~~~ It works just like the WorkBench Info command, but has some features not found in the default INFO command. 1) It will show Meg/Kilo/Bytes left on the device instead of blocks. 2) It is ALOT faster 3) It shows assigns 4) Can force devices to be validated! Contact me at the addresses above! ---------------------------- QUOTE END ----------------------------------- This new 'CIRCLE OF POWER!' thing, is on it's way to every wellknown anti- virus programmer. And to the 'COP!' programmer, STOP the shit you are doing, you must have a big problem somewere. Thanx to Kim B. for uploading this to my BBS. Regards... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:236/116.1 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! DO NOT START THE 'CREATOR' FROM THE ARCHIVE 'CREATOR.LHA' --------------------------------------------------------- In the last day or two, a lot of people have uploaded a small program to 'Virus Help BBS' with the name 'cREATOr v1.0', it is stated in the doc that it is a program, that will you choose how fast your HD shall run after every reset. BUT if you run it, it will start to format your hard- disk. The doc says nothing about this. Here is some info about the program: Archive name......: CREATOR.LHA Archive size......: 2757 bytes Files in archive..: CREATOR.DOC 1124 bytes FILE_ID.DIZ 484 bytes C:CREATOR.SCR 40 bytes S:CREATOR.DAT 2880 bytes The FILE_ID.DIZ looks like this: ******************************************* * cREATOr V1.0 (C) 04-10-95 * * * * Thiz Powerful Tool Will Let You Choose * * How Fazt Your HD (Mili Seconds) Shall * * Run After Every Reset !!! Normally Thiz * * Is Only Possible With SCSI-2 HD's And A * * Fazt CPU (020/030/040) But After 1 Year * * Of Hard Coding I've Developed This Good * * Product Which Should Run On All AMIGAS! * ******************************************* So DO NOT start this thing, you will loose your HD. This thing is on it's way to every wellknown antivirus programmer, who will accept new virus from 'Virus Help'. Thanx to everybody that has uploaded this thing to our BBS. Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:235/112.0 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/ More about the 'Creator' Traojan
Hi All...... Hmmmmmm, there has been another release of the CREATOR trojan, but there is something wrong again. Again the doc' states that it will let you choose how fast your HD shall run after every reset. But if you try to start the program, you will asked to write 'FORMAT' in a shell, and that would be a stupid thing to do, right ???. This 'new' update will NOT work at any of my Amiga's, so there for I can not tell you what it will do, but I have people testing it right now. Here is some info about the program: Archive name......: CREAT_11.LHA Archive size......: 2757 bytes Files in archive..: CREATOR.DOC 1124 bytes FILE_ID.DIZ 484 bytes C:CREATOR.SCR 40 bytes S:CREATOR.DAT 2880 bytes The FILE_ID.DIZ looks like this: ******************************************* * cREATOr V1.1 (C) 04-11-95 * * * * Thiz Powerful Tool Will Let You Choose * * How Fazt Your HD (Mili Seconds) Shall * * Run After Every Reset !!! Normally Thiz * * Is Only Possible With SCSI-2 HD's And A * * Fazt CPU (020/030/040) But After 1 Year * * Of Hard Coding It Works Very Fine !!! * * FIX VERSION - FIXED VERSION - FIXED VER * ******************************************* This thing is on it's way to every wellknown antivirus programmer, who will accept new virus from 'Virus Help'. Thanx to everybody that has uploaded this thing to our BBS. Regards.... Jan Andersen.
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! DO NOT START THE 'FUTURETRACKER' FROM THE ARCHIVE 'TRSI-FT.LHA' --------------------------------------------------------------- Okay there is another 'Circle Of Power' trojan around. This time it is in a fake ProTracker called 'FutureTracker'. It will do the same thing as the other trojans that 'CoP' has released in the last month, only this time it will rewrite every file in DEVS:, L:, and S:, with another file where you can read this: [cOp]: Khanan / Circle Of Power :[cOp] This time the 'thing' will show a text on the screen (See the Iff.Pic in this archive). Here is what it says: - - - - - - - - - - - - - - - - START - - - - - - - - - - - - - - - - - - .cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp cIrcle of pOwer'95 .cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp.cOp --[==================================================================]-- Sweden's no.1, "CIRCLE OF POWER" rammed yer arse again!! Have phun retyping all those valueble config's. haha! Fuck you all! -^( THE TERROR WILL NEWER STOP, PHEAR THE MIGHTY COP! )^- --[==================================================================]-- [kHANAN/cOp] - - - - - - - - - - - - - - - - - END - - - - - - - - - - - - - - - - - This text will come to your screen when 'FutureTracker' is replacing the files on your harddisk. Here is some info about the program: Archive name......: TRSI-FT.LHA Archive size......: 278290 bytes Files in archive..: FutureTracker 317608 bytes FILE_ID.DIZ 360 bytes FutureTracker.cfg 1065 bytes FutureTracker.doc 90 bytes The FILE_ID.DIZ looks like this: _ _ __________________________- --. .--------\\_ ___/___ / ______/--^-|. | bACk tO | | __/ _/______ \ |: | tHe rOOTs l____|___/ \_________\____|| |-------------------/_______\----------cDr-| | FutureTracker - ProTracker Clone by PSI! | | 6 channels, 256 samples, full MIDI port! | `------------------------------------------' This thing is on it's way to every wellknown antivirus programmer, who will accept new virus from 'Virus Help'. Thanx to Kim B. for uploading this thing to our BBS. Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:235/112.0 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! DO NOT START THE 'VIRUSWORKSHOP' FROM THE ARCHIVE 'TRSI-VW5.LHA' ---------------------------------------------------------------- There has just been released a FAKE version of 'VirusWorkShop v5.0', when you try to run the program, some music will start, and that is all that I can find out. I can not se that it writes anything to any drives. But I'll let some others, test it on there systems. I can tell you, that Markus Schmall has never made a version 5.0, and that he never will release VirusWorkShop with the version string v5.0 This is said to be antoher 'COP' (Circle Of Power) release, but I can not get it to infect my system. Here is some info about the program: Archive name........: TRSI-VW5.LHA Archive size........: 221737 bytes VirusWorkShop Size..: 135744 bytes The FILE_ID.DIZ looks like this: _________________ ____________ \ . ___.___._�\/ ____/_____) TRiSTAR & \/| .| | �| _/_____�\| �| | || | : �\ �V \ || RSi |___| |___|___\______/_____| �+*#*+�^�TRN!�|____\�+*#*V�^�+*#*+�PRESENT!� VIRUS-WORKSHOP 5.0 This thing is on it's way to every wellknown antivirus programmer, who will accept new virus from 'Virus Help'. By the way.. The newest version of VirusWorkShop at this date is v4.9, and the size is 136556 bytes. Thanx to Kim B. for uploading this thing to our BBS. Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:235/112.0 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! THE ARCHIVE 'ABASE.DMS' IS INFECTED WITH SADDAM VIRUS ----------------------------------------------------- There has been spread a demo version of a program with the name 'ABASE', it is an adress base from Poland. This archive contains the Saddam virus which is inside the 'l:Disk-validator'. This info is for the Amiga user that still runs with KickStart 1.3, that is because that Saddam Virus can not run under kickstart 2.0 -> 3.1. Here is some info about the program: Archive Name.......: ABASE.DMS Archive Size.......: 222609 Bytes ABase program......: 83096 Bytes, PowerPacked (138332 Bytes Unpacked) Saddan Virus.......: L:Disk-Validator (1848 bytes). Again thanx to Kim B. (Great Virus-Hunter)..... Regards... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:235/112.0 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/
WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING DO NOT START THE PROGRAM 'CCHACK2.exe' -------------------------------------- There has been released a program that is said to be a CallingCard Hacker, if you start the program it will look for a BBS: assign, and then read the user.data file. This textstring is coded in the the file. Why a hacker program for CallingCards, want to read the 'BBS:User.Data', I do not know, but do not trust this program.... Here is some info about the trojan: Name.....: CCHACK2.exe Size.....: 11216 Bytes (unpacked) If you start the program this will be displayed: MCI CallingCard Hacker by ByTePaCkEr/Finland 1995 Usage: CChack2.exe <CALLINGCARD.NR.> VT v2.72 will find this 'thing', but in the doc to VT, Heiner states that the file has a size of 11368 Bytes (unpacked), so maybe there is an other version of this trojan, and maybe the name of this is 'CCHACK.EXE', I do not know. This 'thing' is on it's way to every wellknown antivirus programmer, that will accept new virus from us. Thanx again to Kim B. a great virushunter, for uploading it to us..... And to Markus Schmall for the first info about this 'thing'... Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:235/112.0 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/
WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING DO NOT START THE 'Acp' FROM THE ARVHIVE 'PSG-AE5.LHA' ----------------------------------------------------- There has been released a program that is said to be a new version of the BBS program AmyExpress v5.0, but it is another 'Circle Of Power' trojan, it will replace every file in DEVS: and S: dir, with a textfile where you can read: [cOp]: Khanan :[cOp] Inside the fake 'AmiExpress v5.0' file 'Acp', you can read this is the ASCII text: $VER: ACP V5.0 (C)-95 JOSEPH HODGE In the File_ID.Diz, you can read: AmiExpress v5.0 If you start the program, a shell window will pop up, where you can read this: [cOp]: The Circle Of Power did it AGAIN! :[cOp] [cOp]: :[cOp] [cOp]: THE TERROR WILL NEVER STOP, PHEAR THE MIGHTY COP! :[cOp] Here is some info about the archive it is spread in: Archive Name..: PSG-AE5.LHA Archive Size..: 71982 Bytes (Striped For BBS adds) Trojan Name...: Acp Trojan Size...: 71904 Bytes Someone must know this 'Khanan' or other members of 'COP'. If you know anything about these stupid guy's, please contact us.... This 'thing' is on it's way to every wellknown antivirus programmer, that will accept new virus from us. Thanx again to Kim B. for uploading this 'sucker' to our BBS..... Regards.... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:235/112.0 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/
WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING WARNING !! WARNING !! WARNING !! WARNING !! WARNING !! WARNING DO NOT START THE PROGRAM 'Copkiller' FROM THE ARCHIVE 'COPKILL1.LHA' -------------------------------------------------------------------- Okay there is another 'Circle Of Power' trojan on the loose. This time it will rewrite the files in DEVS:, and in the new file you can read this: [cOp]: Scotch & Khanan on tour '95 :[cOp] Here is some info about the file it is spread in: Archive name: Copkill1.LHA Archive size: 9801 Bytes Cop Trojan : Copkiller (8428 bytes) In the FILE_ID.DIZ you can read this: >--------- FILE_ID.DIZ START --------------< _____ ______ ___ DIRECT UPLOAD FROM __/ ___// / // /\ SAFE HEX \___ // _/ // / / INTERNATIONAL / / // __ // / / ------------- /____//__/__//__/ / AGAIN A NEW TOP-HIT! \____\__\__\__\/ ------------- ->> PRESENTS C.O.P. Killer v1.1 <<- An excellent trojankiller that recognises the new encoding system used by C.O.P. Also read about the SHI reward >$5000< for the name of a virus programmer. ������۲����� Update 18-05-95 ������۲����� >--------- FILE_ID.DIZ END ----------------< But this is not a release from SHI..... This 'sucker is now on its way to every antivirus programmer, that will accept new virus from 'Virus Help Denmark'. Thanx to Bahrat Asar for uploading this 'sucker' to our BBS. Regards..... _________ _ Jan Andersen. ____/"""./###/____)\_____________ Virus Help - Denmark. /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ FidoNet: 2:235/112.0 \ // / ____/ / //""""/X@! / AmyNet : 39:141/142.0 \_____/\__/___/ ""\______/_________/ VirNet : 9:451/247.0 /____/
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! DO NOT START THE PROGRAM 'CALLERSLOF.SFX' FROM THE ARCHIVE 'MST-CA12.LHA' ------------------------------------------------------------------------- There has been found a new 'COP' trojan in a fake program. It was released about the 28'th of May. Here is some info about the trojan: Archive Name: MST-CA12.LHA Archive Size: 19349 Bytes (Ripped for BBS add's) Trojan Name : cALLERSLOG.SFX Trojan Size : 8428 Bytes (Is not a SFX. Archive) Here is what the File_ID.DIZ will tell you: .--------[____ mYSTIC ____]--------. |__ ______\ \____ / /_________|____ / | \ / /___/_/ ___/______/ ___/__ / \___ /____ \ \ / \ \ / \___\/ /____/ / /______/_____/______/ | /___/ \________/AdN! _|_ | \_/ | cALLERSLOG 1.2 fOR lOGIC bBS | | 100% fIXED - iNC iFF sCREENsHOT | | | `-[LoGIC DeVELOPeMENT]-[/X cOMPAT]-' This new trojan will replace everything in your DEVS: dir. With a text 41 bytes long, where you can read this: [cOp]: Scotch & Khanan on tour '95 :[cOp] This new 'COP' trojan is now on it's way to every wellknown antivirus programmer that will accept new virus from Virus Help Denmark. Thanx again to KIM B. for uploading this our BBS. Regards.... __ __ /// Jan Andersen FidoNet: 2:235/112.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VirNet : 9:451/247.0
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! There has just been released another Trojan. It was uploaded to a BBS in Sweden by Gryzor (Member of Circle Of Power). The name of the archive is: TRSi-INS.LHA (Size about 40000 bytes) The FILE ID.DIZ says that this is an installer for several games. But TRSI has nothing to do with this sucker. We can at this time not say anything more about this trojan, bacause we have written this warning out of a phone call from Markus Schmall, but we will here more when Markus has tested this thing. Regards.... __ __ /// Jan Andersen FidoNet: 2:235/112.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VirNet : 9:451/247.0 Click here to read Markus Schmall's test of the archiv.
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Hi All..... There has just been found a fake Virus_Checker v6.60. Do not use this trojan at all. The VC.guide is just a rewritten v6.57. Here is some info about the sucker: Archive name... : VCHCK660.lzx Archive Size... : About 122.000 bytes (Ripped for BBS adds) VC v6.60 Size.. : 52400 bytes The newest version of Virus_Checker is at this time v6.58 (Brain v1.20) This new trojan is on its way to every wellknown antivirus programmer, that will accept new virus and trojan from us. Regards.... __ __ /// Jan Andersen FidoNet: 2:235/112.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VirNet : 9:451/247.0
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Hi All... There has been released a new COP trojan. This time it is a fake 'QuaterBackTools'. This thimg will replace everything in your S:, LIBS;, BBS:, m.m with a text string of 75 bytes. The file_id.diz of this trojan looks like this: ____ ___ ____ _ ___ ___ ____ ::::: / . \_/ ___)_/_)/ .__)(___)/ ___)::::. :::::/ � \___ \ \ � \/ \___ \::::: :::::\_____/___ /_ /__| \_ /___ /::::: `--[RD10/CodX]�\/--\/--��____\/---�\/---' QUARTER BACK TOOLS DIAMOND SUPPORTS AFS FILE SYSTEM, XPK PARTITIONS, REORGANIZES BETTER THEN REORG, AND USES A SAFETY DISK WHEN REORGANIZING! NO CRASH! RELEASED BY : ERICO / OSIRIS Info about the trojan: Archive name: ORS-QBD.LHA Archive Size: About 128654 Bytes Trojan Name : QBTools3 Trojan Size : 227716 Bytes This new trojan is on its way to every wellknown antivirus programmer that will accept new virus from Virus Help. Regards.... __ __ /// Jan Andersen FidoNet: 2:235/112.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VirNet : 9:451/247.0
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Hello everybody..... The mad guys from 'Circle Of Power' is back. This time it is a faked program called 'DiskMaster v1.4'. It will replace files in LIBS:, DEVS:, S:, with a new file with the length of 41 bytes, and in this file you can read this text: FausT / cIRCLE oF pOWER'95 - TRUE POWER! The file_id of this program look's like this: _________ _ ____/"""./###/____)\_____________ /"""/ //_______ /"""/""./"___/_ / / //"""/" / // / //____ \_ \ // / ____/ / //""""/X@!/ \_____/\__/___/ ""\______/_________/ --><!VIRUS!<></____/-><>-!WARNING!-<><-- Brought To You Diskmaster V5.1 Debugged And Updated With VirusX2.4 VirusKiller!! >>>----------------------------------<<< This is nothing that Virus_Help has anything to do with. But I'm sure that you all know that by now. This littel 'sucker' is on it's way to every wellknown anti-virus programmer that will accept new virus from Virus Help Denmark. Regards.... __ __ /// Jan Andersen FidoNet: 2:235/112.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VirNet : 9:451/247.0
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Hi All !!!!! There is a lot of trojans comming right now from 'The Party 5', but I'm pretty sure that the files are from the 'COP' idiots. The archive 'TP5-SPAC.LHA' with a size about 45000 bytes (ripped from all BBS adds) the mainfile 'TP5_Spaceballs.exe' has a size of 38060 bytes. The program is trying to lock on NComm:, just like tha old COP trojan's. Here is the FILE_ID from the archive: .------------------------------------------. | DIRECTLY FROM THE PARTY 5 | `------------------------------------------' .------------------------------------------. | | | Spaceballs 40k intro called | | 'Ice Frontier' | | | `------------------------------------------' Please do not start the program. The archive is on it's way to every wellknown anti-virus programmer that will accept virus from us. Thanx to 'Tauno Pinni' for bringing this to us...... Regards.... __ __ /// Jan Andersen FidoNet: 2:235/112.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VirNet : 9:451/247.0
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Hi All !!!!! There is a lot of trojans comming right now from 'The Party 5', but I'm pretty sure that the files are from the 'COP' idiots. The archive 'TP5-ANDR.LHA' with a size about 47000 bytes (ripped from all BBS adds) the mainfile 'TP5_Andromeda.exe has a size of 40216 bytes. The program is trying to lock on NComm:, just like tha old COP trojan's. Here is the FILE_ID from the archive: .------------------------------------------. | DIRECTLY FROM THE PARTY 5 | `------------------------------------------' .------------------------------------------. | | | Andromeda's 40k intro called 'feelings'. | | | `------------------------------------------' Please do not start the program. The archive is on it's way to every wellknown anti-virus programmer that will accept virus from us. Thanx to 'Tauno Pinni' for bringing this to us...... Regards.... __ __ /// Jan Andersen FidoNet: 2:235/112.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VirNet : 9:451/247.0
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Hi All !!!!! There is a lot of trojans comming right now from 'The Party 5', but I'm pretty sure that the files are from the 'COP' idiots. The archive 'TP5-TSL.LHA' with a size about 46000 bytes (ripped from all BBS adds) the mainfile 'TP5_SilentsDK.exe' has a size of 39440 bytes. The program is trying to lock on NComm:, just like tha old COP trojan's. Here is the FILE_ID from the archive: .------------------------------------------. | DIRECTLY FROM THE PARTY 5 | `------------------------------------------' .------------------------------------------. | | | Silents DK's 40k intro called | | 'Byte Kitchen' | | | `------------------------------------------' Please do not start the program. The archive is on it's way to every wellknown anti-virus programmer that will accept virus from us. Thanx to 'Tauno Pinni' for bringing this to us....... Regards.... __ __ /// Jan Andersen FidoNet: 2:235/112.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VirNet : 9:451/247.0
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Hi All !!!!! There is a lot of trojans comming right now from 'The Party 5', but I'm pretty sure that the files are from the 'COP' idiots. The archive 'TP5-PRLX.LHA' with a size about 41000 bytes (ripped from all BBS adds) the mainfile 'TP5_Parallax.exe' has a size of 39980 bytes. The program is trying to lock on NComm:, just like tha old COP trojan's. Here is the FILE_ID from the archive: .------------------------------------------. | DIRECTLY FROM THE PARTY 5 | `------------------------------------------' .------------------------------------------. | | | Parallax's 40k intro called 'Cubic'. | | | `------------------------------------------' Please do not start the program. The archive is on it's way to every wellknown anti-virus programmer that will accept virus from us. Regards.... __ __ /// Jan Andersen FidoNet: 2:235/112.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VirNet : 9:451/247.0
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Hi All... A new archive is now spread with an 'old' virus in it. The archive name is 'TMTC90.LHA'. The virus in the archive is 'Disaster Master 2', and it is in the C: dir. in the cls command. Every wellknown viruskiller can find this virus. Just make sure that you don't use or install the 'cls' command on your HD. The FILE_ID.DIZ look's like this: _________________+ Ti/\/\eTr/\cE \______ ______/_________________ | _|__ +\______ ______/ + | | \+ _____| | + |___| \/ / | |_____/ /|_____| Released /_____/ Today Chicago 90 HD and AGA Fixed Done by >TORCH< Leader of TmT That is all for now.... Happy new year everybody.... Regards.... __ __ /// Jan Andersen FidoNet: 2:235/112.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VirNet : 9:451/247.0
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Hi All... A new archive is now spread with a virus in it. The archive name is 'NC210.LZX' or 'NC210.LHA'. The virus in the archive is the new link virus called 'Happy New Year 96'. At this time only 3 viruskillers can find this 'sucker'. VirusWorkshop v5.8... By Markus Schmall VT v2.79............. By Heiner Schneegold VirusZ II v1.27...... By Georg Hoermann The FILE_ID.DIZ look's like this: Get file description from comprograms + Name: NC210.lha Path: Aminet/comm/misc Best: Aces High SW, 5 Ndz That is all for now.... Happy new year everybody.... Thanx to 'ENZO' for saving this for us....... Regards.... __ __ /// Jan Andersen FidoNet: 2:235/112.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VirNet : 9:451/247.0
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Hi All... A new archive is now spread with a virus in it. The archive name is 'SIGN.LHA'. The virus in the archive is the new link virus called 'Happy New Year 96'. Archive Name.....: SIGN.LHA Size.............: 25261 bytes (Ripped for BBS adds). Infected file....: DancePoolModTro.exe (25484 Bytes Packed with STC) At this time only 3 viruskillers can find this 'sucker'. VirusWorkshop v5.9... By Markus Schmall VT v2.80............. By Heiner Schneegold VirusZ II v1.27...... By Georg Hoermann The FILE_ID.DIZ look's like this: .------------------------------------------. | f�GHt AGA�NSt | | FASC�SM. | | | | fR�ENDSh�P RUlEZ... | | WORlDW�DE !! | `------------------------------------------' !!sIGn&sPREAd!! That is all for now.... Happy new year everybody.... Thanx to 'Morten Johan Leerhoy' sending the archive to us... Regards.... __ __ /// Jan Andersen FidoNet: 2:235/112.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VirNet : 9:451/247.0
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Hi All... A new archive is now spread with a virus in it. The archive name is 'C!S-NS1.DMS'. The virus in the archive is the 'Ebola' Link virus. Archive Name.....: C!S-NS1.DMS Size.............: 546381 bytes (DMS Packed) Infected file....: No_Sence1 (60048 Bytes Packed with STC) At this time only 3 viruskillers can find this 'sucker'. VirusWorkshop v5.9... By Markus Schmall VT v2.80............. By Heiner Schneegold VirusZ II v1.27...... By Georg Hoermann The FILE_ID.DIZ look's like this: ___________________________________________ _ _ , __ _ , __ | ) (_) ) (_/_ | ) ) (_/_ n o s e n s e m a g a z i n e - d i s k p u b l. a C - L O U S diskmagazine The First Issue of No Sense Magazine - Disk Publication (Includes Swedish chart.) ___________________________________________ Well, that is all for now..... Thanx to 'Kim B.' sending the archive to us... IMPORTANT: Virus Help DK BBS, new phone number +45 4659 6867. Regards.... __ __ /// Jan Andersen FidoNet: 2:235/112.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VirNet : 9:451/247.0
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Hi All... A new archive is now spread with a virus in it. The archive name is 'TXC-Z11.LHA'. The virus in the archive is the 'Ebola' Link virus. Archive Name.....: TXC-Z11.LHA Size.............: 197233 bytes (LHA Packed) Infected file....: UnARJ.... ( 9100 Bytes) UnRAR.... (24176 Bytes) Install.. ( 4132 Bytes) At this time only 3 viruskillers can find this 'sucker'. VirusWorkshop v5.9... By Markus Schmall VT v2.80............. By Heiner Schneegold VirusZ II v1.28...... By Georg Hoermann The FILE_ID. look's like this: __ ______ __.__________ \// _).�\( �| )__) .__) .--/ / � \ \ | � �\----------------. | / \_____/ |__/__|____/TOXiC GIVES YA: | |-\___/-----�\_|---------------------------| | ZAP V1.1 *FREEWARE* | | EXTRACTS LHA/LZH/LZX/DMS/ARJ/ZIP/ZOO/RAR | | EASY GUI, PREFS EDITOR + SAVE PREFS | | FILE/DIRECTORY/DEVICE REQUESTERS | | ALL EXTRACTORS INCLUDED,STATUS DISPLAY | | NEW MANUAL + NEW INSTALLER + NEW ICONS | | PLAY MUSIC WHILE EXTRACTING | | FASTER SOURCE CODE, FASTER PROGRAM | `----TOXiC'S-2:ND-RELEAS-DOWNLOAD-&-TRY----' Well, that is all for now..... Thanx to 'Torben Danoe' sending the archive to us... IMPORTANT: Virus Help DK BBS, new phone number +45 4659 6867. Regards.... __ __ /// Jan Andersen FidoNet: 2:235/112.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VirNet : 9:451/247.0
Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! ABlank11 Trojan: ---------------- other possible names: KUK Crew Trojan Length: 1056 bytes (PP40 lib) or 1352 bytes unpacked Nothing tricky at all. It will be tried to initialize SYS: again and then to create several files (and dirs) on the device. Code isn`t that good written, equalities to existing trojans can be found, but I cannot remember which one exactly. Thanks must go to Jan Andersen and Flemming Slabiak sending me this one. Visible texts in the unpacked file: '> KUK CREW < A New and Evil Group has come t' 'o spread TERROR and DESTRUCTiON to the Amiga' ' Scene! HAHAHAaaaaaaaaaah',0 'dos.library',0 'SYS:',0,0 'KUK_CREW!',0 'KUK_CREW!:Haha!',0 'KUK_CREW!:Mr.Fitta_%ld',0,0 'KUK_CREW!:Dr.Klitta_%ld',0 'KUK_CREW!:Kuk+Fitta=Barn_%ld',0,0 'KUK_CREW!:Kiss&Bajs�rNice_%ld',0 Greets Markus Schmall (Programmer of VirusWorkshop)!!!!! (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Hi ! Warning ! The file "TP5-TRSI.lha" contains a COP trojan and it is NO TRSI release. In the file_id it`s said that this is a 40K intro from TRSi. It`s the same code as found in the pha-xmas.lha trojan. The file didn`t appear up to now (28.12. 19.00 o`clock) on german systems. The file was on some boards in Denmark. I have informed in a public letter the Aminet moderators, so that this thing will be hopefully not uploaded to it. The File_Id looked like this: .------------------------------------------. | DIRECTLY FROM THE PARTY 5 | `------------------------------------------' .------------------------------------------. | | | TRSI's 40k intro called 'Domination' | | | `------------------------------------------' Special thanks must go to Jan Andersen of Virus Help DK and Kim B. for the support. Thanks ! Greets Markus Schmall. (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
Hi ! Back in the street... Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! The archiv "PHA-XMAS.lha" contains a new trojan. The code looks like the COP trojans, but this time no word from them. Via the access of DosLists it will be tried to access the files and overwrite them with a $1f byte long string, which look like this: "+46-620-13141 - DUNGEON OF DOOM" A swedish number, I suppose. If the sys partition is protected, the following text will be up: 'Phenomena DOS-Extender V1.1 ',$A9,'1993 by Photon' 'Unable to write Swapfile. Remove write-protection and retry' 'Creating new Swapfile. Please hold...' Of course Photon has nothing to do with it. The FileID of this files looks like this: .------------------------------------------. : Phenomena presents ' merry x-mas ! ' : : Pha's very last production on the Amiga! : : : : Code & Graphics : Photon, Color & Twins : : Music : Tip & Mantronix : `------------------------------------------' But it`s only a little lame trojan. The archive already popped up in Germany on 24.12., but the archive was corrupted. 2 days later I found it as intact archive on the D-o-E BBS, where I want to thank Mercury for his freedl, otherwise I wouldn`t have been able to analyse this one. Some people had real luck. E.g. Hitpoint downloaded the corrupted archive and could so not start the shit (hi Dieter !)... Ok, that is all for now, it`s morning time and I want to sleep... Greets Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Hi ! I just recieved a new (old?) trojan, here the analyse of it: Susi_Drive_Stepper Trojan: -------------------------- Filelength: 904 bytes unpacked Programmed in: Assembly language Processors: MC68000-MC68040(?) On MC68060 it did not work Typ: Trojan This is a very easy programmed trojan. Via the use of Disk Resource it will be tried to access a device (0) and some IDs will be changed. The whole new "created" DiskResource struct is not correct and contains a lot of not understandable code. The trojan is not reset- proof, it just tries the above mentioned diskresource manipulation and some little hardwarehacks.The trojan selects unit 0 and steps with the head around. The direction will be changed at every loop and the head moves always one track. The timing is so bad managed, that the controller gets irritated and quits work temporarly. The name of the new created port is "susi". You can see at the end of the file some names, but nothing more. All in all a simple trojan. 0260: 00000000 00000000 00006469 736B2E72 ..........disk.r 0270: 65736F75 72636500 73757369 00616E64 esource.susi.and 0280: 72656100 76616C65 6E74696E 6100696E rea.valentina.in 0290: 67726964 00636872 69730000 0A000120 grid.chris..... (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !) A special hello and thanks goes out to Jan Andersen for his really great help all the time and all his work. He sended me this trojan. Thanks Jan. - Merry X-mas to all of you - Have a nice christmas celebration time - Greets Markus Schmall (Programmer of VirusWorkshop)
Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! vmk12.lha (a file which came from an eastern country), which is said to be VMK 1.2 contains a new lame bootblockvirus. The maincode is 3452 bytes long and contains the old vmk + the installer for this little bb virus. Next versions of VT, VZ and VW will surely recognize it. signed Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
Hi #? A new little linkvirus appeared yesterday on the gobal stations. It`s called HNY96 (Happy_New_Year_96) and is 540 bytes long and infects normal executable files. The infection is done via LoadSeg(). We recieved this virus from the US, Holland, Switzerland and Germany. It seems to be on the wild, so there will be an update of VT very soon to kick the bastard. VW 5.7 is too new to stress the users with a 600 kb release again. Since the installer isn`t known, I will release a blockersystem in the coming days. Greets Markus Schmall (Programmer of VirusWorkShop) P.S.: Ebola linkvirus is found in dvd!-def.lha. Don`t start it... (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
Warning ! M-hac.lha and Bloody.exe contain LINKVIRUSES ! BE CAREFULL ! Here a first BETA ANALYSE of it: ConMan 1995 Linkvirus: ---------------------- Other possible names: M-Hac Virus, Bloody Virus Detected in: M-hac.lha and Bloody.EXE Detected when: August 1995/Germany SOS Linking method: 4eb9 (!!!!) Resident: NO Length: 1836 bytes This is a new type of linkvirus. There are 2 installers known yet. It simply creates a new process with the known CONMAN code , but now with different names. Possible names are: C:DIR ramlib Background_Process RAm L:FastFileSystem LIBS: gadtools.library Workbench DF0 addbuffers CON LIB:req.library CLI(0): no command loaded CLI(1): no command loaded Please note that several of this takss can appear in normal systems, too. The speciality of this virus is, that it uses a intern 4eb9 linker to link to files. Quite tricky. Viruskillers like VT, VZ_II and VW should so be able to detect the infected files. The linking routine knows the following hunksymbols: $3f2,$3f3,$3ec and $3eb. The code is a little bit dangerous, but I will implent in VirusWorkshop a complete reverse analyzed routine, so it should be no problem to repair even not working infected files. The virus adds 4 hunks to the file and the linked code is partly packed. It is packed with StoneCracker 4.04� and then afterwards manipulated. The virus is not memory resident. Some words about the installers: m-hack.lha FILE_ID.DIZ .-------------------------------. | MASTER AMIEX ONLINE PW HACKER | | PREVIOUS VERSION HAVE A BUG! | `-------------------------------' The programm hack (4388 bytes long) contains the trojan. bloody.exe FILE_ID.DIZ: NON DOS DISK READER >>>>-BEST! The programm is including this ID 25560 bytes unpacked long. Greets Markus Schmall (Programmer of VirusWorkShop) P.S.: This analyse is copyrighted and strictly forbidden to be used in any SHI production....
Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! The archiv 'srn-db33.lha' is a possible installer of a new linkvirus called Strange Atmosphere. We have here the first infected files. The files become 1232 bytes longer and the linkvirus contains a destructive routine, which is able to format harddiscs. We will give you as soon as possible a viruskiller update, which can kill this little bastard ! Thanks to RD10/ORS for the testsamples and to Maestro for his general great work ! Greets Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !) Analysis made by Markus Schmall
THIS IS A BETA ANALYSIS, WHICH BE CHANGE UNTIL THE FINAL RELEASE OF THE NEXT VIRUSWORKSHOP VERSION ! KNOWN INSTALLERS OF THE LINKVIRUS ARE: SRN-DB33.LHA AND TCR-RESC.DMS ! Entry...............: Strange Atmosphere Alias(es)...........: SA Virus (as called in VW) Virus Strain........: - Virus detected when.: 2/1996 where.: Germany Classification......: Link virus, memory-resident Length of Virus.....: 1. Length on storage medium: 1232 Bytes 2. Length in RAM: $2710 Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+) Computer model(s)...: all models/processors (MC68000-MC68060) Caches may cause problems during the decoding process --------------------- Attributes --------------------------------------- Easy Identification.: None Type of infection...: Linkvirus Self-identification method in files: - Searches for $1080402 at the end of the first codehunk Self-identification method in memory: - Checks for $3d385e29 at position -6 of the LoadSeg() adress System infection: - RAM resident, infects the LoadSeg() DOS function - DoIO() exec function and Coolcapture will be infected only under special conditions Infection preconditions: - File to be infected is bigger then $a28 bytes - The file is not already infected - HUNK_HEADER and HUNK_CODE are found - HUNK_HEADER structure is valid - There must be 4 free blocks on the disc - File is shorter than 290000 bytes - The lenght of the first hunk must be exactly the same as written in the hunkheader structure Infection Trigger...: Accessing the file Storage media affected: all DOS-devices Interrupts hooked...: None Damage..............: Permanent damage: - Files will be trashed (depends on the Rasterbeam) Devices will be overwritten (depends on the Rasterbeam) Transient damage: -System gets locked while reset and a new copperlist will be shown. Damage Trigger......: Permanent damage: - Internal counter Transient damage: - Internal counter Particularities.....: The crypt/decrypt routines are not aware of processor caches. The installer code in several files is working correct with higher processors. The linkcode checks for correct length of the first hunk to remove problems with extra ordinary packers. Similarities........: Link-method in the executable files is the simple "link behind the first hunk" method without any special tricks. Stealth.............: The viruses uses normal dos commands (no tunneling via packets) and normal DOS call watchers like SnoopDos can proof the infection behavior. There are no stealth routines build in. Armouring...........: The virus is only one armouring technique to protect it`s code. It uses a normal crypt routine to hide the viral structures. Heuristik checkers like the one in VirusWorkshop can find the dangerous parts and VW gives you the rating "Virus!". Name................: In the crypted part there is the following string: '-+* Strange Atmosphere [gOOd] *+-' If the internal counter reaches 50, the word "gOOd" will be replaced by "eVIL" and the destructive code will be activated. --------------------- Agents ------------------------------------------- Countermeasures.....: VW6.0� (VT follows soon) Countermeasures successful: All of the above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hannover, Germany 04.03.1996. Classification by...: Markus Schmall and Heiner Schneegold Documentation by....: Markus Schmall Date................: March 1996 Information Source..: Reverse engineering of original virus Copyright...........: Markus Schmall Special note........: Virus Test Center Hamburg and Virus Help Team DK are strictly allowed to use this analyse in their own productions. All other groups/institutions may please contact me first. ===================== End of Strange Atmosphere Virus ===================
A short beta analyse of the chkmount.lha trojan ! THIS IS COPYRIGHTED MATERIAL ! NOT ALLOWED TO BE USED IN ANY SHI PRODUCTION ! WireFace Trojan Typ G: ---------------------- Found in : chkmount.lha Type : destructive trojan Protection : *Art Filesize : 4672 Bytes (partly packed) This is another trojan from the WireFace series. This trojan looks in parts like Biomechanic trojans, some byterow comparecode are for sure copied. I haven`t test up to the end, but the code looks like a comparable code as in the icond biomechanic stuff. If you start it and a destruction is not possible (devices not found) a text will be printed on screen saying several times: [email protected] It has some visible texts at the end of the virus. The virus itself is protected and then afterwards packed with StoneCracker 4.04. The final filesize is 5868 bytes. The following devices are tried to be accessed and the 39 first sectors are going to be cleared: 'scsi.device' 'icddisk.device' 'oktagon.device' 'SoftSCSI_OktagonC9X.device' Other visible texts are: '(TrojanName: iLSKNA ANDREAS v1.1) WiREFACE / dEMONS oF tHE " " pENTAGRAM strikes again with another stunning release (trojan) " " hahaha. Send postcards, money, bugreports or COMPLAINTS' 'to me at this email adress: [email protected]. CU in another relase!' '[email protected]' (This is the printed text) The programm looks like created with an old compiler. Some special 1.x programming technics are used, which won`t be used nowaday normally anymore. VirusWorkshop and VT will give you the warning, that a $3e8 hunk is in the file. This is the protection from the trojan. Simple, but effective. Something more to wonder about: I have downloaded this file from SOS at 8.8.1995. and I have only used the name MOUNT-972 in one warning in AMiganet and the german Z-net, so the viruscoder must read it, too. The trojan is supplied with a little documentation: Mount-972 Virus Checker ----------------------- by Robert Wolvestein ([email protected]) This small checker finds and eliminates the Mount-972 virus that resently popped up! The virus must have been spread via Aminet or thru BBS's coz it is EVERYWHERE, almost 40% of my 'scene-friends' had it in some way or another. Regards Robert. (ED: A cool fake, better play with your joystick) Greets.. Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
Warning ! It is said to be trojan in "BIO-WARN.LHA". This is spreaded under the name of Virus Help Team Denmark and contains a file called flake013.txt and flake_killer_bio.exe and advertisements from the ASYLUM bbs. The text flake013 is a analyse/warning from me, which was spreaded under the name of Virus Help Team DK some days ago. The executable file is not known to me. The upload user of the archiv is known (the handle) and we will force the sysop of Asylum to close this account. Greets Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !) Click here to read the reel Flake013.txt
Warning ! VcKey110.lha is a trojan ! DON~T START IT ! YOU HAVE BEEN WARNED ! Here is my BETA analyse of the file. VCKey 1.10 Trojan: ------------------ other possible names: none Kickstart: V37 and higher Filelength: 9088 bytes (partly packed) found in/when: VkKey110.lha/Jul95 This is said to be a cracked keyfile creator for the wellknown Virus- Checker antivirusprogramm. The FILE ID looks like this: " MakeKey v1.10 Keyfilemaker for Virus Checker Cracked. -----------------------( EAGLE's NEST! )---- " In reality this file contains a nasty trojan, which tries to format your SYS: device (DOS1 bootcode) and give it the new name "Snupp!". If I can read my autodocs correct, only a quickformat will be done. Try to use Disksalv to recover the data on your sys: device. In the unpacked code you can read: "WiREFACE / dEMONS oF tHE pENTAGRAM * WHiPPED YOUR HD, SUKKAH !! We Look " "Down Your Nose (Laughter)!" The dangerous code was linked using the 4eb9 linking method on the normal makekey programm from the actual VirusChecker distribution. The dangerous code is packed with powerpacker 4.0 (5848 bytes long). This was probably done to shorten the whole file and to crypt the visible texts. The unpacked viruscode is 7588 bytes long. (Do you really think that such a lame protection can stop a good antivirus- researcher from doing its job ????) VT 2.74 and VW 5.2 atleast recognize a $4eb9 linker in the file. Another viruskiller, which claims to recognize 4eb9 files, does not detect it. There is a little document in this archive called MakeKey.readme: ----------------------------------------------------------------- " MakeKey v1.00 cracked... presenting MakeKey v1.10 :) This is a specially written program to allow users who have registered to make a keyfile from the information they recieve. *** But now you can enter any serial numbers you want ! *** ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ It can be run from SHELL or WORKBENCH and opens a GUI. It requires WB2.04 or better to run. Enter the data into the gadgets and click on MakeKey and the keyfile will be generated. " Greets Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
Warning ! The archive "gvp-hs15.lha" contains a new trojan ! Here is my first analyse: Kara�i� Trojan Virus: --------------------- Filelength packed: 1460 Bytes (Rob Northern !!!) 1924 Bytes (unpacked) Other possible names: GVP-HS15 Trojan Works only with Kickstart 3.0 and ahead (V39 funtions will be used). Some other suspicius fact is, that the programm was packed using the Rob Northern cruncher, also called Propack. The file was afterwards modified a little bit, so that no existing depacker can unpack it. This trojan is programmed quite simple. The needed libraries will be opened and it will we checked for the old SnoopDos task. Then the file "s:nothere" will be tested. If it exists, no damage will be caused. Then a TimeDisplayAlert (timer some seconds) will pop up and show you: LMB> Kill system RMB>Reboot The code analyzer behind is programmed like this: 1.If the user gave no input in the 5 seconds and/or presses the right mousebutton, the system will be trashed using some basic format and delete routines. 2.If the user presses the left mousebutton, then a ColdReboot will be performed. SO DON`T START THIS AND IF SUCH A REQUESTER APPEARS, THEN RESET YOUR AMIGA BY HAND ! The routine to show the Alert is a Kickstart V39 function. It will be not tested, if the used system is really V39 or higher. FileID of this archive (GVP-HS15.lha): HardDiskSpeeder v1.5 �GVP Inc. 1995 (a little cache program for HDs!) ... If you start the programm, it will show you the following text: 'HardDiskSpeeder v1.5 installed ...' If you start it using a "?", then the following text will show up: 'HardDiskSpeeder v1.5 by GVP Inc. �1995' The trojan tries to destroy the following directories and devices: dh0-dh4, hd0-hd4, l:, libs:, devs:, s: and c: The formatted new devices will have the name: '"Kara�i� Virus strikes back"' Greets Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
Warning ! The file TRSi-INS.lha is NO TRSi release and contains a fucking trojan ! In the middle of the 10.6.1995. one of our members (NIKE/TRSi) got a call on the BBS from a guy called GRYZOR, who is supposed to be the leader of Circle of Power (COP), and this guy said to NIKE that TRSi is lame and such things. Later he uploaded there a file called TRSi-INS.lha to this board and NIKE wondered a little bit and contacted me and the other TRSi guys. So this virus is now (10.6.1995. 18:30 o`clock) about 6 hours old. Let us stop this bastard and finally get a solution for the COP problem (hi Apollo and Noise Belch). Here is my first analysis of the virus, which is a little bit short, but I ran totally out of time. Sorry dudes.. Biomechanic Trojan ------------------ other possible names: TRSI-INS Trojan Type: Destruction only Destruction caused by: simple bytemodification This is NO TRSi release ! It is just a FAKE ! In the File-ID it is stated that this are some hd installers for actual games. In real this is just a trojan, which will manipulate your files on your HD. The contents of the archive: ViroCop-HD_install.exe 5912 ----rwed 02-Sep-92 12:49:54 SWOS-HD_install.exe 9588 ----rwed 02-Sep-92 12:51:12 SensibleGolf-HD_install.exe 4776 ----rwed 02-Sep-92 12:51:24 Mortal-Kombat2-HD_install.exe 5512 ----rwed 02-Sep-92 12:50:12 MCI-CARDS4-FREE.EXE 5912 ----rwed 02-Sep-92 12:49:30 Embryo-HD_install.exe 6764 ----rwed 02-Sep-92 12:50:24 The virus is looking for a special enviroment and then manipulates the files: Here a original PGP signed message: 0000: 89009502 05002FCF 1B5220F5 BA1075CB ....../I.R o�.uE 0010: 69450101 C11D03FF 7ED659E1 39C4AD2C iE..A...~�Y�9�-, 0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14 IO..!��y\�1 �U\. 0030: D2B35295 5FFBE735 4E8070E1 A8C2C909 O3R._��5N.p�"A�. 0040: 2235ABB5 BE37E843 79CCD140 7AA2ACA5 "5�� 7�CyI�@z��� <- Here the manipulated one: 0000: 89009502 05002FCF 1B5220F5 BA1075CB ....../I.R o�.uE 0010: 69450101 C11D03FF 7ED659E1 39C4AD2C iE..A...~�Y�9�-, 0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14 IO..!��y\�1 �U\. 0030: D2B35295 5FFBE735 4E8070E1 A8C2C909 O3R._��5N.p�"A�. 0040: 2235ABB5 BE37E843 79CC0002 B37800A5 "5�� 7�CyI..3x.� <- If you start the virus (it is in all the above listed files), a little text will show up: - b i o m e c h a n i c - and the work begins. If the work is completed, the following text will be printed out, too: ... trashed your hd ... and a directory named "biomechanic trashed your hd !!" will be created, which is empty. The code looks quite good. This is not the work of a real beginner. The guy behind has some programming knowledge. This way of programming is better than from the COP viruses. The programm uses indirect adressing and a lot of stackusage, which cannot be done by a beginner (atleast I think so). Greets Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
Warning ! A faked VirusZ_II 1.19 is going around. The filename is 'vzii-119.lha' and contains some parts of the actual vzii-118.lha release from Georg Hoermann. The mainprogramm seems to be an older version of VirusZ with a filelength of 64664 bytes. I found no trojan in it. Please just delete the file. I called Georg and he told me, that he not released VirusZ_II 1.19 ! File ID of the fake: _________ _ ____/"""./###/____)\_____________ /"""/ //_______ /"""/""./"___/_HELP! / / //"""/" / // / //____ \_ \ // / ____/ / //""""/X@!/ \_____/\__/___/ ""\______/_________/ --><><><><><></____/-><>- Presents-<><-- VirusZ II v1.19 - (09.06.95) >>>----------------------------------<<< Probably just again somebody, who wants to destroy the good reputation of Virus Help and Georg Hoermann. Greets Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
WARNING ! Fileghost 3 Linkvirus: ---------------------- MC68040 and MC68060: yes Kickstart V35 and above Patched vectors: DOS LoadSeg() Increases filelength by 1288 bytes Detected: Jun`95 in the south of Germany This is another linkvirus out of the Fileghost series. This linkviruses just add their code to the end of the first hunk and then search for the last "rts" and modify it to a "bsr.b" to get activated. So the relochunks will stay unchanged. Differences to the previous versions of the virusfamily: 1. Some more indirect adressing 2. Test, if SnoopDos (FindTask "SnoopDos") is active 3. It will be searched for 2 longwords in the first hunk $53460C46 at offset $2A from the loadseg() memptr $2F49003C at offset $3A " " " If you know, which programm has such longs in the first hunk, please let me know. Thanks. 4. The cryptroutine is a little bit advanced. 5. The word $1994 will be used to check, if the virus already infected the LoadSeg() vector. This routine is comparable to Fileghost2 and to the Polygonifrikator viruses. 6. Depending on a spreading counter, the virus will set new windowtitles (see at the bottom of the description). The fileghost virus contains no destructive routine. As on every type of this type of virus, it is possible that programms, which need a 100% correct hunkstructure (e.g. some packers) will get problems and will not work. The virus is, in my opinion, not from the author of the last Fileghost viruses. This one has display routines and will be recognized by the infected user in this way very fast. The last versions of Fileghost just worked around in the background. New texts for the windowtitles: ------------------------------- 'AUA! schlag nicht so auf die Tasten!' 'FileGhost3 - the nightmare continues!' 'Hallo DEPP!' 'Was machst Du denn als n�chstes ?' 'Wei�t Du eigentlich, da� Du dumm bist ?' 'Und schon wieder eine Datei weniger!' 'Gib mir mal `n Bier!' 'T�tet alle Nazis + RAPER!' 'AMIGA kills PC! (HEHE)' 'INTeL Outside !' Greets Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
Warning ! The file lzx130.lha with the File ID: LZX Version 1.30 (Evaluation) Jun 5, 1995 and the following files: LZX_68040 65384 ----rwed Gestern 07:55:44 LZX_68020 64896 ----rwed Gestern 07:55:34 LZX_68000EC 67680 ----rwed Gestern 07:55:20 contains a COP trojan ! Don`t start it, it will trash your HD ! It tries to fuck up the following dirs: 'ncomm' 'bbs' 'devs' 's' 'envarc' 'libs' All files will be overwritten with the following text and NO rescue is possible: =CIRCLE OF POcER= [ THE RETURN OF THE POcER PEOPLE! PHEAR US! ] The destruction routine is the same as in the last one and does not seem to be from a prof. coder. Greets Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
Warning to all : ---------------- Packing type: Turbo Squeezer The archiv "hackt.lha" contains a fucking CONMAN trojan ! The archiv contains the file Hackt.exe, which is Turbo Squeezed. packed: 12692 Bytes unpacked: 12312 Bytes It installs a new process with the name CLI(0):console.device and writes a new file called C:Iprefs. This Iprefs is packed several times and uses the 4eb9 linker method to unlink some strange stuff. packed: 10820 Bytes unpacked: 14216 Bytes The file itself contains an very old IPrefs and an, again packed, destructive virus from a guy called CONMAN. It will try to destroy many sectors by filling them with the word "CONMAN 1995". There is no rescue for such sectors. Due to no viruskiller for this bastard it is best for the infected users to do the following: Boot from the orginal WB disks and simply copy a new IPREFS to your HD and it should work again ! The ConMan viruses were mostly BBS hackers, now this guy reached a new dimension. I got yesterday a phonecall from an irritated user (someone of Krypton or so ?) and he told me about his file. He got it from a BBS in Berlin, which is thought to be the homeplace of CONMAN. This guy told me that he had downloaded it around 6.4.1995, so this virus is on the wild. Sorry for this short analysis, I just got the thing packed in a warning from RD10/Osiris (NEVER SPREAD THE VIRUS IN A WARNING MAN ! IF YOU WANT TO DO SOMETHING GOOD, THEN DON`T SPREAD IT IN THIS WAY !) and wanted to give you some information than RD10. It is weekend for me now, too and I want to go to a party, so wait for the first viruskillers to recognize this bastard. Greets Markus Schmall (Programmer of VirusWorkshop) Special hellos to IXXy and Simone.... (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
VirusWarning ! VirusWarning ! VirusWarning ! VirusWarning ! The archiv Gath95-!.lha contains a trojan ! DELETE IT ! Gath95-! Trojan: ---------------- Filelength: 14032 bytes unpacked (crypted with a simple loop) other possible names: Achtung(.exe) trojan This is a very simple trojan. It tries to format your dh0: using quick- format and afterwards it will be tried to fill your dh0: using files with the following names: dh0:lamer.aaaaa. The filesnames can differ in the last chars (possible to really fill up the drive). The trojan writes a new file with the name: "ram:verwirrung" (a german word, which means irritation) The the executecommand for the quickformat will be started. The new name of the dh0: device is then LAMER. This trojan is much more dangerous than the ordinary quickformat stuff, because of the high amount of new written files (lamer.aaaax), the intern structures of the qickformatted directory will be changed and a data loss is in most cases not to prevent. This trojan was spreaded as intro for the Gathering`95 party in Oslo. File_ID.DIZ: +------------------------------------------+ |Virtual Dreams, Melon and Rage's New Intros +------------------------------------------+ [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%] THE GATHERING PARTY INVETATIONS. 3 OF THEM [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%] +------------------------------------------+ |The BEST CODE of 1994/95. Defintly! Get it! +------------------------{ cSo/�(�'g5! }---+ Greets Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !) Special thanks to Mario/TRSi for keeping this virus for me ! Euronymous/TRSi for the warning ! Ixxy/TRSi for calling Mario
Warning ! Caution ! The file "dpl-dc99.lha" contains a trojan, which can format your SYS: device. If you have started this one, then check your loadwb command. If it is 2088 Bytes long, replace it ! It is a new written command from the virus !!! Greets Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
Warning ! The file cry_206.lha is a trojan ! It contains the DMS 2.06 fake trojan like the DMS206.lha archiv in the last week !!!! It`s a FastCall hacker ! Don`t start it ! Greets Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
Warning !! Caution ! The file "Istrip21.lha" is a trojan and contains a BBS hacker ! Be careful and delete this file ! Greets Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
Warning ! (This analyse was made in a hurry and is still beta!!!) Pestilence Bootblockvirus 1.15: ------------------------------- Kickstart 1.x : not working Kickstart 3.1 and MC68040 : working Patched vectors: Exec-Disable TD`s BeginIO Exec-Coldcapture Exec-KicksumData (not repairable) Intuition-DisplayAlert (not repairable) First appearance (as far as I know): Heilbronn/Germany This is a new bootblockvirus with some nasty inner workings: The last both patched vectors cannot be repaired, because the virus does not store the original value. Sorry guys ! All other patched vectors can be corrected by VirusWorkshop. It crypts all read blocks (T-DATA) with an eor-loop. If the virus is active in memory, all crypted blocks will be decrypted online. If you remove the virus from memory, several checksum- errors will appear on your screen. VirusWorkshop 4.6 and higher are able to repair the crypted blocks, because there is no magic in this cryptroutine. Such routines (online-(de)crypting) were first seen on the AMIGA in the "Saddam" diskvalidator viruses and then in "The Curse of little Sven" bootblockvirus. The whole virus is crypted with a simple eor-loop and looks like the work from a quite sober`n clean programmer. At the end of the virus you can read (after decrypting it): 'trackdisk.device' 'intuition.library' 'PESTILENCE v1.15 (c) 14/05/94!' Greets Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
Warning ! Warning ! The archive "removcmd.lha" contains an installer for the Commander Linkvirus ! This installer appeared around the globe around 24.10.1994. and is descriped as follows: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! Have you got probs. with the COMMANDER ! !! virus by Brian Blister? It's a link-vir ! !! that eats your mem like hell.. brand new! !! and not killable with VirZ or VirKiller ! !! or any other killer.. Except this one ! !! brought to you by Coma/FD and Bigmama/FD! !! Download and be happy!!!!!!!!!!!!!!!!!!!! Don`t start this file ! It`s a installer for the fucking Commander Linkvirus, which can be removed 100% from VT 2.68 and VW4.3. The archive contains the file "kill" with the filelength 2252 bytes ! This is the installer ! The virus first appeared in scandinavia and it`s spreading was nearly stopped by some motivated members of SHI (special hi in this case to Jan Andersen and Bo Krohn). Now the Commander virus is spreaden worldwide...... Greets Markus Schmall (Programmer of VirusWorkshop) (IT`S HEREBY PROHIBIT, THAT SHI USES THIS ANALYSE IN ANY FORM IN ANY RELEASE OF THEM !)
Date: 17 Apr 96 6:18:37 Hi ! A new link-virus appeared called BBS TRaveller . It`s an EBOLA clone with some codes from the 'Strange Atmosphere' link-virus. It only activates, if the following programms are not in memory: Virus_Checker SnoopDos (all versions) VirusZ II SetfunktionMananger VW-Save! If VT will be started, the virus removes itself. THERE IS NO INSTALLER KNOWN AT THE MOMENT ! So keep the eyes open ! Greets Markus Schmall (Progammer of VirusWorkshop).
Warning ! A new linkvirus is out. The first known infected file is lop_mi2.lha. The FILE_ID.DIZ looks like this: . ____ .:: ______ / |.:::::' | __ \_ \ _|:: ::.::::. �___/ .-- \____:: :::: :: \ --. | `::::':: ::_____/ | | L��P `::::' | | | | MASTER ISO 1.22 100% CRC | | THIS IS THE IMPROVED | | INTENSITY-VERSION ... | `------------------------------' The virus is linked on it normally. It doesn`t seems to be an installer, probably the guys behind it didn`t know about this infection. Emacs/TRSi got a call from Lenny Dee/Hf and gave me this archive. It seems to be spreaded global. Since a Hf guy tried this archiv before release 3 things for Hf Emacs checked for me this 3 releases and all of them were virusfree. ! Special thanks at this time to Lenny Dee/HF for the fast warning ! Ok, here the analyse of the little bastard: Entry...............: BBS Traveller Virus Alias(es)...........: Ebola-II Virus Strain........: - Virus detected when.: 17.04.1996 where.: Germany Classification......: Linkvirus,memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: 1536 Bytes 2. Length in RAM: 12000 Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+) Computer model(s)...: all models/processors (MC68000-MC68060) --------------------- Attributes --------------------------------------- Easy Identification.: none Type of infection...: Self-identification method in files: - Searches for $ab1590ef at the end of the first Hunk. (this longword comes from the EBOLA-I virus) - Searches for $24121996 at the end of the first hunk (selfrecognition) - Searches for $1080402 at the end of the first hunk (this is the recognition of the Strange Atmosphere linkvirus) Self-identification method in memory: Searches for $3D385E29 at offset -6 from the Dos LoadSeg() function. If $1020304 will be found at this position, the destruction counter will be manipulated (somekind of test for the programmer of this virus ?) System infection: - non RAM resident, infects the following functions: Dos LoadSeg(), Dos ReadARGS(), Exec Findname(), Exec Findtask, Exec SetFunktion() and Exec Addport() Infection preconditions: - File to be infected is bigger then 2600 bytes and smaller then 290000 bytes - Device must have more than 6000 sectors - First hunk contains a $4eaexxxx command in the 16 bit range to the end of the file (test for the first entry) - the file is not already infected (the at long of the end of the hunk) - HUNK_HEADER and HUNK_CODE are found Infection Trigger...: Accessing files via LoadSeg() Files starting with "v","V","." or "-" will be NOT infected. Storage media affected: all DOS-devices Interrupts hooked...: None Damage..............: Permanent damage: - Formatting the drive Transient damage: - none Damage Trigger......: Permanent damage: - Formatting the drive, when an internal counter reaches 5000. Transient damage: - None Particularities.....: The crypt/decrypt routines are partly aware of processor caches. The cryptroutine are non polymorphic and only consists of some logical stuff. The virus uses some simple retro technics to stop viruskillers searching for itself. Similarities........: Link-method is comparable to the method invented with the infiltrator-virus. Damage routine is taken from the Strange Atmosphere linkvirus. The virus is a typical mixture from the EBOLA and the Strange Atmosphere linkviruses. We think that all 3 ones come from the same programmer, probably in the east or north of Germany. Stealth.............: If the viruskiller VT up to version 2.82 will be started, the virus removes itself completly from memory. If one of the following programms will be found in memory, no link try will be started: SetFunktionManager VirusChecker VirusZ_II SnoopDos SnoopDos 3 VW-Save! Armouring...........: The virus uses only a single armouring technique to confuse people. It only crypts it`s code based on the position of the rasterbeam. Comments............: The name EBOLA is the name of a virus, which humans can get infected with. CARO rules say, that no names of persons etc. may be used to call a virus, but I spoke to other persons and they already recognized this virus in this way. The virus contains the string "BBS Traveller", but this is just a clone from the EBOLA linkvirus with some enhancements. --------------------- Agents ------------------------------------------- Countermeasures.....: VW6.1 beta above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hannover, Germany 19.04.1996. Classification by...: Markus Schmall and Heiner Schneegold Documentation by....: Markus Schmall (C) Date................: April,19. 1996 Information Source..: Reverse engineering of original virus Copyright...........: This document is copyrighted and may be not used in any SHI publication ===================== End of BBS Traveller Virus ========================= Greets Markus Schmall
Hi #? A new linkvirus appeared on 17.05. in Austria, Finland and Sweden. it`s called Hitch Hiker 1.10 linkvirus. Here the analyse of it: Entry...............: Hitch Hiker 1.10 Alias(es)...........: none Virus Strain........: - Virus detected when.: 18.05.1996 where.: Austria, Finland Classification......: Linkvirus,memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: ca. 1700 Bytes (uses a primitiv polymorphic technic) 2. Length in RAM: 3000 Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+) Computer model(s)...: all models/processors (MC68000-MC68060) --------------------- Attributes --------------------------------------- Easy Identification.: none Type of infection...: Self-identification method in files: - none Self-identification method in memory: - searches for $ABBAFAb4 at LastAlert(Exec) System infection: - infects the following functions: Dos LoadSeg(), Dos Write() (librarychecksum will be recalculated) Infection preconditions: - Device must have more than 8000 sectors and is smaller than $20000 bytes or file is bigger than $8000 bytes - HUNK_HEADER and HUNK_CODE are found - device is validated - 10 free blocks on the device - hunk_code must contain the same length as in the header. Infection Trigger...: Accessing files via LoadSeg() or Write() Files containing a "." or a "-" will be not infected. Storage media affected: all DOS-devices Interrupts hooked...: None Damage..............: Permanent damage: - none Transient damage: - none Damage Trigger......: Permanent damage: - none Transient damage: - None Particularities.....: The crypt/decrypt routines are partly aware of processor caches. The cryptroutine are non polymorphic and only consists of some logical stuff. The virus uses some special things at the fileinfection (buggy) and at the library opencode. Similarities........: Link-method is comparable to the method invented with the infiltrator-virus. Stealth.............: no stealth functions found Armouring...........: The virus uses only a single armouring technique to confuse people. It only crypts it`s code and uses a very simple length polymorphism code. The heuristic scanner of VirusWorkshop detects this one already as virus. Comments............: The first infected file is probably lzx121crk.lha. This is the old SHOOT version of LZX1.21r with the infected file. As I got reports from Austria and Finland, I suppose it has gone through internet channels as this file didn`t appear on scene boards. --------------------- Agents ------------------------------------------- Countermeasures.....: VW6.1 above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hannover, Germany 19.05.1996. Classification by...: Markus Schmall and Heiner Schneegold Documentation by....: Markus Schmall (C) Date................: May,19. 1996 Information Source..: Reverse engineering of original virus Copyright...........: This document is copyrighted and may be not used in any SHI publication ===================== End of Hitch-Hiker 1.10 ========================= VW 6.1 (release on 19.5. in the evening hours) is able to remove this little bastard. Special note: The heuristic scanner of VW 6.0 already detected this one (see v-nl19.txt on the boards). Greets Markus Schmall
Entry...............: Hitch Hiker 3.00 Alias(es)...........: none Virus Strain........: - Virus detected when.: 13.07.1996 where.: Germany, USA, ISRAEL Classification......: Linkvirus,memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: ca. 3020 Bytes (uses a polymorphic technic) 2. Length in RAM: 8000 Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+) Computer model(s)...: all models/processors (MC68000-MC68060) --------------------- Attributes --------------------------------------- Easy Identification.: none Type of infection...: Self-identification method in files: - none Self-identification method in memory: - searches for $FAB4FAB4 at LastAlert(Exec) System infection: - infects the following functions: Dos LoadSeg(), Dos Write() (librarychecksum will be recalculated and it will be tried to cheat some viruskillers) Infection preconditions: - HUNK_HEADER and HUNK_CODE are found - device is validated - 10 free blocks on the device - hunk_code must contain the same length as in the header. - File must be between $1f40 and $20000 bytes (not working) Infection Trigger...: Accessing files via LoadSeg() or Write() It`s a typical infector. It cannot be rated as fast infector as it only infects at the above mentioned operations. Storage media affected: all DOS-devices Interrupts hooked...: None Damage..............: Permanent damage: - Due to a adressacess behind the viruscode it`s possible that trashed code results out of an infection. Transient damage: - none Damage Trigger......: Permanent damage: - none Transient damage: - None Particularities.....: The crypt/decrypt routines are partly aware of processor caches. The cryptroutine are polymorphic and consists of some logical stuff. The virus uses some special things at the fileinfection (buggy) and at the library offsetcode. Similarities........: Link-method is comparable to the method invented with the infiltrator-virus and the first HitchHiker viruses. Stealth.............: no stealth function found. the only things to mention is the library negoffset value. Armouring...........: The virus is heavily armoured with a $100 byte long polymorphic decryptor. Not only the registers are changing, even the operations will be mixed. This polymorphic routine can be seen right now as one of the best available routine for the AMIGA. The routine mixes a lot of codes and uses a normal polymorphic scheme. No slow polymorphism code was found. The decrypt header is static $100 bytes long and initialises a circular decryption. The decryption code uses anti heuristik stuff and only a full implented code emulation would be able to crack this one. The polymorphism is working in the normal scheme (with $dff006 and $dff007 usage) and uses not the modern technics like slow polymorphism. ("White paper" analyse of this engine can be obtained from me or from the Virus Test Center in Hamburg. We need special information about you before we give such information away.) Comments............: Maybe interesting for the reader is that the programmer of the virus wrote some more text in it than in the last ones: 'The Hitch-Hiker Generation: 00000308 - Version 3.00' 'Last in series. "Dedicated to Heiner Markus ZIB and Georg" It would be interesting to know, who this ZIB is. --------------------- Agents ------------------------------------------- Countermeasures.....: VT 2.86 and VW 6.2� above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hannover, Germany 17.07.1996. Classification by...: Markus Schmall and Heiner Schneegold Documentation by....: Markus Schmall (C) Date................: July, 17. 1996 Information Source..: Reverse engineering of original virus Copyright...........: This document is copyrighted and may be not used in any SHI publication ===================== End of Hitch-Hiker 3.00 ========================= Greets Markus Schmall
Lately the HitchHiker 3.00 linkvirus appeared and everybody was searching for an installer. One day for the release of VirusWorkshop 6.2 the archiv patchhh.lzx with the following File_ID.DIZ arrived at my place: PatchHH 1.0 by ZIB. This anti-virus util will stop the propagation of all known Hitch-Hiker viri. (1.10/2.01/3.00). Not THAT user-friendly but it was made in a fucking hurry.....(So no local support ! :)) ... I was very surprised, because ZIB was the fourth name in the dedicated list of HitchHiker 3.00 and I don`t know that person. The document looks like this: ----------------------------- Here's a little utility that will stop the propagation of the Hitch-Hiker virus series (currently 1.10/2.01/3.00). This proggy will write $ABBAFAB4 into Exec's LastAlert so the viri mentioned above will not start their devious work. When a version of HH is already active you'll get a warning. It's better of course to get the latest virus-killer. Like VirusZ or VT, however at the time I wrote this proggy only VT recognised 2.01 and none of them 3.00. Hope I spared you a lot of probs with this proggy :) ZIB. Sounds like a viruskiller. In reality some names of C: programms will be decrypted (including the string United ForceS...WHY ALWAYS UFO ????) and this files will be infected from this nasty linkvirus. Detection tested 20.07.1996. Greets Markus Schmall
*** About: Mutation Nation linkvirus Entry...............: Mutation Nation Alias(es)...........: none Virus Strain........: Ebola series (Ebola, BBS traveller, Strange At.) Virus detected when.: 21.05.1996 where.: Germany Classification......: Linkvirus,memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: 1316 Bytes (uses a primitiv polymorphic technic) 2. Length in RAM: $ba8 Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+) Computer model(s)...: all models/processors (MC68000-MC68060) --------------------- Attributes --------------------------------------- Easy Identification.: none Type of infection...: Self-identification method in files: - searching for DEADC0DE at the end of the first hunk Self-identification method in memory: - 213f at the LoadSeg entry (like EBola?) System infection: - infects the following functions: Dos LoadSeg(), Exec FindTask() Infection preconditions: - File is between $7d0 and $43e90 bytes long - HUnk Code is found (virus overruns $3e8 etc. hunks) - File is not infected already - device is validated - device contains free blocks Infection Trigger...: Accessing files via LoadSeg() Files containing a "." or a "-" and then at offset 2 one of this characters "aen" will be not infected. Storage media affected: all DOS-devices Interrupts hooked...: None Damage..............: Permanent damage: - none Transient damage: - Reset Damage Trigger......: Permanent damage: - none Transient damage: - Counter reaches $14 Particularities.....: The crypt/decrypt routines are partly aware of processor caches. The cryptroutine are non polymorphic and only consists of some logical stuff at the use of registers. Similarities........: Link-method is comparable to the method invented with the infiltrator-virus. Like in a lot of trojan it will be searched for a special task ("Dupe"). If this one is found, the virus will be not activated. Probably this is somekind of security backdoor for the programmer. Stealth.............: no stealth functions found The virus does not work with SnoopDos (1,2,3) started Fileflags will be restored, but length will be visible changed. Armouring...........: The virus uses only a single armouring technique to confuse people. It only crypts it`s code and uses a very simple register polymorphism code. The heuristic scanner of VirusWorkshop 6.1 isn`t able to detect this virus. The heuristic in VW6.2 is able to break the cryptcode. Comments............: We recieved this file from a sysop in the south of Germany. As it has a lot of similarities to the Ebola etc. viruses we suppose this programmer of this viruses comes from the south or east from Germany and has normal programming knowledge. The virus contains the string: '-=* Mutation Nation V1.0 by AIZ *=-' Same length and comparable stuff as in BBS-traveller etc. --------------------- Agents ------------------------------------------- Countermeasures.....: VW6.2�, VT2.84� above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hannover, Germany 25.05.1996. Classification by...: Markus Schmall and Heiner Schneegold Documentation by....: Markus Schmall (C) Date................: May,25. 1996 Information Source..: Reverse engineering of original virus Copyright...........: This document is copyrighted and may be not used in any SHI publication ===================== End of Mutation Nation ========================= Greets Markus Schmall
Hi All.. There is a new trojan out that will change the names on the files in your system, please do not execute this program. Here is some info about this archive: Archive Name.......: dph-vos.lha Archive Size.......: 225750 Bytes (lha.Packed) Trojan File Name...: Voxel_Svind.exe Trojan File Size...: 179860 Bytes Here is the File-Id.DIZ from the archive: /\___ /\___/\_/\____/\ \___ \/ ___/ _ \_ _/ /_ / // / __// ___// // _ \ presents /____/\___/\_\ \_\_//_/ .our.new.demo. VOXEL SVIND! This archive is on it's way to every wellknown antivirus programmer. Regards.... __ __ /// Jan Andersen FidoNet: 2:236/120.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VH BBS : +45 4659 6867
Hi All.. Well.. Martin Wulffeld has just released a new version of his great text reader. And whitin a few hours a Cracked version was out. But the trojan 'Alfons Eberg 2.0' (Another WireFace trojan) is in the archive. It is said to be an 'HF-INTRO', if you start this intro, it will fuck up your system. Delete this intro and you have no problems. File_Id.Diz: .----/ / /___\-------------------------. |:::/ __ /___\/ AdVoCaTe Of | |::/ / / \_/ HELLFiRE TOOL DiViSiON | |:/___/___/\___\ CRACKED | +-\___\___\/___/---------------------------+ + Vinci 2.4 + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+ + A cool textviewer with lots of features + + Check it out! REGISTER + And some info about the archive: Archive Name.......: hf-vc24.lha Archive Size.......: 210068 Bytes (lha.Packed) Trojan File Name...: HF-INTRO.EXE Trojan File Size...: 2876 Bytes Hmm.... just thinking, I guess that 'AdVoCaTe Of HELLFiRE' should check there intro for virus, before releasing archives...... Regards.... __ __ /// Jan Andersen FidoNet: 2:236/120.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VH BBS : +45 4659 6867
Lately the HitchHiker 3.00 linkvirus appeared and everybody was searching for an installer. One day for the release of VirusWorkshop 6.2 the archiv patchhh.lzx with the following File_ID.DIZ arrived at my place: PatchHH 1.0 by ZIB. This anti-virus util will stop the propagation of all known Hitch-Hiker viri. (1.10/2.01/3.00). Not THAT user-friendly but it was made in a fucking hurry.....(So no local support ! :)) ... I was very surprised, because ZIB was the fourth name in the dedicated list of HitchHiker 3.00 and I don`t know that person. The document looks like this: ----------------------------- Here's a little utility that will stop the propagation of the Hitch-Hiker virus series (currently 1.10/2.01/3.00). This proggy will write $ABBAFAB4 into Exec's LastAlert so the viri mentioned above will not start their devious work. When a version of HH is already active you'll get a warning. It's better of course to get the latest virus-killer. Like VirusZ or VT, however at the time I wrote this proggy only VT recognised 2.01 and none of them 3.00. Hope I spared you a lot of probs with this proggy :) ZIB. Sounds like a viruskiller. In reality some names of C: programms will be decrypted (including the string United ForceS...WHY ALWAYS UFO ????) and this files will be infected from this nasty linkvirus. -Markus
Hi All..... This time I have got some bad news for you. The guy's from 'CoP' are back, with the same shit as always. A program that rewrites everything in your systems DEVS:, LIBS:, and S: dir's with a file 41 bytes long. In this file you can read: FausT / cIRCLE oF pOWER'95 - TRUE POWER! The archive names is these new CoP trojan's are: Archive name.....: HF-TETA1.LHA Archive size.....: 646347 bytes Trojan name......: TETRIS.EXE Trojan size......: 21244 bytes File_Id.Diz......: _ ____________________________________ / I \_ ___\ / / ___\__/____ \_ __/ / _ / __)/ /\ /\ _// \| / // __) / ! / ! / / / / \ |/ | \ \ ! \ \___! \____\____\____/ |\____| |\__\____/ ----| \--------| |-----| |PreSENtS TETRIS ATTACK *FULL RELEASE* [1/2] Archive name.....: HF-TETA2.LHA Archive size.....: 550826 bytes Trojan name......: TETRIS.EXE Trojan size......: 21244 bytes File_Id.Diz......: _ ____________________________________ / I \_ ___\ / / ___\__/____ \_ __/ / _ / __)/ /\ /\ _// \| / // __) / ! / ! / / / / \ |/ | \ \ ! \ \___! \____\____\____/ |\____| |\__\____/ ----| \--------| |-----| |PreSENtS TETRIS ATTACK *FULL RELEASE* [2/2] Don't start these programs..... We hoped that the shitheads behind 'CoP' had grown up, and left the kindergarden, but we must be wrong..... Regards.... __ __ /// Jan Andersen FidoNet: 2:236/120.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VH BBS : +45 4659 6867
Hi All..... Well, there is a new littel trojan out, that will format your system if you run the 'sucker'. In the file-Id.diz you can read "Small...(~3k)", well it is packed with PowerPacker v4.0 after unpacking it the file size is 20200 bytes. If you take a closer look in the file you can read: run >NIL: hdprotect.data run >NIL: format drive dh0: name LURAD run >NIL: format drive dh1: name LURAD QUICK run >NIL: format drive dh2: name HOR_UNGE QUICK Here is a littel info about this archive: Archive name.....: HDPRO624.lha Archive size.....: 40590 bytes Trojan name......: HDprotect Trojan size......: 20200 bytes unpacked Trojan size......: 3984 bytes packed File-Id.Diz......: HD PROTECT V6.24 Track protect any HD Boot protect any HD Have three different Passwords Nice bootup picture Creat logfile to (ANY PATH:) Small...(~3k) Don't start this programs..... Thanx to Dennis Bay for the first warning about this 'sucker'..... Regards.... __ __ /// Jan Andersen FidoNet: 2:236/120.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VH BBS : +45 4659 6867
Hi All..... Well, there is a new littel trojan out, that will do some strange things to your system. The way it is done, looks like the 'CoP' guy's again. The archive "HF-CED40.LHA" is said to be "CygnusEd v4.0", and I guess that if anyone thinks that a new update of CED only has the size of 53380 bytes when v3.5 has a size of 156108 bytes, that is to much... Also if you take a look inside the archive you can read 'AMOS' many times, and the guys behind 'CED' do not program in AMOS.... Here is a littel info about this archive: Archive name.....: HF-CED40.LHA Archive size.....: 40316 bytes Trojan name......: CygnusEd Trojan size......: 53380 bytes File-Id.Diz......: _ ____________________________________ / I \_ ___\ / / ___\__/____ \_ __/ / _ / __)/ /\ /\ _// \| / // __) / ! / ! / / / / \ |/ | \ \ ! \ \___! \____\____\____/ |\____| |\__\____/ ----| \--------| |-----| |PreSENtS [----------------------------------------] Cygnus Editor Pro v4.0 HOT UPDATE! [----------------------------------------] Don't start this programs..... Regards.... __ __ /// Jan Andersen FidoNet: 2:236/120.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VH BBS : +45 4659 6867
Hi All..... Well, there is a new littel trojan out. I have for the last 3 hours been trying to infect my system with this 'sucker' but it will not. Maybe the reason is something with AMOS, if you read inside the program, you can find the text AMOS many times. The trojan type is just like the HF-CED40.LHA (CygnusEd 4.0) trojan, it is the same crap you can read in the archive. Here is a littel info about this archive: Archive name.....: tbl-abdu.lha Archive size.....: 369928 bytes Trojan name......: Abducted Trojan size......: 53408 bytes File-Id.Diz......: the black lotus " abduction " small demo dedicated to x-files Another thing about this 'sucker', there are 5 .bin files in the archive but here is what these .bin files really are: Abducted1.bin : HotHelpLibrary 3.00 Abducted2.bin : muimaster.library 16.160 (1996/07/21) Abducted3.bin : RUSH 37.4908 (1993/07/18) Abducted4.bin : wizard.library 37.137 (1996/07/ 3) Abducted5.bin : gtlayout.library 32.3 (1996/01/14) Don't start this programs..... Regards.... __ __ /// Jan Andersen FidoNet: 2:236/120.0 \\/// -------------- AmyNet : 39:141/142.0 \XX/ VIRUS HELP DENMARK VH BBS : +45 4659 6867
Hi All..... Well, there is a new linkvirus out. It is a new "Happy New Year 97" link virus. At this time there is no known installer of this new virus, only an infected archive. Here is some info about the infected archive: Archive name.....: darkfuck.lha Archive size.....: 9820 bytes (ripped for BBS adds) Infected name....: NOTRICK.EXE Infected size....: 9256 bytes (packed with Stonecracker) File-Id.Diz......: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! LESEN UND VERBREITEN!!!!! DARKLORD HAT EIN NEUES HANDLE! BZW. GLAUBT MAN JEDENFALLS!!! MEIN FREUND WURDE AUCH GEBUSTET !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! VT will be released on Sunday the 22 of December 1996, and it will be abel to clear infected files. In an ohther warning about this achive it is said to contain an new "AFFE" virus, but that is not true. Click Here to read Markus Schmall test of HNY Virus. Thanx to Markus Schmall for info about 'HNY 97' Don't start this programs..... Regards.... __ __ /// Jan Andersen FidoNet.: 2:236/120.0 \\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
Hi All..... Well another archive has been spread with the new 'Happy New Year 97' link virus. Just use VirusWorkshop v6.4 or VT v2.94, to remove the virus. 4 programs in the archive is infected with the virus: Here is some info about the infected archive: Archive name.....: TBF-F175.LHA Archive size.....: 305454 bytes (ripped for BBS adds) Infected name....: AmFTP/AmFTP (Infected size: 116124) AmFTP/AmFTP020 (Infected size: 115700) AmFTP/AmFTPPrefs (Infected size: 33308) AmFTP/RegisterAmFTP (Infected size: 37036) File-Id.Diz......: ___________. ________________ ____________� _) l__\______ /_) _) \. ./ |/ __/| ./ | | _l\ \ | |__________|______\__________//______+sD+ . . | AMFTP V1.75 [68000 & 020+] *CRACKED* | | Cracker : rEdCROW^tBF | | ReleaseDate : 19.02.97 | | | `---------------------------------------' Don't start this program..... Click Here to read Markus Schmall test of HNY Virus. Regards.... __ __ /// Jan Andersen FidoNet.: 2:236/120.0 \\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
Hi All..... Well, another linkvirus has seen the daylight. It is a new version of the known "HitchHicker", the new virus has been named "HitchHicker 4". If you look inside the infected file, within the first 100 bytes you can find a text saying "CopyCat Decruncher V1.01", this file is infected with this new string of "HitchHicker 4" link-virus. At this time the only killer to remove this sucker is Heiner Schneegold's 'VT v2.95' viruskiller. But I'm sure that the other major viruskillers, will find it in the next update. The first known archive with this virus in it is: MAPUS200.LZX Here is some info about the infected archive: Archive name.....: MAPUS200.LZX Archive size.....: 37529 bytes (ripped for BBS adds) Infected name....: Mapus/Bin/MaPuS.200 Infected size....: 21156 bytes File-Id.Diz......: mapus 2.0 the dms checker Virus Removal....: VT v2.95, by Heiner Schneegold. (VT295K.LHA) Read Markus Schmall's test of Hitch Hiker v4.11 link-virus. Regards.... __ __ /// Jan Andersen FidoNet.: 2:236/120.0 \\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
Entry...............: HitchHiker 4.11 Alias(es)...........: CopyCat Decruncher 1.01 Virus Strain........: - Virus detected when.: Febuary 1997 where.: Germany and Italy Classification......: Linkvirus,memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: ca. 3052 Bytes 2. Length in RAM: 3500 Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04+ (V37-V40) Computer model(s)...: all models/processors (MC68000-MC68060) The virus heavy problems with the 060 cache --------------------- Attributes --------------------------------------- Easy Identification.: - Type of infection...: Self-identification method in files: - length of hunk 1 Self-identification method in memory: - test for the changed jump command from Exec PutMsg() and a longword in the trapcode. System infection: - The entryjump of Exec PutMsg() will be patched to a trap code. - A new trapcode will be installed. - a process with a library name will be started, which installs the patches again Infection preconditions: - HUNK_HEADER is found - device is validated - to be infected file is bigger than $be8 - 10 free diskblocks Infection Trigger...: The infection is based on the packet handling system of AMIGA OS. Every started file will be infected. All synchron dos commands are affected. Storage media affected: all DOS-devices Interrupts hooked...: A trapvector in the vectorbase will be changed Damage..............: Permanent damage: - none Transient damage: - The stealth/fileinfect engine performs a wrap around copy of the originalfile as we saw it already in the BEOL3 virus, which source was made public by the programmer. Damage Trigger......: Permanent damage: - none Transient damage: - infecting a file Particularities.....: The crypt/decrypt routines are not 100% aware of processor caches. The packet handling works in even on the new developer OS versions, but some codes have problems with task functions. The virus is incompatible to the new versions of EXEC, as it uses some commands only legal in V37-V41 versions of the task handling. The virus tunnels doscall watcher like SnoopDos etc. by using only lowlevel packet routines. Similarities........: The link method has been seen in the BEOL3 linkvirus already. A new hunkheader will be added and the origfile will be seen as datahunk. In this way the virus doesnt need to perform a errorfull hinkcorrection. The first codehunk contains the virus itself. Stealth.............: Second working directory and file stealth code in a virus. Armouring...........: The virus is not armoured with a special tricky crypting code. By adding the strings "CopyCat Decruncher 1.01" and "FLK!" and "-TRSi-" the virusprogrammer wanted probably hide his actions as the first 20 bytes of the hunk could really look like an unpacker. Some parts of the code will be manipulated online (data reuse) and some functions refuses to work properly in a testsuite. Specialities........: As always the virus contains a crypted part: 'The Bastard is Back!',$0A 'The Hitch-Hiker',$0A '- Version 4.11 ',$0A 'Greetings going like a scrolltext in the sky to:' 'Georg, Heiner, Markus, Johann, Pius, Zib, Ariel,' 'InFekt, UFO and all the guys on #amielit' 'Not yet deactivated by Flake!' The last string depends probably on my removal code for the hitchhiker 3 linkvirus, which overwrote parts of the virus with a special other string. --------------------- Agents ------------------------------------------- Countermeasures.....: VT 2.95, VW 6.5 above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hannover, Germany 01.03.1997. Classification by...: Markus Schmall Documentation by....: Markus Schmall (C) Date................: Mar, 01. 1997 Information Source..: Reverse engineering of original virus Copyright...........: This document is copyrighted and may be not used in any SHI publication ===================== End of HitchHiker 4.11 Virus =========================
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Well, we do not know much about this trojan. We have been looking all over the world for this archive, but we can not find it. If you have it, please send it to us. Here is some info about the infected archive that we know of: Archive Name.... : dcn-ib2.lha Archive size.....: ? Infected name....: ? Infected size....: ? File-Id.Diz......: Ibrowse v2.0 If you have this archive, Send it to us !!!!!! Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:236/120.0 \\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Hi All..... Well, another linkvirus has seen the daylight. It is a new version of the known "HitchHicker", the new virus has been named "HitchHicker 4". If you look inside the infected file, within the first 100 bytes you can find a text saying "CopyCat Decruncher V1.01", this file is infected with this new string of "HitchHicker 4" link-virus. At this time the only killer to remove this sucker is Heiner Schneegold's 'VT v2.95' viruskiller. But I'm sure that the other major viruskillers, will find it in the next update. The first known archive with this virus in it is: MAPUS200.LZX Here is some info about the infected archive: Archive name.....: MAPUS200.LZX Archive size.....: 37529 bytes (ripped for BBS adds) Infected name....: Mapus/Bin/MaPuS.200 Infected size....: 21156 bytes File-Id.Diz......: mapus 2.0 the dms checker Virus Removal....: VT v2.95, by Heiner Schneegold. (VT295K.LHA) Regards.... __ __ /// Jan Andersen FidoNet.: 2:236/120.0 \\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Hi All.... There is a new trojan out. It will replace your startup-sequence with a old VirusScanlist by Jan Hendrik Lots (size 4924), and it will replace your user-startup, with an Devil-Check2.0 Bugreport (Size 4660 bytes). The trojan is pretty lame. Here is some info about this trojan & archive: Archive name.....: IO4-INVI.LHA Archive size.....: 69396 bytes (ripped for BBS adds) Trojan name......: io4-invi/IO4-INVI.EXE Trojan size......: 63484 bytes (PowerPacked) - Unpacked 100348 bytes. File-Id.Diz......: ___ ____ ___ ___ __ .-//-/ /- / \------/ /--/ /-/ /-//--. | / / / / / / / / / // / / | | /__/ \____/ /__/ /_____/ | | | | Intel Outside 4 Invitation Demo! | | 12-13 JULI 1997 WLOCLAWEK | | | `------------------------------------------' Don't start this program..... Thanx to Mr. Heiner Schneegold, for checking this archive. I'm sure that the next version of VT will find this sucker.... Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:236/120.0 \\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! WARNING !!! Hi All.... There is a new trojan out. The trojan in inside Xtruder v3.5. If you use a fakekey or the keyfile "Alex Holst #5", Xtruder v3.5 will delete your SYS: partition. Virus Help Team Denmark can not support this kind of programming by an antivirus programmer, and will not support Xtruder with new viruses. Here is a copy of a letter that Martin Wulffeld mailed in Virus_Amy: >------------------------------ START LETTER ------------------------------ *** Area : VIRUS_AMY Date: 30 Jun 97 20:40:01 *** From : Martin Wulffeld (39:141/124.53) *** To : All *** About: Xtruder 3.5 Hi As some of you may know Xtruder 3.5 has done a bit of damage to peoples files. However, it has only affected those people who used a fake keyfile and hopefully also the criminal Bxxxx Pxxxxxxx (2:xxx/xx) who still owes my friend Alex Holst somewhere around 7000 Dkr. I hope all you fucknuts learned a lesson. From v3.6 and forward I will remove this behaviour. Peace out! . martin . kozmiq . [email protected] . . see ya at roskilde'98 . --- Spot 1.3a Unregistered * Origin: Roskilde'97 - FANTASTIC! (39:141/124.53) >------------------------------- END LETTER ------------------------------- Here is some info about this trojan & archive: Archive name.....: xtruder35.lha or xtrude35,lha Archive size.....: 447128 bytes (ripped for BBS adds) Trojan name......: Xtruder Trojan size......: 183700 bytes Unpacked. File-Id.Diz......: Xtruder 3.5 by Martin Wulffeld. This virus killer can detect more than 248 filevira. Has a screen mode- and font sensitive GUI along with a comprehensive ARexx interface and locale support. Don't start this program..... Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:236/120.0 \\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
Hi All.... There is a new trojan out. The trojan in inside a Fake Ibrowse v2.0 If you run Ibrowse a picture will be shown with a face, and a text that is telling you that ScareCrow has done damage to your system. When I tested the archive on my test system (68000), everything it did was to replace my userstart-up and startup-sequence, with a text file. If it does damage to other systems I don't know at the moment, but it will be testet very soon. Here is text: >------------------------------ START LETTER ------------------------------- ScareCrow Since i now have your undevided attention while you are trying to save what is left of your hard-disk i might as well begin. Your first question will be why? The why is becose i am playing a fair game with someone for some time now, his name is Jan Hendrik Lots of Virus Help team NL. He and his little buddies of AGA tryed to catch me last year with no succes, but what would you expect if you relay on their help lead by a clowns character calling himself KleinDuimpje. Yes, KleinDuimpje, you better start up that board again becose we havnt finished yet. Hunting season is open again fans, and these trojans i have been spreading are just mearly the beginning of it. i would also like to invite some of the people i admire: Nr. 1 is L.I.S.A. (lamers in serious agony) They did a great job, and they inspired me. Nr. 2 is C.O.P. (faust, circle of power) Damn, i loved that Tetris attack! Nr. 3 is smooth criminal aldo the boy has no taste, im inviting him to this party. What have i cooked up? i am planning to make a competition out of this, who ever wants to compete is invited. Who can make the most trojans and virusses, who can put down the most boards. Who can make the most hits and i am listing them all. The list will be released in a trojan by the end of each month. time to play. >------------------------------- END LETTER ------------------------------- I guess that Jan Hendrik Lots must know something about this guy, I'll get in contact with Jan Hendrik Lots and have a talk with him. Anyway, we know ScareCrow's real name, adress, phone number (the new one), and a lot of other things about this guy. Actions might be taken later on. Well...... But everybody should think before installing programs like this one. A new update of Ibrowse ?????. version 2.0 ?????. Don't install these programs that you are not 100% sure that is okay. If you want to, try and install the programs like this on on floppy disks, it takes a bit longer, but it might save your system........ Here is some info about this trojan & archive: Archive name.....: DCN-IB2.LHA or DCN-IB2.LZX Archive size.....: 595211 bytes (ripped for BBS adds) Trojan name......: Ibrowse Trojan size......: 327848 bytes Unpacked. File-Id.Diz......: /\ _ _ ___/ \___________(_)_______(_)__________ / ________ / ___/ \ _____/ ____ ____ \ / / / ___/ / / /\__ \/ / / / / / \____/\___________ __________ /\____/\_/\_/| .--aMiGA iLLEGAl--\/--------\/Rr!----------. | IBrowse 2.00 FINAL 68030+ | `----[1/1]------------------[28-04-97]-----' Don't start this program..... Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:236/120.0 \\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
Hi All.... There is an infected archive out. The archive is infected with a new string of the linkvirus "Happy New Year". It is said to be a patch for MUI written by Dave Jones. But Dave Jones didi not program this patch, some stupid guy must be trying to damage Dave's name. Pretty lame....... VT v2.99 by Heiner Schneegold (28.08.97), will find and remove this sucker. Here is some info about this trojan & archive: > ----------------------------- INFO START -------------------------------- Archive name.....: MUI020.LHA Archive size.....: 2709 bytes (ripped for BBS adds) Trojan name......: MUI_Patch Trojan size......: 2696 bytes (Unpacked). Archive text.....: ======================================================== Patch MUI 020+ version 1.1 by DJ (you know who!) ======================================================== ****** Usage: ****** Simply unpack the archive into a directory and run the MUI_Patch program which will then try to locate MUI:muimaster.library and make the necessary modifications/optimizations to the libraries internals for an increase in performance of some routines upto 35% ...Now when is Stefan going to release a truely written 020+ MUI??? > ------------------------------ INFO END --------------------------------- Pretty lame text. Don't start this program..... Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:236/120.0 \\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
Hi All.... There is a BBS trojan out. But the SysOp of the board has to run the program to start the trojan. After the trojan has been executet, it will delete the caller.log, that way you can't see what the trojan did. Then it will copy the user.dat to Libs: as TTA.library. In that way the sysop will have to be fool'ed to give the 'hacker' the TTA.library (renamed user.data). VT v2.99, VirusZ II v1.39, VirusWorkshop v6.6 and FastViruskiller v1.8, will find this trojan.... Here is some info about this trojan & archive: > ------------------------------- INFO START -------------------------------- Archive name.....: DEC-SCP.LHA Archive size.....: 41892 bytes (ripped for BBS adds) Trojan name......: AmixHack0.Exe AmixHack1.Exe AmixHack2.Exe AmixHack3.Exe AmixHack4.Exe� Trojan size......: 8348 bytes (11644 bytes Unpacked). File id.Diz......: .................................. . ______ _____ _____ _____ _____ . .| | | | | |. .| ___| __| O | O | O |. .|___ | | | | ___|. .|______|_____|_____|_____|_|..... .................................. .....sCOOP V1.0 - /X hACKER....... .................................. ........mADE bY dECODER........... .................................. .................................. ......DO NOT RUN ON YOUR HD!...... > -------------------------------- INFO END --------------------------------- Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:236/120.0 \\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
Hi All.... There is a link-virus out. It is a new version of "HitchHicker", this time it is up to v4.23. At this time none of the big antivirus programs can find and remove it, but the programmers has recived an infected file, so in the new updates the removal code should be included. I have now recived four archives with this new link-virus, so there is a pretty good chance that the "HitchHicker v4.23" is on the run. So take care of what you execute. Gideon Zenz the programmer of AntiBeol, has made a small update of his anti virus program AntiBeol v1.33a. In the archive of v1.33a, is there a tiny tool which desinfects files, the virus only gets disabled, not removed. But this in the only program that will find the HitchHicker v4.23 linkvirus right now. This program is availble from VHT-DK BBS or our Homepage: http://home4.inet.tele.dk/vht-dk After this warning was send out the first time, also VT v3.00 and FastVirus- Killer v1.10, VirusWorkshop v6.7 is now abel to find and remove this virus. Read also Markus Schmall's test about HitchHiker v4.23 Here is some info about the four infected archives: > ------------------------------- INFO START -------------------------------- Archive name.....: DC-AmFTP.lha (or lzx) Archive size.....: 117186 bytes (ripped for BBS adds) Infected File....: AmFTP Infected Size....: 119148 bytes (Unpacked). File id.Diz......: AmFTP 1.90 (1997/09/10) Archive name.....: IDEFix191.lha (or lzx) Archive size.....: 117186 bytes (ripped for BBS adds) Infected File....: IDE-fix/c/IDEfix 26620 Bytes (Unpacked). Infected File....: IDE-Fix/l/CacheCDFS 38312 Bytes (Unpacked). File id.Diz......: .________________ ____�____ ( _____/__ - ------------- _/ ___/ _/\_ T �\_ � diGiTAL � .-\ �/ 7--7 l / � cORRUPTiON � | \____.-----� �----.____/------- - - - | ����� ����� | IDEfix97 v1.91 - CDROM driver software | Cracked 100% | | IMPORTANT! READ THE .NFO FILE! | `-[10/09/97]-------------------------[ 7eN ] Archive name.....: MSR-A71P.lha (or lzx) Archive size.....: 224271 bytes (ripped for BBS adds) Infected File....: AmIRC1_71/AmIRC 209540 bytes (not packed) Infected File....: AmIRC1_71/AmIRC020 208564 bytes (not packed) File id.Diz......: -mSR'97- ________ () _____________ ______| _|___()___| ____ / | __ | / / ______/| | ____/_ .- |_____\__/___/_________ |____|_______/ | - --mYSTERiOUS- - /__________|-wARPsTAH!. | | AmIRC 1.71 Keyless 100 %!!! | Exe's only !!! | `-[10-09-97]---------[1-1]---------[lIZARD] Archive name.....: slt-m21g.lha (or lzx) Archive size.....: 852280 bytes (ripped for BBS adds) Infected File....: Miami/Miami.000 415384 bytes (not packed) Infected File....: Miami/Miami.020 410516 bytes (not packed) File id.Diz......: _ _____ ____ _____ _ _______________. // /___/ /___/ \_ | .\___ \ / \_ _/ ShEltER 1997 || | / ___/________/_____| �| |____/----sTZ!/sE--------------------------' : | Miami 2.1g - 000/020/MAIN/EVA + KEYS | `-(o9/o9/97)--------------------(FUCK^YOU)-> > -------------------------------- INFO END --------------------------------- Thanx to Gideon Zenz, for the fast test of HitchHicker v4.23. Thanx to Ramon, for sending the archives to me... Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:236/120.0 \\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
Entry...............: HitchHiker 4.23 Alias(es)...........: HitchHiker 4 Virus Strain........: - Virus detected when.: September 1997 where.: Germany, Denmark and England Classification......: Linkvirus,memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: ca. 2912 Bytes 2. Length in RAM: 3200 Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04+ (V37-V40) Computer model(s)...: all models/processors (MC68000-MC68060) The virus has problems with higher processors and OS versions --------------------- Attributes --------------------------------------- Easy Identification.: - Type of infection...: - linkvirus. It changes the whole files to 2 hunked file and copies 2908 bytes from the filestart to the end Self-identification method in files: - checks for $DEAD at a special fileposition. In this way the stealth mechanism is locating the infected files, too. Self-identification method in memory: - test for the changed jump command from Exec PutMsg() System infection: - The entryjump of Exec PutMsg() will be patched to a trap code. - A new trapcode will be installed. - tries to modifies entry points of the bsdsocket.library, which is used by connectiontools like AmiTCP and Miami. Infection preconditions: - HUNK_HEADER is found - device is validated - to be infected file is bigger than 2908 (exact viruslength) - 10 free diskblocks Infection Trigger...: The infection is based on the packet handling system of AMIGA OS. Every started file will be infected. All synchron dos commands are affected. Storage media affected: all DOS-devices Interrupts hooked...: A trapvector in the vectorbase will be changed Damage..............: Permanent damage: - none Transient damage: - The stealth/fileinfect engine performs a wrap around copy of the originalfile as we saw it already in the BEOL3 virus, which source was made public by the programmer. Damage Trigger......: Permanent damage: - none Transient damage: - infecting a file Particularities.....: The crypt/decrypt routines are not 100% aware of processor caches. The packet handling works in even on the new developer OS versions, but some codes have problems with task functions. The virus tunnels doscall watcher like SnoopDos etc. by using only lowlevel packet routines. Similarities........: The link method has been seen in the BEOL3 linkvirus already. A new hunkheader will be added and the origfile will be seen as datahunk. In this way the virus doesnt need to perform a errorfull hinkcorrection. The first codehunk contains the virus itself. Stealth.............: Second working directory and file stealth code in a virus. Armouring...........: The virus is not armoured with a special tricky crypting code. Specialities........: As always the virus contains a crypted part: "LHALZXZOOZIP" "bsdsocket.library" "POST" "DATA" "QUIT" "The Hitch-Hiker 4.23 - Generation #00001036" The first string is for the special ability to keep the files infected, even if they get crunched. This trick, which was used to remove common pc stealth linkviruses is not working here. --------------------- Agents ------------------------------------------- Countermeasures.....: VT 3.00, AntiBeol 1.33, FastKill and VW 6.7 above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hannover, Germany 26.09.1997. Classification by...: Markus Schmall Documentation by....: Markus Schmall (C) Date................: Sep, 29. 1997 Information Source..: Reverse engineering of original virus Copyright...........: This document is copyrighted and may be not used in any SHI publication ===================== End of HitchHiker 4.23 Virus =========================
Hi All.... There is a new trojan out. It is said to be a killer for "Ebola 97'" virus, but this is just a fake. The trojan will replase every file in SYS: with a file 10 bytes long, where you can read "LiSA FUCKUP v3.0". In the archive there is a read.me text, with a description of how to get this trojan to work, but you better not do it. This trojan have been send to all the major anti-virus programmers in the world, and will be included in the next update. So until, then take care... Here is some info about the trojan archive: > ------------------------------- INFO START -------------------------------- Archive name.....: SEBOLA97.LHA (or lzx) Archive size.....: 5856 bytes (ripped for BBS adds) Infected File....: ScanEbola97 Infected Size....: 7004 bytes (Unpacked). File id.Diz......: ScanEbola97: Scans your hard-drive for the Ebola97-virus. > ------------------------------- INFO END ---------------------------------- Thanx to Heiner Schneegold, for the fast test of this trojan. Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:236/120.0 \\/// -------------- AmyNet..: 39:141/142.0 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
Hi All.... Another archive has been found around the world, that is infected with the link-virus "Hitch Hiker v4.11" link-virus. In the archive seven files is infected with "Hitch Hiker" virus. All you got to do is to run one of the major antivirus programs, and let the killer remove this virus. Here is some info about the trojan archive: > ------------------------------- INFO START ------------------------------ Archive name.....: NUP-SLOS.LHA (or lzx) Archive size.....: 223697 bytes (ripped for BBS adds) Infected File....: Scalos (109500 bytes) Scalos/prefs/Scalos (39916 bytes) Scalos Menu (26916 bytes) Scalos Palette (16968 bytes) Scalos Pattern (21452 bytes) Scalos/tools/OpenLocation_CA (11776 bytes) OpenLocation_MUI (6580 bytes) File id.Diz......: _____ _________ / /___ _________ / \_/ / \_/ \_ .:.:/ ___ / / / / /.:. :::/ / / / / /____/:::: ::/______/ /___________/______/:::::::::: .-------/____/-[pRESENTS]------------------. | | | S � C � A � L � O � S | | | | vERSION 39.154 - nICE wORKbENCH rEPLACE! | | | `-[ #37 ]---------------------[ 10/27/97�]-' > ------------------------------- INFO END -------------------------------- Thanx to Darryl Peters, for the info about this archive. Read Markus Schmall's test of Hitch Hiker v4.11 link-virus. Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:237/38.100 \\/// -------------- AmyNet..: 39:140/127.100 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
Hi All.... Another archive has been found around the world, that is infected with the link-virus "Ebola" link-virus. In the archive, two files is infected with this "Ebola" linkvirus. All you got to do is to run one of the major anti- virus programs (VirusZ, VT and VirusWorkshop), and let the killer remove this virus. Here is some info about the trojan archive: > ------------------------------- INFO START ------------------------------ Archive name.....: PSY-HAL.LHA (or lzx) Archive size.....: 294041 bytes (ripped for BBS adds) Infected File....: halloween/Copy (6612 bytes) /play (20048 bytes) File id.Diz......: PROPHESY PRESENT HALLOWEEN DEMO 97 entitled "Trick or Treat" > ------------------------------- INFO END -------------------------------- Thanx to Jon Adams, for the info about this archive. Read Markus Schmall's test of the Ebola Virus Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:237/38.100 \\/// -------------- AmyNet..: 39:140/127.100 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
Hi All.... A new link-virus has been spread the last days. At this time no viruskiller is abel to find and kill this sucker. The virus has been send to all the major AntiVirus programmers, so it is only a matter of time, before the viruskillers can find and remove this 'sucker'. There is no known program or archive that spreads this new virus. All that we know of this new virus, is that it will add 1260 bytes to all programs that is executed. And with in these 1260 bytes that is added you can read "TRSi". Well, I don't think that TRSi has anything to do with this. As soon as a killer is released that will kill this virus, we will let you know so check your contacts or our homepage. Heiner Schneegold, programmer of VT has made a quick test of this sucker, and here is what he found out: ZIB-Virus verbogener Vektor: Loadseg LastAlert: "TRSi" Eigener Process: ZIB Fileverlaengerung: #1260 Bytes Link hinter 1.Hunk RTS wird in bra.s umgewandelt falls bsdsocket.lib vorhanden, Veraenderungen Well, this is all we know for now. After we wrote the warning, a few killers has been updated so the they will be abel to find and kill this "ZIB" virus. VT v3.01 (30.11.97) - Heiner Schneegold FastVirusKiller v1.12 (29.11.97) - By Dave Jones AntiBeol v1.34a (29.11.97) - By Gideon Zenz KillAnother v1.00 (29.11.97) - By Harry Sintonen You can download these killers from our homepage or support BBS. Thanx to Dave Jones, Harry Sintonen and Jakob Anderson for sending this new virus to us. It is on it's way to all major antivirus programmers. Click here to read Markus Schmall's test of the ZIB virus. Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:237/38.100 \\/// -------------- AmyNet..: 39:140/127.100 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
Hi All !!! After many month, and we have been looking for this archive all over the world, we finally got it. Thanx to John. Well if you belive this archive, it is said to remove the Hitch Hiker virus but what it does is, that it will install the Hitch Hiker v2.11 link-virus in your system. Okay here is a little test of it: > ------------------------------- INFO START ------------------------------ Archive name.....: kilhitch.lha (or lzx) Archive size.....: 7765 bytes (ripped for BBS adds) Infected File....: removehitcher/KillHitcher Infected size....: 3000 bytes. File id.Diz......: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! Have you got probs. with the HitchHiker! !! virus? It's a link-vir that can corrupt ! !! your archives....brand new and not kill-! !! able with VirusZ or VWS or VT or any ! !! other killer.. Except this one..Brought ! !! to you by Blister/PP and MAX/PP ! !! Download and be happy!!!!!!!!!!!!!!!!!!!! > ------------------------------- INFO END -------------------------------- Thanx to John for mailing us this archive. Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:237/38.100 \\/// -------------- AmyNet..: 39:140/127.100 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
Hi All.... Well, now we finaly found the archive that installs the "ZIB" link-virus. It s the command 'spatch' that will install this link-virus. I don't think that this version of 'spatch' came from GP Soft, some one have replaced the orginal 'spatch' with the installer version. So there for, take care when ever you meet the 'spatch' in an archive, and if the size is 16716 bytes, don't use it. Here is some info about this archive: Archive name...: opus566p.lzx Archive size...: 138502 bytes (LZX packed) Infector name..: spatch Infector size..: 16716 bytes (not packed) Archive info...: Directory Opus 5 Magellan version 5.66 to 5.661 Upgrade Patch. (fake archive) At ths time, no viruskiller will find this infector. But some of the anti- virus programs, will find and remove this 'ZIP' virus: VT v3.01 - By Heiner Schneegold FastVirusKiller v1.12 - By Dave Jines AntiBeol v1.34a - By Gideon Zenz Killanother1 v1.0 - By Harry Sintonen. Thanx to Jakob Anderson for sending us this archive. Click here to read Markus Schmall's test of the ZIB virus. Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:237/38.100 \\/// -------------- AmyNet..: 39:140/127.100 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
Entry...............: ZIB Alias(es)...........: none Virus Strain........: - Virus detected when.: December 97 where.: Germany Classification......: Linkvirus,memory-resident, not reset-resident Length of Virus.....: 1. Length on storage medium: ca. 1260/1264 Bytes (uses a polymorphic technic) 2. Length in RAM: xxxx Bytes --------------------- Preconditions ------------------------------------ Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+) Computer model(s)...: all models/processors (MC68000-MC68060) --------------------- Attributes --------------------------------------- Easy Identification.: none Type of infection...: Self-identification method in files: - none Self-identification method in memory: - searches for "TRSi" at LastAlert(Exec) System infection: - infects the following functions: Dos LoadSeg(), bsdsocket.library baseptrs Infection preconditions: - HUNK_HEADER and HUNK_CODE are found - device is validated - File must be smaller than $1e848 bytes Infection Trigger...: Accessing files via LoadSeg() It`s a typical infector. It cannot be rated as fast infector as it only infects at the above mentioned operations. Slow polymorphism technology or stealth techniques wasn`t found in this one. Storage media affected: all DOS-devices Interrupts hooked...: None Damage..............: Permanent damage: - none Transient damage: - none Damage Trigger......: Permanent damage: - none Transient damage: - None Particularities.....: The crypt/decrypt routines are partly aware of processor caches. The cryptroutine are non-polymorphic and consists of some logical stuff. The cryptword is $BABE. Similarities........: The linkmethod is camparable to all the HNY viruses. It will be tried to step $3e words back and check for an "rts" or a "nop" at the hunkend. The use of the bsdsocket library etc. shows some equalities to the latest hitchhiker viruses. NOTE: The installer itself links a 4 byte longer part to the original "c:\loadwb" and uses 2 patchcodes. Most viruskillers does not recognize this correct. VT 3.03 is doing it 100% right and VW should so, too. Stealth.............: no stealth function found. Armouring...........: readable text is crypted with a normal eor loop. Specialities........: The virus sends mails to the virusworkshop mailinglist. The list can be accessed using the [email protected] account and was accessible even from external persons at that time. Now Vampire fixed this problem. The subject was: "Another 1 bites the dust" In the body the text: "Greetz to BEOL und BOKOR" can be found. The mail be remote send via the mailserver from the teuto.de domain via a special account. Comments............: The name ZIB appeared in the latest HitchHiker viruses, too. I suppose that this is somekind of virusclique pushing their actions. --------------------- Agents ------------------------------------------- Countermeasures.....: VT, VZ, FVK, VW above Standard means......: - --------------------- Acknowledgement ---------------------------------- Location............: Hildesheim, Germany 17.01.1998. Classification by...: Markus Schmall Documentation by....: Markus Schmall (C) Date................: Jan, 01. 1998 Information Source..: Reverse engineering of original virus Copyright...........: This document is copyrighted and may be not used in any SHI publication ===================== End of ZIB virus =========================
Hi All.... Another archive has been found around the world, that is infected with the link-virus "Ebola" link-virus. In the archive seven files is infected with "Ebola" virus. All you got to do is to run one of the major antivirus programs eg. VirusZ, VT or VirusWorkshop, and let the viruskiller remove this virus. Here is some info about the trojan archive: > ------------------------------- INFO START ------------------------------ Archive name.....: CPU-MV31.LHA (or lzx) Archive size.....: 108665 bytes (ripped for BBS adds) Infected File....: CPU-MULTIVIEW.LHA/MultiView (8772 Bytes) File id.Diz......: ________ ________ ____ t! _\ ._/_\_ / /---/_ _____________ _ / |_ /____/ / /// c . p . u \______/______| \________\ . . . MultiView (version 3.1) . 100% denerved! . . .10.12.97. .yELLOW wATER. > ------------------------------- INFO END -------------------------------- Thanx to Johnny Sandstroem, for the info about this archive. Click here to read Markus Schmall's test of Ebola link-virus. Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:237/38.100 \\/// -------------- AmyNet..: 39:140/127.100 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
Hi All.... A few archives has been found that contains "Happy New Year 96" and "Ebola" link-virus. All you got to do is to run one of the major antivirus programs eg. VirusZ, VT or VirusWorkshop, and let the viruskiller remove this virus. I found a warning written by 'CHILL' about these infected archives. And he wrote about a virus called 'Vera 2.3', I had never heard about this virus, I found the archive, and made a test of the file. Is NOT a virus/trojan it is a fail recog. by VirusZ II. I'll post a letter to the programmer, and I guess that it will removed in the next update. So there is NO virus in the archive 'DS-POC.LHA'. Here is some info about the infected archives: > ------------------------------- INFO START ------------------------------ Archive name.....: D-S_MK2.LHA (or lzx) Archive size.....: 2832772 bytes. Infected File....: MK2 Infected with....: Ebola Link-virus File id.Diz......: .---- \�����/ ___|__ / __/__ !!MERRY X-MAS!! .--./ / \____ \.--------------. |;)|_ /| ___/ |mORtAL kOMbAT2| | /_________\^/ ! ORG. PAL VER | | <- - -- --- -----! hD Fixed | | hAvE PhUN!!!!! | `--------------------------[17.12.97]-' Click here to read the Ebola Test by Markus Schmall. Archive name.....: D-S_ZW2.LHA (or lzx) Archive size.....: 488796 Bytes Infected Files...: Zeewolf2_HD Z2Boot Infected with....: Ebola Link-virus File id.Diz......: .---- \�����/ ___|__ / __/__ !!MERRY X-MAS!! .--./ / \____ \.--------------. |;)|_ /| ___/ | Zeewolf iI | | /_________\^/ ! | | <- - -- --- -----! hD Fixed | | hAvE PhUN!!!!! | `--------------------------[17.12.97]-' Click here to read the Ebola Test by Markus Schmall. Archive name.....: ORG3_3.LHA (or lzx) Archive size.....: 569935 bytes. Infected File....: aSCi.exe Infected with....: Happy New Year 96 Link-virus File id.Diz......: _ _ _ ___ _____ ______ __ __ _( _(____( ___(____) /___) \/ (_. \______ (/�_ / � _ \/ �| / �\) ______\ _. /) /__/ | /_______( \_( |______/ /_____| sCUm pRESENTs - oRGAZm iSSUe #3 3/3 _ ________________________________ _ Click here to read the HNY 96' Test by Markus Schmall. > ------------------------------- INFO END -------------------------------- Thanx to Chill, for the info about this archives. Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:237/38.100 \\/// -------------- AmyNet..: 39:140/127.100 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected]
Hi All.... Happy New Year 98 to you all. There is a little more behind these words, a new linkvirus has been found, and it is " Happy New Year 98 ". It will add 920 bytes to every executed file. You can within the last 30 bytes of the infected file read "Happy New Year 98". We do not know of any installers or infected archives with this new virus, so if you find the installer, please mail it to me. The famos virus-killer VT by Mr. Heiner Schneegold has now been updated to version 3.03, and it will find and remove the Happy New Year 98' virus. You can get the VT v3.03 archive from our homepage, or a BBS near you. Thanx to Gerald Schnabel for sending us the infected file. Read about the first found archive infected with "Happy New Year 98" virus. Regards.... __ VirNet..: 9:451/247.0 __ /// Jan Andersen FidoNet.: 2:237/38.100 \\/// -------------- AmyNet..: 39:140/127.100 \XX/ VIRUS HELP DENMARK E-Mail..: [email protected] http://home4.inet.tele.dk/vht-dk
Hi All.... The first infected archive with the new "Happy New Year 98" linkvirus has now been found. We don't think that this archive is the installer of this new virus, so I guess that we are still looking for the it. If you find it, plaese mail it to us, or supload it to one of our support BBS'es. If your system has been infected, plaese use VT v3.03 to remove it. Here is some info about the infected archives: > ------------------------------- INFO START ------------------------------ Archive name.....: w9-sex.lzx Archive size.....: 187786 bytes (Ripped for BBS adds). Infected File....: SeXtrO Infected Size....: 212396 bytes (Packed with CrunchyDat 1.0) 892996 bytes (unpacked) Infected with....: Happy New Year 98 Link-virus. File id.Diz......: ______ _____ ______ ______ _\ /__\ _\ __ \_\ __ \ /_ / ( / / / /n _ / _ i \___ ___/ \ \ n ry! \__ /____\/____\ ___\ e ______ _ W A R P 9 _ _____ | p.r.e.s.e.n.t.s | | - - ------------- - - | | S E X T R O | | | | TiTTEN-TuSSiS-GuTe LAUNe | | | `-[W9]--- - - --------' > ------------------------------- INFO END -------------------------------- Thanx to Ramon, for sending this archive to us. Read our first warning about the "Happy New Year 98" virus. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... Another infected archive with the new "Happy New Year 98" linkvirus has now been found. We don't think that this archive is the installer of this new virus, so I guess that we are still looking for the it. If you find it, plaese mail it to us, or supload it to one of our support BBS'es. If your system has been infected, plaese use VT v3.03, VirusWorkshop v6.8 Virus_Checker II v1.1 (brain v2.2), VirusZ II v1.42 (bug-Fixed) and also FastVirusKiller v1.17 to remove it. Here is some info about the infected archives: > ------------------------------- INFO START ------------------------------ Archive name.....: CNS-BGE.LHA Archive size.....: 35564 bytes (Ripped for BBS adds). Infected File....: BGEDIT/BGEDIT Infected Size....: 27068 bytes (Packed with CrunchMania Normal) Infected File....: BGEDIT/LIBS/iff.library 4080 bytes (not packed) Infected with....: Happy New Year 98 Link-virus File id.Diz......: ___ ______ __ __________ _____ / | .\ \| | _/ .\ | __/ / ._|_ | \ \ |__ \ | \ -|-._)_ \ ` / ` \ \ | \` \ | / \___/_____/_|__|____/___/___|_/ ((((( H E L L A M I G A )))))) | | | AMiGA-Tool to convert | | SNES, NES, SATURN, PSX, PCE! | |Graphics to IFF-AMIGA Format!! | | | `-------------------------------' > ------------------------------- INFO END -------------------------------- Thanx to Arne Jensen, for sending this archive to us. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... I'm sorry to say this, but I was to fast when I wrote about the archive 'CBS-ETIT.LZX' and the 'happy New Year 96' linkvirus. At this time only VT 3.04 and VirusZ II v1.42a can find this HNY-96 'hunk 11' virus. Thanx to Mr. Schneegold for correcting me in this matter.... Here is some info about the infected archives: > ------------------------------- INFO START ------------------------------ Archive name.....: CBS-ETIT.LZX Archive size.....: 27678 bytes (Ripped for BBS adds). Infected File....: CBS-Intro/Eternity.exe Infected Size....: 26736 bytes (Packed with StoneCracker 4.04) 58068 bytes unpacked. Infected with....: Happy New Year 96 link-virus (hunk 11) File id.Diz......: .__ .____.____.____.____.___ �._ �� | |_ /| /| /|_ /| /_|`---. �� .---�\__\` / ` / ` / ` / ` __/`/___|---. | - take us to your dealer! - | |presents: | | BBSIntro for ETERNiTY | | | `------------------------------------------' > ------------------------------- INFO END -------------------------------- Thanx to Johnny Hansen, for sending this archive to us. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... Well, I't looks like some little stupid guy someware in England, has been starting writing trojan's in AMOS. These trojan's are made to destroy the BBS system 'MAX'. It will delete almost every BBS file on the system, and also files like Startup-Sequence, c:dir and more. The guy behind these new trojans are a guy that calls himself "Cactus^Jack". And he must be trying to remove anything about him self, as this trojan is looking for a file with the name "bbs:userfiles/cactus", if this is found it will be deleted. This warning is for the archive "JC_SpiceGirls.LHA". If you run this shit, a picture will be shown on your screen, with the text: Juraccis Cactus Presents Spice Girls Megamix Byt here is some info about the trojan: > ------------------------------- INFO START ------------------------------ Archive name.....: JC_SpiceGirls.LHA Archive size.....: 60482 bytes (Ripped for BBS adds). Trojan File......: Jc-Spice.exe Trojan Size......: 111524 bytes (Packed with AMOS Pro Compiler v2.00) File id.Diz......: Jurasic Cactus Present Spice Girl Megamix Demo ! Coded By : c-jack Musax By : Bigo H release at The Gathering 97 demo comp > ------------------------------- INFO END -------------------------------- Thanx to Dave Buckley, for sending this archive to us. This archive is on it's way to every antivirus programmer, that accepts new viruses/trojans from us. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... Well, I't looks like some little stupid guy someware in England, has been starting writing trojan's in AMOS. These trojan's are made to destroy the BBS system 'MAX'. It will delete almost every BBS file on the system, and also files like Startup-Sequence, c:dir and more. The guy behind these new trojans are a guy that calls himself "Cactus^Jack". And he must be trying to remove anything about him self, as this trojan is looking for a file with the name "bbs:userfiles/cactus", if this is found it will be deleted. This warning is for the archive "nce-tri9.lha". Here is some info about the trojan: > ------------------------------- INFO START ------------------------------ Archive name.....: nce-tri9.lha Archive size.....: 47587 bytes (Ripped for BBS adds). Trojan File......: Trilobyte!_9.exe Trojan Size......: 46264 bytes (Packed with Powerpacker 4) 71468 bytes unpacked. File id.Diz......: ______ __ _ _____ ___ _ ___/.__.\_________/.__.\_/ \____ / .__: �:_._ ______: �:___/\_____\ ? :� \ :| | \/ ._\ \ :| _ // ___// | |: \ || : \ _/ \ \ || \/\ _)__\_ | || |\_|____/_| \|\_|____/__ / ? |-|__|---------|____\----------\/---| | ...brings ya... | | ...Trilobyte! #9! | | | | tHIS iS tHE bEST yET dOODZ!!!!!! | `-----------------------------------' > ------------------------------- INFO END -------------------------------- Thanx to Dave Buckley, for sending this archive to us. This archive is on it's way to every antivirus programmer, that accepts new viruses/trojans from us. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... Well, I't looks like some little stupid guy someware in England, has been starting writing trojan's in AMOS. These trojan's are made to destroy the BBS system 'MAX'. It will delete almost every BBS file on the system, and also files like Startup-Sequence, c:dir and more. The guy behind these new trojans are a guy that calls himself "Cactus^Jack". And he must be trying to remove anything about him self, as this trojan is looking for a file with the name "bbs:userfiles/cactus", if this is found it will be deleted. This warning is for the archive "SPICE_POWER.lha" Here is some info about the trojan: > ------------------------------- INFO START ------------------------------ Archive name.....: SPICE_POWER.lha Archive size.....: 36539 bytes (Ripped for BBS adds). Trojan File......: SpicePower97 Trojan Size......: 57820 bytes (AMOS Pro Compiler v2.00 Cruncher) File id.Diz......: ZENGO SPICE POWER MEGAMIX 1997! If ya like the Spice Girls, GET THIS! > ------------------------------- INFO END -------------------------------- Thanx to Dave Buckley, for sending this archive to us. This archive is on it's way to every antivirus programmer, that accepts new viruses/trojans from us. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... Well, I't looks like some little stupid guy someware in England, has been starting writing trojan's in AMOS. These trojan's are made to destroy the BBS system 'MAX'. It will delete almost every BBS file on the system, and also files like Startup-Sequence, c:dir and more. The guy behind these new trojans are a guy that calls himself "Cactus^Jack". And he must be trying to remove anything about him self, as this trojan is looking for a file with the name "bbs:userfiles/cactus", if this is found it will be deleted. This warning is for the archive "Mpeopledemo.lha" This archive was corupt when I recived it, and I could only unpack a part of it, but the trojan code in in there. I could not run the trojan on my system, so I don't know if it works. Here is some info about the trojan: > ------------------------------- INFO START ------------------------------ Archive name.....: Mpeopledemo.lha Archive size.....: 49137 bytes (Ripped for BBS adds). Trojan File......: Mpeople.exe Trojan Size......: 122408 bytes (Packed ????? don't know) File id.Diz......: .------------------------------------------. | M-PEOPLE SLIDESHOW | | | | CODED BY THE TRS CREW | | MUSAK BY : UNKNOWN | | DIGI PICS BY : IVAN GORGU | `------------------------------------------' > ------------------------------- INFO END -------------------------------- Thanx to Dave Buckley, for sending this archive to us. This archive is on it's way to every antivirus programmer, that accepts new viruses/trojans from us. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... Well, I't looks like these 'AMOS' programmed trojans are comming. I have recived the archive via InterNet. It has been online on Aminet, so if you have downloaded it there, take care..... The trojan will delete (SnoopDOS.log): Count Process Name Action Target Name Res. ----- ------------ ------ ----------- ---- 1 ReOrgIt.exe Delete DH0:S/startup-sequence OK 2 ReOrgIt.exe Delete DH0:S/User-startup OK 3 ReOrgIt.exe Delete DH0:S/*.* Fail Here is some of the text strings you can read in the file: HAHAHA, your HD is stuffed Prepare to DIE Here is some info about the trojan: > ------------------------------- INFO START --------------------------- Archive name.....: ReOrgIt.lha Archive size.....: 52279 bytes (Ripped for BBS adds). Trojan File......: ReOrgIt.exe Trojan Size......: 60732 bytes (Packed ????? don't know) File info........: EXCELLENT HD Reoganizer program 65% speed. > ------------------------------- INFO END ----------------------------- Thanx to Raymond Lagerwey, for sending this archive to us. This archive is on it's way to every antivirus programmer, that accepts new viruses/trojans from us. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... Well, a new trojan has been found. The programs say's that it will check if your fake miami keyfiles is okay to you. Don't belive this at all. It will infect your system. But there is a rescue. Heiner Schneegold has released a new update of his great viruskiller "VT" today. VT v3.08 can be found on our homepage.... Here is some info about the trojan: > ------------------------------- INFO START --------------------------- Archive name.....: PHK-MKEY.lzx Archive size.....: 2185 bytes (Ripped for BBS adds). Trojan File......: mkey.exe Trojan Size......: 1880 bytes File info........: .--------------------------------------. |So rumour has it Holger has released a| |virus to harm users with fake miami | |keyfiles. This will check your keys to| |ensure its safe to use, dEN saves ya | |and fists Holgers ass! | `--------------------------------------' }-- dEN 3/3/98 pHuKeRs --{ > ------------------------------- INFO END ----------------------------- Thanx to Heiner Schneegold for the info about this archive. This archive is on it's way to every antivirus programmer, that accepts new viruses/trojans from us. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... Well, a new archive has been found that is infected with the 'Happy New Year 96' linkvirus. And there should be no problems, since all the major antivirus programs can find and remove this virus. Here is some info about the trojan: > ------------------------------- INFO START --------------------------- Archive name.....: PHT-Suns.lzx Archive size.....: 4755 bytes (Ripped for BBS adds). Infected File....: Sunscream.exe Infected Size....: 4368 bytes (Packed with StoneCracker 4.04) File info........: Phase Truce - 4kb intro for Rush Hours'98 > ------------------------------- INFO END ----------------------------- Click Here to read the VTC test of Happy New Year virus. Thanx to Peter Hansen, for the info about this archive. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... Well, a new archive has been found that is infected with the 'Happy New Year 96' linkvirus. And there should be no problems, since all the major antivirus programs can find and remove this virus. Just remember to remove the virus, before starting the program..... Here is some info about the trojan: > ------------------------------- INFO START --------------------------- Archive name.....: FFFF.LHA Archive size.....: 454.455 bytes (Ripped for BBS adds). Infected File....: NlsForFun.exe Infected Size....: 34792 bytes (Packed with PowerPacker 4) 160108 bytes (Unpacked) Infected with....: Happy New Year 1996 - Linkvirus. File info........: ___ __ __ __ ___ __ ____ __ __ ___ � `--� Y � ' _/� �-� __)� Y � --'-. | � | ! | � \| ' | -'�| ! |---- | `---'--^-----^--!___)----^-----^-----^-----' NUKLEUS gives you a GAME with suprises...!! ____ ____ ____ ____ /\ ! |::::| |::::| |::::| |::::| //\FREE! |::__ |::__ |::__ |::__ ///\COOL! |::::| |::::| |::::| |::::| \\/NICE! |::| |::| |::| |::| \// ! |::| ist |::| ight |::| or |::| reedom !! ---------------------------------------bZ-' > ------------------------------- INFO END ----------------------------- Click Here to read the VTC test of Happy New Year virus. Thanx to Torben Danoe, for the info about this archive. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... Another infected archive with the new "Happy New Year 96'" linkvirus has now been found. The archive have been spread via AmiNet, but we have told the people behind AmiNet about this archive, and we hope that they will remove it. If your system has been infected, plaese use VT v3.08, VirusWorkshop v6.9 Virus_Checker II v1.5 and VirusZ II v1.43. Here is some info about the infected archives: > ------------------------------- INFO START ----------------------------- Archive name.....: WinTool.lha Archive size.....: 13461 bytes (Ripped for BBS adds). Infected File....: WinTool (version 1.1) Infected Size....: 15296 bytes Infected with....: Happy New Year 96 Link-virus Archive info.....: This program will get information from another window, and give the option to manipulate it. Close it, change it, move it... Full source included. It is compiled in debug mode, so it will be easy to find bugs. It should be really easy to recompile it with no debug. > ------------------------------- INFO END -------------------------------- Click Here to read the VTC test of Happy New Year virus. Thanx to George Barkouris, for sending this archive to us. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Team Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... A new trojan has been found. Again it is aimed for 'Max BBS' systems. The trojan will (if you run it), make 4 files in RAM: runit, runit.info, yes, yes.info., and within the next seconds the system will reboot and execute "RAM:runit < ram.yes d scsi.device", and will write 0 RIGID. It is 'only' SCSI device and 'only' unit '0' that is going to be damaged. The archive has been send to all the major antivirus programmers.... Here is some info trojan archive: > ------------------------------- INFO START ----------------------------- Archive name.....: maxsafe.lha Archive size.....: 12136 bytes (Ripped for BBS adds). Infected File....: maxsafe Infected Size....: 5008 bytes File_id.diz......: Help stop your BBS from crashing by finding those faulty doors > ------------------------------- INFO END -------------------------------- Thanx to Dave Buckley and Colin Wilson, for sending this archive to us. Thanx to Mr.Heiner Schneegold for the test of this archive Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Team Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... A new trojan has been found. Again it is aimed for 'Max BBS' systems. The trojan will (if you run it), delete almost everything from your system. I will also delete it self at the end. At this time we do not have the hole archive, we only have the trojan it self. The file has been send to all the major antivirus programmers.... Here is some info trojan archive: > ------------------------------- INFO START ----------------------------- Archive name.....: ? Archive size.....: ? bytes (Ripped for BBS adds). Infected File....: UnpackJPEG Infected Size....: 27856 bytes File_id.diz......: > ------------------------------- INFO END -------------------------------- Thanx to Dave Buckley, for sending this file to us. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Team Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... Another new linkvirus has been found. The archives name is still unknown all we have is the main file. It is a fake version of AMFTP v1.91. If you run this program, 5000 bytes will be added to every file that is run. If you decode the virus, you can read "POLISHPOWER-Virus" in the text. Here is some info about the infected file: > ------------------------------- INFO START ----------------------------- Archive name.....: ? Archive size.....: ? bytes (Ripped for BBS adds). Infected File....: AMFTP (version 1.91) Infected Size....: 126316 bytes Archive info.....: > ------------------------------- INFO END -------------------------------- If you find an archive that contains AMFTP with the size "126316" bytes, please send it to me, or upload it to one of our support BBS'es. Thanx to Mr. Heiner Schneegold for the fast test of this file. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Team Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... Another new virus has been found. The installer and infected archives is still unknown. All we have is some infected files. If you have this new virus on your system, every infected file will be added 760 bytes. If you decode the virus part, you can read "fungus/lsd" in a text-string. The major anti-virus programs "VT", "VirusChecker II" and "VirusZ", will be released in the near future, and they will be abel to find and remove this new virus. BUT: "Digital Corruption" has released a littel "fungus killer/disable", that will disable the virus. So if your system is infected with this new virus use the program from "Digital Corruption". The archive name of the littel disabler is "DC-FNG11.LHA". You should be abel to find the archive on a BBS near you, or get it from Virus Help Denmarks homepage. (Adress in the sign.) Thanx to "RAM", for this little killer/disabler... Thanx to Mr. Heiner Schneegold for the fast test of this file. Thanx to Kisa and Jeff German for sending me the infected files. PS. Click here to read about the installer of 'Fungus/lsd' virus. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Team Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... The archive that installs the new "fungus" virus is found. I have now recived 4 archives from all over the world (Australia, USA, Germany and Denmark). Everyone of the contains the same files, and the same file contains the 'fungus' virus in every archive. Here is some info about the 'fungus' archive: > ------------------------------- INFO START ----------------------------- Archive name.....: M31H_CRK.LHA Archive size.....: 436085 bytes (Ripped for BBS adds). Infected File....: Miami_BETA/MUI.MiamiGui Infected Size....: 127360 bytes File_id.diz......: .------------------------------------------. | | | Miami 3.1h BETA | | | | TOTALLY CRACKED AND ALL HOLGER BACKDOOR | | SHIT REMOVED FOR YOUR PLEASURE! | | CANT THE BIG GROUPS CRACK THIS??? | | | | CRACKED FOR YOU BY HOLGWHORE KRUDE | | | `------------------------------------------' > ------------------------------- INFO END -------------------------------- Thanx to Ian, Michael, Peter and Thomas, for sending this file to us. PS. Click here to read the first warning about the 'Fungus/lsd' virus. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// -------------- FidoNet.: 2:237/38.100 \\/// Virus Help Team Denmark AmyNet..: 39:140/127.100 \XX/ http://home4.inet.tele.dk/vht-dk VirNet..: 9:451/247.0
Hi All.... A new trojan has been found. This trojan was on AmiNet, but it has been removed now. It is a fake 'datatypes.library v45.5'. And it will if you are on InterNet and using 'Miami', send a e-mail to a Hotmail adress with your name and password. So if you have installed this version, get rid of it and install the v4.54 update (You can find this on AmiNet). Here is some info about the fake 'datatypes.library': > ------------------------------- INFO START ----------------------------- Archive name.....: dtypes455upd.lha Archive size.....: 27.990 bytes Trojan File......: datatypes.library Trojan Size......: 32748 bytes > ------------------------------- INFO END ------------------------------- Note: In May 1988, the same datatypes.library trojan was found, but with another file lenght (32832 Bytes). VT v3.10 will find this version, but not the new (yet!). In a few other text files, DC has been blamed for this and other trojans, I think that it is not true. Why should DC do this?. Thanks to Matthew for sending archives, and to Mr. Heiner Schneegold and Fridrik for the test and info. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// ------------- FidoNet.: 2:237/38.100 \\/// Virus Help Team Denmark AmyNet..: 39:140/127.100 \XX/ www.vht-dk.dk VirNet..: 9:451/247.0
Hi All.... A new trojan has been found. This trojan was found on AmiNet, but we hope that it has been removed there. It is said to be a AGA Demo, made by some guy called SubZero. It will send a e-mail to a Hotmail adress (just like the datatypes.library trojan), but this time it will also install a new linkvirus. This virus will add about 15k, to some files on your system. At this time there is no cure for this trojan/virus. As soon as there is a program to remove this 'sucker', we will have it on our homepage, you can find it there. If your system has been infected with this trojan/virus, you can check the date for infected files, if you installed it on the 15'th, the date will be the 15'th on your system. Just replace every file with this date woth clean one's, for fresh archives of floppy disk's. This is all that you can do for now (sorry). Here is some info about the trojan/virus: > ------------------------------- INFO START ----------------------------- Archive name.....: birthday.lha Archive size.....: 497.365 bytes Trojan File......: birthday Trojan Size......: 703.664 bytes Virus Size.......: About 15.000 bytes > ------------------------------- INFO END ------------------------------- We hope to have a killer ready for this very soon. Note (27 Dec. 1998): -------------------- xvs.library v33.15 has been released, and will find and repair infected files. You can use xvs.library with these antivirus programs VirusZ II, VirusChecker II and VirusExecutor. Thanks to Ramon, Buzz, Paul Pacheco and many more, for sending archives and infected files. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// ------------- FidoNet.: 2:237/38.100 \\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ www.vht-dk.dk VirNet..: 9:451/247.0
Hi All.... A new virus trojan has been found. It is said to be a new update of the wellknown program 'CygnusEd v4.17". But if you start CED it will change the size of your 'c:mount' command and add 800 bytes, and make the new size 7388 bytes. Here is some info about the trojan/virus: > ------------------------------- INFO START ----------------------------- Archive name.....: HF-CD417.LHA Archive size.....: 306.382 bytes Trojan File......: CygnusED/CED Trojan Size......: 169.872 bytes Virus infect.....: c/mount (new size 7388 bytes) Virus size.......: 800 bytes > ------------------------------- INFO END ------------------------------- We hope to have a killer ready for this very soon. Thanks to iknow@, for sending archives and infected files. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// ------------- FidoNet.: 2:237/38.100 \\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ www.vht-dk.dk VirNet..: 9:451/247.0
Hi All.... The installer of the new link-virus "STD-Crabs_1" have been found. It is a fake version of "Miami DELUXE 0.9c". If you run the file "MiamiDx.beta" from the archive, it will infect every executed file with the "STD-Craps" virus. At this time only the viruskiller 'VT v3.14' is abel to find and remove this virus. VirusZ, VirusChecker and xvs.library will be updated as soon as possible. Here is some info about the trojan/virus: > ------------------------------- INFO START ----------------------------- Archive name.....: mdlx09c.lha Archive size.....: 882.398 bytes Dropper File.....: MiamiDx_Install/MiamiDx.beta Dropper Size.....: 439.724 bytes Virus installed..: STD-Crap linkvirus File_Id.Diz......: ___ �fASt iNT3RNEt sERV�Ce� _(___) _______ _____ _____ \ \ __.\ ._ \__\__ \__\ \__ / /[__� |/ / /___/_ __/ [sTZ!] /___/ |___| /.________/_____| -----------/_____|------------------------. | | | Miami DELUXE 0.9c | | keyfiles with this pack | | | `------------------------------------------' > ------------------------------- INFO END ------------------------------- Thanks to David Knell, for sending archives and infected files. Regards.... __ Jan Andersen E-Mail..: [email protected] __ /// ------------- FidoNet.: 2:237/38.100 \\/// Virus Help Denmark AmyNet..: 39:140/127.100 \XX/ www.vht-dk.dk VirNet..: 9:451/247.0
Converted on 20 Jun 1999 with RexxDoesAmigaGuide2HTML by Michael Ranner.