home *** CD-ROM | disk | FTP | other *** search
- @BEGIN_FILE_ID.DIZ
- .------------------------------------.
- | ____ _ ____ ___ |
- | /\ \_// /\ \__| | TeaM |
- | \/\ \/ \/\ \ | | -NL- |
- | \/\ / \/\ / | | |
- | \/\/ IRUS \/\/ |_| ELP |
- | \/ \/ ' ` |
- | -VIRUS-WARNING! -- VIRUS-WARNING!- |
- |------------------------------------|
- | NEW LINKVIRUS OUT! READ IT NOW!!!! |
- `------------------------------------'
- @END_FILE_ID.DIZ
-
- .------------------------------------------------------------------------.
- | [==> VIRUSHELP team NL WARNING! <==> VIRUSHELP team NL WARNING! <==] |
- `--------------------------------------------------------------------Jhl-'
-
- Virushelp team NL warns you for the following:
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- This is just a short and quick look on the virus.
-
- A new linkvirus is on the run.. it's a linkvirus which patches LoadSeg()
- and infects executables afterwards. The infected file will increase with
- 1712 or 1704 bytes. Certain files produce a GURU message and crash after
- infection, when started afterwards (1704 bytes infections).
-
- The changed vectors in dos.library are:
-
- -48 (-$030) : 0001519E
- -150 (-$096) : 00015190
-
- When snoopdos is started, the virus won't infect, as snoopdos re-patches
- "-150" again.
-
- The linkvirus isn't memory-resistant after a reset.
-
- Here's the result of the heuristik scanner in Virusworkshop 6.0:
-
- Results of heuristik scanning:
- ------------------------------
- Possible Dos Write() command
- Possible Dos Open() command
- Seems to look for HUNK_CODE
- Seems to look for HUNK_START
- Possible modification of Dos Write()
- Possible modification of Dos LoadSeg()
- Rating: Possible viral structures found
-
- Number of heuristik hits: 06
-
- NO viruskiller is able to recognise or remove this bastard, so it's on
- it's way to the AV-programmers.
-
- A possible installer for this new linkvirus isn't known yet, so keep your
- eyes open!
-
- .------------------------------------------------------------------------.
- | [==> VIRUSHELP team NL WARNING! <==> VIRUSHELP team NL WARNING! <==] |
- `--------------------------------------------------------------------Jhl-'
-
- *THANKS* must go to Petri Nordlund for sending this file so fast!
-
-
- Greetz,
-
- +--------------------------------+-------------------------------+
- | Jan Hendrik Lots Internet : jhl@grafix.xs4all.nl |
- | EDITOR OF VIRUSSCANLIST WORK : jlots@egt.nl |
- | Virus Help Team The Netherlands PGP Public Key available |
- +--------------------------------+-------------------------------+
-