- A nasty new trojan appeared yesterday on the fast systems in Europe.
- It is said to be a little virus killer for the Mount-972 virus, but
- in reality it is not....
-
- Special hellos to my colleague MADISON, who wrote the first warning
- about this nasty one.
-
- Greets
-
- Flake/TRSi
-
-
-
-
- This analysis is not allowed to be used in any SHI production !!!!
-
-
-
- WireFace Trojan Type G:
- -----------------------
-
- Found in : chkmount.lha
- Type : destructive trojan
- Protection : *Art
- Filesize : 4672 Bytes (partly packed)
-
-
- This is another trojan from the WireFace series. In parts it looks
- like the Biomechanic trojans; some of the byte-row compare code is
- certainly copied. I haven't tested it to the end, but the code looks
- comparable to the code in the icond Biomechanic stuff.
-
- If you start it and destruction is not possible (devices not
- found), a text is printed on screen several times:
-
- nugget@dataphone.se
-
- It has some visible texts at the end of the virus. The virus itself
- is protected and then afterwards packed with StoneCracker 4.04. The
- final filesize is 5868 bytes.
-
- The trojan tries to access the following devices and clears the
- first 39 sectors:
-
- 'scsi.device'
- 'icddisk.device'
- 'oktagon.device'
- 'SoftSCSI_OktagonC9X.device'
-
- Other visible texts are:
-
- '(TrojanName: iLSKNA ANDREAS v1.1) WiREFACE / dEMONS oF tHE "
- " pENTAGRAM strikes again with another stunning release (trojan) "
- " hahaha. Send postcards, money, bugreports or COMPLAINTS'
- 'to me at this email adress: nugget@dataphone.se. CU in another relase!'
- 'nugget@dataphone.se' (This is the printed text)
-
- The program looks like it was created with an old compiler. Some special
- 1.x programming techniques are used, which are not normally used
- nowadays.
-
- VirusWorkshop and VT will warn you that the file contains a $3e8
- hunk. This is the trojan's protection. Simple, but effective.
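
The $3e8 warning mentioned above can be reproduced with a small hunk walker. This is an added example, not part of the original analysis and not the scanners' own code; the names hunk_ids and has_3e8_hunk and both sample files are constructed for illustration, and only the hunk types usual in plain load files are handled (no overlays).

```python
import struct

# AmigaOS hunk block IDs (standard hunk file format constants)
HUNK_NAME, HUNK_CODE, HUNK_DATA, HUNK_BSS, HUNK_RELOC32 = 0x3E8, 0x3E9, 0x3EA, 0x3EB, 0x3EC
HUNK_SYMBOL, HUNK_DEBUG, HUNK_END, HUNK_HEADER = 0x3F0, 0x3F1, 0x3F2, 0x3F3

def hunk_ids(data):
    """Walk an AmigaOS load file and return the hunk block IDs in order."""
    pos = 0
    def u32():
        nonlocal pos
        if pos + 4 > len(data):
            raise ValueError("truncated hunk file")
        pos += 4
        return struct.unpack_from(">I", data, pos - 4)[0]
    def skip(longs):
        nonlocal pos
        pos += 4 * longs
        if longs < 0 or pos > len(data):
            raise ValueError("truncated hunk file")
    if u32() != HUNK_HEADER:
        raise ValueError("not an AmigaOS load file")
    while (n := u32()) != 0:          # resident library names, normally none
        skip(n)
    u32()                             # hunk table size
    first, last = u32(), u32()
    skip(last - first + 1)            # one size longword per hunk
    ids = []
    while pos < len(data):
        hid = u32() & 0x3FFFFFFF      # strip memory-type flag bits
        ids.append(hid)
        if hid in (HUNK_NAME, HUNK_CODE, HUNK_DATA, HUNK_DEBUG):
            skip(u32() & 0x3FFFFFFF)  # length in longwords, then payload
        elif hid == HUNK_BSS:
            u32()                     # size only, no payload
        elif hid == HUNK_RELOC32:
            while (n := u32()) != 0:
                skip(n + 1)           # target hunk number + n offsets
        elif hid == HUNK_SYMBOL:
            while (n := u32()) != 0:
                skip((n & 0xFFFFFF) + 1)  # symbol name + value
        elif hid != HUNK_END:
            raise ValueError(f"unhandled hunk ${hid:x}")
    return ids

def has_3e8_hunk(data):
    return HUNK_NAME in hunk_ids(data)

# Constructed samples: a one-hunk load file without and with a $3E8 block
def _l(*v): return struct.pack(f">{len(v)}I", *v)
HEADER = _l(HUNK_HEADER, 0, 1, 0, 0, 1)
CLEAN = HEADER + _l(HUNK_CODE, 1, 0x70004E75, HUNK_END)
FLAGGED = HEADER + _l(HUNK_NAME, 1) + b"demo" + _l(HUNK_CODE, 1, 0x70004E75, HUNK_END)
```
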
-
- Something more to wonder about: I downloaded this file from SOS
- on 8.8.1995, and I have only used the name MOUNT-972 in one warning
- in AmigaNet and the German Z-net, so the virus coder must read it, too.
-
- The trojan is supplied with a little documentation:
-
-
- Mount-972 Virus Checker
- -----------------------
-
- by Robert Wolvestein (ao@dataphone.se)
-
-
-
- This small checker finds and eliminates the Mount-972 virus
- that resently popped up! The virus must have been spread
- via Aminet or thru BBS's coz it is EVERYWHERE, almost 40% of
- my 'scene-friends' had it in some way or another.
-
- Regards Robert.
-
- (ED: A cool fake, better play with your joystick)
-
-
-
-
- ---------------------------------------------------------------------------
- @BEGIN_FILE_ID.DIZ
- _________________ ____________
- \ . ___.___._¬\/ ____/_____) TRiSTAR &
- \/| .| | ¬| _/_____¬\| ¬|
- | || | : ¬\ ¬V \\ || RSi
- |___| |___|___\______/_____|
- ·+*#*+·^·TRN!·|____\·+*#*V·^·+*#*+·PRESENT!·
- Warning ! chkmount.lha is a WireFace trojan.
- Nothing tricky, but read this analyse by
- Flake/TRSi. Special hi to Madison...
- @END_FILE_ID.DIZ
-