/X Fucker Linkvirus:

    Kickstart 2.x only (based on the DOS patch routines).
    MC68040: yes (without caches)
    Increases filelength by 928 bytes

    This is an ordinary linkvirus, which adds its code to the first
    hunk and works only under the following conditions:

    - file contains only 1 hunk
    - no reloc hunk at the beginning

    It puts an additional $3f1 hunk at the beginning containing the
    string "/X Fucker". The virus patches the DosOPEN() and DOS LoadSeg()
    vectors and is not reset-proof.

    Based on the $3f1 hunk at the beginning, better viruskillers could
    at least say that a $3f1 hunk is at the beginning. The virus itself
    is coded quite badly and seems to have spread poorly.

    The first infected archive was "axripii.lha".

    The LoadSeg() routine is intended only for infecting loaded
    files. The DosOPEN() routine contains a time-based destruction
    routine: starting with 24 Feb '95, all files opened in the BBS:
    directory will be opened using the NEWMode (they will be cleared).

    Hexdump of parts of this virus:

    0000: 000003F3 00000000 00000001 00000000    ...............
    0010: 00000000 000000E5 000003F1 00000003    ..............
    0020: 2F582046 75636B65 72000000 000003E9    /X Fucker......
    0030: 000000E5 48E7FFFE 2C780004 43FA02F8    ...H.,x..C.
    0040: 4EAEFE68 41FA02EC 20800C39 005A0000    NhA. ..9.Z..
    0050: 00006700 03046104 4AFC02FE 13FC005A    ..g...a.J...Z
    0060: 00000000 2C780004 2A7A02C8 203C0000    ....,x..*z. <..
    0330: 351D0001 12F0646F 732E6C69 62726172    5....dos.librar
    0340: 79000000 03F10000 00032F58 20467563    y......../X Fuc
    0350: 6B657200 00000003 4CDF7FFF 41FA0004    ker.....L..A..
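
    The check suggested above (report a $3f1 hunk sitting directly after the
    hunk header), as an added example that is not part of the original
    description or of any viruskiller. The function name is hypothetical; the
    sample bytes are offsets 0000-002F of the hexdump above.

```python
import struct

HUNK_HEADER = 0x3F3   # start of an AmigaDOS load file
HUNK_DEBUG = 0x3F1    # the "$3f1" hunk named in the description

# Offsets 0000-002F of the hexdump on this page (header + $3f1 hunk only).
SAMPLE_HEADER = bytes.fromhex(
    "000003F3 00000000 00000001 00000000"
    "00000000 000000E5 000003F1 00000003"
    "2F582046 75636B65 72000000 000003E9"
)

def leading_debug_hunk(data: bytes):
    """Return the payload of a $3F1 hunk that directly follows the
    hunk header, or None if the first block is something else."""
    def u32(off):
        if off + 4 > len(data):
            raise ValueError("truncated hunk file")
        return struct.unpack_from(">I", data, off)[0]

    if u32(0) != HUNK_HEADER:
        raise ValueError("not an AmigaDOS load file")
    off = 4
    # Resident library names: each is a longword count plus data; 0 ends the list.
    while (n := u32(off)) != 0:
        off += 4 + 4 * n
    off += 4
    # Table size, first hunk number, last hunk number.
    first, last = u32(off + 4), u32(off + 8)
    if last < first:
        raise ValueError("inconsistent hunk table")
    off += 12 + 4 * (last - first + 1)   # skip the per-hunk size table
    if u32(off) != HUNK_DEBUG:
        return None
    n = u32(off + 4)                      # payload length in longwords
    payload = data[off + 8: off + 8 + 4 * n]
    if len(payload) != 4 * n:
        raise ValueError("truncated $3F1 hunk")
    return payload

if __name__ == "__main__":
    found = leading_debug_hunk(SAMPLE_HEADER)
    print("leading $3F1 hunk:", found)
```

    The function reports the hunk and its contents; comparing the payload
    with the string quoted in the description is left to the caller.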

                                   Detection tested 12.3.1995.
    Test by Markus Schmall
