- Devil_11_B.Door

  I know of three files that got this thing:
   - DLog V1.8  size of infected file: 23452
   - ULog V 1.8 size of infected file: 23452
   - MsgTop V 1.0 size of infected file, packed once  : 17884
                                         packed twice : 13548

   All three programs infected on an A4000 = GURU 4
   BackDoor-part removed, but without BBS = error -1
   When you unpack the BackDoor part, you find at the very beginning:

           000003e9 0000093d 4efa09ac 42425300 .......=N...BBS.
           44483000 44483100 4844303a 00484431 DH0.DH1.HD0:.HD1
           3a004448 30004448 31004844 303a0048 :.DH0.DH1.HD0:.H
           44313a00 4242533a 00444830 3a424253 D1:.BBS:.DH0:BBS
           2f004448 313a4242 532f0048 44303a42 /.DH1:BBS/.HD0:B
           42532f00 4844313a 4242532f 00444830 BS/.HD1:BBS/.DH0
           3a004448 313a0048 44303a00 4844313a :.DH1:.HD0:.HD1:

     You can follow this up with SnoopDos.
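
     Added example (not part of the original VT text): a short Python
     decoder for the dump shown above. It assumes the dump starts at the
     code hunk (type $3E9) and that the instruction word $4EFA is a 68000
     JMP (d16,PC); the function and variable names are made up for
     illustration.

```python
import struct

# The 112 bytes of the unpacked backdoor part, copied from the dump above.
DUMP_HEX = """
000003e9 0000093d 4efa09ac 42425300
44483000 44483100 4844303a 00484431
3a004448 30004448 31004844 303a0048
44313a00 4242533a 00444830 3a424253
2f004448 313a4242 532f0048 44303a42
42532f00 4844313a 4242532f 00444830
3a004448 313a0048 44303a00 4844313a
"""

HUNK_CODE = 0x3E9    # AmigaDOS hunk type for a code hunk
JMP_PC_REL = 0x4EFA  # 68000 opcode word for JMP (d16,PC)


def decode_prefix(data):
    """Decode hunk type, hunk size, the leading jump and the string table."""
    hunk_type, longs, opcode, disp = struct.unpack(">IIHh", data[:12])
    if hunk_type != HUNK_CODE or opcode != JMP_PC_REL:
        raise ValueError("not a code hunk that starts with JMP (d16,PC)")
    # The displacement counts from the extension word, 2 bytes into the
    # instruction; the instruction is the first thing in the hunk body.
    entry = 2 + disp
    # NUL-terminated ASCII names follow the jump. The last piece has no
    # terminator inside the dump, so it is dropped as incomplete.
    pieces = data[12:].split(b"\x00")[:-1]
    return {
        "code_bytes": longs * 4,   # hunk size is stored in longwords
        "entry_offset": entry,     # where the jump lands, from hunk body start
        "strings": [p.decode("ascii") for p in pieces],
    }


def bbs_paths(strings):
    """Return the distinct names that refer to a BBS assign or directory."""
    return sorted({s for s in strings if "BBS" in s})


if __name__ == "__main__":
    info = decode_prefix(bytes.fromhex("".join(DUMP_HEX.split())))
    print("code hunk: %d bytes, jump lands at offset 0x%X"
          % (info["code_bytes"], info["entry_offset"]))
    print("BBS names:", ", ".join(bbs_paths(info["strings"])))
```

     The jump target lies past the name table, so the table is data that
     the code skips over; the decoded names are the ones to look for in
     the SnoopDos output.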
     Damage: (I took over the following words)
     Searches for files with a size of 1972 bytes and changes them
     in such a way that, beginning with level 10, account edit and sysop
     download are possible. Since it doesn't replicate itself, it
     is not a virus by definition. Explanation for naming it: A
     group (or a single person) is accused of being responsible for
     those BBS burglaries. I don't know if this is true.
 
     VT offers the removal.

    addition 25.03.95: see also ZINE-Disk-Validator
    addition 15.04.95: see also VScan-BBS-Trojan

--------------------------------------------------------
Translated to English by Frank Cieslevwicz  2001 VHT-DK.
Org. text by Heiner Schneegold (VT-Kennt)
--------------------------------------------------------