- Express2.20-Virus  no file infection
  (so it may not be called a virus)

      no bent vectors, destruction program
      1.File:  Express2.20    Length:  194064
      2.File:  aibon          Length:  776
      aibon hangs at the end of Express2.20 and will be called with "jmp"
      At the end of the files, you can read : "bbs: sys: ram: dos.library"
      Now you will think: oh, again it's against Ami-Express, that doesn't
      concern me, I don't have a mailbox. STOP !!! Attention ! Just starting
      Express2.20 is enough to make you VERY angry !!!

      Destruction Progress :

      - You start Express2.20 from sys: (because you want to see what
        the program does)
      - "aibon" will be copied to :s
      - :s/startup-sequence will be cut off to ONE line ":s/aibon"
      - requester pops up : "Please insert volume BBS:"
      - you don't have a mailbox and click "cancel"
      - Keyboard will be locked
      - every file in sys: will be read and written back with a length
        of 42 Bytes (it's fun, isn't it ???)
      - so you will try a keyboard reset (doesn't work, see
        above)
      - so you accept a Not-Validated disc and turn off the computer
        for a minute
      - turn the computer back on and YES ... the destruction continues
        (cause the startup-sequence is still one line : ":s/aibon")
        But you will discover that at the earliest after 40 seconds,
        because your HD needs that long to boot
      - to rescue at least SOME files, you will need a bootable WB-Disc
        and copy a new startup-sequence to the HD
      - by the way : if there IS a volume called BBS: the destruction
                     begins in there
      origin : d-aex220.lha   Length: 135400 (claims to be new Ami-Express)
      recognition of both files tested with VT : 09.09.1992
      killing of both files tested with VT     : 09.09.1992
         aibon:
            00000000 00000000 00006262 733a0073 ..........bbs:.s
            79733a00 72616d3a 00646f73 2e6c6962 ys:.ram:.dos.lib
      another existing/known file : acp.ctrl Length:  56016 Bytes
      also includes "aibon" at its end

      supplement 01.05.1993 :
      There is now an "aibon 2". Behavior : look above
            Install file-length uncrunched : 1872 Bytes
            Length of "aibon 2"            :  784 Bytes
      special feature :
       Install file searches for Portname "ser.read" first

      aibon 2 new: df0, df1   :
            00007379 733a0062 62733a00 6466303a ..sys:.bbs:.df0:
            00646631 3a00646f 732e6c69 62726172 .df1:.dos.librar

      supplement 02.05.1993 :
      A file called "DwEditV1.62" infected with aibon2 emerged.
         file-length infected : 43700 Bytes
         aibon2 removed       : 41468 Bytes
      aibon2 was linked with hunklab
      choose "take out", functionality of cleaned file was tested,
      harm ? look above !

      - Aibon2-Moun2-Clone :
         A Toolsdaemon V2.2 emerged, infected with this Clone-
         segment :
                     Filelength infected : 7128 Bytes
                     Trojan removed      : 4896 Bytes
         This segment was linked with hunklab. VT offers "Take Out"
         Differences from aibon :
         - mount is copied to s (Length 784 Bytes)
         - s:startup-sequence cut to ONE line : s:mount,$0a,$0a
         - files are cut to 42 Bytes and are filled with $0 (Zero
           Page)
         - Example file with KS1.3 :
         0000: 00000000 00000676 00fc0818 00fc081a .......v........
         0010: 00fc081c 00fc081e 00fc0820 00fc0822 ........... ..."
         0020: 00fc090e 00fc0826 00fc              .......&..
      or there will be files with Zero :
         0000: 00000000 00000000 00000000 00000000 ................
         0010: 00000000 00000000 00000000 00000000 ................
         0020: 00000000 00000000 0000              ..........
      Inside the Trojan file :
         00000000 00000000 00000000 7379733a ............sys:
         00686430 3a006466 303a0064 66323a00 .hd0:.df0:.df2:.
         646f732e 6c696272 61727900 00000000 dos.library.....

         03eb0000 00000000 03f2733a 6d6f756e ..........s:moun
         740a0a73 3a737461 72747570 2d736571 t..s:startup-seq
         75656e63 6500733a 6d6f756e 74000000 uence.s:mount...

         00000000 00006864 303a0073 79733a00 ......hd0:.sys:.
         72616d3a 00646f73 2e6c6962 72617279 ram:.dos.library
         00736572 2e726561 6400646f 732e6c69 .ser.read.dos.li
         62726172 79000000 00000000 0000646f brary.........do
         732e6c69 62726172 79004261 636b4772 s.library.BackGr
         6f756e64 5f50726f 63657373 00000000 ound_Process....

      You can see some small changes in the drive names. VT searches for the
      Process and tries to stop it. Expect a Guru !
      The installation Process uses a Dos-Delay ($29bf8 = nearly an
      hour). For the rest, look at the Express-Description.
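      The recognition indicators above (the NUL-separated volume tables in the
      hex dumps, the one-line startup-sequence, the 42-byte stubs) can be turned
      into a small offline checker. This is an added example, not part of the
      original VT description and not VT's own code; the paths in the sample
      tree are constructed for illustration.

```python
from typing import Dict, List

# Volume-name tables copied from the hex dumps above; each precedes "dos.library".
SIGNATURES: Dict[str, bytes] = {
    "aibon": b"bbs:\x00sys:\x00ram:\x00dos.lib",
    "aibon 2": b"sys:\x00bbs:\x00df0:\x00df1:\x00dos.librar",
    "Aibon2-Moun2-Clone": b"sys:\x00hd0:\x00df0:\x00df2:\x00dos.library",
}
LOADER_LINES = (b":s/aibon", b"s:mount")  # what is left in s:startup-sequence
STUB_LEN = 42  # every file in sys: is rewritten to this length

def find_segments(data: bytes) -> List[str]:
    """Names of the variants whose volume table occurs anywhere in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def startup_sequence_hijacked(data: bytes) -> bool:
    """True when the script contains nothing but a trojan loader line."""
    return data.strip(b"\r\n \x00") in LOADER_LINES

def is_stub(data: bytes) -> bool:
    """True for a 42-byte remnant: all zero, or (KS1.3 example above)
    $00FCxxxx longwords from offset 8 onward."""
    if len(data) != STUB_LEN:
        return False
    if not data.strip(b"\x00"):
        return True
    return all(data[i:i + 2] == b"\x00\xfc" for i in range(8, STUB_LEN, 4))

def triage(tree: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run all three checks over an in-memory snapshot {path: content}."""
    report: Dict[str, List[str]] = {}
    for path, data in tree.items():
        hits = [f"contains {v} segment" for v in find_segments(data)]
        if path.lower().endswith("startup-sequence") and startup_sequence_hijacked(data):
            hits.append("startup-sequence reduced to loader line")
        if is_stub(data):
            hits.append("42-byte stub, content destroyed")
        if hits:
            report[path] = hits
    return report

# Constructed sample tree (not real files): host with aibon appended, hijacked
# script, all-zero stub, the KS1.3 stub from the dump above, one clean file.
SAMPLE = {
    "sys:Express2.20": b"A" * 64 + SIGNATURES["aibon"] + b"rary",
    "sys:s/startup-sequence": b":s/aibon\n",
    "sys:c/dir": b"\x00" * STUB_LEN,
    "sys:libs/icon.library": bytes.fromhex("00000000 00000676 00fc0818 00fc081a"
        " 00fc081c 00fc081e 00fc0820 00fc0822 00fc090e 00fc0826 00fc"),
    "sys:s/shell-startup": b"; normal script\n",
}
```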


  ------------------------------------------------------
   Translated to English by M0rpheus Đ 2001 VHT-Denmark
   Org. Test by Heiner Schneegold.
  ------------------------------------------------------
