Warning ! M-hac.lha and Bloody.exe contain LINKVIRUSES ! BE CAREFULL !

   Here a first BETA ANALYSE of it:



   ConMan 1995 Linkvirus:
   ----------------------

   Other possible names: M-Hac Virus, Bloody Virus
   Detected in: M-hac.lha and Bloody.EXE
   Detected when: August 1995/Germany SOS
   Linking method: 4eb9 (!!!!)
   Resident: NO 
   Length: 1836 bytes


   This is a new type of linkvirus. There are 2 installers known yet.
   It simply creates a new process with the known CONMAN code , but
   now with different names.

   Possible names are:
   
   C:DIR
   ramlib
   Background_Process
   RAm
   L:FastFileSystem
   LIBS: gadtools.library
   Workbench
   DF0
   addbuffers
   CON
   LIB:req.library
   CLI(0): no command loaded
   CLI(1): no command loaded            

   Please note that several of this takss can appear in normal systems,
   too.

   The speciality of this virus is, that it uses a intern 4eb9 linker
   to link to files. Quite tricky. Viruskillers like VT, VZ_II and
   VW should so be able to detect the infected files.

   The linking routine knows the following hunksymbols: $3f2,$3f3,$3ec
   and $3eb. The code is a little bit dangerous, but I will implent
   in VirusWorkshop a complete reverse analyzed routine, so it should
   be no problem to repair even not working infected files.

   The virus adds 4 hunks to the file and the linked code is partly
   packed. It is packed with StoneCracker 4.04 and then afterwards
   manipulated.

   The virus is not memory resident.
   
   Some words about the installers:



   m-hack.lha FILE_ID.DIZ

   .-------------------------------.
   | MASTER AMIEX ONLINE PW HACKER |
   | PREVIOUS VERSION HAVE A BUG!  |
   `-------------------------------'

   The programm hack (4388 bytes long) contains the trojan.


   bloody.exe FILE_ID.DIZ:

   NON DOS DISK READER >>>>-BEST!

   The programm is including this ID 25560 bytes unpacked long.





  Greets

        Markus Schmall


  P.S.: This analyse is copyrighted and strictly forbidden to be used
  in any SHI production....

[Go back]