Copy_LX 1.03 Trojan:

  Filelength 6932 Bytes (unpacked)

  This is a classical trojan horse. Installer is probably a modified
  LX 1.03 programm (I still search for it. The file I got from the
  AmiNet was clear). It will write a new COPY command.

  This copy command searches for the file "s:save". If this file
  exists, the trojan will not work and the original copy command
  (V38.1), which is linked behind the trojan, will be activated.

  Then the virus checks the actual date: If the date is 5961 or
  more days after the 01.01.1978, the virus will start, otherwise
  it will skip. This date was somewhen in 1994. Then a longword
  "scsi" will be decrypted and via globaldoslist and the known
  routines, it will be tried to get a device, which starts with
  the long "scsi". If such a device was found, it will be tried
  to get the rootblocknumber and then it will be tried to
  read from the rootblock.

  Problem: I got the Copy command itself and the resourcefile.
  In the copyfile only the READ command will be used, in the
  resourced file the WRITE command will be used. I wonder a
  little about this.

  If the write command is used, all reachable devices (beginning
  with scsi) will loose it`s rootblock. Try to recover the
  data using things like Quarterback and/or Disksalv.

  Test by Markus Schmall            Detection tested 07.01.1995.

[Go back]