MUI v4.00 Trojan - Amiga Virus Encyclopedia

VIRUS HELP TEAM




 ------------------------
 Amiga Virus Encyclopedia
 MUI v4.00 Trojan
 ------------------------
    
 
 Hi All....                                              02.11.1999

 We have finally received a trojan archive that we have been
 looking for since April 1999. It was found on a BBS in England.
 The trojan is a FAKE 'MUI v4.0', and in the archive there are 3
 files that will make trouble for you (see below), and at this time
 only one killer can find this trojan, and that is "VT v3.16", but
 the other big killers will make a recog for this trojan as soon as
 possible.

 Here is some info about the archive:

 Name........... : MUI v4.0@
 Trojan name.... : MUI 4.0 FAKE
 Archive name... : mui40usr.lha
 Archive size... : 832.990 bytes
 Trojan files... : MUI            (7536 bytes)
                   Install-MUI   (27034 bytes)
                   ClickForColors (1340 bytes)


 Mr. Heiner Schneegold (programmer of VT) has made this test of the
 fake MUI v4.0:

 ------------------- CUT Start from VT 3.16 Doc -------------------

   - MUI40-Fake
        No increase
        A message should be sent
        Min. three files changed.
        Recommendation: delete and reload the clean archive.

       Install Fake-L: 27034
        A line was inserted and numbers changed:
        ; $ VER: Install-MUI 4.0 (04/01/99)
        (set current_version "4.0")
        (set current_libver 19)
        (set lng @language)
        (set #tmpdir "t: mui.inst")
        (complete 0)
        (run (cat "goodies / clickforcolors")) <---- this line 

       MUI     Fake-L: 7536
        Date changed and text hunk added
          4e752456 45523a20 4d554920 32312e31 Nu$VER: MUI 21.1
          34202830 312e3034 2e393929 00000000 4 (01.04.99)....
          ;......
          00000000 000003f2 000003f1 0000000f ................
          77616861 68616861 68616861 20417072 wahahahahaha Apr
          696c2046 6f6f6c73 20796f75 20736f72 il Fools you sor
          72792061 73736564 20486f70 6566756c ry assed Hopeful
          204d6f74 68657266 75636b21 000003f2  Motherfuck!....

      ClickForColors Fake-L: 1340
       Normally a txt file now a PRG. (not coded) 
          6e696d62 75732e73 75706572 696f722e nimbus.superior.
          6e657400 62736473 6f636b65 742e6c69 net.bsdsocket.li
          62726172 79004845 4c4f2073 6173672e brary.HELO sasg.
          636f6d0d 0a004d41 494c2046 524f4d3a com...MAIL FROM:
          3c706973 73656420 75736572 3e0d0a00 <pissed user>...
          52435054 20544f3a 7374756e 747a4073 RCPT TO:stuntz@s
          6173672e 636f6d0d 0a004441 54410d0a asg.com...DATA..
          00005375 626a6563 743a204d 6f766520 ..Subject: Move
          796f7572 206e617a 69206173 73207769 your nazi ass wi
          7468206f 7572204d 55492075 70646174 th our MUI updat
          65206375 6e74210d 0a0d0a2e 0d0a0000 e cunt!.........


 -------------------- CUT End from VT 3.16 Doc ---------------

 This trojan has been sent to all the antivirus programmers
 and they will make recog. for this trojan in the next update.

 Thanx to Heiner for the test.
 And to Adam James for sending the archive to us.


   Regards....
      __          Jan Andersen
 __  ///          ------------
 \\\///        Virus Help Denmark
  \XX/            www.vht-dk.dk
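
A triage check built from the indicators in the VT 3.16 excerpt above, as an added example that is not part of the original advisory or of VT. It assumes the archive has already been unpacked into a path-to-bytes mapping; the sample paths and contents are constructed, and the 0x000003F3 magic is the standard AmigaOS executable header rather than a value quoted on this page.

```python
import re
import struct

HUNK_HEADER = 0x000003F3  # first longword of an AmigaOS executable
# Sizes of the three changed files as listed in the advisory. Size alone is
# a weak indicator, so it is reported separately from the content checks.
FAKE_SIZES = {"mui": 7536, "install-mui": 27034, "clickforcolors": 1340}
# The inserted installer line; tolerant of the stray spaces in the quoted copy.
RUN_LINE = re.compile(rb"\(\s*run\b[^\n]*click\s*for\s*colors", re.I)
MARKER = b"April Fools"  # text from the hunk added to the fake MUI file


def is_amiga_executable(data):
    """True if data begins with the big-endian HUNK_HEADER longword."""
    return len(data) >= 4 and struct.unpack(">I", data[:4])[0] == HUNK_HEADER


def triage(files):
    """files maps archive path -> bytes; returns sorted (path, finding) pairs."""
    findings = []
    for path, data in files.items():
        name = path.rsplit("/", 1)[-1].lower()
        if FAKE_SIZES.get(name) == len(data):
            findings.append((path, "size matches fake"))
        if name == "clickforcolors" and is_amiga_executable(data):
            findings.append((path, "text file replaced by executable"))
        if name == "install-mui" and RUN_LINE.search(data):
            findings.append((path, "installer runs ClickForColors"))
        if name == "mui" and MARKER in data:
            findings.append((path, "April Fools text hunk"))
    return sorted(findings)


# Constructed sample inputs (not the real archive contents or layout).
SAMPLE_FAKE = {
    "Install-MUI": b'(complete 0)\n(run (cat "goodies/clickforcolors"))\n',
    "goodies/ClickForColors": struct.pack(">I", HUNK_HEADER) + bytes(1336),
    "MUI": b"\x00\x00\x03\xf1wahahahahaha April Fools\x00\x00\x03\xf2",
}
SAMPLE_CLEAN = {
    "Install-MUI": b"(complete 0)\n",
    "goodies/ClickForColors": b"Click here for colors\n",
    "MUI": struct.pack(">I", HUNK_HEADER),
}

if __name__ == "__main__":
    for path, finding in triage(SAMPLE_FAKE):
        print(f"{path}: {finding}")
```
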





Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk