Rexxfunc.library trojan - Amiga Virus Encyclopedia

VIRUS HELP TEAM

------------------------
Amiga Virus Encyclopedia
Rexxfunc.library trojan
------------------------


------------------------------------------------------------------------

Entry...............: rexxfunc.library trojan
Alias(es)...........: -
Virus Strain........: none
Virus detected when.: 5.2000
              where.: England
Classification......: File virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:        4716 Bytes (L:wb.handler)
                                                          1136 Bytes (fake C:loadwb)

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release..: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: new files L:wb.handler, LIBS:rexxfunc.library

Type of infection...: Fake program MiamiSpoof (8468 bytes crunched)
                      performs the following operations:

                      1. replacing C:loadwb with a fake file (1136 bytes),
                      2. writing the original loadwb to LIBS:rexxfunc.library,
                      3. writing a new file L:wb.handler (4716 bytes)

                      System infection:
                      The fake LoadWB executes L:wb.handler, which
                      creates a fake process named `SetPatch`.
                      Every 60 seconds this process tries to
                      open a remote shell on TCP:2000.
                      The attempt is made only if the MIAMI.1 or
                      AMITCP port is found and the SNOOPDOS port
                      is not found. This is stupid because
                      everybody can see the FindPort SNOOPDOS
                      on the SnoopDos screen :-)
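The probing behaviour described above is exactly what a SnoopDos user would notice, so here is an added example (not part of the VHT entry) that scans a constructed, simplified SnoopDos-style listing for a process named SetPatch calling FindPort on MIAMI.1, AMITCP or SNOOPDOS, for any Open of TCP:2000, and for the 60-second repetition. The log format (uptime seconds, process, action, target, result) and the sample lines are constructed for this example; real SnoopDos output differs.

```python
from collections import defaultdict

# Constructed sample, simplified SnoopDos-style: "<secs> <process> <action> <target> <result>"
SAMPLE_LOG = """\
3 Workbench Open S:Startup-Sequence OK
10 SetPatch FindPort MIAMI.1 OK
10 SetPatch FindPort SNOOPDOS OK
70 SetPatch FindPort MIAMI.1 OK
70 SetPatch FindPort SNOOPDOS OK
82 Shell Open SYS:Utilities/Clock OK
130 SetPatch FindPort MIAMI.1 OK
130 SetPatch FindPort SNOOPDOS OK
"""

# Ports the fake SetPatch checks before deciding whether to open TCP:2000
PROBED_PORTS = {"MIAMI.1", "AMITCP", "SNOOPDOS"}
PERIOD, TOLERANCE, MIN_REPEATS = 60, 5, 3  # seconds, seconds, occurrences


def parse(log):
    """Split log lines into (time, process, action, target, result) tuples."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers or malformed lines
        t, proc, action, target, result = parts
        events.append((int(t), proc, action, target, result))
    return events


def find_indicators(log):
    """Return sorted indicator strings matching the wb.handler behaviour."""
    findings = set()
    times = defaultdict(list)  # (process, action, target) -> timestamps
    for t, proc, action, target, _result in parse(log):
        # The real SetPatch runs once at boot; it never looks for these ports
        if proc == "SetPatch" and action == "FindPort" and target in PROBED_PORTS:
            findings.add(f"SetPatch probes port {target}")
        if action == "Open" and target.upper().startswith("TCP:2000"):
            findings.add(f"{proc} opens TCP:2000")
        times[(proc, action, target)].append(t)
    # Beacon-like repetition: same call at ~60 s spacing, at least MIN_REPEATS times
    for (proc, action, target), ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= MIN_REPEATS and all(abs(g - PERIOD) <= TOLERANCE for g in gaps):
            findings.add(f"{proc} {action} {target} repeats every ~{PERIOD}s")
    return sorted(findings)
```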

Infection Trigger...: executing executables belonging to this kit

Storage media affected:
                      SYS:

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none

Particularities.....: The fake LoadWB has the same length as the
                      original one; part of the original LoadWB is
                      even stored inside it to confuse the user.

Similarities........: I can't say this is comparable because
                      in most parts this kit has been made with
                      a compiler like E.

Stealth.............: [See Particularities].
                      Fake process name SetPatch.

Armouring...........: Made with a compiler :-)
                      Slightly complicated crypting routines
                      were used. `MiamiSpoof` has been
                      crunched with StoneCracker and modified
                      to prevent decrunching.
                      Anyway, the decrunched length is 10044
                      (I've sent it to VHT-DK).

Comments............: There is another comparable trojan
                      called rexxfifo.library trojan.

--------------------- Agents -------------------------------------------

Countermeasures.....: -
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland  23.6.2000
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 23.6.2000
Information Source..: Virus disassembly
Copyright...........: This documentation is public domain

================= End of rexxfunc.library trojan =======================

Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk