VIRUS HELP TEAM Amiga Antivirus Website www.vht-dk.dk
------------------------
Amiga Virus Encyclopedia
666!-Trojan
------------------------
- 666!-Trojan destruction file
Another possible name: WBPrefs
Length unpacked: 63140 bytes
Length CrunchMania packed: ?????? is wanted !!!!
No patched vectors
Not reset-proof
Reason for the name:
Overwrites media with 666! (see below)
Displays a screen when its work is done:
- light background
- very large gray lettering: 666!
You can then dismiss it with the left mouse button.
According to the report, the startup-sequence is supposed to begin with:
SYS:C/WBPrefs
Since no user is willing to call up a destruction program,
I assumed that there was an install program.
So I am urgently looking for the install program and for WBPrefs
CrunchMania-packed. Thank you in advance for your assistance.
WBPrefs started from the startup-sequence creates a process.
File excerpt from WBPrefs:
70144e75 646f732e 6c696272 61727900 p.Nudos.library.
616d6967 616c6962 2e70726f 63657373 amigalib.process
The file doesn't do anything useful.
This process fetches the system time at certain intervals
(DateStamp structure).
As soon as the system time is between 5:00 a.m. and 8:00 a.m.,
it leaves this loop.
With a correctly running hardware clock this is an unusual
time of day, but VERY dangerous for mailboxes (BBS systems).
If your Amiga has no clock, or the clock is wrong, the system time
can of course read 6:00 a.m. when it is really 4:00 p.m.
Thereafter:
- A memory area is decoded with eori.b #$8E,d0.
The result is S:HORSE
An attempt is now made to open this file. If that succeeds,
the program ends. So this is probably a safeguard for
the programmer.
- A test via DosEnvec whether there are:
- LowCyl greater than 0
- more than #22 sectors
- or more than #100 cylinders
- or more than 2 heads
If at least one condition is not met => termination
Does this seem familiar to you? Correct: look it up under
ModemCheck-Virus.
The media that were found are destroyed.
lcyl 0 bl 0
0000: 36363621 36363621 36363621 36363621 666!666!666!666!
0010: 36363621 36363621 36363621 36363621 666!666!666!666!
0020: 36363621 36363621 36363621 36363621 666!666!666!666!
The blocks are filled with 666!.
Unfortunately, the medium CANNOT be rescued. The only option left
is to format it.
At the end, a graphic is displayed (see above).
VT tries to shut down the process. Danger of a GURU.
VT recognizes ONLY the unpacked file and offers to delete it.
Please don't forget to delete the line in the startup-sequence
as well.
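Added example (not part of the original entry and not VT's own code): a Python triage script that checks a file for the indicators described above and lists the blocks of a disk image that are filled with 666!. It assumes the name S:HORSE is stored as a plain per-byte XOR with $8E and that blocks are 512 bytes; all function names and the sample data are constructed for illustration.

```python
# Added example: triage helpers built from the indicators in this entry.
XOR_KEY = 0x8E                      # from "eori.b #$8E,d0"
GUARD_NAME = b"S:HORSE"             # decoded guard file name
# Assumption: each byte of the name is XORed with the key on its own.
ENCODED_GUARD = bytes(b ^ XOR_KEY for b in GUARD_NAME)
PLAIN_MARKERS = (b"dos.library\x00", b"amigalib.process")  # from the file excerpt
UNPACKED_LENGTH = 63140             # bytes, unpacked WBPrefs
BLOCK_SIZE = 512                    # assumption: standard Amiga block size
PATTERN = b"666!"


def match_wbprefs(data: bytes) -> dict:
    """Report which indicators of the unpacked file are present in data."""
    return {
        "length": len(data) == UNPACKED_LENGTH,
        "encoded_guard": ENCODED_GUARD in data,
        "markers": all(m in data for m in PLAIN_MARKERS),
    }


def overwritten_blocks(image: bytes) -> list[int]:
    """Return the block numbers that consist entirely of the 666! pattern."""
    full = PATTERN * (BLOCK_SIZE // len(PATTERN))
    return [
        off // BLOCK_SIZE
        for off in range(0, len(image) - BLOCK_SIZE + 1, BLOCK_SIZE)
        if image[off:off + BLOCK_SIZE] == full
    ]


def constructed_samples():
    """Build constructed test data; not taken from a real sample or disk."""
    fake = b"\x70\x14\x4e\x75dos.library\x00amigalib.process" + ENCODED_GUARD
    fake = fake.ljust(UNPACKED_LENGTH, b"\x00")
    # Two overwritten blocks starting at block 0, then one untouched block.
    image = PATTERN * 128 * 2 + bytes(BLOCK_SIZE)
    return fake, image


if __name__ == "__main__":
    sample, image = constructed_samples()
    print(match_wbprefs(sample))
    print(overwritten_blocks(image))
```

Like VT, this matches only the unpacked file; a CrunchMania-packed copy would have to be unpacked first.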
Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III and Xvs.library must be installed
Original text by Heiner Schneegold
Translated from German to English with the use of Google Translate