------------------------
Amiga Virus Encyclopedia
ADO 3! Trojan
------------------------
- ADO!-3-Trojan Destruction
Filename: AGA_ITALY2.DEMO Length: 113452 Bytes
Filename: AGA_JHL.prefs Length: 14960 Bytes
Decrunched AGA_ITALY-File contents:
55736572 2d537461 72747570 002d5255 User-Startup.-RU
4e203e4e 494c3a20 5359533a 50726566 N >NIL: SYS:Pref
732f454e 562d4152 43484956 452f4147 s/ENV-ARCHIVE/AG
415f4a48 4c2e7072 65667300 00054543 A_JHL.prefs...EC
484f2000 002d5255 4e203e4e 494c3a20 HO ..-RUN >NIL:
5359533a 50726566 732f454e 562d4152 SYS:Prefs/ENV-AR
43484956 452f4147 415f4a48 4c2e7072 CHIVE/AGA_JHL.pr
65667300 0011203e 3e533a55 7365722d efs... >>S:User-
53746172 74757000 001f5359 533a5052 Startup...SYS:PR
4546532f 454e562d 41524348 4956452f EFS/ENV-ARCHIVE/
4147412e 70726566 73000023 5359533a AGA.prefs..#SYS:
50524546 532f454e 562d4152 43484956 PREFS/ENV-ARCHIV
452f4147 415f4a48 4c2e7072 65667300 E/AGA_JHL.prefs.
;.....
312c3135 2900000a 52414d3a 5265626f 1,15)...RAM:Rebo
6f740004 4e494c3a ot..NIL:
Sequence of events:
An intro distracts the user while a new line is added to User-Startup:
RUN >NIL: SYS:Prefs/ENV-ARCHIVE/AGA_JHL.prefs
Two files will be copied to Prefs/Env-Archive:
AGA.prefs (decoded part)
AGA_JHL.prefs (Trojan part)
After the intro ends, a reboot is performed.
User-Startup then loads the AGA_JHL file.
The decrunched AGA_JHL.prefs contents:
00000020 5359533a 50524546 532f454e ... SYS:PREFS/EN
562d4152 43484956 452f4147 41322e50 V-ARCHIVE/AGA2.P
52454653 0000001f 5359533a 50524546 REFS....SYS:PREF
532f454e 562d4152 43484956 452f4147 S/ENV-ARCHIVE/AG
412e5052 45465300 0000000f 533a5363 A.PREFS.....S:Sc
61726543 726f772e 74787400 00000020 areCrow.txt....
5359533a 50524546 532f454e 562d4152 SYS:PREFS/ENV-AR
43484956 452f6167 61322e70 72656673 CHIVE/aga2.prefs
00000014 433a4564 20533a53 63617265 ....C:Ed S:Scare
43726f77 2e747874 0000000e 454e563a Crow.txt....ENV:
61676133 2e707265 66730000 000e454e aga3.prefs....EN
563a6167 61332e70 72656673 V:aga3.prefs
This file also contains the ADO!-1 assign file (see the description
above). The destruction routine is fully functional. On the
test system, however, the AGA_JHL.prefs file was not written
correctly: writing stopped before the end of the file. Whether
the Trojan works is therefore questionable. Why does VT detect
AGA_JHL.prefs? Only for the sake of very thorough users.
Removal: Kickstart 1.2 & 1.3: VT-Schutz v3.17
All other Kickstarts: VirusZ III with Xvs.library installed
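
The User-Startup line and the two files in Prefs/Env-Archive described above can be checked for on a host-side copy of the system partition (for example an emulator hard-drive directory). The following is an added example, not part of the original entry or of VT/VirusZ; the function names, the sample startup text and the assumption that the directory root corresponds to SYS: (with S: at SYS:S) are illustrative.

```python
from pathlib import Path

# Names of the two files the entry says are copied to Prefs/Env-Archive.
DROPPED = {"aga.prefs", "aga_jhl.prefs"}

# Constructed sample, not a captured file; line 3 is the line quoted in the entry.
SAMPLE = """\
; constructed User-Startup for illustration
Assign >NIL: Work: DH1:
RUN >NIL: SYS:Prefs/ENV-ARCHIVE/AGA_JHL.prefs
Copy >NIL: SYS:Prefs/Env-Archive/Sys/#? ENV:Sys
"""

def executed_path(line):
    """Return the program a script line starts, or None for blank/comment lines."""
    tokens = line.split(";", 1)[0].split()
    if tokens and tokens[0].lower() == "run":
        tokens = tokens[1:]
    # Drop attached redirections such as ">NIL:"; "> NIL:" with a space is not handled.
    tokens = [t for t in tokens if not t.startswith((">", "<"))]
    return tokens[0] if tokens else None

def suspicious_lines(startup_text):
    """Lines that execute a file stored under Prefs/Env-Archive (a settings drawer)."""
    hits = []
    for number, line in enumerate(startup_text.splitlines(), 1):
        program = executed_path(line)
        if program and "prefs/env-archive/" in program.lower():
            hits.append((number, line.strip()))
    return hits

def find_ci(parent, name):
    """Case-insensitive child lookup: AmigaDOS ignores case, the host may not."""
    if parent is None or not parent.is_dir():
        return None
    return next((p for p in parent.iterdir() if p.name.lower() == name.lower()), None)

def scan_volume(root):
    """Check a host-side copy of the system partition (assumed layout: root = SYS:)."""
    root = Path(root)
    startup = find_ci(find_ci(root, "S"), "User-Startup")
    archive = find_ci(find_ci(root, "Prefs"), "Env-Archive")
    lines = suspicious_lines(startup.read_text(encoding="latin-1")) if startup else []
    files = sorted(p.name for p in archive.iterdir()
                   if p.name.lower() in DROPPED) if archive and archive.is_dir() else []
    return {"startup_lines": lines, "dropped_files": files}

if __name__ == "__main__":
    print(suspicious_lines(SAMPLE))
```

A line that merely copies settings out of Env-Archive is not flagged; only a line whose executed program lives in that drawer is.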
--------------------------------------------------------------
Translated to English by Alexander Jensen © 2001 VHT-Denmark
Original test by Heiner Schneegold.
--------------------------------------------------------------
Virus Help Team Denmark & Canada Copyright © All rights reserved www.vht.dk