------------------------
Amiga Virus Encyclopedia
Aibon installer & Virus
-------------------------
Name : Aibon Virus
Aliases : Express2.20
Type/Size : Installer: 194064 bytes
Virus....: 776 bytes
Clone : No Clones
Symptoms : No Symptoms
Discovered : 16-11-90
Way to infect: No infection
Rating : Very DANGEROUS !
Kickstarts : 1.2
1.3
2.0
3.0
Damage : Damage files.
Removal : Delete File.
Comments : A file which pretends to be a new mailing system for
BBS's. It is unique. Express2.20 135400 bytes packed
with lha. Unpacked 194064 bytes with an 776 bytes
executable appendage named "aibon".
When the Express 2.20 program is runned it does an
unconditional jump to the label aibon and from there
the tracking halts.
The Express 2.20a bomb you can download yourself from
several BBS's with the name:
d-aex220.lha
If you are starting the virus it tries to copy
Aibon to ":s". Then the virus modifies the startup-
sequence with the virusname. After all changings were
successful all files in "sys:" will be cut down to 42
bytes.
This files CANNOT.... be repaired. The virus checks
for "bbs:", too. If existing ALL files will be first
destroyed there.
It is very common to fabricate installers with an
executeable and a Path-generating part. From the
moment the program is installed there is no need for
the installer anymore.
The task of the Path-generating part is only to
enquire the users preferable device, then embed it in
the executable and sometimes, after that, throw
itself away.
In this case it's obviously not the concern. It
probably is a spin from a hackers workshop.
If convenient, see the file EM-Wurm, too.
Advice : a) Delete s/Aibon
b) Delete Express2.20
c) Change your Startup-Sequence (!)
Removal : Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III with Xvs.library installed
Test made by : Markus Schmall
