------------------------
Amiga Virus Encyclopedia
Aibon 1 and installer
------------------------

- Aibon2-Mount2-Clone:
  A Toolsdaemon V2.2 appeared that was infected with this clone part.
  File length infected: 7128 bytes
  Trojan expanded     : 4896 bytes
  This part was linked using the Hunklab method. VT offers expansion.

  Differences to Aibon:
  - mount is copied to s (length 784 bytes)
  - s:startup-sequence is shortened to ONE line: s:mount,$0a,$0a
  - Files are shortened to 42 bytes and filled with the memory content
    from $0 (yes, the zero page).

    Example file with KS1.3:
    0000: 00000000 00000676 00fc0818 00fc081a .......v........
    0010: 00fc081c 00fc081e 00fc0820 00fc0822 ........... ..."
    0020: 00fc090e 00fc0826 00fc              .......&..

    Or files with zero content are created (the example was SetPatch):
    SetPatch
    0000: 00000000 00000000 00000000 00000000 ................
    0010: 00000000 00000000 00000000 00000000 ................
    0020: 00000000 00000000 0000              ..........

  - The Trojan file reads:
    00000000 00000000 00000000 7379733a ............sys:
    00686430 3a006466 303a0064 66323a00 .hd0:.df0:.df2:.
    646f732e 6c696272 61727900 00000000 dos.library.....
    ;.....
    03eb0000 00000000 03f2733a 6d6f756e ..........s:moun
    740a0a73 3a737461 72747570 2d736571 t..s:startup-seq
    75656e63 6500733a 6d6f756e 74000000 uence.s:mount...
    ;.....
    00000000 00006864 303a0073 79733a00 ......hd0:.sys:.
    72616d3a 00646f73 2e6c6962 72617279 ram:.dos.library
    00736572 2e726561 6400646f 732e6c69 .ser.read.dos.li
    62726172 79000000 00000000 0000646f brary........do
    732e6c69 62726172 79004261 636b4772 s.library.BackGr
    6f756e64 5f50726f 63657373 00000000 ound_Process....

    So there are also smaller changes in the drives.

  VT searches for the process and attempts to shut it down. A GURU is
  to be expected.
  The install process has a DOS delay ($29bf8 = almost one hour).
  For the rest, see the express description above.
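
Added example (not part of the original entry and not VT's code): a triage check, run on a modern host over a directory extracted from a suspect disk, that looks for the three traces described above. The extracted-directory layout, the ROM-address test for a zero-page copy and the function names are assumptions made for this example.

```python
import os
import struct

# Values taken from the entry above.
WIPED_LEN = 42                    # overwritten files are cut to 42 bytes
STARTUP_LINE = b"s:mount\n\n"     # s:mount,$0a,$0a
MOUNT_LEN = 784                   # length of the mount copy placed in s
# The KS1.3 example dump from the entry, used as sample input.
KS13_SAMPLE = bytes.fromhex(
    "00000000 00000676 00fc0818 00fc081a 00fc081c 00fc081e"
    "00fc0820 00fc0822 00fc090e 00fc0826 00fc")


def classify_42(data):
    """Classify one file's bytes: 'zero-filled', 'zero-page-copy' or None."""
    if len(data) != WIPED_LEN:
        return None
    if data == bytes(WIPED_LEN):
        return "zero-filled"
    # Assumption (heuristic): a copy of memory from address $0 holds 68000
    # exception vectors at offsets 8..39, all pointing into Kickstart ROM
    # ($F80000-$FFFFFF).
    vectors = struct.unpack(">8L", data[8:40])
    if all(0xF80000 <= v <= 0xFFFFFF for v in vectors):
        return "zero-page-copy"
    return None


def scan_volume(root):
    """Walk an extracted volume; return sorted (relative path, finding)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # AmigaDOS names are case-insensitive, so compare in lower case.
            rel = os.path.relpath(path, root).replace(os.sep, "/").lower()
            with open(path, "rb") as fh:
                data = fh.read(MOUNT_LEN + 1)
            if rel == "s/startup-sequence" and data == STARTUP_LINE:
                findings.append((rel, "startup-sequence replaced"))
            elif rel == "s/mount" and len(data) == MOUNT_LEN:
                findings.append((rel, "784-byte mount in s"))
            elif classify_42(data):
                findings.append((rel, classify_42(data)))
    return sorted(findings)
```

A 42-byte hit only shows that a file was overwritten; the original content is gone and has to come from a backup.
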

Removal:
  Kickstart 1.2 & 1.3 : VT-Schutz v3.17
  Kickstart all others: VirusZ III with Xvs.library installed

Test made by Heiner Schneegold
Translated to English with Google Translate
Denmark & Canada Copyright © All rights reserved www.vht.dk