------------------------
Amiga Virus Encyclopedia
AX Fucker Linkvirus
------------------------
AX Fucker Linkvirus:
Kickstart 2.x only based on the DOS patchroutines.
MC68040: yes (without caches)
Increases filelength by 928 bytes
This is an ordinary linkvirus, which adds its code to the first
hunk and does only work on the following conditions:
- file contains only 1 hunk
- no reloc hunk at the beginning
It puts an additional $3f1 hunk in the beginning containing the
string /X Fucker. The virus patches the DosOPEN() and DOS LoadSeg()
vectors and is not resetproof.
Based on the $3f1 file at the beginning, b etter viruskillers could
atleast say that a $3f1 hunk is at the beginning. The virus itself
is coded quite bad and seems to be spreaded bad.
The first infected archive was the "axripii.lha".
The LoadSeg() routine is only thought for the infection of loaded
files. The DosOPEN() routine contains a destruction routine, which
is timebased. Starting with 24 Feb `95 all opened files will be
opened using the NEWMode (they will be cleared), if the access is
to the BBS: directory.
Hexdump of parts of this virus:
0000: 000003F3 00000000 00000001 00000000 ...ó............
0010: 00000000 000000E5 000003F1 00000003 .......å...ñ....
0020: 2F582046 75636B65 72000000 000003E9 /X Fucker......é
0030: 000000E5 48E7FFFE 2C780004 43FA02F8 ...åHç.þ,x..Cú.ø
0040: 4EAEFE68 41FA02EC 20800C39 005A0000 N®þhAú.ì ..9.Z..
0050: 00006700 03046104 4AFC02FE 13FC005A ..g...a.Jü.þ.ü.Z
0060: 00000000 2C780004 2A7A02C8 203C0000 ....,x..*z.È <..
0330: 351D0001 12F0646F 732E6C69 62726172 5....ðdos.librar
0340: 79000000 03F10000 00032F58 20467563 y....ñ..../X Fuc
0350: 6B657200 00000003 4CDF7FFF 41FA0004 ker.....Lß..Aú..
Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III with Xvs.library installed
Test by Markus Schmall Detection tested 12.3.1995
