------------------------
Amiga Virus Encyclopedia
Bastard Dropper
------------------------
Hi All.... 1 May 2001
What we think is the installer of the "Bastard" link virus has been
found. It was on Aminet (and has been there for about 14 days), but
it has been removed now.
Okay, here is what we know so far:
Archive name : Pointers.lha
Archive size : 6.874 bytes
Installer name: Install
Installer size: 4.748 bytes
Virus name : Bastard linkvirus
Virus size : About 2100 Bytes (uses polymorphic engine)
Here is Zbigniew Trzcionkowski's test:
------------------------------------
The archive 'Pointers.lha' (6874 bytes) is the installer for the
BASTARD LINKVIRUS. The executable is hidden inside the installer script
and I must admit I haven't seen such a thing before.
It was done (in a very clever way) with a special tool which changes
a binary to valid installer script data.
This can be seen as a real MACRO virus for Amiga!
NOTE: There was no script icon, so I think almost no one installed
the virus!
This installer script generates a file called RAM:temp, which is a
stonecracked executable with the BASTARD virus. This is just THE FIRST
file of the virus. It also contains some text and even the name of the
virus:
Antidisassemblishmentaryonism v1
(I think everyone still uses the name I have invented :-)
There was nothing new in the file besides that additional text. It also
talks about the authors, who are not the same people behind those
lame 4ef9 trojans (I came to this conclusion only by watching the
code, so you see the differences were large).
As always I will not publish the text inside, not to satisfy virus-
makers, even though this is done very cleverly and not to infect so many
machines.
Thanks to Zbigniew Trzcionkowski, the programmer of Safe, for the
info.
Removal: Kickstart 1.2 & 1.3  : VT-Schutz v3.17
         Kickstart all others: VirusZ III with Xvs.library installed
Regards....
__ Jan Andersen
__ /// ------------
\\\/// Virus Help Denmark
\XX/ www.vht-dk.dk