ConClip Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM



    ------------------------
    Amiga Virus Encyclopedia    
    ConClip Virus
    ------------------------


    - Conclip Virus

      Other possible names: ANDY, HEXER, Hexer/Bea1, Hexer/Bea2 & Hexer/Bea3
      
       Type A:
       Packed length: 3248 bytes
       Unpacked length: 2872 bytes (yes, the numbers are correct)
       NO patched vectors
       VT expects the file name "conclip" for recognition
       Replication: yes
       In the unpacked file you can read, e.g.:
           2940fdac 41fa0006 2008600e 4446303a  )@..A... .`.DF0:
           632f636f 6e636c69 70002940 fdc0202c  c/conclip.)@.. ,
             ; ......
           700f2f00 41fa0006 20086014 416d6967  p./.A... .`.Amig
           61444f53 20434c49 2d457272 6f720000  aDOS CLI-Error..
             ; ......
           41fa0006 2008602a 4469736b 20636f72  A... .`*Disk cor
           72757074 202d2070 6c656173 6520696e  rupt - please in
           73657274 20626f6f 74646973 6b2e2e2e  sert bootdisk...
             ; ......
           fff441fa 00062008 60266563 686f2063  ..A... .`&echo c
           6f6e636c 6970203e 6466303a 732f7374  onclip >df0:s/st
           61727475 702d7365 7175656e 63650000  artup-sequence..
             ; ......
           60387275 6e203e4e 494c3a20 7379733a  `8run >NIL: sys:
           73797374 656d2f66 6f726d61 74203e4e  system/format >N
           494c3a20 44524956 45206864 303a204e  IL: DRIVE hd0: N
           414d4520 414e4459 00002e80 70002f40  AME ANDY....p./@

       Affected media: DF0:, DF1:, DH0:, DH1:, HD0: and HD1:
       Note: an original conclip file really does exist, with a different length.
       Sequence:
       A window is opened. Title bar: AmigaDOS ... see above
       A text is output: Disk corrupt ... see above
       conclip is copied to c.
       The startup-sequence is changed. Afterwards conclip is
       called after each reset.
       I didn't wait for my hard drive to be formatted
       (dos-delay).
       There is another text in this file, but I have not
       seen it on the screen.
       VT only offers deletion. Please don't forget to also
       change the startup-sequence.
 
       Type B:
       Known lengths, packed several times:  6952 bytes (installer)
                                            11048 bytes (installer)
       Installer filenames are unknown.
       Length after unpacking several times: 6096 bytes
       NO patched vectors
       After unpacking several times and decoding with "EORI.B #$42,(A2)+",
       the following can be read in the file:
           6f20746f 20626564 21290a0a 7c7c2042  o to bed!)..|| B
           45412049 2057494c 4c204e45 56455220  EA I WILL NEVER 
           464f5247 45542059 4f552e20 52455354  FORGET YOU. REST
           20494e20 58544320 7c7c0a0a 414e4459   IN XTC ||..ANDY
           20544845 20484558 45522121 0a0a0a0a   THE HEXER!!....
              ; ......
           fdc87000 4e5d4e75 3a204e41 4d452041  ..p.N]Nu: NAME A
           4e44595f 49535f42 41434b00 72756e20  NDY_IS_BACK.run 
           3e4e494c 3a207379 733a7379 7374656d  >NIL: sys:system
           2f666f72 6d617420 3e4e494c 3a204452  /format >NIL: DR
           49564520 00496e73 65727420 626f6f74  IVE .Insert boot
           6469736b 20696e20 4446303a 004e6f74  disk in DF0:.Not
           20612044 4f532d64 69736b21 00537973   a DOS-disk!.Sys
           74656d6d 656c6475 6e67003a 532f5374  temmeldung.:S/St
           61727475 702d5365 7175656e 6365003a  artup-Sequence.:
           432f436f 6e436c69 70004446 30004446  C/ConClip.DF0.DF
           31004844 31004448 31004844 30004448  1.HD1.DH1.HD0.DH
           30005052 4f474449 523a636f 6e636c69  0.PROGDIR:concli
           7000536e 6f6f7044 6f730053 4e4f4f50  p.SnoopDos.SNOOP
           444f5300 74ff4e75 4e7541fa 0060216f  DOS.t.NuNuA..`!o

       Changes in type B:
         Now writes ConClip
         Tests for SnoopDos
         Writes to location $0: HELP
         Writes to location $100:
            0100: DEADBABE BEA0FACE
         After a keyboard reset, this text also appeared for me
         in an alert.
         If you wait a while, a graphic is displayed:
          - dark background
          - in very large letters HEXER (red, except the X is blue)
          - in smaller, light letters underneath:
             ANDY THE HEXER IS BACK ...
         Copy the original conclip command to c: and also
         check your startup-sequence.

         Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                  Kickstart all others: VirusZ III with Xvs.library installed
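
    Added example (not part of the original entry, and not code from VT or VirusZ): a Python triage of one file against the lengths, strings and "EORI.B #$42" key listed above, checking both the raw bytes and the XOR-decoded view. The function names, the whole-buffer XOR range and the sample buffer are assumptions made for this example.

```python
# Added example: lengths, strings and the XOR key are copied from the entry above.
KNOWN_LENGTHS = {
    3248: "Type A, packed",
    2872: "Type A, unpacked",
    6952: "Type B installer, packed several times",
    11048: "Type B installer, packed several times",
    6096: "Type B, unpacked several times",
}
MARKERS = [
    b"AmigaDOS CLI-Error",                        # Type A window title
    b"Disk corrupt - please insert bootdisk...",  # Type A text output
    b"DRIVE hd0: NAME ANDY",                      # Type A format arguments
    b"ANDY THE HEXER!!",                          # Type B, readable after XOR
    b"NAME ANDY_IS_BACK",                         # Type B format arguments
]
XOR_KEY = 0x42  # from "EORI.B #$42,(A2)+"


def xor_decode(data, key=XOR_KEY):
    """Single-byte XOR over the whole buffer (range is an assumption)."""
    return bytes(b ^ key for b in data)


def triage(name, data):
    """Return findings for one file; an empty list means nothing matched."""
    findings = []
    base = name.replace(":", "/").rsplit("/", 1)[-1]
    if base.lower() == "conclip":  # AmigaDOS file names are case-insensitive
        findings.append("name: conclip")
    if len(data) in KNOWN_LENGTHS:
        findings.append("length: " + KNOWN_LENGTHS[len(data)])
    # Packed samples show no strings, so length and name still matter there.
    views = {"plain": data, "xor-0x42": xor_decode(data)}
    for view, buf in views.items():
        for marker in MARKERS:
            if marker in buf:
                findings.append("string (%s): %s" % (view, marker.decode("ascii")))
    return findings


def make_sample():
    """Constructed buffer: 6096 bytes holding two Type B strings, XOR-encoded."""
    body = b"\0" * 64 + b"ANDY THE HEXER!!\n\n" + b": NAME ANDY_IS_BACK\0"
    return xor_decode(body.ljust(6096, b"\0"))


if __name__ == "__main__":
    for line in triage("DF0:c/ConClip", make_sample()):
        print(line)
```

    A file that matches on name only is consistent with the original conclip command, which the entry notes has a different length.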


    ------------------------------------------------------
     Translated to English by M0rpheus (c) 2001 VHT-Denmark
     Org. Test by Heiner Schneegold.
    ------------------------------------------------------

    
    

Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk