-------------------------
Amiga Virus Encyclopedia
Eleni v2.2 Bootblockvirus
-------------------------
Name : Eleni 2
Aliases : Mount
Clones : No Clones
Type : Bootblock
Size : 1024 bytes
Symptoms : No Symptoms
Discovered : 10 april 1994
Way to infect: Boot infection
Rating : Less Dangerous
Kickstarts : 2.0+
3.0+
Damage : Overwrites boot, creates new c/Mount on disk
Comments : If you are booting with an infected disk the
virus copies itself to the adress $FE000 or
$7F400. After that it changes the CoolCpature
Vector to stay resident. Furthermore it
patches the DoIO()-Vector and the KickChkSum()-
vector from the exec.library to infect other
disks.
But now it comes:
Imagine you are now booting with your HD. Now the
virus creates two new files called
c/Mount = 208 bytes (read ELENIV2.2_inst, too!)
and
c/D = 1024 bytes
The Datafile c/D is the virus itself.
The executeable file c/Mount is the virusinstaller.
If you are now starting the file c/Mount the program
does the follwing:
1) Opens the file c/D (Virus)
2) Loads it into a adress
3) starts it & returns.
To remove the virus you must delete the Mount-fake
and the virusfile c/D. AND! Don`t forget to install
your disks.
In the Bootblock you can read:
"FMFOJ XJSVT V2.2"
Decrypted with "sub.b #1,(a0)+":
(Routine not in BB)
"ELENI WIRUS V2.2"
^
The programmer was urely a LAMER
No Textoutput-routine was found in the virus.
Important : A FAKE X-COPY 8.5 VERSION IS GOING AROUND WHICH INSTALLS
THIS DEVIL
Removal : Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III with Xvs.library installed
Test made by : Safe Hex International
Ascii of Eleni 2.2 (Mount) virus:
