     Name         : ELENI VIRUS

     Aliases      : Gremlin, FMFOJ

     Type/Size    : Boot/1024

     Clones       : No Clones

     Symptoms     : No Symptoms

     Discovered   : 10-04-94

     Way to infect: Boot infection

     Rating       : Less Dangerous

     Kickstarts   : 2.0 & higher

     Damage       : Overwrites boot, creates new c/Mount on disk.

     Removal      : Install boot, Delete files c/Mount & c/d.

     Comments     : If you boot from an infected disk, the virus
                    copies itself to the address $FE000 or $7F400.
                    After that it changes the CoolCapture vector
                    to stay resident. Furthermore it patches the
                    DoIO() vector and the KickChkSum() vector of
                    exec.library to infect other disks.
                    But there is more: if you then boot from your
                    HD, the virus creates two new files called
                    
                    c/Mount = 208 bytes (read ELENIV2.2_inst, too!)
                    
                    and
                    
                    c/D     = 1024 bytes

                    The data file c/D is the virus itself.
                    The executable file c/Mount is the virus installer.
                    When the file c/Mount is started, the program
                    does the following:

                      1) Opens the file c/D (virus)
                      2) Loads it to an address
                      3) Starts it and returns.

                    To remove the virus you must delete the fake Mount
                    and the virus file c/D. AND: don't forget to install
                    your disks.
                    In the Bootblock you can read:
        
                    "FMFOJ XJSVT V2.2"

                    Decrypted with "sub.b #1,(a0)+":
                    (Routine not in BB)
                    
                    "ELENI WIRUS V2.2"
                           ^
                    The programmer was surely a LAMER

                    No text output routine was found in the virus.

                    
                    ATTENTION: A FAKE X-COPY 8.5 VERSION IS GOING AROUND 
                    WHICH INSTALLS THIS DEVIL.  For further information 
                    read about the X-Copy 8.5 trojan.
              
                    NOTE: Why must people write such SHIT! ohhh gooood.



     SHI - A.D 04-94
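
Added example (not part of the original SHI entry): a Python check for the indicators listed above, namely the readable bootblock string and the two dropped files matched by name and size. The function names are hypothetical, and it is assumed that the floppy is available as a raw image and the hard-disk volume as a host directory.

```python
import os
import tempfile

MARKER = b"FMFOJ XJSVT V2.2"         # string the entry says is readable in the bootblock
BOOTBLOCK_SIZE = 1024                # Type/Size field: Boot/1024
DROPPED = {"mount": 208, "d": 1024}  # c/Mount and c/D sizes given in the entry


def bootblock_has_marker(image: bytes) -> bool:
    """True if the first 1024 bytes of a raw disk image contain the marker."""
    return MARKER in image[:BOOTBLOCK_SIZE]


def find_dropped_files(volume_root: str) -> list:
    """Return names in <volume_root>/c that match the entry's name and size.

    Amiga file names are case-insensitive, so 'c', 'Mount' and 'D' are
    matched without regard to case. A size match on Mount is only a hint:
    inspect the file before deleting it.
    """
    hits = []
    for top in os.listdir(volume_root):
        cdir = os.path.join(volume_root, top)
        if top.lower() != "c" or not os.path.isdir(cdir):
            continue
        for name in sorted(os.listdir(cdir)):
            path = os.path.join(cdir, name)
            if os.path.isfile(path) and DROPPED.get(name.lower()) == os.path.getsize(path):
                hits.append(f"{top}/{name}")
    return hits


def demo() -> dict:
    """Run both checks on constructed sample data (zero bytes, no virus code)."""
    infected = bytes(64) + MARKER + bytes(BOOTBLOCK_SIZE)
    clean = bytes(BOOTBLOCK_SIZE * 2)
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "C"))
        for name, size in (("Mount", 208), ("D", 1024), ("Dir", 1024)):
            with open(os.path.join(root, "C", name), "wb") as fh:
                fh.write(bytes(size))
        files = find_dropped_files(root)
    return {"infected": bootblock_has_marker(infected),
            "clean": bootblock_has_marker(clean), "files": files}


if __name__ == "__main__":
    print(demo())
```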
