------------------------
Amiga Virus Encyclopedia
Gotcha 1 Trojan
------------------------
- GoTcHa 1 Trojan (file name change)
Other possible name: UNLZX-Trojan
Known file name: unlzx    Length: 37400 bytes
No system vectors patched
Not reset-resident (does not survive a reset)
The following text can be read in the file:
54634861 21000000 000c7379 733a632f  TcHa!.....sys:c/
6c6f6164 77620000 000d7379 733a632f  loadwb....sys:c/
6c6f6164 77622000 0000000e 7379733a  loadwb .....sys:
632f7365 74706174 63680000 00107379  c/setpatch....sy
733a632f 73657470 61746368 20200000  s:c/setpatch  ..
000d7379 733a632f 6d616b65 64697200  ..sys:c/makedir.
0000000f 7379733a 632f6d61 6b656469  ....sys:c/makedi
72202000 0000000c 20202020 20476f54  r  .....     GoT
63486121 00000000 00000000 00000017  cHa!............
20207748 59206449 4420794f 55207255    wHY dID yOU rU
4e206d45 203f2100 00000000 00000011  N mE ?!.........
20202020 20202020 6e4f5720 49277645          nOW I'vE
20000000 00000000 00102020 20202020   .........
20202047 6f546348 6121                  GoTcHa!
Damage:
Characters are appended to the file names loadwb, makedir and
setpatch (see above). After the next reset the startup-sequence
can therefore no longer be processed. Changes to the files
themselves were NOT found. With a bit of luck, VT will also
recognize these files.
Caution: there could be detection errors if programmers work
with these names AND spaces. After the rename, a window
appears with the text "wHY dID yOU rUN mE ?! ..." etc.
If you close the window, a reset is triggered.
So the thing MUST attract attention. Change the three file
names back with SID or another DirUtil.
VT only offers deletion for the UNLZX file, because it does
NOT perform the unlzx function.
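The rename-back step described above, as an added example that is not part of the original entry or of VT: it lists the three commands whose names carry trailing padding and restores them without overwriting an existing clean file.
Assumptions: the volume's C directory is available as a host-side copy where Python runs, the appended characters are the 0x20 bytes visible in the dump, and the function names are made up for this example.

```python
import os
import sys

# Command names taken from the string table in the dump above.
# AmigaDOS compares file names case-insensitively, so match in lower case.
TARGETS = {"loadwb", "setpatch", "makedir"}


def find_padded_names(c_dir):
    """Return sorted (current_name, clean_name) pairs for target commands
    whose file name ends in 0x20 padding (assumption: padding is spaces)."""
    hits = []
    for name in os.listdir(c_dir):
        clean = name.rstrip(" ")
        if clean != name and clean.lower() in TARGETS:
            hits.append((name, clean))
    return sorted(hits)


def restore_names(c_dir, dry_run=True):
    """Rename padded files back to their clean names.
    Returns (renamed, skipped). A padded file is skipped when a file with
    the clean name already exists, so nothing is ever overwritten."""
    existing = {n.lower() for n in os.listdir(c_dir)}
    renamed, skipped = [], []
    for padded, clean in find_padded_names(c_dir):
        if clean.lower() in existing:
            skipped.append(padded)  # needs a manual look: two candidates
            continue
        if not dry_run:
            os.rename(os.path.join(c_dir, padded), os.path.join(c_dir, clean))
        existing.add(clean.lower())
        renamed.append((padded, clean))
    return renamed, skipped


if __name__ == "__main__":
    # Hypothetical usage: pass the path of the copied C directory.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    renamed, skipped = restore_names(target, dry_run=True)
    for padded, clean in renamed:
        print(f"would rename {padded!r} -> {clean!r}")
    for padded in skipped:
        print(f"skipped {padded!r}: clean name already present")
```

The default is a dry run; call restore_names(path, dry_run=False) only after checking the plan, since legitimate files may use these names with spaces.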
Removal: Kickstart 1.2 & 1.3: VT-Schutz v3.17
All other Kickstart versions: VirusZ III; Xvs.library must also be installed
Original test by Heiner Schneegold
Translated from German to English by Google Translate