Gotcha 2 Trojan - Amiga Virus Encyclopedia

VIRUS HELP TEAM




     ------------------------
     Amiga Virus Encyclopedia
     Gotcha 2 Trojan
     ------------------------
     
     
     - GoTcHa-2 Trojan: changes file names
         Another possible name: devilcheck-Trojan
         Known file name: dd-devilcheck   Length: 32376 bytes
         No bent (patched) system vectors
         Not reset-proof (does not survive a reset)

         Readable in the file:
           20202020 20202047 6f546348 61212049         GoTcHa! I
           49000000 00000000 00000000 001b2020  I.............
           20202020 77485920 64494420 794f5520      wHY dID yOU
           72554e20 6d45203f 21000000 00000000  rUN mE ?!.......
           00152020 20202020 20202020 20206e4f  ..            nO
           57204927 76452000 00000000 00000013  W I'vE .........
           20202020 20202020 20202020 20476f54               GoT
           63486100 00000000 00000015 20202020  cHa.........
           20202020 20202020 20416761 696e2021           Again !
           21000000 000c5359 533a632f 6c6f6164  !.....SYS:c/load
           77620000 000d5359 533a432f 6c6f6164  wb....SYS:C/load
           77622000 0000000e 5359533a 632f5365  wb .....SYS:c/Se
           74706174 63680000 00105359 533a432f  tpatch....SYS:C/
           53657470 61746368 20200000 000d5359  Setpatch  ....SY
           533a632f 6d616b65 64697200 00000010  S:c/makedir.....
           5359533a 432f6d61 6b656469 72202020  SYS:C/makedir
           0000000b 5359533a 632f5374 61636b00  ....SYS:c/Stack.
           0000000a 5359533a 432f4861 434b0000  ....SYS:C/HaCK..
           000a5359 533a632f 74797065 0000000a  ..SYS:c/type....
           7379733a 632f4879 70658054 0000      sys:c/Hype.T..

       Damage:
         Characters are appended to the file names loadwb, makedir
         and setpatch (see above). Stack and type are renamed (see
         above). After the next reset, the startup-sequence can no
         longer be processed.
         Changes inside the files were NOT found.
         With a bit of luck, VT will also recognize these files.
         Caution: There could be detection errors if programmers
         work with these names AND spaces.
         After the rename, a window appears with the text "wHY
         dID .... etc.
         If you close the window, a reset is triggered.
         So the thing MUST attract attention. Change the five file
         names back with SID or another DirUtil.
         VT only offers delete.
         Difference from GoTcHa 1: two more file names
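
         Added example, not part of the original entry or of VT: it reads
         the last eleven rows of the dump above as a 4-byte big-endian
         length followed by the text, which is how the values in the dump
         line up, and lists the five renames to undo. Pairing each path
         with the one that follows it is an assumption; the function
         names are the example's own.

```python
# Hex columns of the last eleven dump rows above (the file-name table).
DUMP_HEX = """
21000000 000c5359 533a632f 6c6f6164
77620000 000d5359 533a432f 6c6f6164
77622000 0000000e 5359533a 632f5365
74706174 63680000 00105359 533a432f
53657470 61746368 20200000 000d5359
533a632f 6d616b65 64697200 00000010
5359533a 432f6d61 6b656469 72202020
0000000b 5359533a 632f5374 61636b00
0000000a 5359533a 432f4861 434b0000
000a5359 533a632f 74797065 0000000a
7379733a 632f4879 70658054 0000
"""
DATA = bytes.fromhex("".join(DUMP_HEX.split()))

def length_prefixed_strings(data, max_len=64):
    """Yield each run stored as a 4-byte big-endian length plus that many printable bytes."""
    i = 0
    while i + 4 <= len(data):
        n = int.from_bytes(data[i:i + 4], "big")
        body = data[i + 4:i + 4 + n]
        if 1 <= n <= max_len and len(body) == n and all(0x20 <= b < 0x7F for b in body):
            yield body.decode("ascii")
            i += 4 + n
        else:
            i += 1  # padding or non-text byte: resynchronise one byte further on

def rename_pairs(data):
    """Pair consecutive SYS: paths as (original, renamed); the pairing order is an assumption."""
    paths = [s for s in length_prefixed_strings(data) if s.lower().startswith("sys:")]
    return list(zip(paths[0::2], paths[1::2]))

def describe(original, renamed):
    """Tell padded names (spaces appended) apart from names that were replaced."""
    stripped = renamed.rstrip(" ")
    # AmigaDOS file names are case-insensitive, so "SYS:c/" and "SYS:C/" compare equal.
    if stripped != renamed and stripped.lower() == original.lower():
        return "%d trailing space(s) appended" % (len(renamed) - len(stripped))
    return "name changed"

if __name__ == "__main__":
    # repr() keeps the appended spaces visible in the output.
    for original, renamed in rename_pairs(DATA):
        print("%-18r -> %-20r %s" % (original, renamed, describe(original, renamed)))
```

         The appended spaces do not show in an ordinary directory listing,
         which is why the output uses repr() for every name.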

       Removal: Kickstart 1.2 & 1.3: VT-Schutz v3.17
                All other Kickstarts: VirusZ III; Xvs.library must also be installed
                
                
     Original test by Heiner Schneegold
     Translated from German to English by Google Translate
     

     


Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk