--------------------------------
Amiga Virus Encyclopedia
GV_HS15 Trojan or Karacic Trojan
--------------------------------
GV_HS15 Trojan or Karacic Trojan Virus:
File length: 1460 bytes packed (Rob Northern !!!)
             1924 bytes unpacked
Other possible names: GVP-HS15 Trojan
Works only with Kickstart 3.0 and higher (V39 functions are
used).
Another suspicious fact is that the program was packed using
the Rob Northern cruncher, also called Propack. The file was
afterwards modified slightly, so that no existing depacker
can unpack it.
This trojan is programmed quite simply. It opens the libraries it
needs and checks for the old SnoopDos task.
Then it tests for the file "s:nothere". If the file exists, no
damage is caused.
Then a TimedDisplayAlert (with a timeout of some seconds) pops up
and shows you:
LMB> Kill system RMB>Reboot
The code behind the alert that evaluates the input works like this:
1. If the user gives no input within the 5 seconds and/or presses
the right mouse button, the system will be trashed using some basic
format and delete routines.
2. If the user presses the left mouse button, a ColdReboot
will be performed.
SO DON'T START THIS, AND IF SUCH A REQUESTER APPEARS, RESET
YOUR AMIGA BY HAND!
The routine that shows the alert is a Kickstart V39 function. The
trojan does not check whether the system is really V39 or higher.
FileID of this archive (GVP-HS15.lha):
HardDiskSpeeder v1.5 ©GVP Inc. 1995
(a little cache program for HDs!)
...
If you start the program, it will show you the following text:
'HardDiskSpeeder v1.5 installed ...'
If you start it using a "?", then the following text will show
up:
'HardDiskSpeeder v1.5 by GVP Inc. ©1995'
The trojan tries to destroy the following directories and devices:
dh0-dh4, hd0-hd4, l:, libs:, devs:, s: and c:
The formatted new devices will have the name:
'"Karacic Virus strikes back"'
Test by Markus Schmall. Detection tested 21.06.1995.
Virum Help Team Denmark & Canada. Copyright © All rights reserved. www.vht.dk