------------------------
Amiga Virus Encyclopedia
IconDepth v1.3 Trojan
------------------------
- Biomech Type A Trojan, destruction file
Other name: Icondepth13
The program code is identical up to $E18 (exception: the jumps).
5 bytes are written = 00 02 b9 b2 00
It does not yet contain any Biomech text, but judging by the
programming (Amiga-E) it comes from this group.
A4000: yes
Length packed: 2384 bytes
Unpacked length: 4188 bytes
NO bent vectors
NO propagation
VT ONLY recognizes the trigger file!!
Filename: IconD
The unpacked file reads:
65737366 756c6c79 210a0073 79733a70  essfully!..sys:p
72656673 2f007379 733a6465 76732f00  refs/.sys:devs/.
7379733a 6c2f0073 79733a63 2f007379  sys:l/.sys:c/.sy
733a6c69 62732f00 486f6c64 206f6e20  s:libs/.Hold on 
7768696c 65204963 6f6e4465 70746820  while IconDepth 
56312e33 20697320 636f6e76 65727469  V1.3 is converti
6e672079 6f757220 69636f6e 73210a00  ng your icons!..
This text is printed in the CLI and is meant to deceive.
In reality, the subdirectories prefs, devs, l, c and libs of sys:
are searched. Except in prefs and devs there should normally be
NO icons there at all. NOT all files in these directories are
changed. Sub-subdirectories (e.g. devs/printers) were NOT
searched in my tests.
Some examples:
File before:                 File after:
printer.device
4eb90000 08582200 N....X". : 4eb90000 08582200 N....X".
508f6608 4eb90000 P.f.N... : 0002b9b2 00b90000 ........
                             ^^^^^^^^ ^^
09ba2200 4a81661e ..".J.f. : 09ba2200 4a81661e ..".J.f.
dir
4e954a81 6700000a N.J.g... : 4e954a81 6700000a N.J.g...
42a90014 6000028c B...`... : 0002b9b2 0000028c ........
                             ^^^^^^^^ ^^
22290004 e5894ab0 ")....J. : 22290004 e5894ab0 ")....J.
icon.library
28804fef 00106700 (.O...g. : 28804fef 00106700 (.O...g.
00822f2e fff82f14 ../.../. : 00820002 b9b20014 ........
2f052f02 4e934a80 /./.N.J. : 2f052f02 4e934a80 /./.N.J.
So 5 bytes are always written = 00 02 b9 b2 00.
I have not found any system behind where they are written. The
files unfortunately can NOT be repaired anymore.
VT does NOT detect changed files, because to me the risk of a
false detection with only five bytes is too great. If you are
worried about your system because the trigger file was present,
try a file monitor (e.g. a hex editor). Enter $0002b9b2 as the
search string and examine the files in the subdirectories named
above. It goes quickly. I tried it with the l directory (e.g.
validator was destroyed).
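The hex-editor search recommended above, automated as an added example that is not part of the original entry or of VT: it walks the sys: subdirectories the entry names (prefs, devs, l, c, libs) and reports every file and offset at which the 5-byte write marker 00 02 b9 b2 00 occurs. The function and directory names are this example's own, and the sample file contents are constructed from the entry's "after" dumps (printer.device, LoadWB) and one unchanged "before" dump (icon.library).

```python
"""Scan files for the 5-byte marker 00 02 b9 b2 00 written by IconDepth v1.3.

Added example; it automates the manual hex-editor search described in the
encyclopedia entry. Names, helper functions and sample data are this
example's own, constructed from the entry's dumps.
"""
import tempfile
from pathlib import Path
from typing import Dict, List

# Bytes the trojan writes into files (from the entry's before/after dumps).
MARKER = bytes.fromhex("0002b9b200")

# Subdirectories of sys: that the trojan searches, per the entry.
SUSPECT_DIRS = ("prefs", "devs", "l", "c", "libs")


def find_marker(data: bytes, marker: bytes = MARKER) -> List[int]:
    """Return every offset at which `marker` occurs in `data`, overlaps included."""
    hits: List[int] = []
    pos = data.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = data.find(marker, pos + 1)  # advance by one so overlaps are found
    return hits


def scan_directory(root: Path, recurse: bool = False) -> Dict[str, List[int]]:
    """Scan regular files directly in `root` (and below it if `recurse`).

    Returns {path relative to root: [offsets]} for files containing the marker.
    The entry reports that sub-subdirectories were not touched, so the
    default only looks one level deep.
    """
    found: Dict[str, List[int]] = {}
    files = root.rglob("*") if recurse else root.iterdir()
    for path in sorted(files):
        if not path.is_file():
            continue
        offsets = find_marker(path.read_bytes())
        if offsets:
            found[str(path.relative_to(root))] = offsets
    return found


def scan_system(sys_volume: Path, recurse: bool = False) -> Dict[str, List[int]]:
    """Scan the sys: subdirectories named in the entry; missing ones are skipped."""
    report: Dict[str, List[int]] = {}
    for name in SUSPECT_DIRS:
        sub = sys_volume / name
        if sub.is_dir():
            for rel, offsets in scan_directory(sub, recurse).items():
                report[f"{name}/{rel}"] = offsets
    return report


# Constructed sample data, copied from the hex columns of the entry's dumps.
PRINTER_DEVICE_AFTER = bytes.fromhex(
    "4eb9000008582200" "0002b9b200b90000" "09ba22004a81661e")
LOADWB_AFTER = bytes.fromhex("0000015a00000112" "0002b9b200000003")
ICON_LIBRARY_BEFORE = bytes.fromhex(
    "28804fef00106700" "00822f2efff82f14" "2f052f024e934a80")


def demo() -> Dict[str, List[int]]:
    """Build a mock sys: volume in a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        vol = Path(tmp)
        for name in ("devs", "libs", "c"):
            (vol / name).mkdir()
        (vol / "devs" / "printer.device").write_bytes(PRINTER_DEVICE_AFTER)
        (vol / "libs" / "icon.library").write_bytes(ICON_LIBRARY_BEFORE)
        (vol / "c" / "LoadWB").write_bytes(LOADWB_AFTER)
        return scan_system(vol)


if __name__ == "__main__":
    for path, offsets in demo().items():
        print(f"{path}: marker at offsets {offsets}")
```

To check a real volume, call `scan_system(Path("/path/to/mounted/sys"))`; pass `recurse=True` if you also want the sub-subdirectories the entry says were left alone.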
Supplement June 95:
Filename:
hd_install.exe (name of the KidCurry game??). I only have the file.
Length packed: 2576 bytes
Unpacked length: 8052 bytes
The file reads:
4e5d4e75 b9b2004e 6f742065 6e6f7567  N]Nu...Not enoug
68207370 61636521 0a007379 733a7072  h space!..sys:pr
6566732f 00737973 3a646576 732f0073  efs/.sys:devs/.s
79733a6c 2f007379 733a6c69 62732f00  ys:l/.sys:libs/.
7379733a 632f0057 61697420 7768696c  sys:c/.Wait whil
65206368 65636b69 6e672048 44207370  e checking HD sp
6163652e 0a0074ff 4e754e75 4aacfff8  ace...t.NuNuJ...
So an HD install is faked in the CLI. In reality the directories
named above are searched and the 5 bytes above are written into
some of the files (not all).
LoadWB before:               LoadWB after:
0000015a 00000112 ...Z.... : 0000015a 00000112 ...Z....
0000000a 00000003 ........ : 0002b9b2 00000003 ........
                             ^^^^^^^^ ^^
Original text by Heiner Schneegold
Translated from German to English by Google Translate