IconDepth v1.3 Trojan - Amiga Virus Encyclopedia


     Amiga Virus Encyclopedia
     IconDepth v1.3 Trojan 
     - Biomech-TypA-Trojan destruction file
         Othername: Icondepth13

         The Prg code is the same up to $ E18 (exception: Spruenge)
         5 bytes are written = 00 02 b9 b2 00
         does not yet contain any biomechanic text, but it is from
         Programming (Amiga-E) from this group.
         A4000: yes
         Length packed: 2384 bytes
         Unpacked length: 4188 bytes
         NO bent vectors
         NO propagation
         VT ONLY recognizes the trigger file !!
         Filename: IconD
       The unpacked file reads:
            65737366 756c6c79 210a0073 79733a70 essfully! .. sys: p
            72656673 2f007379 733a6465 76732f00 refs / .sys: devs /.
            7379733a 6c2f0073 79733a63 2f007379 sys: l / .sys: c / .sy
            733a6c69 62732f00 486f6c64 206f6e20 s: libs / .Hold on
            7768696c 65204963 6f6e4465 70746820 while IconDepth
            56312e33 20697320 636f6e76 65727469 V1.3 is converti
            6e672079 6f757220 69636f6e 73210a00 ng your icons! ..
       The text is output in the cli and should be deceived
         serve. In reality, the subdirectories of sys:
         searches prefs, devs, l, c and libs. Except in prefs and devs
         but there should normally be NO icons. It will NOT
         all files in these directories changed. Under-subdirectories
         Drawings (e.g. devs / printers) were NOT searched for me.
       Some examples:
             File before: File after:
            4eb90000 08582200 N .... X ".: 4eb90000 08582200 N .... X".
            508f6608 4eb90000 P.f.N ...: 0002b9b2 00b90000 ........
            ^^^^^^^^ ^^ ^^^^^^^^^^
            09ba2200 4a81661e .. ". J.f.: 09ba2200 4a81661e ..". J.f.

            to you
            4e954a81 6700000a N.J.g ...: 4e954a81 6700000a N.J.g ...
            42a90014 6000028c B ... `...: 0002b9b2 0000028c ........
            22290004 e5894ab0 ") .... J.: 22290004 e5894ab0") .... J.

            28804fef 00106700 (.O ... g.: 28804fef 00106700 (.O ... g.
            00822f2e fff82f14 ../.../. : 00820002 b9b20014 ........
            2f052f02 4e934a80 /./.N.J. : 2f052f02 4e934a80 /./.N.J.
         So 5 bytes are always written = 00 02 b9 b2 00.
         I have not found a system. The files are unfortunately
         NOT to save anymore.
         VT does NOT recognize changed files because I risk
         Detection is too big with only five bytes. In case of concerns
         in your system because the trigger
         file was, then try a file monitor (e.g. hex).
         Enter $ 0002b9b2 in the search string and examine in the
         the files in certain subdirectories. It goes fast. I
         habs with the l directory tried (e.g. was destroyed
       Supplement June 95:
         File name:
         hd_install.exe (KidCurry game name ??). I only have the file.
         Length packed: 2576 bytes
         Unpacked length: 8052 bytes

         The file reads:
            4e5d4e75 b9b2004e 6f742065 6e6f7567 N] Nu ... Not enoug
            68207370 61636521 0a007379 733a7072 h space! .. sys: pr
            6566732f 00737973 3a646576 732f0073 efs / .sys: devs / .s
            79733a6c 2f007379 733a6c69 62732f00 ys: l / .sys: libs /.
            7379733a 632f0057 61697420 7768696c sys: c / .Wait whil
            65206368 65636b69 6e672048 44207370 e checking HD sp
            6163652e 0a0074ff 4e754e75 4aacfff8 ace ... t.NuNuJ ...

         So an HD install is faked in the Cli. In reality
         the above-mentioned dirs are searched and for some files
         (not all), the above 5 bytes written.

       Loadwb before: LoadWB after:
            0000015a 00000112 ... Z ....: 0000015a 00000112 ... Z ....
            0000000a 00000003 ........  : 0002b9b2 00000003 ........
            ^^^^^^^^ ^^ ^^^^^^^^^^

     Original test by Heiner Schneegold
     Translated from german to english by Google translate


Virum Help Team
Denmark & Canada
Copyright © All rights reserved