Entry...............: Jode Capullos 1 and 2
Alias(es)...........: -
Virus Strain........: -
Virus detected when.: 8.2001
              where.: net and Aminet
Classification......: file virus
Length of Virus.....: 1. Length of inst.1 (mz-makey)       39548 Bytes
                         Length of inst.2 (muahaha)        39048 Bytes
                      2. Lenght in action:           about 80000 Bytes
                      Uses Rainboot files to act what trojan author
                      wanted. Rainboot is normal program that I don't
                      use, but I know that it exists.

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release..: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: Version one displays empty ILBM picture + fake
                      text that it needs rasal.library

                      Version 2:
                      You see a picture. ILBM picture was fucked up
                      (not by me), but I have read visible text:

Hey Stupido!
The mz-makey not is a trojan! it is for kill bastards pirates
of the world and you already know :P

                      ...and so on :-)

                      My question to virus author:
                      have you ever heard that any really fast cracker
                      removes only the keycheck, so you might hit more
                      legal people than pirates?

Type of infection...: Self-identification method in files:

                      -  none

                      Self-identification method in memory:

                      -  none

                      System infection:

                      -  none

                      Infection preconditions:

                      -  none

Infection Trigger...: C:delete exists

Storage media affected:
                      system files

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - performs:

Version 1:
c:delete s:#?key#? LIBS:#?key#? DEVS:#?key#? L:#?key#? ALL FORCE NOREQ >NIL:

Version 2:
c:delete sys:#?/#?key#? ALL FORCE NOREQ >SYS:S/startup-sequence

                      All possible keys will be deleted
                      and with version 2 startup-sequence will be
                      overwritten too!

                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - running installer file
                      Transient damage:
                      - none

Particularities.....: That trojans would stay stupid joke for me,
                      but I had a closer look at them and found
                      some innovative things!
                      The installer executable format cheats probably
                      all hunk analysers including the best analyser
                      I have - HunkFunc.
                      Several programs even crash in confrontation with
                      this file.
                      The installer files were fist crunched with CrunchMania
                      and then mannipulated.
                      Look like work of extremally lazy coder,
                      who was even too lazy to code his own
                      deleter, pic viewer and so on...
                      The temporarily written executables seems to be
                      legal files of RainBoot package just crunched with
                      StoneCracker4.04.

Similarities........: -

Stealth.............: -

Armouring...........: As mentioned above installer files were crunched
                      and mannipulated to make it very resistant for
                      analyses - rather cool tricks than real techniques.

Comments............:

The uncrunched virus 2 contains visible text:

$VER: jode capullos BETA v2
$AUTH: [U.n.e.t.e.A.l.OCASO`AMIGA.rlz]

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland  30.8.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 30.8.2001
Information Source..: Virus file
Copyright...........: This documentation is public domain

===================== End of J.Capullos virus =========================

[Go back]