-------------------------------
Amiga Virus Encyclopedia
Jode Capullos 1 & 2 Trojan Test
-------------------------------
-----------------------------------------------------------------------
Entry...............: Jode Capullos 1 and 2
Alias(es)...........: -
Virus Strain........: -
Virus detected when.: 8.2001
              where.: net and Aminet
Classification......: file virus
Length of Virus.....: 1. Length of inst.1 (mz-makey) 39548 Bytes
                         Length of inst.2 (muahaha)  39048 Bytes
                      2. Length in action: about 80000 Bytes
                         Uses RainBoot files to do what the trojan author
                         wanted. RainBoot is a normal program that I don't
                         use, but I know that it exists.
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: Version 1 displays an empty ILBM picture + fake
                      text that it needs rasal.library
                      Version 2:
                      You see a picture. The ILBM picture was fucked up
                      (not by me), but I could read the visible text:

                        Hey Stupido!
                        The mz-makey not is a trojan! it is for kill bastards pirates
                        of the world and you already know :P

                      ...and so on :-)
                      My question to the virus author:
                      have you ever heard that any really fast cracker
                      removes only the keycheck, so you might hit more
                      legal people than pirates?
Type of infection...: Self-identification method in files:
- none
Self-identification method in memory:
- none
System infection:
- none
Infection preconditions:
- none
Infection Trigger...: C:delete exists
Storage media affected:
system files
Interrupts hooked...: None
Damage..............: Permanent damage:
- performs:
Version 1:
c:delete s:#?key#? LIBS:#?key#? DEVS:#?key#? L:#?key#? ALL FORCE NOREQ >NIL:
Version 2:
c:delete sys:#?/#?key#? ALL FORCE NOREQ >SYS:S/startup-sequence
All possible keys will be deleted
and with version 2 startup-sequence will be
overwritten too!
Transient damage:
- none
Damage Trigger......: Permanent damage:
- running installer file
Transient damage:
- none
Particularities.....: These trojans would have remained a stupid joke
                      to me, but I had a closer look at them and found
                      some innovative things!
                      The installer executable format probably cheats
                      all hunk analysers, including the best analyser
                      I have - HunkFunc.
                      Several programs even crash when confronted with
                      this file.
                      The installer files were first crunched with CrunchMania
                      and then manipulated.
                      Looks like the work of an extremely lazy coder,
                      who was even too lazy to code his own
                      deleter, pic viewer and so on...
                      The temporarily written executables seem to be
                      legal files of the RainBoot package, just crunched with
                      StoneCracker4.04.
Similarities........: -
Stealth.............: -
Armouring...........: As mentioned above, the installer files were crunched
                      and manipulated to make them very resistant to
                      analysis - cool tricks rather than real techniques.
Comments............:
The uncrunched virus 2 contains visible text:
$VER: jode capullos BETA v2
$AUTH: [·U.n.e.t.e.A.l.O·C·A·S·O´¯`AMIGA.rlz·]
--------------------- Acknowledgement ----------------------------------
Location............: Pawlowice, Poland 30.8.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 30.8.2001
Information Source..: Virus file
Copyright...........: This documentation is public domain
===================== End of J.Capullos virus =========================
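
An impact-triage sketch for the Damage field above, added here and not part of the original encyclopedia entry: it applies the two delete patterns to a constructed file listing to show which entries a victim should expect to restore from backup. It is a simplified model (assumptions: only the `#?` and `?` wildcards, case-insensitive matching per path component, and ALL removing the contents of a matched directory); the sample paths and function names are hypothetical.

```python
import re

# Patterns copied from the Damage field of the entry.
V1_PATTERNS = ["s:#?key#?", "LIBS:#?key#?", "DEVS:#?key#?", "L:#?key#?"]
V2_PATTERNS = ["sys:#?/#?key#?"]
# Version 2 additionally overwrites SYS:S/startup-sequence via the redirect.

# Constructed sample listings (not taken from a real infected system).
SAMPLE_V1 = ["S:MyTool.key", "S:startup-sequence", "DEVS:Keymaps/gb",
             "LIBS:asl.library", "L:port-handler"]
SAMPLE_V2 = ["SYS:S/MyTool.key", "SYS:Tools/KeyShow", "SYS:Devs/Keymaps/gb",
             "SYS:Apps/Tool/tool.key", "SYS:Tools/Calculator"]


def component_regex(pat):
    """Translate one path component; '#?' = any string, '?' = any one char."""
    out, i = "", 0
    while i < len(pat):
        if pat.startswith("#?", i):
            out, i = out + ".*", i + 2
        elif pat[i] == "?":
            out, i = out + ".", i + 1
        else:
            out, i = out + re.escape(pat[i]), i + 1
    return re.compile(out + r"\Z", re.IGNORECASE | re.DOTALL)


def split_path(path):
    """Split 'VOL:a/b' into a lower-cased volume and its components."""
    vol, _, rest = path.partition(":")
    return vol.lower(), [p for p in rest.split("/") if p]


def hit(pattern, path):
    """True if the path matches, or lies inside a directory that matches."""
    pvol, pparts = split_path(pattern)
    vol, parts = split_path(path)
    if pvol != vol or len(parts) < len(pparts):
        return False
    # Extra trailing components: the file sits in a matched directory (ALL).
    return all(component_regex(p).match(c) for p, c in zip(pparts, parts))


def affected(patterns, listing):
    """Return the listing entries the delete command would remove."""
    return [f for f in listing if any(hit(p, f) for p in patterns)]


if __name__ == "__main__":
    print("Version 1:", affected(V1_PATTERNS, SAMPLE_V1))
    print("Version 2:", affected(V2_PATTERNS, SAMPLE_V2))
```

In this model the patterns also catch non-keyfile entries whose names merely contain "key" (a Keymaps drawer, a KeyShow tool), while version 2 misses a keyfile stored two drawers below SYS:.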