------------------------
Amiga Virus Encyclopedia
Joker A & B Trojan
------------------------
- Joker-Trojan Propagation and Damage
Type A:
Filename: InstSG, assign etc. (see below).
Length: 42676 Bytes
No patched vectors
Not resetproof
According to the FileID it should be a game installer.
In reality it is an old packed VirusZ with the trojan
linked to it using the 4EB9 method.
VT offers only to delete.
Readable in the decrunched trojan part:
20200a00 54686520 4a6f6b65 72204675 ..The Joker Fu
636b6564 20596172 20486172 64646973 cked Yar Harddis
6b210a00 20202020 20202020 20202020 k!..
20202020 20202020 20202020 20202020
20200a00 6468303a 632f6465 6c657465 ..dh0:c/delete
20646830 3a6c6962 732f0064 68303a63 dh0:libs/.dh0:c
2f64656c 65746520 6468303a 77627374 /delete dh0:wbst
61727475 702f0064 68303a63 2f64656c artup/.dh0:c/del
65746520 6468303a 6c6f6361 6c652f00 ete dh0:locale/.
6468303a 632f6465 6c657465 20646830 dh0:c/delete dh0
3a707265 66732f00 6468303a 632f6465 :prefs/.dh0:c/de
6c657465 20646830 3a646576 732f0064 lete dh0:devs/.d
68303a63 2f64656c 65746520 6468303a h0:c/delete dh0:
732f0073 79733a63 2f6d6170 75730073 s/.sys:c/mapus.s
79733a63 2f6c6f61 64776200 7379733a ys:c/loadwb.sys:
632f6c6f 636b0073 79733a63 2f656469 c/lock.sys:c/edi
74007379 733a632f 65640073 79733a63 t.sys:c/ed.sys:c
2f446973 6b646f63 746f7200 7379733a /Diskdoctor.sys:
632f436f 6e666967 4f707573 00737973 c/ConfigOpus.sys
3a632f61 6d696761 67756964 65007379 :c/amigaguide.sy
733a632f 61737369 676e0025 730a0000 s:c/assign.%s...
Progression:
First, an attempt is made to copy the virus (length 42676):
it writes itself under different names (see above) to sys:c.
After that, different subdirectories (see above) on dh0: are
deleted.
Finally, a text is passed to the CLI: "The Joker ..." (see
above), so it should attract attention. Please realize that,
for example, the assign command is present in almost every
startup-sequence.
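The dump above is a NUL-terminated string table, and the "Progression" paragraph is essentially a reading of it. The following is an added example, not code from the VHT entry or from VT: it takes the hex columns of the Type A dump as embedded input, splits the bytes on NUL terminators, and groups the strings into the delete commands, the sys:c file names the trojan copies itself under, and the CLI message. The same decoder also works on the Type B listing (whose last entry is truncated on this page). The group names and the small marker check are this example's own choices, not names used by the original analysis.

```python
# Added example (not part of the original VHT entry): decode the NUL-separated
# string table from the Joker Type A dump above and group the entries the way
# the "Progression" paragraph describes them.

# Hex columns of the Type A dump from this entry (ASCII column omitted).
JOKER_A_DUMP = """
20200a00 54686520 4a6f6b65 72204675
636b6564 20596172 20486172 64646973
6b210a00 20202020 20202020 20202020
20202020 20202020 20202020 20202020
20200a00 6468303a 632f6465 6c657465
20646830 3a6c6962 732f0064 68303a63
2f64656c 65746520 6468303a 77627374
61727475 702f0064 68303a63 2f64656c
65746520 6468303a 6c6f6361 6c652f00
6468303a 632f6465 6c657465 20646830
3a707265 66732f00 6468303a 632f6465
6c657465 20646830 3a646576 732f0064
68303a63 2f64656c 65746520 6468303a
732f0073 79733a63 2f6d6170 75730073
79733a63 2f6c6f61 64776200 7379733a
632f6c6f 636b0073 79733a63 2f656469
74007379 733a632f 65640073 79733a63
2f446973 6b646f63 746f7200 7379733a
632f436f 6e666967 4f707573 00737973
3a632f61 6d696761 67756964 65007379
733a632f 61737369 676e0025 730a0000
"""


def dump_to_bytes(dump: str) -> bytes:
    """Join the hex words of a listing into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def extract_strings(blob: bytes) -> list[str]:
    """Split on NUL terminators and decode as Latin-1 (Amiga text is 8-bit).
    Whitespace-only entries (the padding between the message and the path
    list) are dropped; a trailing newline is stripped from each string."""
    strings = []
    for chunk in blob.split(b"\x00"):
        text = chunk.decode("latin-1")
        if text.strip():
            strings.append(text.rstrip("\n"))
    return strings


def classify(strings: list[str]) -> dict[str, list[str]]:
    """Group strings into CLI delete commands, bare file paths (the names the
    trojan copies itself under) and human-readable messages. Entries that
    are only a printf-style format ("%s") are left out. The group names are
    this example's own, not terms from the original analysis."""
    groups = {"deletes": [], "paths": [], "messages": []}
    for s in strings:
        if s.startswith("dh0:c/delete "):
            groups["deletes"].append(s)
        elif ":" in s and " " not in s:
            groups["paths"].append(s)
        elif s.strip() != "%s":
            groups["messages"].append(s)
    return groups


def is_joker_a_marker(blob: bytes) -> bool:
    """Cheap signature check on the message string of the decrunched part.
    Only meaningful on unpacked data: the entry notes the file is packed."""
    return b"The Joker Fucked Yar Harddisk!" in blob


if __name__ == "__main__":
    groups = classify(extract_strings(dump_to_bytes(JOKER_A_DUMP)))
    for name, items in groups.items():
        print(f"{name} ({len(items)}):")
        for item in items:
            print("   ", item)
```

Running it lists six `dh0:c/delete` commands (libs, wbstartup, locale, prefs, devs, s), nine `sys:c/` names and the single message, which is exactly what the "Progression" paragraph summarises; the `%s` entry is the format used when the text is printed to the CLI.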
Type B:
Filename: Condom1.5
Length packed: 2948 Bytes
According to FileID: 'Condom V1.50 Check files after newer
biomechanic trojan!'
VT offers to delete.
After decrunching you can see that two files have been linked
using the 4EB9 method.
The second linked part contains the readable text:
20202020 200a0044 61204a6f 6b657220 ..Da Joker
73747269 6b656420 6f6e6365 20616761 striked once aga
696e2121 0a002020 20202020 20202020 in!!..
20202020 20202020 20202020 20202020
2020200a 00737973 3a732f75 7365722d ..sys:s/user-
73746172 74757000 7379733a 70726566 startup.sys:pref
732f5363 7265656e 4d6f6465 00737973 s/ScreenMode.sys
3a6c6962 732f7265 71746f6f 6c732e6c :libs/reqtools.l
69627261 72790073 79733a63 2f646973 ibrary.sys:c/dis
6b646f63 746f7200 7379733a 632f646f kdoctor.sys:c/do
70757352 54007379 733a632f 6d617075 pusRT.sys:c/mapu
73007379 733a632f 61737369 676e0073 s.sys:c/assign.s
79733a63 2f64656c 65746500 7379733a ys:c/delete.sys:
732f7374 61727475 702d7365 7175656e s/startup-sequen
Progression:
NO propagation
The files (see above) will be deleted.
A text is passed to the CLI: "Da Joker ..." (see above).
---------------------------------------------------------
Translated to English by Dennis Boon © 2001 VHT-Denmark
Org. Test by Heiner Schneegold.
---------------------------------------------------------
Virum Help Team Denmark & Canada Copyright © All rights reserved www.vht.dk