karadic Trojan - Amiga Virus Encyclopedia

VIRUS HELP TEAM




     ------------------------
     Amiga Virus Encyclopedia
     Karaçiç Trojan
     ------------------------
    
    
        Warning ! The archive "gvp-hs15.lha" contains a new trojan !

        Here is my first analysis:


        Karaçiç Trojan Virus:
        ---------------------

        Filelength packed:    1460 Bytes (Rob Northern !!!)
                              1924 Bytes (unpacked)

        Other possible names: GVP-HS15 Trojan

        Works only with Kickstart 3.0 and later (V39 functions are
        used).

        Another suspicious fact is that the program was packed using
        the Rob Northern cruncher, also called Propack. The file was
        afterwards modified a little, so that no existing depacker
        can unpack it.

        This trojan is programmed quite simply. The needed libraries
        are opened and it checks for the old SnoopDos task.

        Then the file "s:nothere" is tested. If it exists, no
        damage is caused.

        Then a TimedDisplayAlert (with a timer of some seconds) pops up
        and shows you:

                           LMB> Kill system RMB>Reboot


        The code that evaluates the response is programmed like this:

        1.If the user gives no input within the 5 seconds and/or presses
          the right mouse button, the system will be trashed using some
          basic format and delete routines.

        2.If the user presses the left mouse button, then a ColdReboot
          will be performed.


        SO DON'T START THIS, AND IF SUCH A REQUESTER APPEARS, THEN RESET
        YOUR AMIGA BY HAND !


        The routine used to show the alert is a Kickstart V39 function.
        The trojan does not test whether the system is really V39 or
        higher.

        FileID of this archive (GVP-HS15.lha):
        HardDiskSpeeder v1.5 ©GVP Inc. 1995
        (a little cache program for HDs!)

        If you start the program, it will show you the following text:
        'HardDiskSpeeder v1.5 installed ...'


        If you  start it using a "?",  then the following text will show
        up:
        'HardDiskSpeeder v1.5 by GVP Inc. ©1995'


        The  trojan  tries  to  destroy  the  following  directories and
        devices: dh0-dh4, hd0-hd4, l:, libs:, devs:, s: and c:

        The formatted new devices will have the name:
        '"Karaçiç Virus strikes back"'
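
        A triage check built from the indicators listed above (file
        lengths, quoted texts, the "s:nothere" test), as an added example
        that is not part of the original analysis. It assumes the quoted
        texts are stored in plain form in the unpacked file; the function
        names and the sample bytes are constructed for illustration.

```python
import struct

HUNK_HEADER = 0x000003F3  # first longword of an AmigaOS loadable executable
KNOWN_SIZES = {1460: "packed", 1924: "unpacked"}  # file lengths from the analysis
# ASCII parts of the texts quoted in the analysis. Assumption: they appear
# in plain form in the unpacked file. The packed file cannot be searched,
# because no existing depacker handles the modified Propack header.
MARKERS = [b"HardDiskSpeeder v1.5", b"s:nothere", b"Virus strikes back"]


def triage(data: bytes) -> dict:
    """Compare one file's bytes against the indicators from the analysis."""
    is_hunk = len(data) >= 4 and struct.unpack(">I", data[:4])[0] == HUNK_HEADER
    size = KNOWN_SIZES.get(len(data))
    low = data.lower()  # AmigaDOS paths are case-insensitive
    hits = [m.decode() for m in MARKERS if m.lower() in low]
    if is_hunk and size == "unpacked" and len(hits) == len(MARKERS):
        verdict = "match"          # right length and every quoted text present
    elif is_hunk and (size or hits):
        verdict = "suspicious"     # e.g. the 1460-byte packed form
    else:
        verdict = "no match"
    return {"executable": is_hunk, "size": size, "hits": hits, "verdict": verdict}


def make_sample(size: int, strings=()) -> bytes:
    """Constructed test input: hunk magic, optional strings, zero padding."""
    body = struct.pack(">I", HUNK_HEADER) + b"\0".join(strings)
    return body.ljust(size, b"\0")


if __name__ == "__main__":
    for label, blob in [
        ("unpacked-like", make_sample(1924, MARKERS)),
        ("packed-like", make_sample(1460)),
        ("unrelated", make_sample(3000)),
    ]:
        print(label, triage(blob))
```

        A file of 1460 bytes is reported only as suspicious: length alone
        is a weak indicator and the packed body cannot be inspected.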


        THIS ANALYSIS IS COPYRIGHTED BY MARKUS SCHMALL AND IT IS STRICTLY
        FORBIDDEN TO INCLUDE THIS IN ANY SHI PRODUCTION !


        Warning written by Markus Schmall, programmer of VirusWorkshop.....


     


Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk