LOBO Hardcore - Amiga Virus Encyclopedia

VIRUS HELP TEAM



     ------------------------
     Amiga Virus Encyclopedia
     LOBO Hardcore
     ------------------------
     
     
     LOBOhardc0re virus (link virus)
       Origin of the name:
        In the decoded and unpacked link part you can read:
          203e4c4f 424f2068 61726463 3072653c   >LOBO hardc0re<
          20627920 4d415a45 27393920 28342050   by MAZE'99 (4 P
          796d6129 21204d69 6c6c656e 69756d20  yma)! Millenium 
          67726565 74696e67 7320746f 20616c6c  greetings to all
          20416d69 67612075 73657273 2e200000   Amiga users. ..
      File length increase: at least #5000 bytes
      Not reset-proof
      Patched vectors: LoadSeg and TRAP (variable)

      Installation in memory:
           - "c0re" is not found
           - powerpacker.library can be opened
           - LoadSeg is patched, and into ROM (see LOBO)
           - A TRAP instruction is searched for in ROM. The trap used is
             meant to be variable.
           - So a variable vector from $80 or VBR+$80 onward should be patched.
      
      Linking process:
           - via LoadSeg and TRAP (0-F)
           - File is executable ($3F3)
           - $3E9 is found exactly (i.e. no $3F1 etc.)
           - File larger than #15360 bytes
           - File less than #307200 bytes
           - 1st hunk of the original file larger than #10240 bytes
           - Medium validated
           - Not a disk (at least #91978 blocks)
           - At least #100 blocks free
           - Filename does not contain ".", "-", "!", "V" or "v"
           - The virus part is re-encoded every time using $DFF006
           - Infected files always have 2 hunks.
             The 1st hunk contains the virus part. Part of that hunk
             is now packed with PP.lib.
             The 2nd hunk is the whole original file. Unfortunately the
             2nd hunk cannot simply be written back, because 8 bytes in the
             original file may be encoded. The encoding longword has to be
             searched for in the virus part. This longword always changes,
             depending on $DFF006.
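
      The file-level conditions in the list above can be evaluated offline to
      decide which executables on a suspect volume to examine first. This is an
      added example, not code from VT or from the original text; it assumes that
      "$3E9 is found exactly" refers to the id of the first hunk after the
      header, and it does not check the volume conditions (validation, block counts).

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
EXCLUDED_CHARS = ".-!Vv"   # filename characters listed on the page

def first_hunk(data):
    """Return (id, size in bytes) of the first hunk, or None if not a $3F3 file."""
    def lw(off):
        if off + 4 > len(data):
            raise ValueError("truncated hunk structure")
        return struct.unpack_from(">I", data, off)[0]
    try:
        if lw(0) != HUNK_HEADER:
            return None
        off = 4
        while (n := lw(off)) != 0:               # resident library names, usually none
            off += 4 + 4 * n
        first, last = lw(off + 8), lw(off + 12)  # skip terminator and table size
        off += 16
        size = (lw(off) & 0x3FFFFFFF) * 4        # top two bits are memory flags
        for _ in range(last - first + 1):        # step over the hunk size table
            off += 8 if lw(off) >> 30 == 3 else 4
        return lw(off), size
    except ValueError:
        return None

def link_conditions(name, data):
    """Evaluate the file-level conditions from the list above, one result each."""
    hunk_id, hunk_size = first_hunk(data) or (None, 0)
    return {
        "executable ($3F3)": hunk_id is not None,
        "$3E9 found exactly": hunk_id == HUNK_CODE,   # assumed: id of the first hunk
        "larger than #15360 bytes": len(data) > 15360,
        "less than #307200 bytes": len(data) < 307200,
        "1st hunk larger than #10240 bytes": hunk_size > 10240,
        "no excluded character in name": not set(name) & set(EXCLUDED_CHARS),
    }

def in_scope(name, data):
    """True if the file meets every file-level condition."""
    return all(link_conditions(name, data).values())

def make_sample(code_longs, hunk_id=HUNK_CODE):
    """Constructed one-hunk load file filled with zero bytes (not a real program)."""
    header = struct.pack(">6I", HUNK_HEADER, 0, 1, 0, 0, code_longs)
    body = struct.pack(">2I", hunk_id, code_longs) + bytes(4 * code_longs)
    return header + body + struct.pack(">I", HUNK_END)

if __name__ == "__main__":
    for name, data in [("Tool", make_sample(4000)), ("Viewer", make_sample(4000)),
                       ("Small", make_sample(3000)), ("Debug", make_sample(4000, 0x3F1))]:
        print(name, in_scope(name, data), link_conditions(name, data))
```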

      Note:  Defective files (around 1/4) were created during tests. Calling
             a defective program always ends in a GURU. Since there are so many
             broken files, VT attempts a removal here as well. BUT you MUST
             expect a guru during the removal attempt. Then all that is left
             for you is to delete the remaining files.
      Note2: False detections are possible. In that case please report them
             with a sample file. VT finds the virus part
             ONLY !!!! during the file test.


     Original test by Heiner Schneegold
     Translated from German to English by Google Translate
     

     

Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk