------------------------
Amiga Virus Encyclopedia
LOBO Simple Link Virus
------------------------
- LOBO simple virus (link virus)
Reason for the name:
In the decoded link part you can read:
ffff4e75 4e7a0801 4e734454 00000000  ..NuNz..NsDT....
2f480006 41fa050e 2081205f 4e733e4c  /H..A... . _Ns>L
4f424f73 696d706c 653c4cdf 4eb900f9  OBOsimple<L.N...
7fff4a80 4e752323 506c695a 20646f6e  ..J.Nu##PliZ don
74207368 6f6f7421 20492061 6d204e4f  t shoot! I am NO
54206120 56495255 53212323 536e6f6f  T a VIRUS!##Snoo
70446f73 000041fa 04164c90 00ff6100  pDos..A...L...a.
00086100 03604e75 3e62794d 415a4539  ..a..`Nu>byMAZE9
363c6100                             6<a.
File length increase: #1912 bytes
Not reset-proof
Patched vectors: LoadSeg and TRAP1
Installation in memory:
- Searches for SnoopDos and DT (debugger??), see also the note below;
  if found, it exits
- LoadSeg already patched: $4E41
- LoadSeg is redirected into the ROM
- The ROM is searched for the TRAP1 instruction 4e41 = "NA"
4e5d4e75 4e414d45 2c535452 494e472f  N]NuNAME,STRING/
         ^^^^                            ^^
- $84 or VBR+$84 is patched
Linking procedure:
- With LoadSeg and TRAP1
- Medium is validated
- No disk (not enough blocks)
- At least #30 blocks free
- Filename does not contain ".", "-", "!", "VIR" or "vir"
- The virus part is re-encoded every time with $DFF006
- Links itself as a new first hunk ($1DA) in front of the original file,
  so the other hunks have to be reworked.
  Since the virus part does not know very many types of host,
  defective files also occur (proven in tests).
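
A triage check built on the linking details above, as an added example that is not part of the original entry: it reads the AmigaDOS hunk header and flags files whose first hunk is exactly $1DA longwords and is followed by at least one more hunk. The function names, the sample files and the 16-byte overhead breakdown are assumptions of this example; a match is only a hint, because a legitimate program can have a first hunk of that size.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
LOBO_HUNK_LONGS = 0x1DA   # size of the linked first hunk, from the entry
LOBO_GROWTH = 1912        # file growth in bytes, from the entry

def hunk_sizes(data):
    """Return the hunk size table (in longwords) of an AmigaDOS load file."""
    try:
        if struct.unpack_from(">I", data, 0)[0] != HUNK_HEADER:
            raise ValueError("not an AmigaDOS hunk load file")
        pos = 4
        while True:  # skip the resident-library name list (ends with a 0 long)
            (n,) = struct.unpack_from(">I", data, pos)
            pos += 4
            if n == 0:
                break
            pos += 4 * n
        _table, first, last = struct.unpack_from(">III", data, pos)
        count = last - first + 1
        if count <= 0:
            raise ValueError("bad hunk range in header")
        sizes = struct.unpack_from(">%dI" % count, data, pos + 12)
    except struct.error:
        raise ValueError("truncated hunk header")
    # The top two bits of each entry are memory-type flags, not size.
    return [s & 0x3FFFFFFF for s in sizes]

def lobo_like(data):
    """Heuristic: extra first hunk of exactly $1DA longwords before a host."""
    sizes = hunk_sizes(data)
    return len(sizes) >= 2 and sizes[0] == LOBO_HUNK_LONGS

def growth_for(longs):
    """Bytes a new code hunk adds: body + table entry + id + length + HUNK_END."""
    return 4 * longs + 16   # assumed minimal overhead of one added hunk

def build(hunks):
    """Constructed sample: minimal load file made of the given code hunks."""
    n = len(hunks)
    out = struct.pack(">5I", HUNK_HEADER, 0, n, 0, n - 1)
    out += b"".join(struct.pack(">I", len(h) // 4) for h in hunks)
    for h in hunks:
        out += struct.pack(">II", HUNK_CODE, len(h) // 4) + h + struct.pack(">I", HUNK_END)
    return out

host = b"\x4e\x75\x00\x00" * 8                       # constructed host hunk
clean = build([host])
linked = build([bytes(4 * LOBO_HUNK_LONGS), host])   # zero filler, not virus code
```

With that overhead, a $1DA-longword hunk accounts for exactly the #1912 bytes of growth given above, so comparing a file's length against a known-good copy is a second, independent check.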
Note from a user, Nov. 98: Thank you
DT is certainly DOSTrace by Peter Stuer
(e.g. on Meeting_Pearls_III:Pearls/debug/Snooper/DOSTrace
or on AmiNet under util/moni) because:
1. DT is basically the same as SnoopDos
2. The file name (and thus the task name) of DOSTrace is DT in the
original archive
Original test by Heiner Schneegold
Translated from German to English by Google Translate