------------------------
Amiga Virus Encyclopedia
Mount Virus
------------------------
Other possible names: Gremlins or Xcopy faker
Eleni Virus 2.2
Some other virus killers detect a Gremlins virus in memory and
crash due to wrong values. That is how the name "Gremlins"
came to be attached to this virus.
It's pure bullshit to say that this virus performs a
low-level format of your hard disk.
The installer file is a version of a well-known copy program.
The virus was linked together with a little installer using
the well-known 4eb9 linker, which was used for many BBS
viruses in the past.
Installer        : 66424 bytes (4eb9 linked on a XCopy version)
Loader (c/mount) : 208 bytes
Virus (BB&File)  : 1024 bytes
The virus works with Kickstart 2.x and higher. Using older
Kickstart versions with this virus is not possible.
SumKickData, DoIO and CoolCapture will be patched. The original
values will be stored in the low memory region around $100.
VirusWorkshop can remove both the CoolCapture and DoIO patches,
but the SumKickData function is NOT recoverable because of a bug
in the virus.
The virus is an ordinary bootblock virus with one new little
feature: if a counter reaches -$67 (starting at 1), two new
files will be written to disk. In this way the virus can
spread to hard disks, too.
The virus does not need the trackdisk.device. Therefore your
HDs (more precisely, the RDB) can be destroyed, too.
The virus contains NO format routine. I saw a text saying
this. It's not possible with this thing!
In the virus you can read "MOUNT". That's the reason why I
have chosen this name.
Detection tested 02.04.1994.
Comment 01.05.1994: I got the hint from another virus killer to
decrypt a string which can be found at the top of the
bootblock. The virus itself does not touch this string. In the
bootblock it looks like this: "FMJOJ XJSUT V2.2". If you decode
it:
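        lea     string,a0       ; a0 -> start of the encoded string
        move.l  #10,d7          ; dbf runs d7+1 times = 11 bytes
.loop   move.b  (a0),d0         ; fetch one encoded byte
        subq.b  #1,d0           ; decoding is simply "minus one"
        move.b  d0,(a0)+        ; write it back and step to the next byte
        dbf     d7,.loop
        rts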
Now you will be able to read the following string:
ELENI WIRUS V2.2. The "w" in wirus is not a mistake in my English,
it stands this way in the virus! I am sure that this is
not the ELENI virus which is detected by SHI's BootX.
Special thanks to J.Walker/TRSi for the fast supply of this
virus!
Some messages:
Metal Force/Anthrox'94: NEVER release resourced viruses! So
you force clones!
Quite interesting! TRSi released the first real technical
information about this virus and several other known crews released
their warnings after us (partly with such wrong things as:
low-level format .....).
Test by Markus Schmall
ASCII of Eleni 2.2 (Mount) bootblock virus: