Mount Virus:
        ------------

        other possible names: Gremlins or Xcopy faker
                              Eleni Wirus 2.2

        Some other virus killers detect a Gremlins virus in memory and
        crash because of wrong values. That is how the name "Gremlins"
        came to be used for this virus.

        It is pure nonsense to say that this virus performs a LOW-level
        format of your hard disk.

        The installer file is a version of a well-known copy program.
        The virus was linked together with a little installer using the
        well-known 4eb9 linker (named after $4EB9, the 68000 opcode for
        JSR abs.l), which was used for many BBS viruses in the past.



        Installer       : 66424 bytes (4eb9 linked onto an XCopy version)
        Loader (c/mount):   208 bytes
        Virus (BB&File) :  1024 bytes

        The virus works with Kickstart 2.x and higher. It does not run
        under older Kickstart versions.

        SumKickData, DoIO and CoolCapture are patched. The original
        values are stored in the low memory region around $100.

        VirusWorkshop can remove both the CoolCapture and the DoIO
        patch, but the SumKickData function is NOT recoverable because
        of a bug in the virus.

        The virus is an ordinary bootblock virus with a new little
        feature: if a counter (starting at 1) reaches -$67, two new
        files are written to disk. In this way the virus can spread on
        hard disks, too.

        The virus does not depend on the trackdisk.device, so it can
        write to hard disks as well. Your HDs (specifically the RDB, the
        Rigid Disk Block) can therefore be destroyed, too.

        The virus contains NO format routine. I saw a text claiming
        this. It is not possible with this thing!

        In the virus you can read "MOUNT". That is the reason why I
        have chosen this name.



                                       Detection tested 02.04.1994.


        Comment 01.05.1994: I got the hint from another virus killer to
        decrypt a string which can be found at the top of the
        bootblock. The virus itself does not touch this string. In the
        bootblock it looks like this: "FMJOJ XJSUT V2.2". If you decode
        it:
                lea     string,a0       ; a0 -> encoded text at top of bootblock
                move.l  #10,d7          ; dbf counts 10..0, so 11 bytes are decoded
        .loop   move.b  (a0),d0
                subq.b  #1,d0           ; shift each byte down by one
                move.b  d0,(a0)+        ; write it back and advance to the next byte
                dbf     d7,.loop
                rts

        string  dc.b    "FMJOJ XJSUT V2.2"   ; the " V2.2" part is left untouched

        Now you can read the following string: ELENI WIRUS V2.2. The
        "w" in wirus is not a bug in my English, it is written that way
        in the virus! I am sure that this is not the ELENI virus, which
        is detected by SHI's BootX.
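        The same decoding as a scanner check, written as an added example
        (this is not code from the original page nor from VirusWorkshop):
        it re-implements the 68000 loop above in Python, including the
        8-bit wraparound of subq.b and the 11-byte count that
        move.l #10,d7 plus dbf gives, and searches a bootblock image for
        the offset at which the decoded marker appears. The sample
        bootblock is constructed here by applying the inverse shift to the
        decoded text the author reports, so its bytes are not a copy of
        the virus, and the offset 8 is an assumption of the sample, not a
        fact about the virus.

```python
# Added example, not part of the original report. Re-implements the
# quoted 68000 decode loop and uses it as a bootblock scanner check.

BOOTBLOCK_SIZE = 1024               # Amiga bootblock: two 512-byte sectors
DECODED = b"ELENI WIRUS"            # text the author reads after decoding
MARKER_LEN = len(DECODED)           # 11 bytes: move.l #10,d7 + dbf = 11 passes


def decode_marker(data: bytes, offset: int = 0, count: int = MARKER_LEN) -> bytes:
    """Subtract 1 from `count` bytes starting at `offset`.

    Mirrors subq.b #1,d0 / move.b d0,(a0)+: arithmetic is 8-bit, so a
    0x00 byte wraps to 0xFF instead of going negative.
    """
    buf = bytearray(data)
    for i in range(offset, offset + count):
        buf[i] = (buf[i] - 1) & 0xFF
    return bytes(buf)


def encode_marker(text: bytes, count: int = MARKER_LEN) -> bytes:
    """Inverse of decode_marker (add 1 to the first `count` bytes)."""
    buf = bytearray(text)
    for i in range(count):
        buf[i] = (buf[i] + 1) & 0xFF
    return bytes(buf)


def make_sample_bootblock() -> bytes:
    """Constructed sample image: 'DOS\\0' header, an unused checksum slot,
    the encoded marker at offset 8 (an assumption of this sample), then
    zero padding to the full bootblock size."""
    body = b"DOS\x00" + b"\x00\x00\x00\x00" + encode_marker(DECODED + b" V2.2")
    return body.ljust(BOOTBLOCK_SIZE, b"\x00")


def find_marker(bootblock: bytes, expected: bytes = DECODED):
    """Return the offset at which decoding len(expected) bytes yields
    `expected`, or None if the bootblock does not carry the marker."""
    if len(bootblock) != BOOTBLOCK_SIZE:
        raise ValueError("bootblock must be exactly %d bytes" % BOOTBLOCK_SIZE)
    n = len(expected)
    for off in range(len(bootblock) - n + 1):
        if decode_marker(bootblock[off:off + n], 0, n) == expected:
            return off
    return None


if __name__ == "__main__":
    bb = make_sample_bootblock()
    off = find_marker(bb)
    print("marker found at offset", off)
    print("decoded:", decode_marker(bb, off, 11)[off:off + 16])
```

        Because the shift is a fixed, key-less transform, the scanner could
        equally search for the encoded bytes directly; decoding per offset
        is shown here to keep the check identical to the routine in the
        virus.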

        Special thanks to J.Walker/TRSi for the fast supply of this
        virus!

        Some messages:

        Metal Force/Anthrox`94: NEVER release resourced viruses! That is
        how you provoke clones!

        Quite interesting! TRSi released the first real technical
        info about this virus, and several other known crews
        released their warnings after us (partly with such wrong
        things as: low-level format .....).


        Test by Markus Schmall
