------------------------
Amiga Virus Encyclopedia
PHA Trojan
------------------------
- PHA Trojan   Filename: pha-1994.exe
Accompanying text: P H E N O M E N A '9 3 - SWEDISH ELITE! etc.
see also CLP-Trojan, UA62-ACP-Trojan
Destructive file:
Packed: length 57508 bytes
Unpacked: length 120624 bytes
No patched vectors.
No replication.
It is a CLP variant (text changed) that was attached to an XCopy
with a Christmas motif (using a $4EB9-$4EF9 link).
A version string was found in the XCopy part: xcopver
24564552 3a205843 6f707920 31322e39  $VER: XCopy 12.9
33006100 2d286100 01c02c79 00000004  3.a.-(a...,y....
I cannot say whether this version really exists.
Damage:
Writes a text into every file in S:, regardless of whether it is a data file or a program.
Ed-startup before:
73692030 20203120 2250726f 6a656374  si 0  1 "Project
220a7369 20312020 3220224f 70656e2e  ".si 1  2 "Open.
2e2e2020 20204553 436f7022 20226f70  ..    ESCop" "op
203f202f 46696c65 3a202f22 0a736920   ? /File: /".si 
32202034 0a736920 33202032 20225361  2  4.si 3  2 "Sa
Ed-startup after:
64522e57 486f2077 69736865 7320796f  dR.WHo wishes yo
75206120 68617070 79206e65 77207965  u a happy new ye
6172212e 2e2e2054 68697320 77617320  ar!... This was 
646f6e65 20696e20 31737420 6a616e75  done in 1st janu
61727920 31393934 2054494d 453a2030  ary 1994 TIME: 0
393a3030 2e2e2e20 68616821 2e2e2e20  9:00... hah!... 
4f4b2e2e 2e205068 756b6b20 74686973  OK... Phukk this
20677579 73207570 20666f72 20757320   guys up for us 
3a205248 59532f46 4149524c 49474854  : RHYS/FAIRLIGHT
2c204543 484f2647 5549444f 20414e44  , ECHO&GUIDO AND
20414c4c 204e415a 49205348 49544845   ALL NAZI SHITHE
41445321 2053544f 50204641 53434953  ADS! STOP FASCIS
4d202a4e 4f57212a 2e2e2e20 20202f64  M *NOW!*...   /d
522e5748 4f212022 0a736920 38202031  R.WHO! ".si 8  1
The files become unusable and VT offers to delete them.
The mode of operation is similar to that of the CLP Trojan (I do not
have it).
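Added example (not part of the original entry, and not VT's own code): a Python check that walks a copy of the S: directory and reports every file containing the text shown in the "Ed-startup after" dump. The marker strings are taken from that dump; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile

# Marker strings taken from the "Ed-startup after" dump in this entry.
MARKERS = (
    b"dR.WHo wishes you a happy new year!",
    b"This was done in 1st january 1994",
)
CHUNK = 64 * 1024
OVERLAP = max(len(m) for m in MARKERS) - 1  # keeps matches that span two reads


def find_marker(path):
    """Return (marker, file offset) of the first marker found, else None."""
    tail, pos = b"", 0  # pos = file offset of the first byte of tail
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            buf = tail + chunk
            hits = [(buf.find(m), m) for m in MARKERS if m in buf]
            if hits:
                off, marker = min(hits)
                return marker, pos + off
            tail = buf[-OVERLAP:]
            pos += len(buf) - len(tail)
    return None


def scan_dir(root):
    """Walk a copy of S: and map each affected file to its (marker, offset)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hit = find_marker(path)
            if hit:
                found[os.path.relpath(path, root)] = hit
    return found


def demo():
    """Constructed sample: one untouched file and one carrying the text."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "Ed-startup"), "wb") as fh:
            fh.write(MARKERS[0] + b'... ".si 8  1')
        with open(os.path.join(root, "Startup-Sequence"), "wb") as fh:
            fh.write(b"SetPatch QUIET\n")
        return scan_dir(root)
```

Run scan_dir() on a directory holding the files copied from S:; any file it lists should be restored from a clean backup.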
File Detection:
packed: VT reports PHA Trojan with a QUESTION MARK, so VT may be
mistaken. Please copy the file to an empty disk and
unpack it with a program of your choice.
unpacked: VT detects PHA Trojan without a question mark. It is
a 4EB9-4EF9 link. If you absolutely want to try out the
XCopy part, choose removal. If the file does NOT run
after the removal, then please go to the file requester
and switch off the trojan part with 1Linkaus. But again:
I do not know this XCopy part. There may be other nasty
things in this part. Buy an original XCopy if
you need something like that.
Original text by Heiner Schneegold
Translated from German to English by Google Translate