------------------------
Amiga Virus Encyclopedia
ScareCrow 2 Trojan
------------------------
Hi All....
There is a new trojan out. The trojan is inside a fake Ibrowse v2.0. If you
run Ibrowse a picture will be shown with a face, and a text that is telling
you that ScareCrow has done damage to your system. When I tested the archive
on my test system (68000), everything it did was to replace my user-startup
and startup-sequence with a text file. If it does damage to other systems
I don't know at the moment, but it will be tested very soon.
Here is the text:
------------------------------- START LETTER -------------------------------
ScareCrow
Since i now have your undevided attention while you are trying to save
what is left of your hard-disk i might as well begin.
Your first question will be why? The why is becose i am playing a fair
game with someone for some time now, his name is Jan Hendrik Lots of
Virus Help team NL. He and his little buddies of AGA tryed to catch me
last year with no succes, but what would you expect if you relay on their
help lead by a clowns character calling himself KleinDuimpje. Yes,
KleinDuimpje, you better start up that board again becose we havnt finished
yet. Hunting season is open again fans, and these trojans i have been
spreading are just mearly the beginning of it. i would also like to invite
some of the people i admire: Nr. 1 is L.I.S.A. (lamers in serious agony)
They did a great job, and they inspired me. Nr. 2 is C.O.P. (faust, circle
of power) Damn, i loved that Tetris attack! Nr. 3 is smooth criminal aldo
the boy has no taste, im inviting him to this party. What have i cooked up?
i am planning to make a competition out of this, who ever wants to compete
is invited. Who can make the most trojans and virusses, who can put down the
most boards. Who can make the most hits and i am listing them all. The list
will be released in a trojan by the end of each month. time to play.
---------------------------------- END LETTER -------------------------------
I guess that Jan Hendrik Lots must know something about this guy, I'll get
in contact with Jan Hendrik Lots and have a talk with him.
Well...... But everybody should think before installing programs like this
one. A new update of Ibrowse ?????. version 2.0 ?????. Don't install
programs that you are not 100% sure are okay. If you want to, try and
install programs like this one on floppy disks, it takes a bit longer,
but it might save your system........
Here is some info about this trojan & archive:
Archive name.....: DCN-IB2.LHA or DCN-IB2.LZX
Archive size.....: 595211 bytes (ripped for BBS adds)
Trojan name......: Ibrowse
Trojan size......: 327848 bytes Unpacked.
File-Id.Diz......: /\ _ _
___/ \___________(_)_______(_)__________
/ ________ / ___/ \ _____/ ____ ____ \
/ / / ___/ / / /\__ \/ / / / / /
\____/\___________ __________ /\____/\_/\_/|
.--aMiGA iLLEGAl--\/--------\/Rr!----------.
| IBrowse 2.00 FINAL 68030+ |
`----[1/1]------------------[28-04-97]-----'
------------- Test of ScareCrow 2 Trojan by Heiner Schneegold -------------
- SCARECROW-2 Trojan destruction
Known file name: ibrowse2
Reason for the name: see below
File length: # 327,848 bytes
Not reset-resident
No patched vectors
An AMOS program
According to FileID: IBrowse 2.00 FINAL 68030+
The following can be read in the file:
000b5261 6d3a5072 6f746563           ..Ram:Protec
7400000b 52616d3a 4b696c6c 52444200  t...Ram:KillRDB.
002d5241 4d3a5072 6f746563 74205359  .-RAM:Protect SY
533a532f 73746172 7475702d 73657175  S:S/startup-sequ
656e6365 20464c41 47532052 57454400  ence FLAGS RWED.
00295241 4d3a5072 6f746563 74205359  .)RAM:Protect SY
533a532f 75736572 2d737461 72747570  S:S/user-startup
20464c41 47532052 57454400 00165359   FLAGS RWED...SY
533a532f 73746172 7475702d 73657175  S:S/startup-sequ
656e6365 00125359 533a532f 75736572  ence..SYS:S/user
2d737461 72747570 00215241 4d3a4b49  -startup.!RAM:KI
4c4c5244 42207363 73692e64 65766963  LLRDB scsi.devic
6520414c 4c20464f 52434500 00105255  e ALL FORCE...RU
4e203c4e 494c3a20 3e4e494c 3a200004  N <NIL: >NIL: ..
4e494c3a 00000000                    NIL:....
Sequence of events:
A picture is displayed, which also contains the text:
SCARECROW JUST ERASED ALL LAMENESS
Some parts of the file are written to RAM:.
Damage:
- user-startup and startup-sequence are overwritten
Length: # 1304 bytes
They then contain:
ScareCrow
Since i now have your undevided attention while you are trying to save
what is left of your hard disk i might as well begin. etc....
- KillRDB is started and scsi.device is searched for. If
found, the Rigid Disk Block (RDB) area is destroyed.
VT offers deletion only.
The overwritten files cannot be recovered. Better to keep
copies of your S directory files.
------------- Test of ScareCrow 2 Trojan by Heiner Schneegold -------------
Regards....
__
__ /// Jan Andersen
\\\/// --------------
\XX/ VIRUS HELP TEAM DENMARK
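
Added example (not part of the original report and not code from VT): in the hex dump above each string is preceded by a 16-bit big-endian length and padded to an even offset, so the embedded AmigaDOS commands can be recovered statically without running the file. The rule table and the function names are assumptions made for this illustration.

```python
# Bytes copied from the 15 rows of the hex dump in the test report.
DUMP = bytes.fromhex("".join("""
000b5261 6d3a5072 6f746563
7400000b 52616d3a 4b696c6c 52444200
002d5241 4d3a5072 6f746563 74205359
533a532f 73746172 7475702d 73657175
656e6365 20464c41 47532052 57454400
00295241 4d3a5072 6f746563 74205359
533a532f 75736572 2d737461 72747570
20464c41 47532052 57454400 00165359
533a532f 73746172 7475702d 73657175
656e6365 00125359 533a532f 75736572
2d737461 72747570 00215241 4d3a4b49
4c4c5244 42207363 73692e64 65766963
6520414c 4c20464f 52434500 00105255
4e203c4e 494c3a20 3e4e494c 3a200004
4e494c3a 00000000
""".split()))

# Triage rules constructed for this example (assumption, not from the report).
RULES = {
    "killrdb": "starts KillRDB (disk destruction per the report)",
    "flags rwed": "sets RWED protection flags (file becomes writable)",
    "startup": "targets the boot scripts in SYS:S",
}

def extract_strings(data):
    """Read 16-bit big-endian length-prefixed strings, padded to even size."""
    found, pos = [], 0
    while pos + 2 <= len(data):
        length = int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
        if length == 0:          # zero word: padding / end of the table
            continue
        chunk = data[pos:pos + length]
        if len(chunk) < length or not all(32 <= b < 127 for b in chunk):
            break                # truncated or non-text: stop, do not guess
        found.append(chunk.decode("ascii"))
        pos += length + (length & 1)
    return found

def triage(strings):
    """Return {string: [reasons]} for every string that matches a rule."""
    hits = {s: [w for k, w in RULES.items() if k in s.lower()] for s in strings}
    return {s: r for s, r in hits.items() if r}

if __name__ == "__main__":
    print(*triage(extract_strings(DUMP)).items(), sep="\n")
```

Nine strings are recovered from the dump; six of them match a rule, including both Protect commands against the startup files and the KillRDB call on scsi.device.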