WireFace Type C Virus:
  ----------------------

  found in lzx120t.lha (trojan in lzx_1.20t.lha 83660 bytes long)
   and  in hdtb409.lha (trojan in hdtoolsbox2 106508 bytes long)

  Comment: 25.07.1995: Another WireFace Typ C trojan was found in
  vchck660.lzx with the mainfile containing 52400 bytes.
  This trojan seems to be based on the (at this time) old Virus
  Checker 6.56 release.

  Found when: night from 21.07. to 22.07. 1995 on a european mailbox
  See also at: VCKey110.lha and SLINKV10.lha

  Both files were created using the 4eb9 linking method and are highly
  dangerous ! The linked file is 1880 bytes powerpacked and 2876 bytes
  unpacked long and contains a formatroutine for several drives and
  assign just like the COP trojans. It will be done via a Dos COmmand
  and not via the systemcommand.

  The code was enhanced in comparision to the last version and it was
  probably rewritten.

  The files contain a lot of text at the end of the hunk and even some
  kind of nickname for me well be used. You surely know the famous
  Cornflakes from KELLOGS ? Some guys in the past from my school always
  called me Cornflake and now this "%/&%" viruscoder tells me this waY.

  The viruscode was partly optimized since the last versions of this
  virus but in general the fucking formatroutine stays.

  At the end of the virus you can read:


  'dos.library'
  'BBS'
  'BBS:'
  'CHOKe'
  'CHOKe:DOPisGOD%ld'
  'ALFONS ┼BERG ViRUS v2.0 ▀eta by WiREFACE / dEMONS oF tHE pENTAGRAM, "
  "dedicated to (Corn)Flake/TRSI'
  'CHOKe:GODisEViL'
  'DH0'
  'DH0:'
  'dOP'
  'dOP:aNuS%ld'
  'dOP:hihihi'
  'DH1'
  'DH1:
  'dEMONS'
  'dEMONS:pENiS%ld'
  'DH2'
  'DH2:'
  'pENTAGRAM'
  'pENTAGRAM:rEVENGE!'
  'DH3'
  'DH3:'
  'WiRELESS'
  'WiRELESS:hELL%ld'
  'WiRELESS:!hATe!'
  'You''ve been hit by (boom) (boom), you''ve b'
  'een hit by (boom) a smooth criminal (Alfons '
  'that is, tihi)! - Good luck restoring your l'
  'ousy hD - WE HATE YOU ALL! HA HA HA HA HA !!'
  '! (echo) ha ha ha'


  The file id of the hdtoolsbox looks like this:

  hdtoolbox 40.9 (9.7.95)

  The file id of the lzx120t fake looks like this:

  +-----------------------------------------+
  |         Lzx v1.20 TURBO Version         |
  `-----------------------------------------'
             12% Faster Testing
             10% Faster Adding!
              3% Faster Packing (-lh5-)
  .-----------------------------------------.
  |  ę 1995 Data Compression Technologies   |
  +-----------------------------------------+


  It is really surprising. At first SHI (slinkv10) and VirusChecker(vckey110)
  got attacked by this crazy guys and now I seem to be the destination of
  this person? . I don`t know, why...



  Test by Markus Schmall                      Detection tested 22.07.1995.

[Go back]