------------------------
Amiga Virus Encyclopedia
XCopy v8.5 Trojan
------------------------
Name : X-Copy 8.5
Aliases : No Aliases
Type : Trojan
Size : 66424 bytes
Clones : No Clones
Discovered : 26 April 1994
Way to infect: No infection
Rating : Very dangerous
Kickstarts : 2.0 and higher
Damage : Installs the Eleni v2.2 virus
Removal : Delete File
Warning!!! : In a check at the beginning of April 1994, SHI
found this X-Copy version 8.5 in the file lists of 9
out of 10 bulletin boards in Scandinavia!
Please be careful and DON'T use this X-Copy fake!!!
Comments : With the help of the "$4EB9_linker", a bomb and virus
installer were linked together with a fake X-Copy 8.5
version. The X-Copy unpacked is 66424 bytes!!! The
fake X-Copy 8.5 says "Legend" where the version ought
to be.
It patches SumKickData, DoIo and Coolcapture. The
X-Copy 8.5 trojan works under Kickstart 2.04 and 3.0.
The X-Copy 8.5 trojan writes 2 new files to disk:
1. File: C/mount contains a loader, which loads and
activates the second file. This first file, mount, is
208 bytes long. It also creates a file in the C dir
called 'D'; that file contains the boot virus.
2. File: Sys:C/d contains the whole boot block virus and
is 1024 bytes long. In the boot block you can see the
ASCII text:
'FMFOJ XJSVT v2.2' and 'C/MOUNT'
You can remove the virus by deleting the C:MOUNT
command (208 bytes) and replacing it with a clean MOUNT
file from your Workbench disk. But remember also to
delete the C dir file called 'D', which is the FMFOJ
XJSVT v2.2 boot virus.
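The indicators above (the two dropped files with their sizes, the two strings in the boot block, and the OFS boot block written onto an FFS disk) can be checked mechanically. The following scanner is an added example, not SHI's code: it reads a 1024-byte Amiga boot block, identifies OFS/FFS from the DOS type byte, verifies the standard boot block checksum, searches for the two strings, and flags the dropped files by size. The sample boot block is constructed here for the demonstration.

```python
import struct

# Indicators taken from the report above.
INDICATORS = (b"FMFOJ XJSVT v2.2", b"C/MOUNT")
DROPPED_FILE_SIZES = {"C/mount": 208, "C/d": 1024}


def bootblock_checksum(block: bytes) -> int:
    """Standard Amiga boot block checksum: one's-complement sum of the 256
    longwords (checksum field at offset 4 taken as zero), then inverted."""
    total = 0
    for off in range(0, 1024, 4):
        if off == 4:
            continue
        total += struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:  # end-around carry
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def inspect_bootblock(block: bytes) -> dict:
    """Report filesystem flag, checksum validity and matched indicators."""
    if len(block) != 1024:
        raise ValueError("an Amiga floppy boot block is 1024 bytes")
    flag = block[3] if block[:3] == b"DOS" else None  # DOS\0 = OFS, DOS\1 = FFS
    stored = struct.unpack_from(">I", block, 4)[0]
    return {
        "filesystem": {0: "OFS", 1: "FFS"}.get(flag, "unknown"),
        "checksum_ok": stored == bootblock_checksum(block),
        "indicators": [s.decode() for s in INDICATORS if s in block],
    }


def check_dropped_files(sizes: dict) -> list:
    """Return the C/ files whose sizes match those named in the report.
    Size alone is a weak signal; compare file contents as well."""
    return [name for name, n in DROPPED_FILE_SIZES.items() if sizes.get(name) == n]


def make_sample_block() -> bytes:
    """Constructed OFS boot block (root block 880) carrying both strings."""
    body = bytearray(b"DOS\x00" + b"\x00" * 4 + struct.pack(">I", 880))
    body += b"\x00" * 4 + INDICATORS[0] + b"\x00" + INDICATORS[1]
    body += b"\x00" * (1024 - len(body))
    struct.pack_into(">I", body, 4, bootblock_checksum(bytes(body)))
    return bytes(body)


if __name__ == "__main__":
    print(inspect_bootblock(make_sample_block()))
    print(check_dropped_files({"C/mount": 208, "C/d": 1024, "C/dir": 3000}))
```

On a disk recovered from an FFS system, "filesystem": "OFS" together with a valid checksum and both strings is exactly the state the report describes.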
SOME TIPS IF YOU HAVE GOT A VIRUS INFECTION:
As you probably all know by now there's a new virus
around. Some persons have encountered it already,
but I have made some tests with it to find out what
it really does. As I'm a sissy I have only tried with
a disk-based system, but it might be the same on a HD.
Workbench 2.1 disk, kickstart 2.0 - all files damaged.
Repaired using Ami-BackTools rel. 1.02.
HERE'S WHAT I DID:
1) I installed the Trojan fake X-Copy 8.5 version on a
Workbench 2.1-Disk, and kickstart 2.0 on my Amiga
2000 and booted with it write protected.
2) I copied this disk onto an empty disk with DosCopy +
and verify!
3) I booted with the copy (write protected) and found:
Well, nothing peculiar at first;-) Still nothing when
comparing with the "original"!
4) I booted with the copy again, but this time write
enabled, only to get a checksum error. The disk was now
unbootable!
5) Booting with "the original" and starting the trojan
X-Copy 8.5, I was able to get a dir-scan of the
copy. Nothing unusual! Trying to get a dir-scan in a
directory utility was really a hard job! A lot of
checksum errors came up, and all files were damaged
according to the directory utility and DOS. I only
got:
Checksum error on disk block xxxxx
Trying to call the C-commands from Shell gave only
the same as above, plus: DOS Error 9955
6) Now trying to read the C-dir in a directory-util took
something like about 15 minutes (Hooray for Amiga-B)!
Trying to salvage files with disksalv gave a GURU:
"Error: 8000 0003 Task: 0023E7F0"
Trying to rescue with AMI-BackTools 1.02 "Analyst"
gives the following messages:
Data Block xxxx has been corrupted
Do you want to correct it ? >Fixed
The Parent field of data block xxxx is wrong >Fixed
The next field of data block xxxx is wrong >Fixed
Data block xxxx has been fixed
The above operation takes something like half an
hour, but you regain most of the lost data. HOW
usable the files are you'll have to try out for
yourself!!
Quarterback Tools only tries to convince you to
delete the data fileheaders, 'cause they are corrupt!
THERE'S A COUPLE OF THINGS THAT OUGHT TO WARN YOU:
1. When quitting the fake XCopy you'll most likely only
get a black screen. At least I did every time!
2. Check the Version: The real one says e.g. "september
1993". The fake says: "Legend" where the version
number ought to be!
SOME MORE TIPS: When the installer program X-Copy 8.5 is started, the
mount command is written, and because this file
isn't closed the validation can't be activated if
the disk or hard disk is FFS formatted, while the boot
block virus writes an OFS formatted boot virus block.
If the disk is FFS formatted, the repair tool has
some problems identifying the filesystem because the
boot block has been OFS formatted by the virus
infection. But the damaged disks, and probably the
infected hard disks too, can be repaired by using:
Disksalv version 11.27, mode: Salvage
Thanks to Johan Sahlberg, Sweden and to The Assassins
PD Library, England for sending this virus
Test made by : Safe Hex International
Screenshot of XCopy v8.5: