Name         : X-Copy 8.5 Bomb

     Aliases      : No Aliases

     Type/Size    : Trojan bomb/Virus Installer 66424 bytes

     Clones       : No Clones

     Discovered   : 26-04-94

     Way to infect: No infection

     Rating       : Very dangerous

     Kickstarts   : 2.0 and higher

     Damage       : Installs the ELENIV2.2 virus

     Removal      : Delete File.

     Warning!!!   : In a check at the beginning of April 1994, SHI found
                    this X-Copy version 8.5 in the file lists of 9 out
                    of 10 bulletin boards in Scandinavia!

                    Please be careful and DON'T use this X-Copy fake!!!


     Comments     : With the help of the "$4EB9_linker", a bomb and virus
                    installer was linked together with a fake X-Copy 8.5
                    version. The X-Copy unpacked is 66424 bytes!!! The
                    fake X-Copy 8.5 says "Legend" where the version ought
                    to be.


                    It  patches  SumKickData,  DoIo  and  Coolcapture. The
                    X-Copy  8.5 trojan works under Kickstart 2.04 and 3.0.



                    The X-Copy 8.5 trojan writes 2 new files to disk:

                 1. File: C/mount contains a loader, which loads and
                    activates the second file. This first file, mount,
                    is 208 bytes long. A file called 'D' is also made in
                    the C dir; it contains the boot virus.

                 2. File: Sys:C/d contains the whole boot block virus and
                    is 1024 bytes long; in the boot text you can see, in
                    ASCII:


                             'FMFOJ XJSVT v2.2' and 'C/MOUNT'


                    You can remove the virus by deleting the C:MOUNT
                    command (208 bytes) and replacing it with a clean MOUNT
                    file from your Workbench disk. But remember to
                    delete the C dir file called 'D', which is the FMFOJ
                    XJSVT V2.2 boot virus.




                    SOME TIPS IF YOU HAD GOT A  VIRUS INFECTION:

                    As  you  probably  all know by now there's a new virus
                    around.   Some  persons  have encountered it already,
                    but  I  have  made some tests with it to find out what
                    it really does.  As I'm a sissy I have only tried with
                    a diskbased system,  but it might be the same on a HD.

                    Workbench  2.1 disk, kickstart 2.0 - all files damaged
                    Repaired with using Ami-BackTools rel. 1.02.


                    HERE'S WHAT I DID:

                 1) I  installed  the  Trojan fake X-Copy 8.5 version on a
                    Workbench  2.1-Disk,  and  kickstart  2.0  on my Amiga
                    2000 and booted with it write protected.

                 2) I copied  this disk on to an empty disk with DosCopy +
                     and verify!

                 3) I booted  with  the  copy (write protected) and found:
                    Well,  nothing peculiar at first;-) Still nothing when
                    comparing with the "original"!

                 4) I booted  with  the  copy  again,  but this time write
                    enabled,  only to get checksum error. The disk was now
                    un-bootable!

                 5) Booting  with "the original", and starting the trojan
                    X-Copy  8.5,  I  was  able  to  get a dir-scan of the
                    copy.  Nothing unusual! Trying to get a dir-scan in a
                    directory-utility  was  really  a  hard job!  A lot of
                    checksum errors  came  up, and all files were damaged
                    according  to  the  directory-utility  and DOS. I only
                    got:

                    Checksum error on disk block xxxxx

                    Trying  to call  the  C-commands  from Shell gave only
                    the same as above, plus: DOS Error 9955

                 6) Now  trying to read the C-dir in a directory-util took
                    something  like about 15 minutes (Hooray for Amiga-B)!
                    Trying  to  salvage  files  with disksalv gave a GURU:

                    :Error: 8000 0003      Task: 0023E7F0"

                    Trying  to  rescue  with  AMI-BackTools 1.02 "Analyst"
                    gives the following messages:

                    Data Block xxxx has been corrupted

                    Do you want to correct it ?                     >Fixed

                    The Parent field of data block xxxx is wrong    >Fixed

                    The next field of data block xxxx is wrong      >Fixed
                    Data block xxxx has been fixed


                    This  above  operation  takes  something  like half an
                    hour,  but  you  regain  most  of  the lost data.  HOW
                    useable  the  files  are  you'll  have  to try out for
                    yourself!!

                    Quarterback  Tools  only  tries  to  convince  you  to
                    delete  the data fileheaders, 'cause they are corrupt!




                    THERE'S A COUPLE OF THINGS THAT OUGHT TO WARN YOU:

                 1. When  quitting  the fake XCopy you'll most likely only
                    get a black screen. At least I did every time!

                 2. Check  the  Version: The real one says e.g. "september
                    1993". The  fake  says:  "Legend"  where  the version 
                    number ought to be!

                                                          Torben Danø, SHI



     SOME MORE TIPS:

                     When the installer program X-Copy 8.5 is started, the
                     mount command will be written, and because this
                     file isn't closed the validation can't be activated
                     if the disk or harddisk is FFS formatted and the boot
                     virus writes an OFS formatted boot virus block.



                     If the disk is FFS formatted the repair tool has
                     some problems knowing the filesystem because the boot
                     block is OFS formatted by the virus infection. But
                     the damaged disks, and probably the infected harddisks
                     too, can be repaired by using:

                     Disksalv version 11.27, mode: Salvage

                                                       By Bjørn Reese, SHI
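                     The entry above gives a defender three things to look
                     for: the two dropped files in SYS:C (a 208-byte
                     'mount' and a 1024-byte 'd'), the boot text 'FMFOJ
                     XJSVT v2.2' / 'C/MOUNT' inside the virus boot block,
                     and (from Bjørn Reese's tips) an OFS boot block
                     sitting on an FFS volume. The script below is an
                     added example, not part of the SHI entry and not any
                     SHI tool; it takes those indicators from the page and
                     checks a boot block image and an extracted C
                     directory for them. Two things are assumed rather
                     than taken from the page: that an Amiga floppy boot
                     block is the first 1024 bytes of the disk, starting
                     with 'DOS' and a flags byte whose bit 0 marks FFS,
                     and that its checksum is the complemented
                     end-around-carry sum of its 256 longwords. The
                     sample boot block and directory it builds are
                     constructed for the demonstration and contain no
                     virus code.

```python
"""Defensive indicator check for the X-Copy 8.5 trojan described above.

Added example, not part of the SHI entry.  Indicators (file names, sizes,
boot text) are taken from the page.  Assumptions NOT taken from the page:
  * an Amiga floppy boot block is the first 1024 bytes of the disk and
    starts with 'DOS' plus a flags byte (bit 0 set = FFS, clear = OFS);
  * its checksum (bytes 4..7) is the ones' complement of the 32-bit
    end-around-carry sum of all 256 longwords with that field zeroed.
"""
import os
import struct
import tempfile

BOOTBLOCK_SIZE = 1024
# Boot text the page reports inside the virus boot block.
BOOT_INDICATORS = (b"FMFOJ XJSVT v2.2", b"C/MOUNT")
# Dropped files in SYS:C: the 208-byte 'mount' loader and the 1024-byte 'd' image.
DROPPED_FILES = {"mount": 208, "d": 1024}


def bootblock_checksum(block: bytes) -> int:
    """Recompute the boot block checksum (assumed Amiga algorithm, see docstring)."""
    words = list(struct.unpack(">256I", block))
    words[1] = 0                      # the checksum field is not part of its own sum
    total = 0
    for w in words:
        total += w
        if total > 0xFFFFFFFF:        # fold the carry back into the low 32 bits
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def analyse_bootblock(block: bytes) -> dict:
    """Classify a boot block: DOS signature, OFS/FFS flag, checksum, indicator hits."""
    if len(block) != BOOTBLOCK_SIZE or block[:3] != b"DOS":
        return {"dos": False}
    stored = struct.unpack(">I", block[4:8])[0]
    return {
        "dos": True,
        # An FFS volume whose boot block says OFS shows the symptom described above.
        "fs": "FFS" if block[3] & 1 else "OFS",
        "checksum_ok": stored == bootblock_checksum(block),
        "indicators": [s.decode() for s in BOOT_INDICATORS if s in block],
    }


def scan_c_dir(c_dir: str) -> list:
    """Return (name, size, has_boot_text) for files matching the trojan's name/size pairs."""
    hits = []
    for name in os.listdir(c_dir):
        path = os.path.join(c_dir, name)
        expected = DROPPED_FILES.get(name.lower())
        if expected is None or not os.path.isfile(path):
            continue
        if os.path.getsize(path) != expected:
            continue                  # a genuine MOUNT is a different size; not flagged
        with open(path, "rb") as fh:
            data = fh.read()
        hits.append((name, expected, any(s in data for s in BOOT_INDICATORS)))
    return sorted(hits)


def build_sample_bootblock(ffs: bool, infected: bool) -> bytes:
    """Constructed test block (NOT a real virus image): header, sample text, valid checksum."""
    body = bytearray(BOOTBLOCK_SIZE)
    body[0:3] = b"DOS"
    body[3] = 1 if ffs else 0
    body[8:12] = struct.pack(">I", 880)          # root block of a DD floppy
    text = b" ".join(BOOT_INDICATORS) if infected else b"clean boot code here"
    body[64:64 + len(text)] = text
    body[4:8] = struct.pack(">I", bootblock_checksum(bytes(body)))
    return bytes(body)


def demo_scan() -> list:
    """Build a constructed SYS:C look-alike with both dropped files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "mount"), "wb") as fh:
            fh.write(bytes(208))                 # size stand-in for the loader, not its code
        with open(os.path.join(tmp, "d"), "wb") as fh:
            fh.write(build_sample_bootblock(ffs=False, infected=True))
        with open(os.path.join(tmp, "dir"), "wb") as fh:
            fh.write(bytes(3000))                # unrelated command, must not be flagged
        return scan_c_dir(tmp)


if __name__ == "__main__":
    print(analyse_bootblock(build_sample_bootblock(ffs=False, infected=True)))
    print(analyse_bootblock(build_sample_bootblock(ffs=True, infected=False)))
    print(demo_scan())
```

                     Against a real disk image, feed the first 1024 bytes
                     to analyse_bootblock and the extracted C directory
                     to scan_c_dir; a size match alone is only a hint,
                     the boot text hit is the stronger indicator, and a
                     valid checksum does not mean the block is clean,
                     since a working boot virus carries a valid checksum
                     by necessity.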


                                          Thanks to Johan Sahlberg, Sweden
                                          and to The Assassins PD Library,
                                          England  for  sending this virus





      SHI - A.D 04-94
