Virus Warning - Virus Help Team

VIRUS HELP TEAM
Denmark & Canada



WireFace Trojan Typ G
  
       A short beta analysis of the chkmount.lha trojan!

       THIS IS COPYRIGHTED MATERIAL ! NOT ALLOWED TO BE USED IN ANY SHI
       PRODUCTION !


       WireFace Trojan Typ G:
       ----------------------

       Found in   : chkmount.lha
       Type       : destructive trojan
       Protection : *Art
       Filesize   : 4672 Bytes (partly packed)


       This is another trojan from the WireFace series. In parts it looks
       like the Biomechanic trojans; some of the byte-row compare code is
       certainly copied. I haven't tested it up to the end, but the code
       looks comparable to the code in the icond Biomechanic stuff.

       If you start it and destruction is not possible (devices not
       found), a text is printed on screen several times:

       nugget@dataphone.se

       It has some visible texts at the end of the virus. The virus itself
       is protected and then afterwards packed with StoneCracker 4.04. The
       final filesize is 5868 bytes.

       The trojan tries to access the following devices and clears the
       first 39 sectors:

       'scsi.device'
       'icddisk.device'
       'oktagon.device'
       'SoftSCSI_OktagonC9X.device'

       Other visible texts are:

       '(TrojanName: iLSKNA ANDREAS v1.1) WiREFACE / dEMONS oF tHE "
       " pENTAGRAM strikes again with another stunning release (trojan) "
       " hahaha. Send postcards, money, bugreports or COMPLAINTS'
       'to me at this email adress: nugget@dataphone.se. CU in another
       relase!'
       'nugget@dataphone.se'      (This is the printed text)

       The program looks as if it was created with an old compiler. Some
       special 1.x programming techniques are used, which are normally no
       longer used nowadays.

       VirusWorkshop and VT will warn you that there is a $3e8 hunk in
       the file. This is the trojan's protection. Simple, but effective.
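
       The warning above can be reproduced with a small hunk walker. The
       following is an added example, not code from VirusWorkshop, VT or
       the author: it walks an AmigaOS load file and reports whether a
       $3e8 hunk (HUNK_NAME in the hunk format) is present. The function
       names and both sample files are constructed for illustration, and
       only the common hunk types are handled.

```python
import struct
# AmigaOS hunk type IDs (low 30 bits of each hunk's type longword)
HUNK_NAME, HUNK_CODE, HUNK_DATA, HUNK_BSS, HUNK_RELOC32 = 0x3E8, 0x3E9, 0x3EA, 0x3EB, 0x3EC
HUNK_SYMBOL, HUNK_DEBUG, HUNK_END, HUNK_HEADER = 0x3F0, 0x3F1, 0x3F2, 0x3F3

def hunk_types(data):
    """Walk an AmigaOS load file and return its hunk type IDs in file order."""
    pos = 0
    def read_long():
        nonlocal pos
        if pos + 4 > len(data):
            raise ValueError("truncated hunk file")
        pos += 4
        return struct.unpack_from(">I", data, pos - 4)[0]
    def skip(longs):
        nonlocal pos
        pos += 4 * longs
        if pos > len(data):
            raise ValueError("truncated hunk file")
    if read_long() != HUNK_HEADER:
        raise ValueError("not an AmigaOS load file")
    while (n := read_long()):                # resident library names, zero-terminated
        skip(n)
    read_long()                              # hunk table size
    first, last = read_long(), read_long()
    skip(last - first + 1)                   # per-hunk size table
    found = []
    while pos < len(data):
        htype = read_long() & 0x3FFFFFFF     # strip memory flag bits
        found.append(htype)
        if htype in (HUNK_NAME, HUNK_CODE, HUNK_DATA, HUNK_DEBUG):
            skip(read_long() & 0x3FFFFFFF)   # length in longwords, then the body
        elif htype == HUNK_BSS:
            read_long()                      # size only, no body
        elif htype == HUNK_RELOC32:
            while (n := read_long()):
                skip(n + 1)                  # target hunk number + n offsets
        elif htype == HUNK_SYMBOL:
            while (n := read_long()):
                skip((n & 0xFFFFFF) + 1)     # symbol name + value
        elif htype != HUNK_END:
            break                            # unhandled type: stop rather than guess
    return found

def has_3e8_hunk(data):                      # the condition the checkers warn about
    return HUNK_NAME in hunk_types(data)
# Constructed samples (not the trojan): one code hunk, without and with a $3e8 hunk
SAMPLE_CLEAN = struct.pack(">10I", HUNK_HEADER, 0, 1, 0, 0, 1, HUNK_CODE, 1, 0x70004E75, HUNK_END)
SAMPLE_FLAGGED = SAMPLE_CLEAN[:24] + struct.pack(">2I", HUNK_NAME, 1) + b"ABCD" + SAMPLE_CLEAN[24:]
```

       The walker stops at the first hunk type it does not handle, so an
       incomplete list of types means the rest of the file was not checked.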

       Something more to wonder about: I downloaded this file from SOS
       on 8.8.1995, and I have only used the name MOUNT-972 in one warning
       in AmigaNet and the German Z-net, so the virus coder must read
       them, too.

       The trojan is supplied with a little documentation:


                          Mount-972 Virus Checker
                          -----------------------

                  by Robert Wolvestein (ao@dataphone.se)


       This small checker finds and eliminates the Mount-972 virus
       that resently popped up! The virus must have been spread
       via Aminet or thru BBS's coz it is EVERYWHERE, almost 40% of
       my 'scene-friends' had it in some way or another.

       Regards Robert.

       (ED: A cool fake, better play with your joystick)


       Greets
                  Markus Schmall




Copyright © All rights reserved
www.vht-dk.dk