Warning! M-hac.lha and Bloody.exe contain LINKVIRUSES! BE CAREFUL!
Here is a first BETA ANALYSIS of it:
ConMan 1995 Linkvirus:
----------------------
Other possible names: M-Hac Virus, Bloody Virus
Detected in: M-hac.lha and Bloody.EXE
Detected when: August 1995/Germany SOS
Linking method: 4eb9 (!!!!)
Resident: NO
Length: 1836 bytes
This is a new type of linkvirus. There are 2 installers known so far.
It simply creates a new process with the known CONMAN code, but
now with different names.
Possible names are:
C:DIR
ramlib
Background_Process
RAm
L:FastFileSystem
LIBS: gadtools.library
Workbench
DF0
addbuffers
CON
LIB:req.library
CLI(0): no command loaded
CLI(1): no command loaded
Please note that several of these tasks can appear in normal systems,
too.
The speciality of this virus is that it uses an internal 4eb9 linker
to link to files. Quite tricky. Virus killers like VT, VZ_II and
VW should still be able to detect the infected files.
The linking routine knows the following hunk symbols: $3f2, $3f3, $3ec
and $3eb. The code is a little bit dangerous, but I will implement
in VirusWorkshop a completely reverse-analysed routine, so it should
be no problem to repair even non-working infected files.
The virus adds 4 hunks to the file and the linked code is partly
packed. It is packed with StoneCracker 4.04ß and then manipulated
afterwards.
The virus is not memory resident.
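Added example (not part of Markus Schmall's analysis and not VirusWorkshop code): a small Python walker for the AmigaDOS hunk format that reads the hunk table and the hunk blocks named above (HUNK_HEADER $3f3, HUNK_END $3f2, HUNK_RELOC32 $3ec, HUNK_BSS $3eb, plus HUNK_CODE $3e9), then applies the two checks the analysis implies for a scanner: whether the entry code hunk begins with the 68000 opcode 4eb9 (JSR (xxx).L, the "4eb9 method" is taken here to mean exactly that), which hunk the relocated JSR target points into, and how many hunks the file carries. The sample files are constructed inline; the "patched" one has a JSR inserted at its entry and four extra hunks appended, mirroring the "adds 4 hunks" observation, and carries no real virus code.

```python
import struct

# AmigaDOS hunk block identifiers (standard values)
HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_END, HUNK_HEADER = 0x3EC, 0x3F2, 0x3F3
JSR_ABS_L = b"\x4e\xb9"   # 68000 opcode JSR (xxx).L, the "4eb9" linking method


def parse_hunk_file(data: bytes) -> dict:
    """Walk a loadable hunk file and return its hunk size table and hunk bodies."""
    pos = 0

    def u32() -> int:
        nonlocal pos
        (v,) = struct.unpack_from(">I", data, pos)
        pos += 4
        return v

    if u32() != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    while (n := u32()) != 0:            # resident library name list: skip it
        pos += n * 4
    table_size, first, last = u32(), u32(), u32()
    sizes = [u32() & 0x3FFFFFFF for _ in range(last - first + 1)]
    hunks = []
    while pos < len(data):
        htype = u32() & 0x3FFFFFFF        # mask off memory attribute bits
        if htype in (HUNK_CODE, HUNK_DATA):
            n = u32()
            hunks.append({"type": htype, "body": data[pos:pos + n * 4]})
            pos += n * 4
        elif htype == HUNK_BSS:
            hunks.append({"type": htype, "body": b"", "bss_longs": u32()})
        elif htype == HUNK_RELOC32:     # (target hunk, offset) pairs for the previous hunk
            relocs = []
            while (cnt := u32()) != 0:
                target = u32()
                relocs += [(target, u32()) for _ in range(cnt)]
            hunks[-1]["relocs"] = relocs
        elif htype != HUNK_END:
            raise ValueError(f"unsupported hunk type {htype:#x} at offset {pos - 4}")
    return {"table_size": table_size, "sizes": sizes, "hunks": hunks}


def check_entry_hunk(parsed: dict) -> dict:
    """Scanner heuristics: does the entry code hunk start with JSR (xxx).L, which
    hunk does that JSR's relocated operand point into, and how many hunks are
    there? None of this alone proves infection (a normal program may begin
    with a JSR), so a real killer combines it with a signature of the added code."""
    entry = next((h for h in parsed["hunks"] if h["type"] == HUNK_CODE), None)
    starts_with_jsr = entry is not None and entry["body"][:2] == JSR_ABS_L
    target = None
    if starts_with_jsr:  # the JSR operand sits at offset 2; find its relocation
        target = next((t for t, off in entry.get("relocs", []) if off == 2), None)
    return {"entry_jsr_abs": starts_with_jsr,
            "jsr_target_hunk": target,
            "hunk_count": len(parsed["sizes"])}


def build_hunk_file(bodies: list, entry_relocs=()) -> bytes:
    """Assemble a minimal hunk executable from longword-aligned code bodies.
    entry_relocs are (target_hunk, offset) pairs attached to hunk 0. Constructed
    sample builder, not a linker."""
    out = struct.pack(">IIIII", HUNK_HEADER, 0, len(bodies), 0, len(bodies) - 1)
    out += b"".join(struct.pack(">I", len(b) // 4) for b in bodies)
    for i, b in enumerate(bodies):
        out += struct.pack(">II", HUNK_CODE, len(b) // 4) + b
        if i == 0 and entry_relocs:
            out += struct.pack(">I", HUNK_RELOC32)
            for target, off in entry_relocs:
                out += struct.pack(">III", 1, target, off)
            out += struct.pack(">I", 0)
        out += struct.pack(">I", HUNK_END)
    return out


# Constructed samples (not real files): a one-hunk program (RTS; NOP), and a file
# whose entry hunk was patched to "JSR <hunk 1>; RTS" with four extra hunks appended.
CLEAN = build_hunk_file([b"\x4e\x75\x4e\x71"])
PATCHED = build_hunk_file([b"\x4e\xb9\x00\x00\x00\x00\x4e\x75"] + [b"\x4e\x71\x4e\x71"] * 4,
                          entry_relocs=[(1, 2)])

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("patched", PATCHED)):
        print(name, check_entry_hunk(parse_hunk_file(blob)))
```

Running it prints the two reports; the patched sample shows the entry JSR, a relocation pointing it at hunk 1, and five hunks in the table. A repair routine of the kind the analysis promises would reverse exactly these steps: restore the original entry bytes the linker overwrote and drop the appended hunks and their relocations.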
Some words about the installers:
m-hack.lha FILE_ID.DIZ:
.-------------------------------.
| MASTER AMIEX ONLINE PW HACKER |
| PREVIOUS VERSION HAVE A BUG! |
`-------------------------------'
The program hack (4388 bytes long) contains the trojan.
bloody.exe FILE_ID.DIZ:
NON DOS DISK READER >>>>-BEST!
The program including this ID is 25560 bytes long unpacked.
Greets
Markus Schmall
P.S.: This analysis is copyrighted and strictly forbidden to be used
in any SHI production....