Hi ! Back in the street...
Warning ! Warning ! Warning ! Warning ! Warning ! Warning ! Warning !
The archiv "PHA-XMAS.lha" contains a new trojan. The code looks like
the COP trojans, but this time no word from them. Via the access of
DosLists it will be tried to access the files and overwrite them with
a $1f byte long string, which look like this:
"+46-620-13141 - DUNGEON OF DOOM"
A swedish number, I suppose.
If the sys partition is protected, the following text will be up:
'Phenomena DOS-Extender V1.1 ',$A9,'1993 by Photon'
'Unable to write Swapfile. Remove write-protection and retry'
'Creating new Swapfile. Please hold...'
Of course Photon has nothing to do with it.
The FileID of this files looks like this:
.------------------------------------------.
: Phenomena presents ' merry x-mas ! ' :
: Pha's very last production on the Amiga! :
: :
: Code & Graphics : Photon, Color & Twins :
: Music : Tip & Mantronix :
`------------------------------------------'
But it`s only a little lame trojan.
The archive already popped up in Germany on 24.12., but the archive
was corrupted. 2 days later I found it as intact archive on the
D-o-E BBS, where I want to thank Mercury for his freedl, otherwise
I wouldn`t have been able to analyse this one.
Some people had real luck. E.g. Hitpoint downloaded the corrupted
archive and could so not start the shit (hi Dieter !)...
Ok, that is all for now, it`s morning time and I want to sleep...
Greets
Markus Schmall (Programmer of VirusWorkshop)