Fileghost Virus I:
------------------
Works with Kickstart 3.1 and MC68040!
Is able to skip over symbol and debug hunks at the beginning of the file.

This is a link virus which adds NO hunk to the infected file. It will
increase the first hunk (876 bytes) and changes the "RTS" at the end of
the hunk, or tries to go back several steps and searches for an "RTS".
This "RTS" will be replaced by a "BRA XYZ".
-> A virus type like Infiltrator, DA and others.

The virus changes DOS(NEW)Loadseg and Exec Forbid. No reset vectors will
be changed.

At the end of the file you can read:
(this text is mostly decrypted by an "eor.b d0,(0)+" routine.
Nothing special...)

'dos.library'
'Hi Friend! Don`t worry... It`s only the '
'FileGhost.'

Fileghost Virus II:
-------------------
Works with Kickstart 3.1 and MC68040.
Please note that this virus will not be installed by the recognized
Installer II!!!!

This is a link virus which adds NO hunk to the infected file. It will
increase the first hunk (796 bytes) and changes the "RTS" at the end of
the hunk, or tries to go back several steps and searches for an "RTS".
This "RTS" will be replaced by a "BRA XYZ".
-> A virus type like Infiltrator, DA and others.

The $3e8 hunks will be skipped over. Caution! Read the DHunk
documentation!

The virus changes DOSLoadseg. No reset vectors will be changed.

Self-recognition code in memory:
Test for the single longword: $ABCD1234

At the end of the file you can read:
(this text is mostly decrypted by an "add.b d0,(0)+" routine.
Nothing special...)

FileGhost 2 - Merry X-Mas and a happy new year...

Detection for the Fileghost2 tested 26.09.1994.

Comment 11.10.1994:
As far as I know this virus is very widespread in Germany. Many PD disks
are infected and even a CD was infected and NOT released. I have just
found a bug in my memorycheck routine, which I have now fixed.
Sorry guys...

Test by Markus Schmall....
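Added example (not part of the original description and not the author's detection routine): a known-plaintext scan that tries every one-byte key for the "eor.b" and "add.b" decoders named above and looks for the quoted FileGhost texts near the end of a file. It assumes d0 holds one constant byte for the whole text and that the text lies within the last 1 KiB; the key values and sample bytes are constructed.

```python
# Added example: brute-force the one-byte key hiding the FileGhost texts.
# Markers are the strings quoted in the description; everything else here
# (key values, tail size, sample bytes) is constructed for illustration.
MARKERS = {
    "Fileghost I": (b"FileGhost.", "eor"),    # decoder uses eor.b
    "Fileghost II": (b"FileGhost 2", "add"),  # decoder uses add.b
}
TAIL = 1024  # assumption: the text lies within the last 1 KiB of the file


def encode(plain: bytes, key: int, op: str) -> bytes:
    """Bytes as stored on disk if the decoder applies `op` with `key`."""
    if op == "eor":
        return bytes(b ^ key for b in plain)
    return bytes((b - key) & 0xFF for b in plain)  # add.b restores these


def scan(data: bytes):
    """Return (variant, key, file offset) for every marker hit in the tail."""
    base = max(0, len(data) - TAIL)
    tail = data[base:]
    hits = []
    for name, (marker, op) in MARKERS.items():
        for key in range(256):  # key 0 also catches an unencoded copy
            pos = tail.find(encode(marker, key, op))
            if pos != -1:
                hits.append((name, key, base + pos))
    return hits


# Constructed samples: filler words (RTS opcode $4E75) plus an encoded text.
FILLER = b"\x4e\x75" * 64
SAMPLE_I = FILLER + encode(b"FileGhost.", 0x5A, "eor")
SAMPLE_II = FILLER + encode(b"FileGhost 2", 0x21, "add")

if __name__ == "__main__":
    for label, blob in (("I", SAMPLE_I), ("II", SAMPLE_II), ("clean", FILLER)):
        print(label, scan(blob))
```

A hit marks a file for closer inspection of its first hunk; no hit does not clear a file, since the description says the text is only "mostly" decoded by these routines.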