        Fileghost Virus I:
        ------------------

        Works with Kickstart 3.1 and MC68040 !

        It is able to skip over symbol and debug hunks at the
        beginning of the file.

        This is a link virus which adds NO hunk to the infected file.
        It increases the first hunk (by 876 bytes) and changes the
        "RTS" at the end of the hunk, or tries to go back several
        steps and searches for an "RTS". This "RTS" is replaced
        by a "BRA XYZ". -> A virus type like Infiltrator, DA and
        others.

        The virus changes DOS (New)LoadSeg and Exec Forbid. No reset
        vectors are changed.

        At the end of the file you can read:
        (this text is mostly decrypted by an "eor.b d0,(0)+" routine.
        Nothing special...)


        'dos.library'
        'Hi Friend! Don`t worry... It`s only the '
        'FileGhost.'




        Fileghost Virus II:
        -------------------

        Works with Kickstart 3.1 and MC68040


        Please note that this virus will not be installed by the
        recognized Installer II !!!!

        This is a link virus which adds NO hunk to the infected file.
        It increases the first hunk (by 796 bytes) and changes the
        "RTS" at the end of the hunk, or tries to go back several
        steps and searches for an "RTS". This "RTS" is replaced
        by a "BRA XYZ". -> A virus type like Infiltrator, DA and
        others.

        The $3e8 hunks will be skipped. Caution! Read the DHunk
        documentation!
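
        A structural check for the layout both descriptions give (first hunk grown by 876 or 796 bytes, an "RTS" near the end of the original code replaced by a "BRA"), as an added Python example that is not part of the original text or of any tool named in it. The 64-byte search window, the function names and the constructed sample builder are assumptions; a hit is only a heuristic indicator, and extended size-table entries are not handled.

```python
import struct

HUNK_NAME, HUNK_CODE, HUNK_SYMBOL, HUNK_DEBUG, HUNK_HEADER = 0x3E8, 0x3E9, 0x3F0, 0x3F1, 0x3F3
GROWTH = {"Fileghost I": 876, "Fileghost II": 796}  # bytes added to the first hunk (from the text)
WINDOW = 64  # assumption: how far before the added bytes the patched RTS may sit

def first_code_hunk(data):
    """Return the contents of the first code hunk of an AmigaDOS load file."""
    u32 = lambda off: struct.unpack_from(">I", data, off)[0]
    if u32(0) != HUNK_HEADER:
        raise ValueError("not a hunk load file")
    pos = 4
    while u32(pos):                              # resident library names, normally none
        pos += 4 + 4 * u32(pos)
    pos += 16 + 4 * (u32(pos + 12) - u32(pos + 8) + 1)  # terminator, table size, first, last, sizes
    while True:
        kind, pos = u32(pos) & 0x3FFFFFFF, pos + 4
        if kind == HUNK_CODE:
            return data[pos + 4 : pos + 4 + 4 * (u32(pos) & 0x3FFFFFFF)]
        if kind in (HUNK_NAME, HUNK_DEBUG):      # length-prefixed blocks, skipped
            pos += 4 + 4 * u32(pos)
        elif kind == HUNK_SYMBOL:                # (length, name, value) entries, zero-terminated
            while u32(pos):
                pos += 8 + 4 * (u32(pos) & 0xFFFFFF)
            pos += 4
        else:
            raise ValueError("unexpected hunk $%X before the first code hunk" % kind)

def branch_target(code, off):
    """Offset a BRA.S or BRA.W at `off` jumps to, or None if there is no such branch."""
    if code[off] != 0x60 or code[off + 1] == 0xFF:   # not BRA, or the 68020+ BRA.L form
        return None
    if code[off + 1] == 0:                           # BRA.W: 16-bit displacement follows
        return off + 2 + struct.unpack_from(">h", code, off + 2)[0]
    return off + 2 + struct.unpack_from(">b", code, off + 1)[0]

def layout_hits(data):
    """List (variant, branch offset, target) for branches that lead into the added bytes."""
    code, hits = first_code_hunk(data), []
    for name, grown in GROWTH.items():
        start = len(code) - grown                    # where the added bytes would begin
        for off in range(max(0, start - WINDOW), max(0, start), 2):
            target = branch_target(code, off)
            if target is not None and start <= target < len(code):
                hits.append((name, off, target))
    return hits

def sample(code):  # constructed test file: header, one HUNK_NAME, one code hunk, HUNK_END
    return struct.pack(">11I", HUNK_HEADER, 0, 1, 0, 0, len(code) // 4, HUNK_NAME, 1,
                       0x74657374, HUNK_CODE, len(code) // 4) + code + struct.pack(">I", 0x3F2)
```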

        The virus changes DOS LoadSeg. No reset vectors are changed.

        Self-recognition code in memory: a test for the single longword:
                                $ABCD1234

        At the end of the file you can read:
        (this text is mostly decrypted by an "add.b d0,(0)+" routine.
        Nothing special...)


        FileGhost 2 - Merry X-Mas and a happy new year...


                                Detection for the Fileghost2 tested
                                                26.09.1994.


        Comment 11.10.1994: As far as I know this virus is very
        widespread in Germany. Many PD disks are infected and even a CD
        was infected and NOT released.

        I have just found a bug in my memorycheck routine, which I have
        now fixed. Sorry guys...



        Test by Markus Schmall....
