Fileghost 3 Linkvirus:
----------------------

MC68040 and MC68060: yes
Kickstart V35 and above
Patched vectors: DOS LoadSeg()
Increases filelength by 1288 bytes
Detected: Jun '95 in the south of Germany

This is another linkvirus out of the Fileghost series. These linkviruses just add their code to the end of the first hunk and then search for the last "rts" and modify it to a "bsr.b" to get activated. So the relochunks will stay unchanged.

Differences to the previous versions of the virusfamily:

1. Some more indirect addressing.
2. Tests whether SnoopDos (FindTask "SnoopDos") is active.
3. It searches for 2 longwords in the first hunk:
   $53460C46 at offset $2A from the loadseg() memptr
   $2F49003C at offset $3A from the loadseg() memptr
   If you know which program has such longs in the first hunk, please let me know. Thanks.
4. The cryptroutine is a little more advanced.
5. The word $1994 is used to check whether the virus has already infected the LoadSeg() vector. This routine is comparable to Fileghost2 and to the Polygonifrikator viruses.
6. Depending on a spreading counter, the virus will set new windowtitles (see the bottom of the description).

The Fileghost virus contains no destructive routine. As with every virus of this type, it is possible that programs which need a 100% correct hunkstructure (e.g. some packers) will get problems and will not work.

The virus is, in my opinion, not from the author of the last Fileghost viruses. This one has display routines, so the infected user will recognize it very fast. The last versions of Fileghost just worked in the background.

New texts for the windowtitles:
-------------------------------

'AUA! schlag nicht so auf die Tasten!'
'FileGhost3 - the nightmare continues!'
'Hallo DEPP!'
'Was machst Du denn als nächstes ?'
'Weißt Du eigentlich, daß Du dumm bist ?'
'Und schon wieder eine Datei weniger!'
'Gib mir mal `n Bier!'
'Tötet alle Nazis + RAPER!'
'AMIGA kills PC! (HEHE)'
'INTeL Outside !'

Greets
Markus Schmall

(Please remember that this analysis is copyrighted by Markus Schmall and it is not allowed to include this analysis in SHI productions!)
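
Added example (not part of the original analysis and not taken from any antivirus tool): a heuristic built only from the description above. It parses an AmigaDOS load file, takes the first hunk, and reports "bsr.b" opcodes just before the last 1288 bytes of that hunk that branch into those bytes. Assumptions: the appended code is the final 1288 bytes of the first hunk; the function names and both sample files are constructed for illustration.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
GROWTH = 1288  # file length increase stated in the description

def first_code_hunk(data):
    """Return the body of the first hunk of a load file, or None if it is not code."""
    def long_at(off):
        if off + 4 > len(data):
            raise ValueError("truncated hunk file")
        return struct.unpack_from(">I", data, off)[0]
    if long_at(0) != HUNK_HEADER:
        raise ValueError("not an AmigaDOS load file")
    off = 4
    while (n := long_at(off)) != 0:      # resident library names, 0-terminated
        off += 4 + 4 * n
    first, last = long_at(off + 8), long_at(off + 12)
    if last < first:
        raise ValueError("bad hunk table")
    off += 16 + 4 * (last - first + 1)   # skip terminator, counts and size table
    if long_at(off) & 0x3FFFFFFF != HUNK_CODE:
        return None
    size = 4 * (long_at(off + 4) & 0x3FFFFFFF)
    if off + 8 + size > len(data):
        raise ValueError("truncated hunk file")
    return data[off + 8:off + 8 + size]

def tail_calls(code, growth=GROWTH):
    """Offsets of bsr.b opcodes in the host part that branch into the last `growth` bytes."""
    tail = len(code) - growth            # assumed start of the appended code
    hits = []
    for off in range(max(0, tail - 128), max(0, tail), 2):
        disp = code[off + 1]
        if code[off] != 0x61 or disp in (0x00, 0xFF):  # 0x00/0xFF are the word/long forms
            continue
        if disp >= 0x80:                 # 8-bit signed displacement
            disp -= 256
        if off + 2 + disp >= tail:       # target is relative to opcode address + 2
            hits.append(off)
    return hits

def build(code):
    """Wrap code bytes in a one-hunk load file (constructed test fixture)."""
    n = len(code) // 4
    return struct.pack(">8I", HUNK_HEADER, 0, 1, 0, 0, n, HUNK_CODE, n) + code + struct.pack(">I", HUNK_END)

NOP, RTS = b"\x4e\x71", b"\x4e\x75"
CLEAN = build(NOP * 999 + RTS)                                  # constructed: ends in rts
PATCHED = build(NOP * 8 + b"\x61\x02" + NOP + bytes(GROWTH))    # constructed: bsr.b into zero filler
```

A match is only a hint: the scan compares bytes without disassembling, and legitimate programs can also end in a short "bsr.b".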