Entry...............: rexxfunc.library trojan
Alias(es)...........: -
Virus Strain........: none
Virus detected when.: 5.2000
              where.: England
Classification......: File virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 4716 Bytes (L:wb.handler),
                                                   1136 Bytes (fake C:loadwb)

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: new files L:wb.handler, LIBS:rexxfunc.library
Type of infection...: The fake program MiamiSpoof (8468 bytes crunched)
                      performs the following operations:
                      1. replaces C:loadwb with a fake file (1136 bytes),
                      2. writes the original loadwb to LIBS:rexxfunc.library,
                      3. writes the new file L:wb.handler (4716 bytes).
                      System infection: the fake LoadWB executes L:wb.handler,
                      which creates a fake process named `SetPatch`. Every 60
                      seconds this process tries to open a remote shell on
                      TCP:2000. The attempt is made only if the MIAMI.1 or
                      AMITCP port is found and the SNOOPDOS port is not found.
                      This is stupid because everybody can see the FindPort
                      SNOOPDOS call on the SnoopDos screen :-)
Infection Trigger...: executing the executables belonging to this kit
Storage media affected: SYS:
Interrupts hooked...: None
Damage..............: Permanent damage: - none
                      Transient damage: - none
Damage Trigger......: Permanent damage: - none
                      Transient damage: - none
Particularities.....: The fake LoadWB has the same length as the original one;
                      part of the original LoadWB is even stored inside it to
                      confuse the user.
Similarities........: I can't say this is comparable because in most parts
                      this kit has been made with a compiler like E.
Stealth.............: [See Particularities]. Fake process name SetPatch.
Armouring...........: Made with a compiler :-) Slightly complicated crypting
                      routines were used. The `MiamiSpoof` has been crunched
                      with StoneCracker and modified to prevent decrunching.
                      Anyway, the decrunched length is 10044 (I've sent it to
                      VHT-DK).
Comments............: There is another comparable trojan called the
                      rexxfifo.library trojan.

--------------------- Agents -------------------------------------------

Countermeasures.....: - above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland 23.6.2000
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 23.6.2000
Information Source..: Virus disassembly
Copyright...........: This documentation is public domain

================= End of rexxfunc.library trojan =======================
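Editor's added example (not part of the original description, nor code from the kit or its author): the identification and clean-up steps above, and the port-based trigger of the backdoor, written out as a check that runs offline. The SYS: volume is modelled as a dict of path to file length and the task list as a list of names, because a real Amiga is not assumed to be at hand; the path names, lengths, process name and port names are the ones the description gives, while the sample volume, the filler file and its size, and the function names are constructed here.

```python
"""Indicator check, clean-up and trigger model for the rexxfunc.library trojan.

Added example, not the VTC description's or the kit's own code. An Amiga
SYS: volume is modelled as {path: length_in_bytes} and the running tasks as a
list of names; on a real machine the same facts come from List/Dir and a task
lister such as SnoopDos or Xoper. Paths, lengths and names are taken from the
description above; everything marked "constructed" is sample data made up here.
"""

# Artifacts the kit creates (from the description).
DROPPED_HANDLER = "L:wb.handler"           # 4716 bytes, started by fake LoadWB
HIDDEN_ORIGINAL = "LIBS:rexxfunc.library"  # the original C:loadwb, moved here
TARGET = "C:loadwb"                        # replaced by the 1136-byte fake
HANDLER_LEN = 4716
# The handler runs as a task called SetPatch. The real SetPatch is a boot-time
# command that exits at once, so a long-lived task of that name is suspicious.
FAKE_PROCESS = "SetPatch"

# Public message ports the backdoor looks for before calling out (description).
STACK_PORTS = ("MIAMI.1", "AMITCP")
SNOOP_PORT = "SNOOPDOS"


def find_indicators(volume, processes):
    """Return human-readable findings for one volume/task snapshot.

    Note that C:loadwb's length is deliberately NOT used as an indicator: the
    description says the fake is padded to the original's length, so the
    dropped files and the resident task are what to look for.
    """
    findings = []
    if DROPPED_HANDLER in volume:
        size = volume[DROPPED_HANDLER]
        note = "" if size == HANDLER_LEN else f" (unexpected length {size})"
        findings.append(f"found {DROPPED_HANDLER}{note}")
    if HIDDEN_ORIGINAL in volume:
        findings.append(f"found {HIDDEN_ORIGINAL} (displaced original LoadWB)")
    if FAKE_PROCESS in processes:
        findings.append(f"resident task named {FAKE_PROCESS} (TCP:2000 backdoor)")
    return findings


def clean(volume):
    """Return a copy of volume with the kit's files undone.

    The displaced original is moved back over the fake C:loadwb and the
    handler is deleted. The running SetPatch task is not touched here; it
    goes away on reboot once L:wb.handler no longer exists.
    """
    fixed = dict(volume)
    fixed.pop(DROPPED_HANDLER, None)
    if HIDDEN_ORIGINAL in fixed:
        fixed[TARGET] = fixed.pop(HIDDEN_ORIGINAL)
    return fixed


def backdoor_would_connect(public_ports):
    """Model of the handler's 60-second check, as the description states it:
    call out only when a TCP stack port exists and SnoopDos's port does not.
    A side effect worth knowing: simply keeping SnoopDos running suppresses
    the connection attempt entirely."""
    has_stack = any(p in public_ports for p in STACK_PORTS)
    return has_stack and SNOOP_PORT not in public_ports


# Constructed snapshot of an infected system (lengths of the kit's files are
# from the description; "C:Dir" and its length are filler, not real values).
SYS_INFECTED = {
    "C:loadwb": 1136,                # the fake
    "LIBS:rexxfunc.library": 1136,   # the original (same length, per the text)
    "L:wb.handler": 4716,
    "C:Dir": 1000,                   # constructed filler
}
TASKS_INFECTED = ["Workbench", "SetPatch", "Background CLI"]  # constructed

if __name__ == "__main__":
    for line in find_indicators(SYS_INFECTED, TASKS_INFECTED):
        print("INFECTED:", line)
    print("after clean:", sorted(clean(SYS_INFECTED)))
    print("calls out with Miami only:", backdoor_would_connect({"MIAMI.1"}))
    print("calls out with SnoopDos up:",
          backdoor_would_connect({"MIAMI.1", "SNOOPDOS"}))
```

The clean-up mirrors the kit's own three steps in reverse; the only point that needs care on a real machine is that L:wb.handler must be gone before the next reboot, since the fake LoadWB is what starts it and the restored LoadWB has nothing to execute.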