666!-Trojan - Amiga Virus Encyclopedia

VIRUS HELP TEAM
Amiga Antivirus Website
www.vht-dk.dk


     ------------------------    
     Amiga Virus Encyclopedia    
     666!-Trojan 
     ------------------------


     Name         : 666! Trojan

     Aliases      : WBPrefs

     Original     : -

     Type         : Trojan
     
     Size         : 63140 bytes

     Symptoms     : No bent vectors
                    Not resettable

     Discovered   : -

     Way to infect: Boot infection

     Rating       : -

     Kickstarts   : 1.2
                    1.3
                    2.0
                    3.0

     Damage       : -

     Visible text : -

     Comments     : Reason for the name:
                    Overwrites media with 666! (see below)
                    Displays a screen when its work is finished:
                    - light background
                    - very large gray lettering: 666!
                    You can then dismiss it with the left mouse button.
                    According to the report, the startup-sequence is supposed to start with:
                    SYS:C/WBPrefs
                    since no user would knowingly call a destruction program.
                    
                    WBPrefs started from the startup-sequence creates a process.
                    File excerpt from WBPrefs:
                     70144e75 646f732e 6c696272 61727900 p.Nudos.library.
                     616d6967 616c6962 2e70726f 63657373 amigalib.process
                    The file doesn't do anything useful.
                    This process fetches the system time at certain intervals
                    (DateStamp structure).
                    As soon as the system time is between 5:00 a.m. and 8:00 a.m.,
                    the loop is exited.
                    With a correctly running hardware clock this is an unusual
                    time, but VERY dangerous for mailboxes (BBS systems).
                    If the Amiga has no clock, or the clock is wrong, the system
                    time can of course be 6:00 a.m. when the real time is
                    4:00 p.m.
                    After that:
                    - A memory area is decoded with eori.b #$8E,d0.
                      The result is S:HORSE
                      An attempt is now made to open this file. If it succeeds,
                      the program ends. So this is probably a safeguard for
                      the programmer.
                    - A test via DosEnvec checks whether
                      - LowCyl is greater than 0
                      - more than #22 sectors
                      - or more than #100 cylinders
                      - or more than 2 heads
                    If at least one condition is not met => termination
     
     Info         : The media that is found is destroyed.
                    0000: 36363621 36363621 36363621 36363621 666!666!666!666!
                    0010: 36363621 36363621 36363621 36363621 666!666!666!666!
                    0020: 36363621 36363621 36363621 36363621 666!666!666!666!
                    The blocks are filled with 666!
                    Unfortunately, the medium can NOT be rescued.
                    The only thing left is to format it.
                    At the end, a graphic is displayed.
                    
     Antivirus    : Kickstart 1.2 & 1.3 VT-Schutz
                    Kickstart 2.0 and higher VirusZ III, with the new Xvs.library installed
                  
     Test made by : Heiner Schneegold   
                    Translated from German to English using Google Translate
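
The indicators in this entry (the 63140-byte WBPrefs file, the strings in the file excerpt, the S:HORSE string encoded with $8E, the startup-sequence line and the 666! block fill) can be combined into a small triage script for disk images and extracted files. This is an added example, not part of the original entry or of any VHT tool; the 512-byte block size and the contiguous storage of the encoded string are assumptions.

```python
# Added example: triage helpers built from the indicators in this entry.
PATTERN = b"666!"      # fill pattern shown in the Info dump
BLOCK_SIZE = 512       # assumption: standard 512-byte Amiga block
TROJAN_SIZE = 63140    # file size given in this entry
XOR_KEY = 0x8E         # key from "eori.b #$8E,d0"
PLAIN_MARKER = b"dos.library\x00amigalib.process"  # from the file excerpt


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR, the per-byte operation of eori.b #$8E,d0."""
    return bytes(b ^ key for b in data)


# Assumption: the encoded "S:HORSE" is stored as one contiguous byte run.
ENCODED_S_HORSE = xor_bytes(b"S:HORSE")


def wiped_blocks(image: bytes, block_size: int = BLOCK_SIZE) -> list[int]:
    """Indices of blocks completely filled with the 666! pattern."""
    filled = PATTERN * (block_size // len(PATTERN))
    return [off // block_size
            for off in range(0, len(image) - block_size + 1, block_size)
            if image[off:off + block_size] == filled]


def file_indicators(data: bytes) -> dict[str, bool]:
    """Compare a candidate WBPrefs file with the entry's indicators."""
    return {
        "size_matches": len(data) == TROJAN_SIZE,
        "has_process_name": PLAIN_MARKER in data,
        "has_encoded_s_horse": ENCODED_S_HORSE in data,
    }


def startup_calls_wbprefs(startup_sequence: str) -> bool:
    """True if a non-comment line of the startup-sequence runs WBPrefs."""
    for line in startup_sequence.splitlines():
        words = line.split(";", 1)[0].split()   # ';' starts a comment
        if not words:
            continue
        # AmigaDOS names are case-insensitive; strip volume and directory.
        name = words[0].replace(":", "/").rsplit("/", 1)[-1].lower()
        if name == "wbprefs":
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: 4-block image with blocks 1 and 2 overwritten.
    img = bytes(512) + PATTERN * 256 + bytes(512)
    print("wiped blocks:", wiped_blocks(img))
    print("startup hit:", startup_calls_wbprefs("SYS:C/WBPrefs\nLoadWB\n"))
```

A size match alone is weak evidence; treat a file as suspect only when several indicators agree.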
     

     
