Amiga Antivirus Website www.vht-dk.dk
------------------------
Amiga Virus Encyclopedia
FMFOJ XJSVT V2.2 virus
------------------------
Name : FMFOJ XJSVT V2.2
Aliases : Eleni v2.2, Gremlins, Mount
Type/Size : Boot/1024
Clones : No Clones
Symptoms : No Symptoms
Discovered : 10-04-94
Way to infect: Boot infection
Rating : Less Dangerous
Kickstarts : 2.0 & higher
Damage : Overwrites boot, creates new c/Mount on disk.
Removal : Please see later in this text
Comments : More correctly, this "FMFOJ XJSVT" boot virus should
have been named Eleni 2.2. The programmer has probably
read some books about cryptography, or maybe he is
studying at a university. You see, if you go 1 step back
in the alphabet you get the name: "ELENI VIRUS". This is
the classic example of cryptography used by the
Romans. Thanks to Marco van den Hout, SHI Holland for
this very interesting tip.
If you boot from an infected disk, the virus
copies itself to the address $FE000 or $7F400. After
that it changes the CoolCapture vector to stay
resident. Furthermore, it patches the DoIO() vector and
the KickChkSum() vector of exec.library to
infect other disks.
But here is the important part:
Imagine you now boot from your HD. The
virus then creates two new files called:
c/Mount = 208 bytes (read ELENIV2.2_inst, too!)
and
c/D = 1024 bytes
The data file c/D is the virus itself.
The executable file c/Mount is the virus installer.
If you now start the file c/Mount, the program
does the following:
1) Opens the file c/D (virus)
2) Loads it to an address
3) Starts it and returns.
In the Bootblock you can read:
"FMFOJ XJSVT V2.2"
Decrypted with "sub.b #1,(a0)+":
(Routine not in BB)
"ELENI WIRUS V2.2"
       ^
The Programmer was surely a LAMER
No Textoutput-routine was found in the virus.
Removal : Written By Mark Pemberton/SHI
First check the C: directory and have a look if you
have a file called `D`. If this is so, you will also see
that your C:Mount has either appeared or, if you
already had it, you will notice that C:Mount is only
208 bytes in length.
Now, if the above has happened, read on, but all other
guyz should also read this in case they do get it.
Well, first turn off your computer for a good (long)
time until the memory is 100% clear. After this, boot up
your Workbench floppy that you got with the computer,
open a CLI window (type "Newshell" for ks2.0+) and
type:
Delete dh0:C/Mount
Delete dh0:C/D
Delete Dh0:Xcopy
Copy Sys:c/Mount Dh0:c/Mount
Also, if you have run the XCopy v8.5 from a disk, then
you will also have to install the disk by using the
Install command in the C: directory.
After that you should be pretty safe, but watch out!
Another disk that you boot from could be infected!
And if for some unknown reason your hard drive is
formatted, you know it's the FMFOJ XJSVT V2.2 virus,
because it low-level formats your hard drive!!
Be careful, dudes.......
Test made by : Safe Hex International
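
The indicators given in this entry (the readable bootblock text, the 208-byte c/Mount and the 1024-byte c/D) can be checked against a disk image and a C: directory listing. The following is an added example, not part of the original entry or of any SHI tool; the function names and sample data are constructed, and it assumes only the name's letters are shifted, since the entry shows "V2.2" unchanged after decoding.

```python
# Added example: check the indicators listed in this entry. All names are illustrative.
MARKER = b"FMFOJ XJSVT V2.2"    # text readable in the infected bootblock
BOOTBLOCK_SIZE = 1024           # Type/Size: Boot/1024
SUSPECT = {"mount": 208, "d": 1024}   # sizes of c/Mount (installer) and c/D (virus)


def decode_name(marker: bytes) -> str:
    """Shift the name's letters one step back in the alphabet.

    Assumption: the trailing version field is stored in clear, because the
    entry shows "V2.2" unchanged after decoding.
    """
    name, _, version = marker.rpartition(b" ")
    shifted = "".join(
        "Z" if b == 65 else chr(b - 1) if 66 <= b <= 90 else chr(b) for b in name
    )
    return f"{shifted} {version.decode('ascii')}"


def scan_bootblock(image: bytes) -> dict:
    """Look for the marker in the first 1024 bytes of a disk image."""
    boot = image[:BOOTBLOCK_SIZE]
    offset = boot.find(MARKER)
    return {
        "dos_bootblock": boot[:3] == b"DOS",   # AmigaDOS bootblocks start with "DOS"
        "marker_offset": offset,               # -1 when the text is absent
        "decoded": decode_name(MARKER) if offset >= 0 else None,
    }


def check_c_directory(listing: dict) -> list:
    """Flag C: entries whose name and size match the entry's description.

    AmigaDOS file names are case-insensitive, so names are compared lowercased.
    """
    hits = []
    for name, size in listing.items():
        if SUSPECT.get(name.lower()) == size:
            hits.append(f"C:{name} is {size} bytes")
    return hits


# Constructed sample data, not taken from a real disk.
SAMPLE_BOOT = (b"DOS\x00" + bytes(60) + MARKER).ljust(BOOTBLOCK_SIZE, b"\x00")
SAMPLE_C = {"Mount": 208, "D": 1024, "Dir": 3000}

if __name__ == "__main__":
    print(scan_bootblock(SAMPLE_BOOT))
    print(check_c_directory(SAMPLE_C))
```

A size match on C:Mount alone is only a hint; the entry's own check is the combination of a 208-byte C:Mount with a file called D next to it.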