AX Fucker Linkvirus - Amiga Virus Encyclopedia


    AX Fucker Linkvirus:
    Kickstart 2.x only (based on the DOS patch routines).
    MC68040: yes (without caches)
    Increases file length by 928 bytes

    This is an ordinary linkvirus, which adds its code to the first
    hunk and works only under the following conditions:

    - file contains only 1 hunk
    - no reloc hunk at the beginning

    It puts an additional $3f1 hunk at the beginning containing the
    string /X Fucker. The virus patches the DosOPEN() and DOS LoadSeg()
    vectors and is not resetproof.

    Because of the $3f1 hunk at the beginning, better viruskillers could
    at least report that a $3f1 hunk is at the beginning. The virus
    itself is coded quite badly and seems to have spread poorly.

    The first infected archive was "axripii.lha".

    The LoadSeg() routine is intended only for infecting loaded files.
    The DosOPEN() routine contains a destruction routine, which is
    time-based. Starting with 24 Feb '95, all opened files will be
    opened using the NEWMode (they will be cleared) if the access is
    to the BBS: directory.

    Hexdump of parts of this virus:

    0000: 000003F3 00000000 00000001 00000000    ...ó............
    0010: 00000000 000000E5 000003F1 00000003    .......å...ñ....
    0020: 2F582046 75636B65 72000000 000003E9    /X Fucker......é
    0030: 000000E5 48E7FFFE 2C780004 43FA02F8    ...åHç.þ,x..Cú.ø
    0040: 4EAEFE68 41FA02EC 20800C39 005A0000    N®þhAú.ì ..9.Z..
    0050: 00006700 03046104 4AFC02FE 13FC005A    ..g...a.Jü.þ.ü.Z
    0060: 00000000 2C780004 2A7A02C8 203C0000    ....,x..*z.È <..
    0330: 351D0001 12F0646F 732E6C69 62726172    5....ðdos.librar
    0340: 79000000 03F10000 00032F58 20467563    y....ñ..../X Fuc
    0350: 6B657200 00000003 4CDF7FFF 41FA0004    ker.....Lß..Aú..
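
    The check suggested above (report a $3f1 hunk sitting directly after
    the file header) can be sketched as follows. This is an added example,
    not code from the encyclopedia or from any viruskiller; the function
    name scan() and the clean sample file are constructed for illustration.

```python
import struct

HUNK_HEADER, HUNK_DEBUG = 0x3F3, 0x3F1
MARKER = b"/X Fucker"   # string the page reports inside the $3f1 hunk

# First 0x34 bytes of the hexdump on this page: header, $3f1 hunk, code hunk start.
PAGE_SAMPLE = bytes.fromhex(
    "000003F3 00000000 00000001 00000000 00000000 000000E5 000003F1"
    " 00000003 2F582046 75636B65 72000000 000003E9 000000E5")
# Constructed clean file: one code hunk (RTS; NOP) plus HUNK_END, no $3f1 hunk.
CLEAN_SAMPLE = bytes.fromhex(
    "000003F3 00000000 00000001 00000000 00000000 00000001"
    " 000003E9 00000001 4E754E71 000003F2")


def _u32(data, off):
    """Read one big-endian longword, failing cleanly on short input."""
    if off < 0 or off + 4 > len(data):
        raise ValueError("truncated hunk file")
    return struct.unpack_from(">I", data, off)[0]


def scan(data):
    """Return (hunk_count, debug_payload, marker_found).

    debug_payload is None unless a $3f1 hunk directly follows the header.
    """
    if _u32(data, 0) != HUNK_HEADER:
        raise ValueError("not an AmigaDOS load file")
    off = 4
    while (n := _u32(data, off)) != 0:   # resident library names, 0-terminated
        off += 4 + 4 * n
    first, last = _u32(data, off + 8), _u32(data, off + 12)
    count = last - first + 1
    if count < 1:
        raise ValueError("bad hunk table")
    off += 16 + 4 * count                # skip table size, first, last, sizes
    if (_u32(data, off) & 0x3FFFFFFF) != HUNK_DEBUG:
        return count, None, False
    size = 4 * _u32(data, off + 4)
    payload = data[off + 8:off + 8 + size]
    if len(payload) != size:
        raise ValueError("truncated $3f1 hunk")
    return count, payload, MARKER in payload


if __name__ == "__main__":
    for name, blob in (("page sample", PAGE_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, scan(blob))
```

    $3f1 is the regular debug hunk type, so a leading $3f1 hunk on its own
    is something to report rather than a verdict; the /X Fucker string
    inside it is the indicator specific to this virus.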

    Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
             Kickstart all others: VirusZ III with Xvs.library installed

    Test by Markus Schmall                   Detection tested 12.3.1995


Virus Help Team
Denmark & Canada