ConClip Virus - Amiga Virus Encyclopedia



    - Conclip Virus

        other possible names : ANDY, HEXER
        Type A:
        Length packed:  3248 Bytes
        Length unpacked:2872 Bytes (yes! These values are correct !!)

        No bent (patched) vectors
        VT needs the filename "conclip" to recognize it
        Infection of other files : yes

        In the unpacked file you can read for example :
           2940fdac 41fa0006 2008600e 4446303a )@..A... .`.DF0:
           632f636f 6e636c69 70002940 fdc0202c c/conclip.)@.. ,
           700f2f00 41fa0006 20086014 416d6967 p./.A... .`.Amig
           61444f53 20434c49 2d457272 6f720000 aDOS CLI-Error..
           41fa0006 2008602a 4469736b 20636f72 A... .`*Disk cor
           72757074 202d2070 6c656173 6520696e rupt - please in
           73657274 20626f6f 74646973 6b2e2e2e sert bootdisk...
           fff441fa 00062008 60266563 686f2063 ..A... .`&echo c
           6f6e636c 6970203e 6466303a 732f7374 onclip >df0:s/st
           61727475 702d7365 7175656e 63650000 artup-sequence..
           60387275 6e203e4e 494c3a20 7379733a `8run >NIL: sys:
           73797374 656d2f66 6f726d61 74203e4e system/format >N
           494c3a20 44524956 45206864 303a204e IL: DRIVE hd0: N
           414d4520 414e4459 00002e80 70002f40 AME ANDY....p./@
        Involved Media : DF0:, DF1:, DH0:, DH1:, HD0: and HD1:
        Hint : a genuine conclip file really does exist, with a different length

        Progress :
        A window opens. Title : AmigaDOS (see above)
        A text appears : "Disk corrupt"
        conclip is copied to C:
        The startup-sequence is altered. Conclip will be
        called on every startup from now on.
        I didn't wait for the erase of my hard disk (Dos-Delay) !!!
        There is another text output in the file that I didn't see
        on the screen.
        VT only suggests erase. Don't forget to change the
        startup-sequence back to normal !!!
        Type B :
        Known length, multiple packed : 6952 Bytes (Installer)
                                      11048 Bytes (Installer)

        Name of Installer-files are unknown...
        Length multiple packed : 6096 Bytes

        No bent (patched) vectors
        After unpacking multiple times and processing with "EORI.B #$42,(A2)+"
        (each byte XORed with $42), this can be read in the file :
           6f20746f 20626564 21290a0a 7c7c2042 o to bed!)..|| B
           45412049 2057494c 4c204e45 56455220 EA I WILL NEVER
           464f5247 45542059 4f552e20 52455354 FORGET YOU. REST
           20494e20 58544320 7c7c0a0a 414e4459  IN XTC ||..ANDY
           20544845 20484558 45522121 0a0a0a0a  THE HEXER!!....
           fdc87000 4e5d4e75 3a204e41 4d452041 ..p.N]Nu: NAME A
           4e44595f 49535f42 41434b00 72756e20 NDY_IS_BACK.run
           3e4e494c 3a207379 733a7379 7374656d >NIL: sys:system
           2f666f72 6d617420 3e4e494c 3a204452 /format >NIL: DR
           49564520 00496e73 65727420 626f6f74 IVE .Insert boot
           6469736b 20696e20 4446303a 004e6f74 disk in DF0:.Not
           20612044 4f532d64 69736b21 00537973  a DOS-disk!.Sys
           74656d6d 656c6475 6e67003a 532f5374 temmeldung.:S/St
           61727475 702d5365 7175656e 6365003a artup-Sequence.:
           432f436f 6e436c69 70004446 30004446 C/ConClip.DF0.DF
           31004844 31004448 31004844 30004448 1.HD1.DH1.HD0.DH
           30005052 4f474449 523a636f 6e636c69 0.PROGDIR:concli
           7000536e 6f6f7044 6f730053 4e4f4f50 p.SnoopDos.SNOOP
           444f5300 74ff4e75 4e7541fa 0060216f DOS.t.NuNuA..`!o

        Changes in Type B :
            - now writes ConClip
            - tests for SnoopDos
            - writes to Memory #$0      HELP
            - writes to Memory #$100    DEADBABE BEA0FACE
            This text also appears in an alert after a
            keyboard reset.
            If you wait for some time, a graphic will appear :
                - dark screen
                - in big letters : HEXER (red, the "X" is blue)
                - in tiny bright letters : ANDY THE HEXER IS BACK...
            Copy your original ConClip file back to C: and check
            your startup-sequence.
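
The length and string details above can be turned into a quick triage check for a file named "conclip". The following is an added example, not code from VT or from the original page: it assumes the file has already been unpacked, searches both the raw bytes and the bytes XORed with $42, and all function names are hypothetical.

```python
"""Triage a file named "conclip" using only the details listed on this page."""
XOR_KEY = 0x42  # operand of "EORI.B #$42,(A2)+" quoted in the Type B entry

# File lengths listed on this page (bytes). A match is a hint, not proof.
KNOWN_LENGTHS = {
    3248: "Type A, packed",
    2872: "Type A, unpacked",
    6096: "Type B, multiple packed",
    6952: "Type B installer",
    11048: "Type B installer",
}

# Strings readable in the hex dumps on this page.
INDICATORS = [b"sys:system/format", b"ANDY THE HEXER", b"ANDY_IS_BACK",
              b"Disk corrupt - please insert bootdisk", b"SnoopDos"]


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Byte-wise XOR, the effect of looping EORI.B #key,(A2)+ over a buffer."""
    return bytes(b ^ key for b in data)


def scan(image: bytes) -> list:
    """Return (indicator, layer, offset) for each hit, checking both layers."""
    layers = {"plain": image.lower(), "xor-0x42": xor_bytes(image).lower()}
    hits = []
    for layer, buf in layers.items():
        for needle in INDICATORS:
            pos = buf.find(needle.lower())  # case-insensitive, offsets preserved
            if pos != -1:
                hits.append((needle.decode("ascii"), layer, pos))
    return hits


def triage(image: bytes) -> dict:
    """Combine the length hint and the string hits into one report."""
    return {"length_hint": KNOWN_LENGTHS.get(len(image)), "hits": scan(image)}


def constructed_sample() -> bytes:
    """Constructed test buffer (not a real sample): 16 filler bytes, then
    XOR-encoded text assembled from strings shown in the Type B dump."""
    text = b"ANDY THE HEXER!!\n\nrun >NIL: sys:system/format >NIL: DRIVE "
    return b"\x00" * 16 + xor_bytes(text)


if __name__ == "__main__":
    print(triage(constructed_sample()))
```

A length match alone is weak evidence; a string hit in either layer is the stronger signal, and a clean result on a still-packed file says nothing.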

     Translated to English by M0rpheus © 2001 VHT-Denmark
     Org. Test by Heiner Schneegold.

Virus Help Team
Denmark & Canada
Copyright © All rights reserved