Copy LX 1.03 Trojan - Amiga Virus Encyclopedia

VIRUS HELP TEAM



  ------------------------ 
  Amiga Virus Encyclopedia    
  Copy LX 1.03 Trojan
  ------------------------


  Copy_LX 1.03 Trojan:

  File length: 6932 bytes (unpacked)

  This is a classic trojan horse. The installer is probably a modified
  LX 1.03 program (I am still searching for it; the file I got from
  AmiNet was clean). It writes a new COPY command.

  This copy command searches for the file "s:save". If this file
  exists, the trojan does not run and the original copy command
  (V38.1), which is linked behind the trojan, is activated.

  Then the virus checks the current date: if the date is 5961 or
  more days after 01.01.1978, the virus starts; otherwise it skips.
  This date was sometime in 1994. Then a longword "scsi" is decrypted
  and, via the global DOS list and the known routines, the trojan
  tries to get a device whose name starts with the long "scsi". If
  such a device is found, it tries to get the root block number and
  then tries to read from the root block.

  Problem: I got the Copy command itself and the resourced file. In
  the copy file only the READ command is used; in the resourced
  file the WRITE command is used. I wonder a little about this.

  If the write command is used, all reachable devices (beginning
  with scsi) will lose their root block. Try to recover the data using
  tools like Quarterback and/or DiskSalv.
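
  A triage helper for the trigger date and root block damage described
  above (an added example, not part of the original entry or taken from
  the trojan). It assumes the standard AmigaDOS root block layout:
  512-byte blocks, primary type 2, secondary type 1, and a longword
  checksum that sums to zero. All function names are hypothetical.

```python
import struct
from datetime import date, timedelta

AMIGA_EPOCH = date(1978, 1, 1)   # AmigaDOS DateStamp day 0
TRIGGER_DAYS = 5961              # threshold stated in this entry
BSIZE = 512                      # assumed block size

def trigger_date(days=TRIGGER_DAYS):
    """Calendar date on which the day-count check starts to pass."""
    return AMIGA_EPOCH + timedelta(days=days)

def root_block_number(total_blocks, reserved=2):
    """Usual root block position: the middle of the partition."""
    return (total_blocks - 1 + reserved) // 2

def check_root_block(block):
    """Return the problems found in a root block (empty list = looks intact)."""
    if len(block) != BSIZE:
        return ["wrong block size"]
    longs = struct.unpack(">128L", block)   # big-endian longwords
    problems = []
    if longs[0] != 2:
        problems.append("primary type is not T_HEADER (2)")
    if longs[127] != 1:
        problems.append("secondary type is not ST_ROOT (1)")
    if sum(longs) & 0xFFFFFFFF != 0:
        problems.append("checksum mismatch")
    return problems

def make_sample_root():
    """Constructed sample: minimal valid root block, not from a real disk."""
    longs = [0] * 128
    longs[0], longs[3], longs[127] = 2, 72, 1   # type, hash table size, sec. type
    longs[5] = (-sum(longs)) & 0xFFFFFFFF       # checksum field at offset 20
    return struct.pack(">128L", *longs)

if __name__ == "__main__":
    print("trigger date:", trigger_date())
    print("DD floppy root block:", root_block_number(1760))
    print("intact sample:", check_root_block(make_sample_root()))
    print("zeroed block: ", check_root_block(bytes(BSIZE)))
```

  To check a real partition image, read BSIZE bytes at offset
  root_block_number(total_blocks) * BSIZE and pass them to check_root_block.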


  Test by Markus Schmall                 Detection tested 07.01.1995


  
  

Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk