Amiga Virus Encyclopedia
Copy LX 1.03 Trojan
Copy_LX 1.03 Trojan:
File length: 6932 bytes (unpacked)
This is a classic trojan horse. The installer is probably a modified
LX 1.03 program (I am still searching for it. The file I got from
AmiNet was clean). It writes a new COPY command.
This copy command searches for the file "s:save". If this file
exists, the trojan does nothing and the original copy command
(V38.1), which is linked behind the trojan, is run instead.
Then the virus checks the current date: if the date is 5961 or
more days after 01.01.1978, the virus starts; otherwise
it skips. This date was sometime in 1994. Then the longword
"scsi" is decrypted and, via the global DOS list and the known
routines, the virus tries to find a device whose name starts with
the longword "scsi". If such a device is found, it tries
to get the root block number and then tries to
read from the root block.
Problem: I got the Copy command itself and the resourced file.
In the Copy file only the READ command is used; in the
resourced file the WRITE command is used. I wonder a
little about this.
If the write command is used, all reachable devices (beginning
with scsi) will lose their root block. Try to recover the
data using tools like Quarterback and/or DiskSalv.
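
The trigger conditions described above (the "s:save" file and the day count since 01.01.1978) can be checked for a given system with the following added example, which is not part of the original entry or of the trojan's code. It assumes the standard AmigaDOS DateStamp layout (three big-endian longwords: days, minutes, ticks at 50 per second); the function names are hypothetical, and a matching file length is only a hint, not a signature.

```python
import struct
from datetime import datetime, timedelta

AMIGA_EPOCH = datetime(1978, 1, 1)  # day 0 of an AmigaDOS DateStamp
TRIGGER_DAYS = 5961                 # day threshold given in the description
TROJAN_COPY_SIZE = 6932             # unpacked file length given in the description
TICKS_PER_SECOND = 50               # ds_Tick counts 1/50 s within the minute


def parse_datestamp(raw):
    """Decode a 12-byte big-endian DateStamp: ds_Days, ds_Minute, ds_Tick."""
    if len(raw) != 12:
        raise ValueError("a DateStamp is exactly three 32-bit longwords")
    days, minute, tick = struct.unpack(">lll", raw)
    if days < 0 or not 0 <= minute < 1440 or not 0 <= tick < 60 * TICKS_PER_SECOND:
        raise ValueError("DateStamp field out of range")
    when = AMIGA_EPOCH + timedelta(days=days, minutes=minute,
                                   seconds=tick / TICKS_PER_SECOND)
    return days, when


def trigger_date():
    """Calendar date on which the day-count condition first becomes true."""
    return AMIGA_EPOCH + timedelta(days=TRIGGER_DAYS)


def assess(copy_size, save_file_present, datestamp_raw):
    """Evaluate the documented conditions for one system (triage, not a signature)."""
    days, when = parse_datestamp(datestamp_raw)
    size_matches = copy_size == TROJAN_COPY_SIZE      # hint only: length is not proof
    date_reached = days >= TRIGGER_DAYS
    return {
        "size_matches": size_matches,
        "clock": when,
        "date_reached": date_reached,
        # The device search runs only if s:save is absent and the date has passed.
        "payload_reachable": size_matches and not save_file_present and date_reached,
    }


if __name__ == "__main__":
    # Constructed sample: C:Copy of 6932 bytes, no s:save, clock at 07.01.1995 10:30.
    sample_clock = struct.pack(">lll", 6215, 630, 0)
    print("trigger date:", trigger_date().date())
    for key, value in assess(6932, False, sample_clock).items():
        print(f"{key}: {value}")
```
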
Test by Markus Schmall. Detection tested 07.01.1995.