Eleni v2.2 Bootblockvirus - Amiga Virus Encyclopedia
VIRUS HELP TEAM




 
     -------------------------
     Amiga Virus Encyclopedia
     Eleni v2.2 Bootblockvirus
     -------------------------
    
    
     Name         : Eleni 2
     
     Aliases      : Mount

     Clones       : No Clones

     Type         : Bootblock
     
     Size         : 1024 bytes

     Symptoms     : No Symptoms

     Discovered   : 10 April 1994

     Way to infect: Boot infection

     Rating       : Less Dangerous

     Kickstarts   : 2.0+
                    3.0+

     Damage       : Overwrites boot, creates new c/Mount on disk

     Comments     : If you boot from an infected disk, the virus
                    copies itself to the address $FE000 or
                    $7F400. After that it changes the CoolCapture
                    vector to stay resident. Furthermore it
                    patches the DoIO() vector and the KickChkSum()
                    vector of exec.library to infect other
                    disks.
                    But there is more:
                    Imagine you now boot from your hard disk. The
                    virus then creates two new files called
                    
                    c/Mount = 208 bytes (read ELENIV2.2_inst, too!)
                    
                    and
                    
                    c/D     = 1024 bytes

                    The data file c/D is the virus itself.
                    The executable file c/Mount is the virus installer.
                    When the file c/Mount is started, the program
                    does the following:

                      1) Opens the file c/D (virus)
                      2) Loads it to an address
                      3) Starts it and returns.

                    To remove the virus you must delete the fake Mount
                    and the virus file c/D. And don't forget to install
                    your disks.
                    In the Bootblock you can read:
        
                    "FMFOJ XJSVT V2.2"

                    Decrypted with "sub.b #1,(a0)+":
                    (Routine not in BB)
                    
                    "ELENI WIRUS V2.2"
                           ^
                    The programmer was surely a LAMER

                    No Textoutput-routine was found in the virus.

     Important    : A FAKE X-COPY 8.5 VERSION IS GOING AROUND WHICH INSTALLS
                    THIS DEVIL

     Removal      : Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                    Kickstart all others: VirusZ III with Xvs.library installed
     
     Test made by : Safe Hex International
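
     A triage check built from the indicators above, added here as an
     example (not code from the Virus Help Team or from any antivirus
     tool): it looks for the bootblock text in a 1024-byte bootblock
     image and for c/Mount (208 bytes) and c/D (1024 bytes) in an
     extracted volume. Assumptions: the function names, the sample
     offset and the letters-only decoding are illustrative; a size
     match on c/Mount is a hint to inspect the file, not proof.

```python
import os

ENCODED_WORDS = b"FMFOJ XJSVT"          # shifted part of the bootblock text
VERSION_SUFFIX = b" V2.2"               # printed unchanged on the page
ENCODED_MARKER = ENCODED_WORDS + VERSION_SUFFIX
BOOTBLOCK_SIZE = 1024                   # bootblock size given on the page
DROPPED_SIZES = {"mount": 208, "d": 1024}   # c/Mount and c/D sizes from the page


def decode_marker(marker: bytes) -> str:
    """Undo the +1 shift the way "sub.b #1,(a0)+" would, letters only.

    Assumption: the page shows the space and "V2.2" unchanged after decoding,
    so only the letters of the two leading words are shifted back here.
    """
    words, rest = marker[:len(ENCODED_WORDS)], marker[len(ENCODED_WORDS):]
    plain = bytes(b - 1 if 0x41 < b <= 0x5A else b for b in words)
    return (plain + rest).decode("ascii")


def scan_bootblock(block: bytes):
    """Return (offset, decoded text) if the marker is present, else None."""
    offset = block[:BOOTBLOCK_SIZE].find(ENCODED_MARKER)
    return None if offset < 0 else (offset, decode_marker(ENCODED_MARKER))


def find_dropped_files(volume_root: str):
    """List files in the volume's c directory matching name and exact size."""
    hits = []
    for entry in os.listdir(volume_root):
        cdir = os.path.join(volume_root, entry)
        if entry.lower() != "c" or not os.path.isdir(cdir):
            continue
        for name in os.listdir(cdir):   # Amiga file names are case-insensitive
            if DROPPED_SIZES.get(name.lower()) == os.path.getsize(os.path.join(cdir, name)):
                hits.append("c/" + name)
    return sorted(hits)


def make_sample_bootblock() -> bytes:
    """Constructed test input (not a real sample): DOS header plus marker."""
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS\x00"
    block[0x200:0x200 + len(ENCODED_MARKER)] = ENCODED_MARKER   # offset is arbitrary
    return bytes(block)


if __name__ == "__main__":
    print(scan_bootblock(make_sample_bootblock()))
```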
     
     
     Ascii of Eleni 2.2 (Mount) virus:
     
     
     


Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk