Fileghost Virus I & II Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM



    ----------------------------
    Amiga Virus Encyclopedia
    Fileghost Virus I & II Virus
    ----------------------------

        
    Fileghost Virus I:
    ------------------
    Works with Kickstart 3.1 and MC68040 !

    Is able to overjump symbol and debughunks at the beginning
    of the file.

    This is a linkvirus, which adds NO hunk to the infected file.
    It will increase the  first hunk (876 bytes)  and changes the
    "RTS" at  the  end of the hunk or  tries to go  back  several
    steps and searchs for a "RTS".  This "RTS" will  be  replaced
    by  a "BRA XYZ". -> A  virustype  like  Infiltrator,  DA  and
    others.

    The virus changed DOS(NEW)Loadseg and Exec Forbid. No  reset-
    vectors will be changed.

    At the end of the file you can read:
    (this text ist mostly decrypted by a "eor.b d0,(0)+" routine.
    Nothing special...

    'dos.library'
    'Hi Friend! Don`t worry... It`s only the '
    'FileGhost.'


    Fileghost Virus II:
    -------------------
    Works with Kickstart 3.1 and MC68040


    Please not, that this virus will be not installed by the
    recognized Installer II !!!!

    This is a linkvirus, which adds NO hunk to the infected file.
    It will increase the  first hunk (796 bytes)  and changes the
    "RTS" at  the  end of the hunk or  tries to go  back  several
    steps and searchs for a "RTS".  This "RTS" will  be  replaced
    by  a "BRA XYZ". -> A  virustype  like  Infiltrator,  DA  and
    others.

    The $3e8 hunks will be overjumped. Caution ! Read the DHunk
    documentation !

    The virus changes DOSLoadseg. No resetvectors will be changed.

    Selfrecognitioncode in memory: Test for the single longword:
                            $ABCD1234

    At the end of the file you can read:
    (this text ist mostly decrypted by a "add.b d0,(0)+" routine.
    Nothing special...


    FileGhost 2 - Merry X-Mas and a happy new year...


                  Detection for the Fileghost2 tested 26.09.1994.


    Comment 11.10.1994: As far as I know this virus is very wide
    spreaded in Germany. Many PD disks are infected and even a CD
    was infected and NOT released.

    I have just found a bug in my memorycheck routine, which I have
    now fixed. Sorry guys...


    Test by Markus Schmall....


    

Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk