Fileghost 3 Virus - Amiga Virus Encyclopedia



  Fileghost 3 Linkvirus:

  MC68040 and MC68060: yes
  Kickstart V35 and above
  Patched vectors: DOS LoadSeg()
  Increases filelength by 1288 bytes
  Detected: Jun '95 in the south of Germany

  This is another linkvirus from the Fileghost series. These linkviruses
  simply append their code to the end of the first hunk, then search for
  the last "rts" and change it to a "bsr.b" so that the virus code gets
  activated. The reloc hunks therefore stay unchanged.
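  An added triage heuristic for the infection pattern described above (not part of the original analysis and not taken from any antivirus tool): it parses an AmigaDOS load file, takes the first code hunk, and reports a bsr.b that sits where the last rts would be and branches into the final 1288 bytes. It assumes the whole 1288-byte growth lands in the first hunk and that the patched bsr.b targets that appended block; the function names and the sample file are constructed for illustration.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
GROWTH = 1288            # file growth in bytes, taken from the description
RTS, BSR = 0x4E75, 0x61  # 68k "rts" word; high byte of a "bsr.b" word

def first_code_hunk(data):
    """Return the body of the first hunk if it is a HUNK_CODE, else None."""
    u32 = lambda off: struct.unpack_from(">I", data, off)[0]
    if len(data) < 4 or u32(0) != HUNK_HEADER:
        raise ValueError("not an AmigaDOS load file")
    off = 4
    while (n := u32(off)) != 0:          # skip resident library names
        off += 4 + 4 * n
    first, last = u32(off + 8), u32(off + 12)
    off += 16 + 4 * (last - first + 1)   # skip the hunk size table
    if u32(off) & 0x3FFFFFFF != HUNK_CODE:
        return None
    size = 4 * (u32(off + 4) & 0x3FFFFFFF)
    return data[off + 8 : off + 8 + size]

def tail_call(code):
    """Return (offset, target) of a bsr.b that sits where the last rts was
    and branches into the final GROWTH bytes of the hunk, else None."""
    tail = len(code) - GROWTH            # where appended code would begin
    if tail <= 0:
        return None
    # bsr.b reaches at most +126 bytes: only the last 128 host bytes matter
    for pos in range(tail - 2, max(tail - 130, -1), -2):
        word = (code[pos] << 8) | code[pos + 1]
        if word == RTS:                  # a real rts still follows: no match
            return None
        disp = word & 0xFF               # forward 8-bit displacement
        if word >> 8 == BSR and 0 < disp < 0x80 and tail <= pos + 2 + disp:
            return pos, pos + 2 + disp
    return None

def sample(infected):
    """Constructed hunk file (filler only, no virus code): nops, rts, nop."""
    host = b"\x4e\x71" * 700 + b"\x4e\x75\x4e\x71"
    if infected:   # rts -> bsr.b +2, then GROWTH bytes of filler nops
        host = host[:-4] + bytes([BSR, 2]) + host[-2:] + b"\x4e\x71" * (GROWTH // 2)
    n = len(host) // 4
    return struct.pack(">8I", HUNK_HEADER, 0, 1, 0, 0, n, HUNK_CODE, n) \
        + host + struct.pack(">I", HUNK_END)

if __name__ == "__main__":
    for infected in (False, True):
        print(infected, tail_call(first_code_hunk(sample(infected))))
```

  A match only marks a file for closer inspection with a real scanner, since the scan reads words without disassembling and a legitimate program can end its host code with a short forward bsr.b.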

  Differences from the previous versions of the virus family:

  1. Some more indirect addressing
  2. It tests whether SnoopDos (FindTask "SnoopDos") is active
  3. It searches for 2 longwords in the first hunk

        $53460C46 at offset $2A from the loadseg() memptr
        $2F49003C at offset $3A      "       "      "

     If you know which program has such longwords in the first hunk, please
     let me know. Thanks.

  4. The crypt routine is slightly more advanced.
  5. The word $1994 is used to check whether the virus has already infected
     the LoadSeg() vector. This routine is comparable to Fileghost2 and to
     the Polygonifrikator viruses.
  6. Depending on a spreading counter, the virus sets new window titles
     (see the bottom of this description).

  The Fileghost virus contains no destructive routine. As with every virus
  of this type, it is possible that programs which need a 100% correct
  hunk structure (e.g. some packers) will have problems and will not
  work.

  The virus is, in my opinion, not from the author of the last Fileghost
  viruses. This one has display routines and will therefore be noticed
  very quickly by the infected user. The last versions of Fileghost just
  worked in the background.

  New texts for the window titles:
  'AUA! schlag nicht so auf die Tasten!'
  'FileGhost3 - the nightmare continues!'
  'Hallo DEPP!'
  'Was machst Du denn als nachstes ?'
  'Weist Du eigentlich, das Du dumm bist ?'
  'Und schon wieder eine Datei weniger!'
  'Gib mir mal n Bier!'
  'Totet alle Nazis + RAPER!'
  'AMIGA kills PC! (HEHE)'
  'INTeL Outside !'

  Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
           Kickstart all others: VirusZ III, and also Xvs.library must be installed

  Greets Markus Schmall

  (Please remember, that this analysis is copyrighted by Markus Schmall and it
  is not allowed to include this analysis in SHI productions!)

Virum Help Team
Denmark & Canada
Copyright © All rights reserved