LOBO Weird Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM



     ------------------------
     Amiga Virus Encyclopedia
     LOBO Weird Link Virus
     ------------------------
     
     
     - LOBOweird virus link virus
     
           Name reason:
           In the decoded link part you can read:
           4c4f424f 77656972 642e48e7 808041fa LOBOweird.H ... A.
             ; ....
           4e732041 4e54492d 56495220 50415443 Ns ANTI-VIR PATC
           48206279 204d415a 45273937 21204eb9 H by MAZE'97! N.
                    6 < a.
          File extension: at least # 2100 bytes
          Not reset-proof
          Bent vectors: LoadSeg and TRAP (should now be variable)

       Memory anchoring:
           - "LOBO" is not found
           - Loadseg is bent into the ROM
           - The TRAP command is searched for in ROM. The trap should now
             be variable. It starts with TRAP0 ($ 4e40). In all
             my ROMs will only become TRAP1 (see above at LOBOsimple)
             found.
           - So it should be variably bent from $ 80 or VBR + $ 80.
             So I always bend $ 84 or VBR + $ 84.

       Link operation:
           - with LoadSeg and TRAP
           - File larger than # 7913 bytes
           - File less than # 255600 bytes
           - Medium validated
           - no disc (at least # 91978 blocks)
           - at least # 30 block free
           - Filename does not contain ".", "-", "!", "VIR" or "vir"
           - The virus part is always re-encoded with $ DFF006
           - There are always contaminated files with 2 hunks
             The 1st hunk contains the virus part. The 2nd hunk is the whole
             Original File. Unfortunately you cannot just go back to the 2nd hunk
             write because 8 bytes are encoded in the original file. It must
             the coding longword is searched for in the virus section. This LW
             always changes depending on $ DFF006.


     Original test by Heiner Schneegold
     Translated from german to english by Google translate
     

     

Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk