Amiga Virus Encyclopedia
Orb 95 Trojan
Biomech-TypeH Trojan - Other name Orb95
The five bytes: 00 02 b9 b2 00
The difference to type A in the Prg code is too big for the part
Length: 3176 bytes
NO bent vectors
VT ONLY recognizes the trigger file !!
Why I should start the file ORB95 voluntarily:
No idea (the file only consists of the destruction part)
The file reads:
4e5d4e75 b9b20073 79733a70 72656673 N] Nu ... sys: prefs
2f007379 733a6465 76732f00 7379733a /.sys:devs/.sys:
6c2f0073 79733a63 2f007379 733a6c69 l / .sys: c / .sys: left
62732f00 4f524239 350a0000 bs / .ORB95 ..
The text ORB95 is output in the cli and should be deceived
serve. In reality, the subdirectories of sys:
searches prefs, devs, l, c and libs.
File before: File after:
4eb90000 08582200 N .... X ".: 4eb90000 08582200 N .... X".
508f6608 4eb90000 P.f.N ... : 0002b9b2 00b90000 ........
^^^^^^^^ ^^ ^^^^^^^^^^
So 5 bytes are always written = 00 02 b9 b2 00.
I have not found a system. The files are unfortunately
NOT to save anymore.
VT does NOT recognize changed files because I risk
Detection is too big with only five bytes. In case of concerns
in your system because the trigger
file was, then try a file monitor (e.g. hex).
Enter $ 0002b9b2 in the search string and examine in the
the files in certain subdirectories. It goes fast. I
habs tried with the c directory.
Original test by Heiner Schneegold
Translated from german to english by Google translate