VIRUS HELP TEAM



     ------------------------
     Amiga Virus Encyclopedia
     STD Vaginitis 2 Trojan
     ------------------------
     
     
     - STD Vag2 trojan
           File length increase: always #800 bytes
           Filename: only c:mount
           Not reset-proof
           From KS2.04 onwards
           Patched vectors: LoadSeg

       After decoding, the following can be read in the linked part:
                             536e6f6f 70446f73 SnoopDos
           20537570 706f7274 2050726f 63657373  Support Process
           00433a4d 6f756e74 0072756e 203e4e49 .C:Mount.run >NI
           4c3a206e 65777368 656c6c20 54435000 L: newshell TCP.
           32353531 00005354 44207072 6573656e 2551..STD presen
           7473202d 20566167 696e6974 69732023 ts - Vaginitis #
           32202d2d 2066696c 74687920 77686f72 2 -- filthy whor
           6521                                e!
 
       Installation in memory:
           - If FindTask is changed: end
           - If Examine is changed: end
           - If SnoopDos is in memory: CCR is changed
           - LoadSeg is patched
   
       Link operation:
           - Appended behind the 1st hunk of mount
           - Encoded with EOR
           - FindTask not changed
           - Examine not changed
           - Searches for RTS only in the last longword of the 1st hunk and
             replaces it with NOP (therefore no "100% correct" removal is
             possible; cf. also fungus)
           - Writes back the FileDate
      
       Damage:
           - Searches for TCP in the DosList
           - Puts a colon after TCP (see above)
           - DosExecute run >NIL: .....
           - So it is presumably meant to enable third-party access to
             the computer
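
The following is an added example, not part of the original entry and not the trojan's or VT's own code: it decodes the hex dump quoted above, splits it into its NUL-terminated strings, and shows what command line results when a colon is placed after TCP. It assumes the colon overwrites the NUL byte that follows "newshell TCP" in the dump; the function names are hypothetical, and the scan only applies to a buffer that is already decoded.

```python
# Added example: works only on the hex dump quoted in this entry.
DUMP_HEX = """
536e6f6f 70446f73
20537570 706f7274 2050726f 63657373
00433a4d 6f756e74 0072756e 203e4e49
4c3a206e 65777368 656c6c20 54435000
32353531 00005354 44207072 6573656e
7473202d 20566167 696e6974 69732023
32202d2d 2066696c 74687920 77686f72
6521
"""

def dump_bytes(hex_text=DUMP_HEX):
    """Turn the whitespace-separated hex words into raw bytes."""
    return bytes.fromhex("".join(hex_text.split()))

def c_strings(data):
    """Split on NUL terminators and drop the empty runs between them."""
    return [s.decode("ascii") for s in data.split(b"\x00") if s]

def patched_command(data):
    """Assumption: the colon overwrites the NUL that follows 'newshell TCP'."""
    start = data.index(b"run ")
    nul = data.index(b"\x00", start)           # terminator after "TCP"
    patched = data[:nul] + b":" + data[nul + 1:]
    end = patched.index(b"\x00", start)        # terminator after "2551"
    return patched[start:end].decode("ascii")

# Marker strings taken from the dump, usable as a simple signature.
MARKERS = (b"STD presents - Vaginitis #2", b"newshell TCP")

def scan(buf):
    """Return the markers found in an already decoded memory or file buffer."""
    return [m.decode("ascii") for m in MARKERS if m in buf]

if __name__ == "__main__":
    data = dump_bytes()
    for s in c_strings(data):
        print(repr(s))
    print("after colon patch:", patched_command(data))
    print("markers:", scan(data))
```
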
     
       See also all other STD variants and fungus
       Thought: a newer Trojan variant (3) is attached to an
       older lib version (0.27) and vice versa ????


     Original test by Heiner Schneegold
     Translated from German to English by Google Translate
     

     

Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk