VIRUS HELP TEAM



     ------------------------
     Amiga Virus Encyclopedia
     Zinko Trojan
     ------------------------
     
     
     - ZINKO Trojan destruction
            Filename may be: FlowerPower.exe   Length: 166992 bytes
             VT only offers deletion
             Compare also: VoxelSvind Trojan
      
       Procedure:
         A picture is shown:
         Dark, wide diagonal bar with light letters
         Iris presents
         I can't do anything with the text. In reality,
         changes are made on sys:.
     
       Damage:
         A text of variable length is appended to files
         after 3F2:
            000003f2 5a494e4b 4f204d41 44452054 .... ZINKO MADE T
            48495321 20492052 554c4521 20484148 HIS! I RULE! HAH
            41484148 41484148 4121204e 4f525448 AHAHAHAHA! NORTH
            45524e20 50414c41 43453a20 2b343520 ERN PALACE: +45
            35383530 20363038 31005a49 4e4b4f20 5850 6081.ZINKO

         Directories before:
           s/startup-sequence
                   7 13-09-95
           devs/parallel.device
                1812 13-09-95
           devs/printer.device
               26964 13-09-95
           devs/printers/Nec
                6732 13-09-95
           devs/system-configuration
                 232 13-09-95

         Directories after:
           s/000000000111000110100001110011
               18150 20-12-96
           s/000000000110110100100111100000
                6528 20-12-96
           s/000000000110110011001101100100
                2554 20-12-96
           devs/000000000011000100101100111111
                 147 20-12-96
           devs/000000000111010100001100000011
               19202 20-12-96
           devs/000000001000100100010100010111
                3038 20-12-96
     
         So not only are the names changed and text appended,
         but files are also copied back and forth between the dirs.
         E.g. none of the files in the modified s dir is the
         startup-sequence. I don't see any rescue option here within
         a reasonable time. You can easily cut off the text with a
         file monitor, but not every file contains an ASCII string
         from which you can work out the file name.
         I'm sorry.
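
         Added example (not part of the original entry and not code from VT): a
         triage helper that flags files with the renaming pattern shown in the
         listing above and locates the text appended after 3F2, so the cut can be
         made without a file monitor. The 30-digit name pattern is an assumption
         taken from the six sample names; all function names and sample data are
         constructed for illustration.

```python
import re

# The longword 0x000003F2 followed by the start of the text, as in the entry's dump.
END_LONGWORD = bytes.fromhex("000003f2")
MARKER = END_LONGWORD + b"ZINKO MADE THIS!"
# Assumption from the six sample names in the entry: exactly 30 characters, all 0 or 1.
RENAMED = re.compile(r"[01]{30}")

def find_appended_text(data: bytes):
    """Offset where the appended text begins, or None if the marker is absent."""
    pos = data.find(MARKER)
    return None if pos < 0 else pos + len(END_LONGWORD)

def strip_appended_text(data: bytes) -> bytes:
    """Cut the file directly after 3F2; files without the marker come back unchanged."""
    cut = find_appended_text(data)
    return data if cut is None else data[:cut]

def looks_renamed(name: str) -> bool:
    return RENAMED.fullmatch(name) is not None

def triage(files: dict) -> list:
    """files maps path -> content. Returns one finding per suspicious file."""
    findings = []
    for path, data in sorted(files.items()):
        renamed = looks_renamed(path.rsplit("/", 1)[-1])
        cut = find_appended_text(data)
        if renamed or cut is not None:
            findings.append({"path": path, "renamed": renamed, "cut_at": cut,
                             "extra_bytes": 0 if cut is None else len(data) - cut})
    return findings

# Constructed sample data (not real files): a stand-in body ending in 3F2, and a text tail.
SAMPLE_CLEAN = bytes.fromhex("000003f3") + b"\x00" * 20 + END_LONGWORD
SAMPLE_TEXT = b"ZINKO MADE THIS! I RULE! (constructed tail)\x00"
SAMPLE_FILES = {
    "devs/000000000011000100101100111111": SAMPLE_CLEAN + SAMPLE_TEXT,
    "s/000000000110110011001101100100": b"echo hi\n",  # renamed, no 3F2, nothing to cut
    "c/dir": SAMPLE_CLEAN,                               # untouched, not reported
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES):
        print(finding)
```

         Cutting the text restores the file contents only; the original name and
         directory are not recovered by this.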


     Original test by Heiner Schneegold
     Translated from German to English by Google Translate
     

     

Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk