Virus Warning - Virus Help Team

VIRUS HELP TEAM
Denmark & Canada



Karadic Trojan
        Warning! The archive "gvp-hs15.lha" contains a new trojan!

        Here is my first analysis:


        Karaçiç Trojan Virus:
        ---------------------

        Filelength packed:    1460 Bytes (Rob Northern !!!)
                              1924 Bytes (unpacked)

        Other possible names: GVP-HS15 Trojan

        Works only with Kickstart 3.0 and later (V39 functions are
        used).

        Another suspicious fact is that the program was packed using
        the Rob Northern cruncher, also called Propack. The file was
        afterwards modified a little, so that no existing depacker
        can unpack it.

        This trojan is programmed quite simply. The needed libraries are
        opened and a check is made for the old SnoopDos task.

        Then the file "s:nothere" is tested for. If it exists, no damage
        is caused.

        Then a TimedDisplayAlert (with a timer of some seconds) pops up
        and shows you:

                           LMB> Kill system RMB>Reboot


        The code that evaluates the response is programmed like this:

        1. If the user gives no input within the 5 seconds and/or presses
           the right mouse button, the system will be trashed using some
           basic format and delete routines.

        2. If the user presses the left mouse button, then a ColdReboot
           will be performed.


        SO DON'T START THIS, AND IF SUCH A REQUESTER APPEARS, THEN RESET
        YOUR AMIGA BY HAND!


        The routine that shows the alert is a Kickstart V39 function. The
        trojan does not test whether the system in use is really V39 or
        higher.

        FileID of this archive (GVP-HS15.lha):

        HardDiskSpeeder v1.5 ©GVP Inc. 1995
        (a little cache program for HDs!)

        ...

        If you start the program, it will show you the following text:

        'HardDiskSpeeder v1.5 installed ...'


        If you start it using a "?", then the following text will show
        up:

        'HardDiskSpeeder v1.5 by GVP Inc. ©1995'


        The trojan tries to destroy the following directories and devices:

        dh0-dh4, hd0-hd4, l:, libs:, devs:, s: and c:

        The formatted new devices will have the name:

        '"Karaçiç Virus strikes back"'



        (THIS ANALYSIS IS COPYRIGHTED BY MARKUS SCHMALL AND IT IS STRICTLY FORBIDDEN TO
        INCLUDE THIS IN ANY SHI PRODUCTION !)


        Warning written by Markus Schmall, programmer of VirusWorkshop.....
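
        A triage check built from the indicators in the analysis above, as an added example that is not part of the original warning or of VirusWorkshop. It assumes the file is a normal AmigaOS load file starting with HUNK_HEADER and that the texts are stored as plain ISO-8859-1 in the unpacked image; the string markers will not match the packed file, and a size match alone is only a weak hint.

```python
import os

# Indicators taken from the analysis above.
ARCHIVE_NAME = "gvp-hs15.lha"
PACKED_LEN, UNPACKED_LEN = 1460, 1924
MARKERS = [m.encode("latin-1") for m in (
    "HardDiskSpeeder v1.5", "s:nothere", "Karaçiç Virus strikes back")]
# Assumption (not from the analysis): an AmigaOS load file starts with the
# HUNK_HEADER longword 0x000003F3.
HUNK_HEADER = b"\x00\x00\x03\xf3"


def triage(name, data):
    """Return the list of indicators that a file name and its bytes match."""
    reasons = []
    if os.path.basename(name).lower() == ARCHIVE_NAME:
        reasons.append("archive-name")
    if data.startswith(HUNK_HEADER):
        if len(data) == PACKED_LEN:
            reasons.append("packed-length")    # weak: size alone
        elif len(data) == UNPACKED_LEN:
            reasons.append("unpacked-length")  # weak: size alone
    lowered = data.lower()  # AmigaDOS names are case-insensitive
    for marker in MARKERS:
        if marker.lower() in lowered:
            reasons.append("string:" + marker.decode("latin-1"))
    return reasons


def scan_tree(root):
    """Triage every file under root; return {path: reasons} for matches."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(folder, fname)
            with open(path, "rb") as fh:
                reasons = triage(path, fh.read(65536))
            if reasons:
                hits[path] = reasons
    return hits


# Constructed samples (not real trojan bytes): header, length and texts only.
SAMPLE_PACKED = HUNK_HEADER + b"\x00" * (PACKED_LEN - 4)
SAMPLE_UNPACKED = (HUNK_HEADER + b"S:NotHere\0" + MARKERS[2]).ljust(UNPACKED_LEN, b"\0")
SAMPLE_BENIGN = HUNK_HEADER + b"\x00" * 100

if __name__ == "__main__":
    print(triage("gvp-hs15.lha", b""), triage("HDSpeed", SAMPLE_PACKED))
```

        Run scan_tree() over a directory of extracted or downloaded files; any hit should be checked by hand before the file is started.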




www.vht-dk.dk