......................... VIRUS HELP DENMARK ......................
--------------------
1 August 2001

Hi All....

We have now found the installer of the new 'SMEG 2' linkvirus. If the
info text from the archive is correct, the 'SMEG 2' virus has been
around since February 2001. The archive has only been on Elite BBSes
or Elite websites.

Jan Erik Olausen, the programmer of VirusExecutor & xvs.library, has
made a recog for the virus, but is having problems with removing the
virus from memory. As soon as Jan has solved this virus, a new update
of xvs.library will be released.

There is NO cure for this virus right now. With the help of the
program 'Safe v16.2' you can find infected files but not remove the
virus; you will have to replace the infected files with new clean
files.

This virus will infect everything that is executed. On my test A1200,
over 200 files were infected in under 5 minutes.

The programmer of 'Safe' (Zbigniew Trzcionkowski) has written this
about the new 'SMEG 2' virus:

   Released probably by mistake. Non crypted version of the next one.
   Code is almost equal to old SMEG, but this time author invented
   NEW WAY of patching PRIVATE routine of device task. This routine
   handles receiving of dos packets. Virus patch is stealing packets
   and sending them to the supervisor task called 'SMG'. I have never
   seen such advanced digging code that works properly. This means
   also that no visible changes are seen in the system beside one new
   task.

   I have noticed that freezing of SMG task stops spreading of the
   virus, so at the moment Safe does only that. I will add removal of
   the 'magic' patches if I found it necessary.

   File repair was as easy as Penetrator files - one move.l 4.w,a6
   was replaced with jump to virus.

   Hidden text (decoder was included, but not used by virus code):

      Smeg! it's a Hostile TakeOver! (Again!)
      And just when you thought it was safe..
      Flake and Georg have left the building!
      -= On Tour 1995-2001 =-

This is what we know of the virus:

Virus Type.... : Linkvirus
Virus name.... : SMEG 2a & SMEG 2b
Virus size.... : SMEG 2a: 1556 bytes & SMEG 2b: 1604 bytes
Archive name.. : MIAMIDLX.LZX
Archive size.. : 3.427 bytes (lzx packed)
Archive info.. :

   [ASCII-art logo: diGiTAL cORRUPTiON]

   Miami DeLuxe
   Keygenerator
   Made by xxxxxxxxx

   Design: JRYder

(VHT-DK has removed the name and replaced it with 'xxxxxxxxx')

There might just be more installers of the 'SMEG 2' virus out there,
so do not install these fake-keys.

Thanks to the person who sent the archive to Jan Erik Olausen, and to
Zbigniew Trzcionkowski for the first test of this virus.

Regards....

Jan Andersen
Virus Help Denmark
www.vht-dk.dk

E-Mail..: vht-dk@post4.tele.dk
FidoNet.: 2:237/38.100
AmyNet..: 39:140/127.100
VirNet..: 9:451/247.0

... Did you know, that the newest version of Safe is v16.2 !!

-------------------------------------------------------

Archive has been checked and a .sig file has been added so you can
verify there was no tampering with the file after it was placed on
the server.

MD5SUMS and Readme PGP signed by: Charlene
e-mail: ml-clm@mailandnews.com
md5sum: ftp.vapor.com/pub/3rdparty/

[Start md5sum checksum file]-----------------------
bd142b2b60355e46b17c1b1396cf0253 *file_id.diz
a2f6e7b6a4c2542d65d6217429c74aeb *vht-dk_104.txt
[End md5sum checksum file]-----------------------
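
The checksum block above can be checked mechanically. The following is an added example, not part of the original advisory or of any VHT-DK tool: Python that extracts the md5sum entries from the readme text and compares them with the files in a directory. The function names, sample file names and sample contents are constructed for illustration; a match only shows that a file agrees with the list, so the list itself must come from the PGP-verified readme.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# md5sum list line: 32 hex digits, space, '*' (binary) or ' ' (text), file name.
LINE_RE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")
START, END = "[Start md5sum checksum file]", "[End md5sum checksum file]"

def extract_checksums(readme_text):
    """Return {filename: md5hex} from the block between the Start/End markers."""
    entries, inside = {}, False
    for line in map(str.strip, readme_text.splitlines()):
        if line.startswith(START):
            inside = True
        elif line.startswith(END):
            inside = False
        elif inside and (m := LINE_RE.match(line)):
            entries[m.group(2)] = m.group(1).lower()
    return entries

def verify(readme_text, directory):
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING'} for every listed file."""
    results = {}
    for name, expected in extract_checksums(readme_text).items():
        path = Path(directory) / Path(name).name  # never follow a path from the list
        if not path.is_file():
            results[name] = "MISSING"
        elif hashlib.md5(path.read_bytes()).hexdigest() == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results

def demo():
    """Constructed sample: one intact file, one altered file, one absent file."""
    good, altered = b"constructed sample A\n", b"constructed sample B\n"
    readme = "\n".join([
        "[Start md5sum checksum file]-----------------------",
        hashlib.md5(good).hexdigest() + " *file_id.diz",
        hashlib.md5(altered).hexdigest() + " *notes.txt",
        hashlib.md5(b"x").hexdigest() + " *absent.lha",
        "[End md5sum checksum file]-----------------------",
    ])
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "file_id.diz").write_bytes(good)
        (Path(d) / "notes.txt").write_bytes(altered + b"tampered")
        return verify(readme, d)

print(demo())
```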