-----BEGIN PGP SIGNED MESSAGE-----

......................... VIRUS HELP DENMARK .....................
                          --------------------
                              1 May 2001

Hi All....

What we think is the installer of the "Bastard" link virus has been found.
It was on Aminet (and had been there for about 14 days), but it has been
removed now.

Okay, here is what we know so far:

 Archive name  : Pointers.lha
 Archive size  : 6.874 bytes
 Installer name: Install
 Installer size: 4.748 bytes
 Virus name    : Bastard linkvirus
 Virus size    : About 2100 Bytes (uses polymorphic engine)

Here is Zbigniew Trzcionkowski's test:
--------------------------------------

The archive 'Pointers.lha' (6874 bytes) is the installer for the BASTARD
LINKVIRUS.

The executable is hidden inside the installer script and I must admit I
haven't seen such a thing before. It was done (in a very clever way) with a
special tool which changes a binary to valid installer script data. This can
be seen as a real MACRO virus for Amiga!

NOTE: There was no script icon, so I think almost no one installed the
virus!

This installer script generates a file called RAM:temp, which is a
stonecracked executable with the BASTARD virus. This is just THE FIRST file
of the virus. It also contains some text and even the name of the virus:

 Antidisassemblishmentaryonism v1

(I think everyone still uses the name I have invented :-)

There was nothing new in the file besides that additional text. It also says
about the authors, which are not the same people behind those lame 4ef9
trojans (I came to this conclusion only by watching the code, so You see the
differences were large.). As always I will not publish the text inside, not
to satisfy virus-makers, even though this is done very cleverly, and not to
infect so many machines.

Thanks to 'Zbigniew Trzcionkowski', the programmer of Safe, for the info.

Regards....

      __    Jan Andersen         E-Mail..: vht-dk@post4.tele.dk
 __  ///    ------------         FidoNet.: 2:237/38.100
 \\\///     Virus Help Denmark   AmyNet..: 39:140/127.100
  \XX/      www.vht-dk.dk        VirNet..: 9:451/247.0

...
Did you know, that the newest version of VirusExecutor is v2.16

- -------------------------------------------------------

Archive has been checked and a .sig file has been added so you can verify
there was no tampering with the file after it was placed on the server.

MD5SUMS and Readme PGP signed by: Charlene
e-mail: ml-clm@mailandnews.com
md5sum: ftp.vapor.com/pub/3rdparty/

[Start md5sum checksum file]-----------------------
9f6d00f8adf237affc6fd3018abf0787 *file_id.diz
049c4afd282487dd231eb366638aa72d *VHT-DK.txt
2cacf9dd57bd3801a394145506c09285 *VHT-DK100.TXT
[End md5sum checksum file]-----------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv
Comment: Signed by Charlene, using PGPAmiga

iQCVAwUBOu8W9frh//oWbqdVAQEnlwP/Soksc+/DcGDvjm6PM9YGhTjfutuz6e1k
3rrCdN63PHudhxbOPxyTZzGGQfukBLa7khbg6qFCMT9/9L7OWdZLfzfB8p2LFQQn
/BjNz6tFv2thjPXCfBnbUIl/NowcIXEFWxWPx0ezwOYWL+eMVKvby4Rx0d4tRjYC
Td9fT50b6kk=
=itQE
-----END PGP SIGNATURE-----
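
Added example (not part of the original advisory or of the VHT-DK archive): a Python check that parses the md5sum block quoted above and compares the listed files in an unpacked archive directory, rejecting any listed name that would resolve outside that directory. The function names and the directory argument are assumptions; the list itself is only as trustworthy as the PGP signature that covers it.

```python
import hashlib
import re
from pathlib import Path

# Checksum block copied from the advisory above.
CHECKSUM_BLOCK = """\
[Start md5sum checksum file]-----------------------
9f6d00f8adf237affc6fd3018abf0787 *file_id.diz
049c4afd282487dd231eb366638aa72d *VHT-DK.txt
2cacf9dd57bd3801a394145506c09285 *VHT-DK100.TXT
[End md5sum checksum file]-----------------------
"""

# md5sum line: 32 hex digits, a space, '*' (binary) or ' ' (text), file name.
ENTRY = re.compile(r"^([0-9a-fA-F]{32}) [* ](.+)$")


def parse_md5sums(text):
    """Return {filename: lowercase md5 hex}; marker lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def verify(directory, entries):
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'rejected'}."""
    base = Path(directory).resolve()
    results = {}
    for name, expected in entries.items():
        path = (base / name).resolve()
        if base not in path.parents:
            results[name] = "rejected"  # listed name escapes the directory
        elif not path.is_file():
            results[name] = "missing"
        else:
            digest = hashlib.md5(path.read_bytes()).hexdigest()
            results[name] = "ok" if digest == expected else "mismatch"
    return results


if __name__ == "__main__":
    # Hypothetical usage: run from the directory the archive was unpacked into.
    for name, status in verify(".", parse_md5sums(CHECKSUM_BLOCK)).items():
        print(f"{status:9} {name}")
```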