-----BEGIN PGP SIGNED MESSAGE-----

......................... VIRUS HELP DENMARK .....................
--------------------

26 January 2001

Hi All....

A new 'TCP' trojan has been found in New Zealand. The installer is still unknown, but Zbigniew Trzcionkowski, the programmer of Safe, has made an update of the program that will detect this new TCP trojan in memory.

The TCP trojan will replace your "c:mount" with a new one of size 7484 bytes and make another file "f". The new "c:mount" is another clone of those stupid Vaginitis viruses, but it appeared with some support stuff (probably not found until now).

Here is some info about this new TCP Trojan:

Virus Type.... : TCP Trojan
Trojan name....: Explode
Trojan size....: 7484 bytes (c:mount)
                 232 bytes (f)
Archive name.. : ? (Not known yet)
Archive size.. : ? (Not known yet)

This TCP trojan can be detected by "Safe v14.7" right now, and within a few days by the "xvs.library".

Here is an analysis from Zbigniew Trzcionkowski:

==================== Start of Expl0de virus ========================

Entry...............: Expl0de Virus
Alias(es)...........: VaginitisClone
Virus Strain........: none
Virus detected when.: 1.2001
               where.: New Zealand
Classification......: System/Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: ca 730 Bytes
                      2. Length in RAM: 2048 Bytes

- --------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release..: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

- --------------------- Attributes ---------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
                      - none (the virus infects only C:mount)
                      Self-identification method in memory:
                      - checks for $60ea at LoadSeg patch offset -2
                      System infection:
                      - infects the following function: Dos LoadSeg()
                      Infection preconditions:
                      - Hunk Code is found
                      - File is not infected already (double infections are impossible)
                      - device is validated
                      - device contains free blocks
Infection Trigger...: Direct accessing C:mount
Storage media affected: C:
Interrupts hooked...: None
Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none
Particularities.....: (Installer is currently unknown.)
                      Installer infects only one file - C:mount; the code of the
                      Vaginitis/Fungus virus is used here only to implement TCP:
                      new shell opener to system. The virus performs:
                      run >nil: newshell TCP:9876
Similarities........: Link-method is first hunk increasing. Last RTS will be
                      rewritten with nop. Whole code is 95% equal to
                      Fungus/Vaginitis viruses.
Stealth.............: Only one file is infected. One of the additional files is a
                      file called c:f, which is a small lame coded patcher for
                      dos/Write prepared to prevent writing files that contain the
                      string '.987'. This is to hide the existence of the secret
                      shell in TCP:, and may also damage some files with this string.
Armouring...........: very simple eor crypter with static key $1337
Comments............: The virus contains the string 'expl0de!'. The virus probably
                      appeared with some other support stuff that will be analyzed
                      if we get it. Author of this virus is in love with the
                      longword $DEADF00D.

- --------------------- Agents -------------------------------------------
Countermeasures.....: - above
Standard means......: -

- --------------------- Acknowledgement ----------------------------------
Location............: Pawlowice, Poland 25.1.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 25.1.2001
Information Source..: Virus disassembly
Copyright...........: This documentation is public domain

===================== End of Expl0de virus =======================

This archive has been sent to all the antivirus programmers.....

Thanx to Patrick Ford for the info and sending the files to us..

Regards....

         __                   Jan Andersen          E-Mail..: vht-dk@post4.tele.dk
     __ ///    ------------                         FidoNet.: 2:237/38.100
     \\\///    Virus Help Denmark                   AmyNet..: 39:140/127.100
      \XX/     www.vht-dk.dk                        VirNet..: 9:451/247.0

... Did you know, that the newest version of Safe is v14.7 !!

- -------------------------------------------------------
Archive has been checked and a .sig file has been added so you can verify there was no tampering with the file after it was placed on the server.

MD5SUMS and Readme PGP signed by: Charlene
e-mail: ml-clm@mailandnews.com
md5sum: ftp.vapor.com/pub/3rdparty/

[Start md5sum checksum file]-----------------------
c23da3e9f55b18732c99073f4644b15f *file_id.diz
049c4afd282487dd231eb366638aa72d *VHT-DK.txt
129e1954d1f46932c0d1ef336127c979 *vht-dk94.txt
[End md5sum checksum file]-----------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv
Comment: Signed by Charlene, using PGPAmiga

iQCVAwUBOnHa2/rh//oWbqdVAQFCvAQAgBheqqOskjlBvnhSo6keeh/GWV8SvPGb
oZs3qFdmuwPCDjUXmphXYz7hLu3LONe/jYLNY3QdoOm/nSxCiwxxmPTnUvWLiokU
jR21kBa9veey2Dq0Rl2+l79l4LbzXwKvgH4L2x40Owfh/ZajNOYo3Od972lQgeEA
j/7CHe1HuJA=
=U1mB
-----END PGP SIGNATURE-----
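The analysis above gives enough static indicators for a file-level check that does not depend on Safe or xvs.library: the 7484/232-byte sizes, the strings 'expl0de!' and 'TCP:9876', the longword $DEADF00D, the '.987' string the c:f patcher filters on, and the static EOR key $1337. The scanner below is an added example written for this page; it is not code from Virus Help Denmark, Safe, or Zbigniew Trzcionkowski. Everything it matches on comes from the advisory, but the crypter layout it assumes (16-bit big-endian words XORed with $1337, tried at both word alignments) is an assumption made so that markers hidden by the crypter can still be surfaced; the 7484-byte "c:mount" image it scans by default is constructed for the demonstration and is not the real trojan.

```python
"""Static indicator scan for the Expl0de/TCP trojan files described above.

Added example, not Virus Help Denmark or Safe code. Marker strings, sizes and
the EOR key come from the advisory; the crypter layout (16-bit big-endian words
XORed with a static key) is an ASSUMPTION made for illustration.
"""
import struct
import sys

EOR_KEY = 0x1337                               # static key from the "Armouring" field
EXPECTED_SIZES = {"mount": 7484, "f": 232}     # file sizes given in the advisory

# Byte patterns named in the analysis, with what each one means.
MARKERS = {
    b"expl0de!": "marker string 'expl0de!'",
    b"\xde\xad\xf0\x0d": "longword $DEADF00D",
    b"TCP:9876": "shell target TCP:9876 from the newshell command",
    b".987": "'.987' string the c:f Write patcher filters on",
}


def eor_words(data: bytes, key: int = EOR_KEY, offset: int = 0) -> bytes:
    """XOR every big-endian 16-bit word from `offset` onward with `key`.

    XOR is its own inverse, so the same call encrypts and decrypts.
    ASSUMED layout; the real crypter may pair bytes differently.
    """
    head, body = data[:offset], data[offset:]
    n_words = len(body) // 2
    out = bytearray(head)
    for i in range(n_words):
        (word,) = struct.unpack_from(">H", body, 2 * i)
        out += struct.pack(">H", word ^ key)
    out += body[2 * n_words:]                  # odd trailing byte left untouched
    return bytes(out)


def find_markers(data: bytes) -> list:
    """Return (how, description) pairs for every marker found.

    Searches the raw bytes first, then the bytes after an EOR $1337 pass at
    both word alignments, so strings hidden by the static-key crypter show up.
    """
    hits = []
    for pattern, desc in MARKERS.items():
        if pattern in data:
            hits.append(("plain", desc))
    for offset in (0, 1):
        decoded = eor_words(data, offset=offset)
        for pattern, desc in MARKERS.items():
            if pattern in decoded:
                hits.append((f"eor$1337@{offset}", desc))
    return hits


def scan_file(name: str, data: bytes) -> list:
    """Scan one file image; return human-readable findings (empty list = clean)."""
    findings = []
    # Reduce "C:mount", "sys:c/mount" or "c\\mount" to the bare file name.
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rsplit(":", 1)[-1].lower()
    if base in EXPECTED_SIZES and len(data) == EXPECTED_SIZES[base]:
        findings.append(f"size {len(data)} matches advisory size for '{base}'")
    for how, desc in find_markers(data):
        findings.append(f"{desc} [{how}]")
    return findings


def constructed_sample() -> bytes:
    """Build a 7484-byte stand-in for an infected c:mount (CONSTRUCTED, not real).

    Layout: Amiga hunk header $000003F3, the plain 'newshell TCP:9876' command
    string, then 'expl0de!' and $DEADF00D stored EOR'd with $1337 on a word
    boundary, zero-padded to the advisory's file size.
    """
    plain = b"\x00\x00\x03\xf3" + b"run >nil: newshell TCP:9876\x00"
    if len(plain) % 2:                         # keep the secret word-aligned
        plain += b"\x00"
    secret = eor_words(b"expl0de!" + b"\xde\xad\xf0\x0d")
    image = plain + secret
    return image + b"\x00" * (EXPECTED_SIZES["mount"] - len(image))


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:                              # no arguments: scan the constructed sample
        for line in scan_file("c:mount", constructed_sample()):
            print(line)
    for path in paths:
        with open(path, "rb") as fh:
            for line in scan_file(path, fh.read()):
                print(f"{path}: {line}")
```

Run it with no arguments to see the findings on the constructed image, or pass file paths (for instance a copy of C:mount and C:f taken off a suspect disk) to scan real files. A size match alone is weak evidence, since any 7484-byte mount would trigger it; the string and $DEADF00D hits, especially ones that only appear after the EOR pass, are what should prompt a closer look or a run of Safe v14.7.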
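The checksum list at the end of the message is in GNU md5sum format: a 32-hex-digit digest, a space, then either a second space (text mode) or an asterisk (binary mode) in front of the file name. The verifier below is an added example written for this page, not Charlene's or Virus Help Denmark's tooling. It parses that format, skips the "[Start ...]" and "[End ...]" banner lines, and reports each file as OK, FAILED or MISSING. The sample files and the tampered copy it checks by default are constructed for the demonstration; their digests are not the ones in the advisory.

```python
"""Verify an md5sum-style checksum list like the one appended to the message.

Added example, not tooling from the advisory's authors. The parser follows the
GNU md5sum line format (`<32 hex> *<name>`, asterisk = binary mode) used in the
advisory; the sample files below are CONSTRUCTED for the demonstration.
"""
import hashlib
import re
import sys

# digest, one space, then ' ' (text mode) or '*' (binary mode), then the name
LINE_RE = re.compile(r"^([0-9a-fA-F]{32}) ([ *])(.+)$")


def parse_md5sums(text: str) -> list:
    """Return (expected_hex, filename, binary_mode) triples from a checksum list.

    Blank lines and the advisory's "[Start ...]" / "[End ...]" banners are
    skipped; any other line that is not an md5sum entry is an error.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable md5sum line: {raw!r}")
        digest, mode, name = match.groups()
        entries.append((digest.lower(), name, mode == "*"))
    return entries


def verify(entries: list, read_file) -> dict:
    """Map each listed file name to 'OK', 'FAILED' or 'MISSING'.

    `read_file(name)` returns the file's bytes or raises FileNotFoundError,
    so the same check runs against a directory on disk or an in-memory set.
    """
    results = {}
    for expected, name, _binary in entries:
        try:
            data = read_file(name)
        except FileNotFoundError:
            results[name] = "MISSING"
            continue
        actual = hashlib.md5(data).hexdigest()
        results[name] = "OK" if actual == expected else "FAILED"
    return results


def build_md5sums(files: dict) -> str:
    """Produce a checksum list in the advisory's layout from name -> bytes."""
    body = "\n".join(f"{hashlib.md5(d).hexdigest()} *{n}" for n, d in files.items())
    return ("[Start md5sum checksum file]-----------------------\n"
            + body + "\n"
            + "[End md5sum checksum file]-----------------------\n")


# CONSTRUCTED sample archive contents; not the real VHT-DK files.
SAMPLE_FILES = {
    "file_id.diz": b"VHT-DK #94: Expl0de TCP trojan warning (constructed sample)\n",
    "VHT-DK.txt": b"Virus Help Denmark - constructed sample text\n",
}


def demo() -> dict:
    """Build a list over three files, then tamper with one and drop another."""
    listing = build_md5sums({**SAMPLE_FILES, "vht-dk94.txt": b"placeholder\n"})
    files = dict(SAMPLE_FILES)
    files["VHT-DK.txt"] += b"tampered after upload\n"   # simulate post-upload change

    def read_file(name):
        if name not in files:
            raise FileNotFoundError(name)
        return files[name]

    return verify(parse_md5sums(listing), read_file)


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # usage: script.py MD5SUMS  (files in cwd)
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            listing = fh.read()

        def read_from_disk(name):
            with open(name, "rb") as fh:
                return fh.read()

        results = verify(parse_md5sums(listing), read_from_disk)
    else:
        results = demo()
    for name, status in results.items():
        print(f"{name}: {status}")
```

A matching digest only tells you the file is the one the list describes; what makes the list itself trustworthy is the PGP signature over it, so check the signature before trusting the digests. MD5 has also not been collision-resistant for many years, so a list like this guards against accidental corruption and casual tampering rather than a deliberate substitution by someone who can choose both files.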