Name         : ELENI VIRUS
Aliases      : Gremlin, FMFOJ
Type/Size    : Boot/1024
Clones       : No Clones
Symptoms     : No Symptoms
Discovered   : 10-04-94
Way to infect: Boot infection
Rating       : Less Dangerous
Kickstarts   : 2.0 & higher
Damage       : Overwrites boot, creates new c/Mount on disk.
Removal      : Install boot, Delete files c/Mount & c/d.

Comments     : If you are booting with an infected disk, the virus copies
               itself to the address $FE000 or $7F400. After that it
               changes the CoolCapture vector to stay resident.
               Furthermore it patches the DoIO() vector and the
               KickChkSum() vector of the exec.library to infect other
               disks.

               But now it comes: Imagine you are now booting with your
               HD. Now the virus creates two new files called

                 c/Mount = 208 bytes (read ELENIV2.2_inst, too!) and
                 c/D     = 1024 bytes

               The data file c/D is the virus itself. The executable
               file c/Mount is the virus installer. If you are now
               starting the file c/Mount, the program does the
               following:

                 1) Opens the file c/D (virus)
                 2) Loads it into an address
                 3) Starts it & returns.

               To remove the virus you must delete the Mount-fake and
               the virus file c/D. AND! Don't forget to install your
               disks.

               In the bootblock you can read:

                 "FMFOJ XJSVT V2.2"

               Decrypted with "sub.b #1,(a0)+": (Routine not in BB)

                 "ELENI WIRUS V2.2"
                        ^ The programmer was surely a LAMER

               No text output routine was found in the virus.

ATTENTION: A FAKE X-COPY 8.5 VERSION IS GOING AROUND WHICH INSTALLS THIS
           DEVIL. For further information read about the X-Copy 8.5
           trojan.

NOTE: Why must people write such SHIT! ohhh gooood.

A.D 04-94
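
Added example (not part of the original entry): a small Python check for the indicators listed above, namely the bootblock text and the two dropped files with their sizes. The function names are made up for this example, and it assumes the disk is available as a raw image and the HD partition as an extracted directory tree.

```python
import os

# Indicators taken from the entry above.
MARKER = b"FMFOJ XJSVT V2.2"            # text readable in an infected bootblock
BOOTBLOCK_SIZE = 1024                   # Type/Size: Boot/1024
DROPPED = {"mount": 208, "d": 1024}     # c/Mount and c/D with their byte sizes


def decode_name(marker: bytes) -> str:
    """Undo the +1 shift on the two name words; the entry shows 'V2.2' in clear."""
    words = marker.decode("ascii").split(" ")
    shifted = ["".join(chr(ord(ch) - 1) for ch in w) for w in words[:2]]
    return " ".join(shifted + words[2:])


def scan_bootblock(image: bytes) -> int:
    """Return the marker's offset inside the first 1024 bytes, or -1 if absent."""
    return image[:BOOTBLOCK_SIZE].find(MARKER)


def find_dropped_files(root: str) -> list:
    """List (path, size) for c/Mount and c/D whose size matches the entry.

    Names are compared case-insensitively; a Mount of any other size is
    not reported.
    """
    hits = []
    for top in os.listdir(root):
        cdir = os.path.join(root, top)
        if top.lower() != "c" or not os.path.isdir(cdir):
            continue
        for name in os.listdir(cdir):
            path = os.path.join(cdir, name)
            want = DROPPED.get(name.lower())
            if want is not None and os.path.isfile(path) and os.path.getsize(path) == want:
                hits.append((f"{top}/{name}", want))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample: an otherwise empty bootblock carrying only the marker.
    sample = bytearray(BOOTBLOCK_SIZE)
    sample[0x40:0x40 + len(MARKER)] = MARKER   # offset chosen for the demo
    print("marker offset:", scan_bootblock(bytes(sample)))
    print("decoded text :", decode_name(MARKER))
```

A hit from either check only flags the disk or partition for the removal steps in the entry; the size comparison is what separates the 208-byte Mount-fake from a Mount of any other size.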