Entry...............: COP-Trojan
Alias(es)...........: QuarterbackD Trojan,
                      ORS-QBD.lha trojan
Virus Strain........: -
Virus detected when.: 9/95
              where.: Denmark
Classification......: Trojan, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 227716 Bytes (unpacked)
                      2. Length in RAM:            227716 Bytes
                                                   - redundant hunk data
--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 3.00 and above (V39+)
                      (Some functions are supposed to work only on V40?)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: File length

Type of infection...: Overwriting all files in the destination directories

Infection Trigger...: none
Storage media affected: all DOS devices

Interrupts hooked...: None

Damage..............: Permanent damage:

                      Overwrites files in ENV, SYS, LIBS, NCOMM and S
                      with a 75-byte text containing the following
                      information:

                      "=CIRCLE OF POWER= [ WE ARE BACK! THE RETURN "
                      "OF THE POWER PEOPLE! / GRYZOR ]"

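The two indicators above, the 75-byte marker text left in overwritten files and the file length listed under "Easy Identification", can be checked mechanically. The following scanner is an added example and not part of the original VTC entry; it assumes a damaged file begins with exactly that 75-byte text (the two quoted strings concatenated) and treats a size match with the trojan's length only as a weak hint to be confirmed by hand. The sample directory tree it builds is constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Marker text the trojan writes into each overwritten file (the two quoted
# strings from the entry, concatenated); it is exactly 75 bytes long.
COP_MARKER = (b"=CIRCLE OF POWER= [ WE ARE BACK! THE RETURN "
              b"OF THE POWER PEOPLE! / GRYZOR ]")

# File length of the trojan itself, as given under "Easy Identification".
TROJAN_LENGTH = 227716


def marker_length():
    """Length of the marker, for cross-checking against the entry (75)."""
    return len(COP_MARKER)


def scan_tree(root):
    """Walk root and return (damaged, suspects), both sorted path lists.

    damaged:  files whose first 75 bytes are the COP marker, i.e. files the
              trojan has already overwritten (strong indicator).
    suspects: files whose size equals the trojan's own length; this is only
              a hint, since any unrelated file can have that size.
    """
    damaged, suspects = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.stat().st_size == TROJAN_LENGTH:
            suspects.append(str(path))
        with path.open("rb") as fh:
            head = fh.read(len(COP_MARKER))
        if head == COP_MARKER:
            damaged.append(str(path))
    return sorted(damaged), sorted(suspects)


def build_sample_tree():
    """Constructed sample layout (hypothetical names, not real system files):
    two files wiped the way the trojan does it, one intact file, and one
    zero-filled file that merely matches the trojan's length."""
    root = Path(tempfile.mkdtemp(prefix="cop_demo_"))
    (root / "S").mkdir()
    (root / "S" / "startup-sequence").write_bytes(COP_MARKER)
    (root / "LIBS").mkdir()
    (root / "LIBS" / "example.library").write_bytes(COP_MARKER)
    (root / "ENV").mkdir()
    (root / "ENV" / "example.prefs").write_bytes(b"\x00" * 300)
    # Filler of the trojan's length; this is not trojan code.
    (root / "QuarterbackD").write_bytes(b"\x00" * TROJAN_LENGTH)
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    damaged, suspects = scan_tree(sample)
    print("overwritten by COP marker:", damaged)
    print("size matches trojan length (check by hand):", suspects)
```

Run it against a mounted Amiga volume root instead of the sample tree to list every file already wiped; a size-only hit should be opened and compared with a known copy before it is treated as the trojan.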
Damage Trigger......: Permanent damage:
                      - Start of program
                      Transient damage:
                      - Start of program

Particularities.....: The trojan uses the DosList to get access to
                      the various directories and then starts to
                      damage the files in them. The code uses some
                      Kickstart 3.x functions and therefore does not
                      work on older systems. Some failure-recognition
                      routines were built in (in comparison to older
                      COP trojans).

                      Normal behavior blockers are able to stop this
                      trojan. No tunneling techniques are used for
                      this little bastard.

Similarities........: A lot of the routines are comparable to older
                      COP trojans found in various widespread
                      utilities. Some code is optimized, but still
                      the old style is recognizable. This special
                      one contains nearly the same code as the
                      COP trojan found in PT4.


Stealth.............: None


Armouring...........: Important parts are encrypted using a logical
                      loop, which is breakable by a normal code
                      simulator.


--------------------- Agents -------------------------------------------

Countermeasures.....: none
Countermeasures successful: All of the above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany, 16.9.1995
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall
Date................: September 16, 1995
Information Source..: Reverse engineering of original trojan
Copyright...........: Markus Schmall
Special.............: No use of this analysis except by VTC Uni Hamburg
                      in their CMBase releases

===================== End of Quarterback3 COP Trojan =====================
