VIRUS HELP TEAM Amiga Antivirus Website www.vht-dk.dk
Amiga Virus Encyclopedia
COP (Circle Of Power) Variants
------------------------------
Destruction: Files are shortened and overwritten with a text.
Please do not confuse this with Biomechanic.
Biomechanic variants do NOT shorten files. They change at least five bytes
inside the file, not at the start!
Grouping: Files were shortened with 3E9-Trojanbegin. Files with the same
trojan code length and the same destruction text were given a type.
-> Circle Of Power 1:
Known filename : NComm32 ← Read our warning
File size packed : 121.896 Bytes - (StoneCracker 4.04 packed)
File size unpacked : 226.116 Bytes
Archive name : NCOMM32.LHA
Archive size : ?
FILE_ID.DIZ : ********************************************
NCOMM V3.2 *CRACKED* KEYFILE CHECK REMOVED!
********************************************
Info : Trojan-part is two Hunks, 1920 Bytes.
Filelength after destruction: 21 Bytes.
Length of the destruction part: 1920 bytes
The unpacked file you can read:
CIRCLE OF POWER 1995
CIRCLE OF POWER 1995
NComm 3.2 18-Mar-95...NComm
Damage : NComm started in the S: directory, replacing the data in EVERY file with the
text 'CIRCLE OF POWER 1995:', so the startup-sequence and the rest of the files
in the S: directory were totally destroyed.
-> Circle Of Power 2:
Known filename : LHA3.0 ← Read our warning
File size packed : 69.888 Bytes
File size unpacked : 105.808 Bytes
Archive name : LHA30.LHA
Archive size : ?
FILE_ID.DIZ : LHA 3.0 FROM STEFAN BOBERG
Info : Length of the destruction part: 1904 bytes
: Trojan-part is two Hunks, 1904 Bytes
: Filelength after destruction: 19 Bytes
Damage : LHA started in the S: directory, replacing the data in EVERY file with the
text 'CIRCLE OF POWER 1995:', so the startup-sequence and the rest of the files
in the S: directory were totally destroyed.
Known filename : CED4 ← Read our warning
File size packed : 174.500 Bytes
File size unpacked : 214.216 Bytes (Powerpacked)
Archive name : CED4.LHA
Archive size : ?
FILE_ID.DIZ : CYGNUS EDITOR V4.0 (MAIN)
Info : Packed length + 3E8-*Art-Hunk: 174500 bytes
So, here, a 3E8-*Art-Hunk was even added to make packer detection more difficult.
Damage : CED started in the S: directory, replacing the data in EVERY file with the
text 'CIRCLE OF POWER 1995:', so the startup-sequence and the rest of the files
in the S: directory were totally destroyed. This goes for all the files in your 'DEVS'
directory too.
-> Circle Of Power 3:
Known filename : DOpus5 ← Read our warning
File size packed : 347.296 Bytes
File size unpacked : 547.296 Bytes
Archive name : OPUS5.LHA
Archive size : 464.397 Bytes
FILE_ID.DIZ : -
Info : Trojan-part is two Hunks, 1860 Bytes.
Filelength after destruction: 6 Bytes.
Packed length + 3E8-*Art-Hunk: 347296 bytes
So, a 3E8-*Art-Hunk was even added here to make packer detection more difficult.
The file reads: libs:.COP'95..
Files from devs: s: and libs: are truncated to 6 bytes.
Therefore, envarc and ncomm are missing. Such a file would then read: COP'95
Unfortunately, NOTHING can be salvaged.
Damage : CED started in the S: directory, replacing the data in EVERY file with the
text 'CIRCLE OF POWER 1995:', so the startup-sequence and the rest of the files
in the S: directory were totally destroyed. This goes for all the files in your 'DEVS'
directory too.
-> Circle Of Power 4:
Known filename : SInfo ← Read our warning
File size : 2.852 Bytes
Archive name : SINFO10.LHA
Archive size : 4.432 Bytes
FILE_ID.DIZ : .------------------------------------------.
| SYSTEMINFO V1.0 BY JURGEN HUNSMANN 1995! |
| A VERY GOOD REPLACEMENT OF THE INFO CMD! |
`----------------------------------(baron)-'
Info : Trojan-part is unknown, only one Hunk.
Filelength after destruction: 5 Bytes.
No corrupted vectors
The file cannot replicate itself.
Difference from other COP types:
Standalone program and NOT linked.
The Trojan part is partially encoded.
The startup sequence is changed:
So, a few lines are inserted before the actual startup sequence.
These lines are processed first after a reset.
A file cop is created in RAM with the following contents at the end: cop!
Sorry, there's nothing left to salvage.
Damage : SInfo will replace every file in your S:, Libs: and C: with a new file,
with a size of 5 bytes, in this file you can read 'cop!'. This is another
program from 'CIRCLE OF POWER!'. The same programmer that has written the
other COP trojans 'NComm32.LHA', 'OPUS5.LHA', 'LHA30.LHA' and 'CED4.LHA'.
Comments : There is another thing: SInfo v1.0 will ask for 'SINFO.library', and the
library is in the archive, BUT it is not 'Sinfo.library', it is the real
'Bootblock.library v3.1' from SHI. Why this ????????
-> Circle Of Power 5:
Known filename : Virusworkshop V5.0 ← Read our warning
File size : 135.744 Bytes
Archive name : TRSI-VW5.LHA
Archive size : 221.737 Bytes
FILE_ID.DIZ : _________________ ____________
\ . ___.___._¬\/ ____/_____) TRiSTAR &
\/| .| | ¬| _/_____¬\| ¬|
| || | : ¬\ ¬V \\ || RSi
|___| |___|___\______/_____|
·+*#*+·^·TRN!·|____\·+*#*V·^·+*#*+·PRESENT!·
VIRUS-WORKSHOP 5.0
Info : Trojan-part is unknown, only one Hunk.
Filelength after destruction: 38 Bytes.
It was reported online that the respective programmers did NOT write the files.
NO file contains the program, which could be assumed based on the filename.
The file consists of the COP destruction routine and a piece of music.
No corrupted vectors.
The files CANNOT replicate themselves.
Coded by Khanan ([cOp]:Khanan / Circle Of Power :[cOp]
A window opens and a COP text is displayed. This
MUST be noticed by the user. I recommend an immediate RESET. Perhaps
the damage can still be limited. Caution: the hard drive may then have validation problems.
The files in devs, s, envarc, L, and NCOMM are shortened to 38 bytes.
Content after that, e.g.: Port Handler
[cOp]: Khanan / Circle Of Power :[cOp]
Sorry, there's nothing left to save.
Damage : Virusworkshop will replace every file in your S:, Libs: and C: with a new file,
with a size of 5 bytes, in this file you can read 'cop!'.
-> Circle Of Power 6:
Known filename : acp ← Read our warning
File size : 71.904 Bytes
Archive name : PSG-AE5.LHA
Archive size : 71.982 Bytes
FILE_ID.DIZ : AmiExpress 5.0
Info : Trojan-part is unknown, no 4EB9.
Filelength after destruction: 20 Bytes.
NO corrupted vectors
NO replication
Decoded (NOT.B D0) the file reads:
Coded by Khanan & Grajsah (c)
[cOp].[cOp]: Khanan :[cOp]
Process: : A window opens and a COP text is output. This
MUST be noticeable to the user. I recommend an immediate RESET. Perhaps
the damage can still be limited.
Caution: the hard drive may then have validation problems.
The files in devs, s, bbs, L, and NCOMM will be truncated to 20 bytes.
The contents after that, for example: [cOp]: Khanan :[cOp]
Sorry, there's nothing left to salvage.
Damage : acp will replace every file in your S:, Devs: and L: with a new file,
in this file you can read '[cOp]: Khanan :[cOp]'.
-> Circle Of Power 7:
Known filename : CopKiller ← Read our warning
File size : 8.428 Bytes
Archive name : Copkill1.LHA
Archive size : 9.801 Bytes
FILE_ID.DIZ : _____ ______ ___ DIRECT UPLOAD FROM
__ / ___// / // /\ SAFE HEX
\___ // _/ // / / INTERNATIONAL
/ / // __ // / / -------------
/____//__/__//__/ / AGAIN A NEW TOP-HIT!
\____\\__\__\\__\/ -------------
->> PRESENTS C.O.P. Killer v1.1 <<-
An excellent trojankiller that recognises
the new encoding system used by C.O.P.
Also read about the SHI reward >$5000<
for the name of a virus programmer.
°°±±²²Û²²±±°° Update 18-05-95 °°±±²²Û²²±±°°
Known filename : cALLERSLOG.SFX ← Read our warning
File size : 8.428 Bytes
Archive name : MST-CA12.LHA
Archive size : 19.349 Bytes
FILE_ID.DIZ : .--------[____ mYSTIC ____]--------.
|__ ______\ \____ / /_________|____
/ | \ / /___/_/ ___/______/ ___/__
/ \___ /____ \ \ / \ \ /
\___\/ /____/ / /______/_____/______/
| /___/ \________/AdN! _|_
| \_/
| cALLERSLOG 1.2 fOR lOGIC bBS |
| 100% fIXED - iNC iFF sCREENsHOT |
| |
`-[LoGIC DeVELOPeMENT]-[/X cOMPAT]-'
Info for both files : Both files are EXACTLY identical to the byte and are simply passed on under different names.
Trojan-part is two Hunks, 460 Bytes.
Filelength after destruction: 31 Bytes.
NO corrupted vectors
NO replication
Deception through unpacked text at the end of the file:
CoppKiller v1.1 by Jolle / SHI . 1995....J".
Decoded (NOT.B D0 and addi.b #$7F,d0) the following can be read in the file:
[cOp]: Scotch & Khanan on tour '95 :[cOp]
Due to a programming error, "only" the files in devs: are truncated to 41 bytes.
Contents, for example:
[cOp]: Scotch & Khanan on tour ' :[cOp]
Sorry, there's nothing left to save.
Larger parts of the Destruction files are NEVER reached.
They are therefore only intended to extend the file size.
Damage both files : Both files will rewrite the files in DEVS:, and in the new file you can read
this: [cOp]: Scotch & Khanan on tour '95 :[cOp]
-> Circle Of Power 8:
Known filename : LZX130_680000EC ← Read our warning
File size : 67.680 Bytes
Known filename : LZX130_680020 ← Read our warning
File size : 64.896 Bytes
Known filename : LZX130_680040 ← Read our warning
File size : 65.385 Bytes
Archive name : lzx130.lha
Archive size : ?
FILE_ID.DIZ : LZX Version 1.30 (Evaluation) Jun 5, 1995
Info : Trojan-part is unknown, no 4EB9.
Filelength after destruction: 63 Bytes.
ALL LZX in this archive were contaminated.
NO corrupted vectors
NO propagation
Decoded can be read in the file:
=CIRCLE.OF.POWER= [ THE RETURN OF THE POWER PEOPLE! PHEAR US! ]
The files in the subdirectories should be truncated to #63 bytes
CIRCLE.OF.POWER [ THE RETURN OF THE POWER PEOPLE! PHEAR US! ]
Damage : These files will trash your HD. It will rewrite every file in the following dirs:
'ncomm'
'bbs'
'devs'
's'
'envarc'
'libs'
And in the new file you can read this:
=CIRCLE OF POWER=
[ THE RETURN OF THE POcER PEOPLE! PHEAR US! ]
-> Circle Of Power 9:
Known filename : FutureTracker ← Read our warning
File size : 317.608 Bytes
Archive name : TRSI-FT.LHA
Archive size : 278.290 Bytes
FILE_ID.DIZ : _ _ __________________________- --.
.--------\\\\_ ___/___ / ______/--^-|.
| bACk tO | | __/ _/______ \ |:
| tHe rOOTs l____|___/ \_________\____||
|-------------------/_______\----------cDr-|
| FutureTracker - ProTracker Clone by PSI! |
| 6 channels, 256 samples, full MIDI port! |
`------------------------------------------'
Info : Trojan-part is unknown, no 4EB9.
Filelength after destruction: 75 Bytes.
Decoded the file reads:
CIRCLE.OF.POWER=
[ WE ARE BACK! THE RETURN OF THE POWER PEOPLE! / GRYZOR ]
The files in the subdirectories should be truncated to #75 bytes.
See text above. The files cannot be recovered.
Damage : Futuretracker will rewrite every file in DEVS:, L:, and S:,
with another file where you can read this:
[cOp]: Khanan / Circle Of Power :[cOp]
This time the trojan will show a text on the screen.
-> Circle Of Power 10:
Known filename : ACP-420
File size packed : 62.384 Bytes
File size unpacked : 71.904 Bytes
Archive name : LSD_AE42.lha
Archive size : 278.290 Bytes
FILE_ID.DIZ : ?
Info : Trojan-part is unknown, no 4EB9.
Filelength after destruction: 71 Bytes.
An Ami Express file after FileID
The programmer was unable to properly integrate the decoding loop.
SUB instead of ADD would have been correct!!
That's why it ALWAYS results in a GURU.
If SUB had been used, the corrupted files would have been
71 bytes long, and the Trojan would read:
CIRCLE.OF.POWER= [ THE TERROR WILL NEVER STOP, PHEAR THE MIGHTY COP! ]
-> Circle Of Power 11:
Known filename : dmv05.exe ← Read our warning
File size : 36.480 Bytes
Archive name : -
Archive size : -
FILE_ID.DIZ : _________ _
____/"""./###/____)\_____________
/"""/ //_______ /"""/""./"___/_
/ / //"""/" / // / //____ \_
\ // / ____/ / //""""/X\@!/
\_____/\__/___/ ""\______/_________/
--> /____/ ><>-!WARNING!-<>< --
Brought To You Diskmaster V5.1 Debugged
And Updated With VirusX2.4 VirusKiller!!
> >----------------------------------<<<
Info : Trojan-part is two Hunks, 432 Bytes.
Filelength after destruction: 41 Bytes.
The second part is the destruction part. This part alone IS EXECUTABLE!!!
Decoded reads: .FausT / cIRCLE oF pOWER'95 - TRUE POWER!
The files in the subdirectories should be shortened to #41 bytes.
The destruction part was linked as the first part using the 4EB9 method.
Damage : The trojan will replace files in LIBS:, DEVS:, S:, with a new file with
the length of 41 bytes, and in this file you can read this text:
"FausT / cIRCLE oF pOWER'95 - TRUE POWER!"
-> Circle Of Power 12:
Trojan-part is unknown, no 4EB9.
Filelength after destruction: 31 Bytes.
Known filename : TP5_Andromeda.exe ← Read our warning
File size : 40.216 Bytes
Archive name : TP5-ANDR.LHA
Archive size : 47.000 bytes
FILE_ID.DIZ : .------------------------------------------.
| DIRECTLY FROM THE PARTY 5 |
`------------------------------------------'
.------------------------------------------.
| |
| Andromeda's 40k intro called 'feelings'. |
| |
`------------------------------------------'
Known filename : TP5_Parallax.exe ← Read our warning
File size : 39.980 Bytes
Archive name : TP5-PRLX.LHA
Archive size : 41.000 bytes
FILE_ID.DIZ : .------------------------------------------.
| DIRECTLY FROM THE PARTY 5 |
`------------------------------------------'
.------------------------------------------.
| |
| Parallax's 40k intro called 'Cubic'. |
| |
`------------------------------------------'
Known filename : TP5_SilentsDK.exe ← Read our warning
File size : 39.440 Bytes
Archive name : TP5-TSL.LHA
Archive size : 46.000 bytes
FILE_ID.DIZ : .------------------------------------------.
| DIRECTLY FROM THE PARTY 5 |
`------------------------------------------'
.------------------------------------------.
| |
| Silents DK's 40k intro called |
| 'Byte Kitchen' |
| |
`------------------------------------------'
Known filename : TP5_Spaceballs.exe ← Read our warning
File size : 38.060 Bytes
Archive name : TP5-SPAC.LHA
Archive size : 45.000 bytes
FILE_ID.DIZ : .------------------------------------------.
| DIRECTLY FROM THE PARTY 5 |
`------------------------------------------'
.------------------------------------------.
| |
| Spaceballs 40k intro called |
| 'Ice Frontier' |
| |
`------------------------------------------'
Info : NO corrupted vectors
NO replication
According to FileID 40k intros
The files contain a lot of garbage that is never reached.
The device reports itself in the CLI with DOS-Extender...
The decoded file reads:
+46-620-13141 DUNGEON OF DOOM DOS-Extender V1.5 .1993 Fornax is..
Unable to wrrte Swapfile. remove write-protectction and retry
Creating new Swapfile. Pleasehold....
The files in the subdirectories should be shortened to #31 bytes.
The files are NOT salvageable. Text content:
Note : I have included the parts here, even though COP is not readable in the
destroyed file. However, the decoding routine, for example, with d7,
corresponds to the COP pattern.
-> Circle Of Power 13:
Known filename : PHA_XMAS.EXE ← Read our warning
File size : 461.384 Bytes
Archive name : PHA-XMAS.lha
Archive size : -
FILE_ID.DIZ : .------------------------------------------.
: Phenomena presents ' merry x-mas ! ' :
: Pha's very last production on the Amiga! :
: :
: Code & Graphics : Photon, Color & Twins :
: Music : Tip & Mantronix :
`------------------------------------------'
Info : Trojan-part is unknown, no 4EB9.
Filelength after destruction: 31 Bytes.
Other name: DUNGEON-OF-DOOM
NO corrupted vectors
NO proliferation
Decoded can be read in the file:
+46-620-13 141 - DUNGEON OF DOOM
Phenomena DOS extender V1.1 .1993 by Photon
Unable to write Swapfile.
Remove write-protection and retry
Creating new Swapfile. Please hold....
-> Circle Of Power 14:
Known filename : QBTools3 ← Read our warning
File size : 227.716 Bytes
Archive name : ORS-QBD.LHA
Archive size : 227.716 Bytes
FILE_ID.DIZ : ____ ___ ____ _ ___ ___ ____
::::: / . \_/ ___)_/_)/ .__)(___)/ ___)::::.
:::::/ ª \___ \ \ ª \/ \___ \:::::
:::::\_____/___ /_ /__| \_ /___ /:::::
`--[RD10/CodX]¼\/--\/--¼ª____\\/---¼\/---'
QUARTER BACK TOOLS DIAMOND
SUPPORTS AFS FILE SYSTEM, XPK PARTITIONS,
REORGANIZES BETTER THEN REORG, AND USES A
SAFETY DISK WHEN REORGANIZING! NO CRASH!
RELEASED BY : ERICO / OSIRIS
Info : Trojan-part is unknown, no 4EB9.
Filelength after destruction: 75 Bytes.
NO corrupted vectors
NO proliferation
The files in the subdirectories should be shortened to 75 bytes.
See text above. The files are NOT salvageable. The written text
corresponds EXACTLY to Type I.
But: - the individual subdirectories are swapped
- the actual Trojan code is a few bytes longer
- an additional text that is NOT written to the file is present:
"Please hold while scanning directory structure."
-> Circle Of Power 15:
Known filename : TETRIS.EXE ← Read our warning
File size : 21.244 Bytes
Archive name : HF-TETA1.LHA
Archive size : 646.347 bytes
FILE_ID.DIZ : _ ____________________________________
/ I \_ ___\ / / ___\__/____ \_ __/
/ _ / __)/ /\ /\ _// \| / // __)
/ ! / ! / / / / \ |/ | \ \ ! \
\___! \____\____\____/ |\____| |\__\____/
----| \--------| |-----| |PreSENtS
TETRIS ATTACK *FULL RELEASE* [1/2]
Known filename : TETRIS2.EXE ← Read our warning
File size : 21.244 Bytes
Archive name : HF-TETA2.LHA
Archive size : 550.826 bytes
FILE_ID.DIZ : _ ____________________________________
/ I \_ ___\ / / ___\__/____ \_ __/
/ _ / __)/ /\ /\ _// \| / // __)
/ ! / ! / / / / \ |/ | \ \ ! \
\___! \____\____\____/ |\____| |\__\____/
----| \--------| |-----| |PreSENtS
TETRIS ATTACK *FULL RELEASE* [1/2]
Info for both : The two TETRIS.EXE have the same content!
Trojan-part is two Hunks, 432 Bytes.
Filelength after destruction: 41 Bytes.
The second part is the destruction part. This part alone IS EXECUTABLE!!!
Decoded reads: .FausT / cIRCLE oF pOWER'95 - TRUE POWER!
The files in the subdirectories should be shortened to #41 bytes.
The destruction part was linked as the first part using the 4EB9 method.
Damage : The trojan will replace files in LIBS:, DEVS:, S:, with a new file with
the length of 41 bytes, and in this file you can read this text:
"FausT / cIRCLE oF pOWER'95 - TRUE POWER!"
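
The decodings named in the entries above (NOT.B D0 for type 6, NOT.B D0 followed by addi.b #$7F,d0 for type 7) can be applied to a whole file image to look for the marker texts quoted on this page, and a damaged file can be recognised by its listed length plus the clear text. This is an added example, not code from the Virus Help Team; it assumes both operations work per byte in the order written, and the function names and sample bytes are constructed for illustration.

```python
# Added example: find Circle Of Power marker text in a file image.
MARKERS = [  # marker strings quoted in the entries above
    b"CIRCLE OF POWER 1995", b"COP'95", b"[cOp]: Khanan",
    b"[cOp]: Scotch & Khanan on tour", b"CIRCLE.OF.POWER",
    b"cIRCLE oF pOWER'95",
]
# "Filelength after destruction" values listed in the entries above.
DESTROYED_LENGTHS = {5, 6, 19, 20, 21, 31, 38, 41, 63, 71, 75}


def not_b(data):
    """Apply NOT.B to every byte (the operation is its own inverse)."""
    return bytes(b ^ 0xFF for b in data)


def not_b_addi_7f(data):
    """Apply NOT.B then ADDI.B #$7F per byte (order assumed as written)."""
    return bytes(((b ^ 0xFF) + 0x7F) & 0xFF for b in data)


DECODERS = [("clear", bytes), ("NOT.B", not_b),
            ("NOT.B+ADDI.B #$7F", not_b_addi_7f)]


def scan_image(data):
    """Return (decoder, offset, marker) for every marker found in data."""
    hits = []
    for name, decode in DECODERS:
        plain = decode(data)
        for marker in MARKERS:
            pos = plain.find(marker)
            while pos != -1:
                hits.append((name, pos, marker.decode("ascii")))
                pos = plain.find(marker, pos + 1)
    return hits


def looks_destroyed(data):
    """True for a file cut to a listed length that holds clear marker text."""
    return len(data) in DESTROYED_LENGTHS and any(
        m in data for m in MARKERS + [b"cop!"])


def constructed_sample(text, scheme):
    """Build a test image: 8 filler bytes, then text encoded for `scheme`."""
    if scheme == "NOT.B":
        body = not_b(text)
    else:  # inverse of not_b_addi_7f
        body = bytes(((b - 0x7F) & 0xFF) ^ 0xFF for b in text)
    return b"\x00\x00\x03\xf3\x00\x00\x00\x00" + body


if __name__ == "__main__":
    img = constructed_sample(b"[cOp]: Scotch & Khanan on tour '95 :[cOp]",
                             "NOT.B+ADDI.B #$7F")
    print(scan_image(img))
    print(looks_destroyed(b"CIRCLE OF POWER 1995:"))
```

Files damaged by type 12 carry no readable COP text, as the note in that entry says, so `looks_destroyed` does not match them.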