-------------------------
  Amiga Virus Encyclopedia    
  COP BIO Trojan (Type B)
  Other name: Biomechanic 1
  -------------------------


  Warning ! The file TRSi-INS.lha is no TRSi release and contains a fucking
  trojan !  In the middle of the 10.06.1995. one of our members (NIKE/TRSi)
  got a call on the BBS from a guy called GRYZOR, who is supposed to be the
  leader of  Circle of Power (COP),  and this guy said to NIKE that TRSi is
  lame and such things.  Later he uploaded there a file called TRSi-INS.lha
  to this  board and  NIKE wondered a  little bit and  contacted me and the
  other TRSi guys.  So this  virus is now (10.06.1995. 18:30 o`clock) about
  6 hours old.  Let us  stop this  bastard and  finally get a  solution for
  the COP problem (hi Apollo and Noise Belch).

  Here is my first analysis of the virus,  which is a little bit short, but
  I ran totally out of time. Sorry dudes..


  Greets
  Flake/TRSi


  Biomechanic Trojan
  ------------------
  other possible names: TRSI-INS Trojan
  Type: Destruction only
  Destruction caused by: simple bytemodification

  This is no TRSi release ! It is just a fake !

  In the File-ID it is stated that this are some hd installers for actual
  games. In real this is just a trojan, which will  manipulate your files
  on your HD.

  The contents of the archive:


  ViroCop-HD_install.exe           5912 ----rwed 02-Sep-92  12:49:54
  SWOS-HD_install.exe              9588 ----rwed 02-Sep-92  12:51:12
  SensibleGolf-HD_install.exe      4776 ----rwed 02-Sep-92  12:51:24
  Mortal-Kombat2-HD_install.exe    5512 ----rwed 02-Sep-92  12:50:12
  MCI-CARDS4-FREE.EXE              5912 ----rwed 02-Sep-92  12:49:30
  Embryo-HD_install.exe            6764 ----rwed 02-Sep-92  12:50:24


  The virus is looking for a special enviroment and then manipulates the
  files:

  Here a original PGP signed message:

    0000: 89009502 05002FCF 1B5220F5 BA1075CB    ....../Ï.R õº.uË
    0010: 69450101 C11D03FF 7ED659E1 39C4AD2C    iE..Á...~ÖYá9Ä­,
    0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14    ÎÒ..!üëy\ó¹ ªÛ\.
    0030: D2B35295 5FFBE735 4E8070E1 A8C2C909    Ò³R._ûç5N.pá¨ÂÉ.
->  0040: 2235ABB5 BE37E843 79CCD140 7AA2ACA5    "5«µ¾7èCyÌÑ@z¢¬¥

  Here the manipulated one:

    0000: 89009502 05002FCF 1B5220F5 BA1075CB    ....../Ï.R õº.uË
    0010: 69450101 C11D03FF 7ED659E1 39C4AD2C    iE..Á...~ÖYá9Ä­,
    0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14    ÎÒ..!üëy\ó¹ ªÛ\.
    0030: D2B35295 5FFBE735 4E8070E1 A8C2C909    Ò³R._ûç5N.pá¨ÂÉ.
->  0040: 2235ABB5 BE37E843 79CC0002 B37800A5    "5«µ¾7èCyÌ..³x.¥

  If you start the virus (it is in all the above listed files), a little
  text will show up:

                 - b i o m e c h a n i c -

  and the work begins. If the work is completed, the following text will
  be printed out, too:

                  ... trashed your hd ...

  and a directory named "biomechanic trashed your hd !!" will be created,
  which is empty.

  The code looks quite good. This is not the work of a real beginner. The
  guy behind has some  programming knowledge.  This way of programming is
  better than from the COP viruses.  The programm uses indirect adressing
  and a lot of stackusage,  which cannot be done by a beginner (atleast I
  think so).


  Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
           Kickstart all others: VirusZ III, and also Xvs.library must be installed


  Test by Markus Schmall