---------------------------
Amiga Virus Encyclopedia
COP Quarterback Tools Trojan
---------------------------
Entry...............: COP-Trojan
Alias(es)...........: Circle Of Power 14,
                      QuarterbackD Trojan,
                      ORS-QBD.lha trojan
Virus Strain........: -
Virus detected when.: 9/95
              where.: Denmark
Classification......: Trojan, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 227716 Bytes (unpacked)
                      2. Length in RAM: 227716 Bytes
                         - redundant hunk data
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 3.00 and above (V39+)
                      (Some functions are supposed to work only on V40?)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: File length
Type of infection...: Overwriting all files in the destination directories
Infection Trigger...: none
Storage media affected: all DOS devices
Interrupts hooked...: None
Damage..............: Permanent damage:
                      Overwriting files in ENV, SYS, LIBS, NCOMM and S
                      with a 75 bytes long text containing the following
                      information:
                      "=CIRCLE OF POWER= [ WE ARE BACK! THE RETURN "
                      "OF THE POWER PEOPLE! / GRYZOR ]"
Damage Trigger......: Permanent damage:
                      - Start of program
                      Transient damage:
                      - Start of program
Particularities.....: The trojan uses the DosList to get access to the
                      various directories and then starts to damage the
                      information in these files. The code uses some
                      Kickstart 3.x functions and therefore does not work
                      on older systems. Some failure-recognition routines
                      were built in (in comparison to older COP trojans).
                      Normal behaviour blockers are able to stop this
                      trojan. No tunneling techniques are used by this
                      little bastard.
Similarities........: A lot of the routines are comparable to older COP
                      trojans found in various widespread utilities. Some
                      code is optimized, but the old style is still
                      recognizable. This special one contains nearly the
                      same code as the COP trojan found in PT4ß.
Stealth.............: None
Armouring...........: Important parts are encrypted using a logical loop,
                      which is breakable by a normal code simulator.
--------------------- Agents -------------------------------------------
Countermeasures.....: none
Countermeasures successful: All of the above
Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: Hannover, Germany, 16.9.1995
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall
Date................: September 16, 1995
Information Source..: Reverse engineering of original trojan
Copyright...........: Markus Schmall
Special.............: No use of this analysis except by VTC Uni Hamburg
                      in their CMBase releases
===================== End of Quarterback3 COP Trojan ===================
Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
         Kickstart all others: VirusZ III, and also Xvs.library must be installed
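The two indicators this entry gives a defender are the 75-byte COP text that overwrites files in ENV, SYS, LIBS, NCOMM and S, and the 227716-byte unpacked length of the trojan program ("Easy Identification: File length"). The following Python script is an added example, not part of the encyclopedia entry and not Amiga code: it walks a directory tree (for instance a mounted disk image or a backup copy) and flags files whose content begins with the marker text as overwritten, and files of exactly the documented length as suspect carriers. Treating a marker prefix as damage is an assumption made here so the check covers both a file truncated to the 75-byte text and one whose first 75 bytes were replaced; the entry does not say which happens. The sample tree built by `make_sample_tree()` and every file name in it are constructed for the demonstration.

```python
"""Added example: scan a directory tree for the COP Quarterback trojan's indicators.

Not part of the original encyclopedia entry. Uses only the indicators the entry
states: a 75-byte damage marker and a 227716-byte unpacked program length.
Directory layout, file names and file contents below are constructed sample data.
"""
import os
import shutil
import tempfile

# The 75-byte text the trojan writes over every file it reaches (quoted from the entry).
COP_MARKER = (b"=CIRCLE OF POWER= [ WE ARE BACK! THE RETURN "
              b"OF THE POWER PEOPLE! / GRYZOR ]")
assert len(COP_MARKER) == 75, "marker must be exactly 75 bytes as documented"

# Unpacked length of the trojan program ("Easy Identification: File length").
TROJAN_LENGTH = 227716


def classify_file(path):
    """Return 'overwritten', 'suspect_length' or None for one file.

    'overwritten' means the file starts with the COP marker text (assumption:
    prefix match, so both a truncated and a partially overwritten file count).
    'suspect_length' means only the size matches the documented trojan length;
    that is a weak indicator and needs confirmation by a real scanner.
    """
    size = os.path.getsize(path)
    if size >= len(COP_MARKER):
        with open(path, "rb") as fh:
            if fh.read(len(COP_MARKER)) == COP_MARKER:
                return "overwritten"
    if size == TROJAN_LENGTH:
        return "suspect_length"
    return None


def scan_tree(root):
    """Walk root and return {relative_path: verdict} for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify_file(full)
            if verdict is not None:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = verdict
    return findings


def make_sample_tree():
    """Create a constructed mini system tree in a temp dir and return its path.

    It contains two files overwritten with the marker, one intact file, one file
    of the trojan's documented length, and a 75-byte file that is NOT the marker
    (to show that size alone does not trigger the 'overwritten' verdict).
    """
    root = tempfile.mkdtemp(prefix="cop_sample_")
    layout = {
        # constructed, intact startup script
        "S/Startup-Sequence": b"; constructed sample startup script\nC:SetPatch QUIET\n",
        # constructed damaged files: content replaced by the marker
        "S/User-Startup": COP_MARKER,
        "ENV/Sys/Palette.prefs": COP_MARKER,
        # constructed, intact binary with a hunk-style header
        "LIBS/sample.library": b"\x00\x00\x03\xf3" + bytes(60),
        # constructed carrier stand-in: only the documented length matches
        "Tools/QBTools": b"\x00\x00\x03\xf3" + bytes(TROJAN_LENGTH - 4),
        # constructed 75-byte file that is not the marker: must not be flagged
        "NCOMM/Readme": b"A" * 75,
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def remove_sample_tree(root):
    """Delete the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample_root = make_sample_tree()
    try:
        for rel_path, verdict in sorted(scan_tree(sample_root).items()):
            print(f"{verdict:15} {rel_path}")
    finally:
        remove_sample_tree(sample_root)
```

Run against a real tree, point `scan_tree()` at the mounted volume instead of the sample root. A `suspect_length` hit is only a lead: the entry itself names VirusZ III with xvs.library as the tool that confirms and removes the trojan, while an `overwritten` hit identifies a file that has to be restored from backup, since the original contents are gone.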