------------------------
     Amiga Virus Encyclopedia
     Orb 95 Trojan
     ------------------------
     
     
     Biomech-TypeH Trojan - Other name Orb95
        
         The five bytes: 00 02 b9 b2 00
         The difference to type A in the Prg code is too big for the part
         classify there
         A4000: yes
         Filename: ORB95
         Length: 3176 bytes
         NO bent vectors
         NO propagation
         VT ONLY recognizes the trigger file !!
         Why I should start the file ORB95 voluntarily:
         No idea (the file only consists of the destruction part)
     
     The file reads:
            4e5d4e75 b9b20073 79733a70 72656673   N] Nu ... sys: prefs
            2f007379 733a6465 76732f00 7379733a   /.sys:devs/.sys:
            6c2f0073 79733a63 2f007379 733a6c69   l / .sys: c / .sys: left
            62732f00 4f524239 350a0000            bs / .ORB95 ..
         The text ORB95 is output in the cli and should be deceived
         serve. In reality, the subdirectories of sys:
         searches prefs, devs, l, c and libs.
             File before: File after:
            printer.device
            4eb90000 08582200 N .... X ".: 4eb90000 08582200 N .... X".
            508f6608 4eb90000 P.f.N ...  : 0002b9b2 00b90000 ........
            ^^^^^^^^ ^^ ^^^^^^^^^^

         So 5 bytes are always written = 00 02 b9 b2 00.
         I have not found a system. The files are unfortunately
         NOT to save anymore.
         VT does NOT recognize changed files because I risk
         Detection is too big with only five bytes. In case of concerns
         in your system because the trigger
         file was, then try a file monitor (e.g. hex).
         Enter $ 0002b9b2 in the search string and examine in the
         the files in certain subdirectories. It goes fast. I
         habs tried with the c directory.


     Original test by Heiner Schneegold
     Translated from german to english by Google translate