Virus Warning - Virus Help Team

VIRUS HELP TEAM
Denmark & Canada



COP Trojan
  Warning ! The file TRSi-INS.lha is not a TRSi release and contains a fucking
  trojan ! In the middle of the day on 10.6.1995 one of our members (NIKE/TRSi)
  got a call on the BBS from a guy called GRYZOR, who is supposed to be the
  leader of Circle of Power (COP), and this guy said to NIKE that TRSi is
  lame and such things. Later he uploaded a file called TRSi-INS.lha to
  this board and NIKE wondered a little bit and contacted me and the
  other TRSi guys. So this virus is now (10.6.1995, 18:30 o'clock) about
  6 hours old. Let us stop this bastard and finally get a solution for
  the COP problem (hi Apollo and Noise Belch).

  Here is my first analysis of the virus, which is a little bit short,
  but I ran totally out of time. Sorry dudes..


  Greets
              Flake (Markus Schmall)



  Biomechanic Trojan
  ------------------

  Other possible names: TRSI-INS Trojan
  Type: Destruction only
  Destruction caused by: simple byte modification

  This is no TRSi release ! It is just a fake !

  In the File-ID it is stated that these are HD installers for current
  games. In reality this is just a trojan, which manipulates the files
  on your HD.

  The contents of the archive:


  ViroCop-HD_install.exe           5912 ----rwed 02-Sep-92  12:49:54
  SWOS-HD_install.exe              9588 ----rwed 02-Sep-92  12:51:12
  SensibleGolf-HD_install.exe      4776 ----rwed 02-Sep-92  12:51:24
  Mortal-Kombat2-HD_install.exe    5512 ----rwed 02-Sep-92  12:50:12
  MCI-CARDS4-FREE.EXE              5912 ----rwed 02-Sep-92  12:49:30
  Embryo-HD_install.exe            6764 ----rwed 02-Sep-92  12:50:24


  The virus checks for a specific environment and then manipulates the
  files:

  Here is an original PGP signed message:

  0000: 89009502 05002FCF 1B5220F5 BA1075CB    ....../Ï.R õº.uË
  0010: 69450101 C11D03FF 7ED659E1 39C4AD2C    iE..Á...~ÖYá9Ä­,
  0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14    ÎÒ..!üëy\ó¹ ªÛ\.
  0030: D2B35295 5FFBE735 4E8070E1 A8C2C909    Ò³R._ûç5N.pá¨ÂÉ.
  0040: 2235ABB5 BE37E843 79CCD140 7AA2ACA5    "5«µ¾7èCyÌÑ@z¢¬¥

  Here is the manipulated one:

  0000: 89009502 05002FCF 1B5220F5 BA1075CB    ....../Ï.R õº.uË
  0010: 69450101 C11D03FF 7ED659E1 39C4AD2C    iE..Á...~ÖYá9Ä­,
  0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14    ÎÒ..!üëy\ó¹ ªÛ\.
  0030: D2B35295 5FFBE735 4E8070E1 A8C2C909    Ò³R._ûç5N.pá¨ÂÉ.
  0040: 2235ABB5 BE37E843 79CC0002 B37800A5    "5«µ¾7èCyÌ..³x.¥
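
  The two dumps above differ only in a handful of bytes near offset 0x40,
  which is exactly the kind of damage a known-good checksum catches before
  a user ever notices. The following Python script is an added example and
  is not part of the original advisory: it parses the two hex dumps quoted
  above (re-typed here with the ASCII column dropped), reports every byte
  that changed, and shows that a file hash would flag the modification. The
  PGP packet-header check follows the RFC 1991 CTB layout (bit 7 set, type
  in bits 6-2, length-of-length in bits 1-0); the dump is taken to be the
  start of such a packet, which is an assumption based on the advisory's
  description of it as a PGP signed message.

```python
import hashlib
import re

# Constructed copies of the two dumps quoted in the advisory (offset and
# four 32-bit words per line; the ASCII column has been dropped).
ORIGINAL_DUMP = """\
0000: 89009502 05002FCF 1B5220F5 BA1075CB
0010: 69450101 C11D03FF 7ED659E1 39C4AD2C
0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14
0030: D2B35295 5FFBE735 4E8070E1 A8C2C909
0040: 2235ABB5 BE37E843 79CCD140 7AA2ACA5
"""

MODIFIED_DUMP = """\
0000: 89009502 05002FCF 1B5220F5 BA1075CB
0010: 69450101 C11D03FF 7ED659E1 39C4AD2C
0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14
0030: D2B35295 5FFBE735 4E8070E1 A8C2C909
0040: 2235ABB5 BE37E843 79CC0002 B37800A5
"""

# "OOOO: WWWWWWWW WWWWWWWW ..." -- anything after the hex words is ignored,
# so an ASCII column, if present, does no harm.
DUMP_LINE = re.compile(r"^([0-9A-Fa-f]{4}):((?:\s+[0-9A-Fa-f]{8}){1,4})")


def parse_dump(text: str) -> bytes:
    """Turn a hex dump in the advisory's layout back into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"dump is not contiguous at offset {offset:#06x}")
        for word in m.group(2).split():
            out += bytes.fromhex(word)
    return bytes(out)


def diff_bytes(a: bytes, b: bytes) -> list:
    """Return (offset, original, modified) for every byte that differs."""
    if len(a) != len(b):
        raise ValueError("length differs: not a pure in-place modification")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def pgp_ctb_info(data: bytes) -> dict:
    """Decode the RFC 1991 cipher type byte and declared packet length."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not a PGP packet: CTB bit 7 is clear")
    packet_type = (ctb >> 2) & 0x1F        # 2 == signature packet
    len_of_len = (1, 2, 4)[ctb & 0x03]     # length-of-length code
    declared = int.from_bytes(data[1:1 + len_of_len], "big")
    return {"type": packet_type, "declared_length": declared}


def md5_hex(data: bytes) -> str:
    """MD5 is used here only as a quick tamper check, not for security."""
    return hashlib.md5(data).hexdigest()


def report(original_text: str, modified_text: str) -> dict:
    """Compare two dumps and summarise what a file-integrity check sees."""
    a = parse_dump(original_text)
    b = parse_dump(modified_text)
    changes = diff_bytes(a, b)
    return {
        "length": len(a),
        "changed_offsets": [off for off, _, _ in changes],
        "changes": changes,
        "hash_changed": md5_hex(a) != md5_hex(b),
        "header": pgp_ctb_info(a),
    }


if __name__ == "__main__":
    r = report(ORIGINAL_DUMP, MODIFIED_DUMP)
    print(f"{r['length']} bytes compared, header {r['header']}")
    for off, x, y in r["changes"]:
        print(f"  offset {off:#06x}: {x:02X} -> {y:02X}")
    print("hash changed:", r["hash_changed"])
```

  Run against the two dumps, the script lists five modified bytes at
  offsets 0x4A to 0x4E and a changed hash, while the packet header still
  looks like the start of a valid signature packet (type 2, declared
  length 149 bytes, of which the advisory shows only the first 80). That
  is the practical lesson of a byte-modifying trojan: the damage is
  invisible to a casual look at the file and surfaces only through a
  stored checksum or a failed signature verification.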

  If you start the virus (it is in all the above listed files), a little
  text will show up:

                 - b i o m e c h a n i c -

  and the work begins. When the work is completed, the following text will
  be printed out, too:

                  ... trashed your hd ...

  and a directory named "biomechanic trashed your hd !!" will be created,
  which is empty.

  The code looks quite good. This is not the work of a real beginner. The
  guy behind it has some programming knowledge. This way of programming is
  better than that of the COP viruses. The program uses indirect addressing
  and a lot of stack usage, which cannot be done by a beginner (at least I
  think so).




Copyright © All rights reserved
www.vht-dk.dk