Warning ! The file TRSi-INS.lha is no TRSi release and contains a fucking
trojan ! In the middle of the 10.6.1995. one of our members (NIKE/TRSi)
got a call on the BBS from a guy called GRYZOR, who is supposed to be the
leader of Circle of Power (COP), and this guy said to NIKE that TRSi is
lame and such things. Later he uploaded there a file called TRSi-INS.lha
to this board and NIKE wondered a little bit and contacted me and the
other TRSi guys. So this virus is now (10.6.1995. 18:30 o`clock) about
6 hours old. Let us stop this bastard and finally get a solution for
the COP problem (hi Apollo and Noise Belch).
Here is my first analysis of the virus, which is a little bit short,
but I ran totally out of time. Sorry dudes..
Greets
Flake (Markus Schmall)
Biomechanic Trojan
------------------
other possible names: TRSI-INS Trojan
Type: Destruction only
Destruction caused by: simple bytemodification
This is no TRSi release ! It is just a fake !
In the File-ID it is stated that this are some hd installers for actual
games. In real this is just a trojan, which will manipulate your files
on your HD.
The contents of the archive:
ViroCop-HD_install.exe 5912 ----rwed 02-Sep-92 12:49:54
SWOS-HD_install.exe 9588 ----rwed 02-Sep-92 12:51:12
SensibleGolf-HD_install.exe 4776 ----rwed 02-Sep-92 12:51:24
Mortal-Kombat2-HD_install.exe 5512 ----rwed 02-Sep-92 12:50:12
MCI-CARDS4-FREE.EXE 5912 ----rwed 02-Sep-92 12:49:30
Embryo-HD_install.exe 6764 ----rwed 02-Sep-92 12:50:24
The virus is looking for a special enviroment and then manipulates the
files:
Here a original PGP signed message:
0000: 89009502 05002FCF 1B5220F5 BA1075CB ....../Ï.R õº.uË
0010: 69450101 C11D03FF 7ED659E1 39C4AD2C iE..Á...~ÖYá9Ä,
0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14 ÎÒ..!üëy\ó¹ ªÛ\.
0030: D2B35295 5FFBE735 4E8070E1 A8C2C909 Ò³R._ûç5N.pá¨ÂÉ.
0040: 2235ABB5 BE37E843 79CCD140 7AA2ACA5 "5«µ¾7èCyÌÑ@z¢¬¥
Here the manipulated one:
0000: 89009502 05002FCF 1B5220F5 BA1075CB ....../Ï.R õº.uË
0010: 69450101 C11D03FF 7ED659E1 39C4AD2C iE..Á...~ÖYá9Ä,
0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14 ÎÒ..!üëy\ó¹ ªÛ\.
0030: D2B35295 5FFBE735 4E8070E1 A8C2C909 Ò³R._ûç5N.pá¨ÂÉ.
0040: 2235ABB5 BE37E843 79CC0002 B37800A5 "5«µ¾7èCyÌ..³x.¥
If you start the virus (it is in all the above listed files), a little
text will show up:
- b i o m e c h a n i c -
and the work begins. If the work is completed, the following text will
be printed out, too:
... trashed your hd ...
and a directory named "biomechanic trashed your hd !!" will be created,
which is empty.
The code looks quite good. This is not the work of a real beginner. The
guy behind has some programming knowledge. This way of programming is better
than from the COP viruses. The programm uses indirect adressing and a lot
of stackusage, which cannot be done by a beginner (atleast I think so).