VIRUS HELP TEAM Amiga Antivirus Website www.vht-dk.dk
Amiga Virus Encyclopedia
Biomechanic 1 to 7 Variants
---------------------------
Biomechanic Trojans:
Destruction: The files are NOT shortened, but at least five bytes in the
file are changed.
Grouping: For comparison, the sample files were each cut back to the Trojan start at 3E9.
Files with approximately the same Trojan code length (exceptions:
jump instructions and garbage between the program parts) and the same
5-byte change sequence were assigned to one type.
Please DO NOT equate these with the Circle Of Power (COP) trojans.
COP variants shorten files and write a text into them.
Biomechanic 1:
ViroCop-HD_install 5912 bytes - Found in archive: trsi-ins.lha ← Read our warning
SWOS-HD_install 9588 bytes - Found in archive: trsi-ins.lha ← Read our warning
SensibleGolf-HD_install 4776 bytes - Found in archive: trsi-ins.lha ← Read our warning
Mortal-Kombat2-HD_install 5512 bytes - Found in archive: trsi-ins.lha ← Read our warning
MCI-CARDS4-FREE 5912 bytes - Found in archive: trsi-ins.lha ← Read our warning
Embryo-HD_install 6764 bytes - Found in archive: trsi-ins.lha ← Read our warning
More info:
Some new files have appeared that contain the Biomech code. The names suggest that
they are installers for hard disk games.
In reality, the Biomech code was linked to programs from the C directory (info, remrad,
etc.). The file lengths are, of course, different.
The "modified" medium will contain an empty directory named: biomechanic trashed your hd!!
Biomechanic 2:
VirusZ II v1.21 80268 Bytes - Found in archive: vz_ii121.lha ← Read our warning
DayDream BBS v1.20 129652 Bytes - Found in archive: dd120.lha ← Read our warning
FixDiskv2.0 39156 Bytes - Found in archive: fdisk120.lha ← Read our warning
More info:
Two files were linked together using the 4EB9 method.
Length of the packed destruction part: 3208 bytes
All text is now encoded.
Procedure:
The CLI first displays the following output:
... catch me if you can
- b i o m e c h a n i c -
Everyone MUST be warned. Perform a reset IMMEDIATELY.
Affected directories: sys:c, sys:libs, sys:l, sys:devs and sys:prefs
The following is written to the "modified" medium as an empty directory name: biomechanic trashed your hd!!
Biomechanic 3:
Viruschecker v6.59 55428 bytes - Found in archive: vchck659.lha ← Read our warning
Length of the packed destruction part: 4944 bytes
Two files were linked together using the 4EB9 method.
All texts are now encoded.
Procedure:
The CLI first displays the following output:
... catch me if you can
- b i o m e c h a n i c -
Everyone MUST be warned. Perform a reset IMMEDIATELY.
Affected directories: sys:c, sys:libs, sys:l, sys:devs and sys:prefs
The following is written to the "modified" medium as an empty dir name: biomechanic trashed your hd!!
Ami-Hacker 6940 Bytes - Found in archive: ACS-HACK.LHA ← Read our warning
Filename: Ami-Hacker
Length: 6940 bytes
Length of the packed destruction part: 3332 bytes
Two files were linked together using the 4EB9 method.
A Biomech (packed length 3332 bytes, unpacked 5412 bytes) and
an Ami-Hacker. Ami-Hacker has also existed for a long time
as a standalone file.
Biomechanic 4:
lzx_1.20t-Bugfix 67504 bytes - Found in archive: bhk-lzx.lha ← Read our warning
Two compressed files were linked together using the 4EB9 method.
The unpacked first part reads:
20204927 6d20646f 6e65210a 00313231 I'm done!..121
34393061 633164b9 00313231 34656175 490ac1d..1214eau
3164b900 31323134 3564b900 31323134 1d..12145d..1214
35363731 64b90031 32313462 64b90020 5671d..1214bd..
20202020 20202020 20202020 20202020
20202020 20202020 54686520 666f7263 The force
6573206f 66207465 72726f72 2e0a0a00 es of terror....
20202020 20202020 20202020 20202020
20204269 6f6d6563 68616e69 6320616e Biomechanic an
6420432e 4f2e5020 776f726c 6420746f d C.O.P world to
75722039 352e0a0a 00202020 2020204a ur 95.... J
75737420 77726974 696e6720 6f766572 ust writing over
20736f6d 65206669 6c657320 6973206e some files is n
6f742073 6f20636f 6f6c2e20 496d7072 ot so cool. Impr
6f766520 74686520 636f6465 210a0a00 ove the code!...
20202020 20202020 20204d65 73736167 Messag
6520746f 20432e4f 2e502120 436f6f6c e to C.O.P! Cool
20776f72 6b2c2062 7574206d 616b6520 work, but make
6d6f7265 20636f6f 6c657220 74726f6a more cooler troj
616e732e 0a002020 20202020 20202020 ans...
20204c65 616e2062 61636b20 616e6420 Lean back and
6c697374 656e2074 6f207468 6520736f listen to the so
756e6420 6f662061 20777269 74696e67 und of a writing
2048442e 0a0a000a 20202020 20202020 HD.....
20202042 696f6d65 6368616e 69632064 Biomechanic d
69642069 74206167 61696e20 77697468 id it again with
2061206e 65772073 6d617274 65722074 a new smarter t
726f6a61 6e210a00 rojan!
Procedure:
A text output appears in the CLI (The forces.... trojan!)
If you see this, please reset IMMEDIATELY.
Affected directories: sys:c, sys:libs, sys:l, sys:devs
and sys:prefs (still encoded here, see 1214bd above)
The five bytes change: 00 02 ba b7 00
File before: File after:
e.g., Addbuffers
22301800 706c286a "0..pl(j : 22301800 0002bab7 "0......
01984e95 23410058 ..N.#A.X : 00984e95 23410058 ..N.#A.X
At the end, the CLI output is: I'm done! (see above).
I've seen the GURU again and again during test contaminations.
Biomechanic 5:
Intro 4428 Bytes - Found in archive: ?
Length of the packed destruction part: 3332 bytes
The Trojan part is the same up to $1076 (exception: labels).
Uses the 4EB9 method.
Empty directory name: biomechanic trashed your hd!!
Biomechanic 6:
Flake_killer 3264 bytes - Found in archive: bio-warn.lha ← Read our warning
According to the FileId, it is a Biomech killer.
Procedure:
The CLI first displays the following output:
... catch me if you can
- b i o m e c h a n i c -
Everyone MUST be warned. Perform a reset IMMEDIATELY.
Affected directories: sys:c, sys:libs, sys:l, sys:devs and sys:prefs
The following is written to the "modified" medium as an empty dir name: biomechanic trashed your hd!!
Biomechanic 7:
Members.exe 8584 bytes - Found in archive: trsi-mem.lha ← Read our warning
The program code is exactly the same only in the AmigaE header.
The five bytes: 00 02 b3 78 00
Since the text 'biomechanic trashed your hd!!' is output in the CLI,
this MUST be immediately noticeable.
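
The damage pattern described in the Biomechanic 4 and 7 entries (file length unchanged, a five-byte run replaced) can be checked by comparing a suspect file with a known-good copy of the same file. The Python code below is an added example, not code from VHT or from any antivirus tool; the function name assess and its report fields are assumptions, and the sample bytes are the Addbuffers excerpt shown above.

```python
"""Damage check for the Biomechanic 5-byte overwrite (added example)."""

# Overwrite sequences quoted on this page, keyed to the variant they are listed under.
SEQUENCES = {
    bytes.fromhex("0002bab700"): "Biomechanic 4",
    bytes.fromhex("0002b37800"): "Biomechanic 7",
}


def assess(clean: bytes, suspect: bytes) -> dict:
    """Compare a suspect file with a known-good copy of the same file."""
    if len(clean) != len(suspect):
        # Biomechanic leaves the length alone; a size change points elsewhere
        # (the page notes that COP variants shorten files).
        return {"verdict": "length-changed", "hits": [], "unexplained": None}

    hits = []
    for seq, variant in SEQUENCES.items():
        pos = suspect.find(seq)
        while pos != -1:
            # Count it only if the clean copy held something else here, so a
            # sequence that is legitimately part of the file is ignored.
            if clean[pos:pos + len(seq)] != seq:
                hits.append((pos, variant))
            pos = suspect.find(seq, pos + 1)
    hits.sort()

    # Every differing byte should fall inside a 5-byte hit; anything left over
    # is damage this pattern does not explain.
    covered = {i for off, _ in hits for i in range(off, off + 5)}
    diffs = [i for i, (a, b) in enumerate(zip(clean, suspect)) if a != b]
    unexplained = [i for i in diffs if i not in covered]

    if not diffs:
        verdict = "identical"
    elif hits:
        verdict = "biomechanic-overwrite"
    else:
        verdict = "modified-other"
    return {"verdict": verdict, "hits": hits, "unexplained": unexplained}


# Constructed sample: the 16-byte Addbuffers excerpt shown on this page.
BEFORE = bytes.fromhex("22301800706c286a01984e9523410058")
AFTER = bytes.fromhex("223018000002bab700984e9523410058")

if __name__ == "__main__":
    print(assess(BEFORE, AFTER))
```

Searching the suspect file for the sequence, rather than counting differing bytes, still reports a hit when one of the original bytes happened to equal the byte written over it.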