COP 14 Trojan (Circle Of Power) - Amiga Virus Encyclopedia
VIRUS HELP TEAM Amiga Antivirus Website www.vht-dk.dk
Amiga Virus Encyclopedia
-------------------------------
COP 14 Trojan (Circle Of Power)
-------------------------------
Please do not confuse this with Biomechanic.
Biomechanic variants do NOT shorten files. They change at least five bytes
inside the file, not at the start!
Grouping: Files were shortened with 3E9-Trojanbegin. Files with the same
trojan code length and the same destruction text were given a type
-> Circle Of Power 14:
Known filename : QBTools3
Trojan warning : Read our warning
File size : 227.716 Bytes
Archive name : ORS-QBD.LHA
Archive size : 227.716 Bytes
FILE_ID.DIZ : ____ ___ ____ _ ___ ___ ____
::::: / . \_/ ___)_/_)/ .__)(___)/ ___)::::.
:::::/ ª \___ \ \ ª \/ \___ \:::::
:::::\_____/___ /_ /__| \_ /___ /:::::
`--[RD10/CodX]¼\/--\/--¼ª____\\/---¼\/---'
QUARTER BACK TOOLS DIAMOND
SUPPORTS AFS FILE SYSTEM, XPK PARTITIONS,
REORGANIZES BETTER THEN REORG, AND USES A
SAFETY DISK WHEN REORGANIZING! NO CRASH!
RELEASED BY : ERICO / OSIRIS
Info : Trojan-part is unknown, no 4EB9.
Filelength after destruction: 75 Bytes.
NO corrupted vectors
NO proliferation
The files in the subdirectories should be shortened to 75 bytes.
See text above. The files are NOT salvageable. The written text
corresponds EXACTLY to Type I.
But: - the individual subdirectories are swapped
- the actual Trojan code is a few bytes longer
- an additional text that is NOT written to the file is present:
"Please hold while scanning directory structure."
Permanent damage : Overwrites files in ENV, SYS, LIBS, NCOMM and S
with a 75-byte text containing the following
information:
"=CIRCLE OF POWER= [ WE ARE BACK! THE RETURN "
"OF THE POWER PEOPLE! / GRYZOR ]"
Particularities : The trojan uses the DosList to get access to
the various directories and then starts to
damage the information in these files. The code
uses some Kickstart 3.x functions and therefore
does not work on older systems. Some
failure-recognition routines were built in (in
comparison to older COP trojans).
Normal behavior blockers are able to stop
this trojan. No tunneling techniques are used
by this little bastard.
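
A damage-assessment sketch for the "Permanent damage" entry above, added here as an example and not taken from the Virus Help Team or any antivirus tool: it walks a copy of a volume and flags files that are exactly 75 bytes long and carry the quoted text. It assumes the two quoted parts are written back to back with no separator; the function names and the sample tree are made up for the illustration.

```python
import os
import tempfile
from pathlib import Path

# Text quoted on this page. Assumption: both quoted parts are written
# back to back, which gives exactly the 75 bytes the page reports.
COP_TEXT = (b"=CIRCLE OF POWER= [ WE ARE BACK! THE RETURN "
            b"OF THE POWER PEOPLE! / GRYZOR ]")

def classify(path):
    """Return 'overwritten', 'suspect' or None for one file."""
    try:
        if os.path.islink(path) or os.path.getsize(path) != len(COP_TEXT):
            return None
        data = Path(path).read_bytes()
    except OSError:
        return None  # unreadable entry: skip it, keep scanning
    if data == COP_TEXT:
        return "overwritten"
    # Same length and group name but different bytes: manual review.
    return "suspect" if b"CIRCLE OF POWER" in data else None

def scan(root):
    """Walk root and return {relative_path: verdict} for flagged files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify(full)
            if verdict:
                hits[Path(full).relative_to(root).as_posix()] = verdict
    return hits

def demo():
    """Scan a constructed sample tree (not real Amiga files)."""
    samples = {
        "S/Startup-Sequence": COP_TEXT,             # destroyed file
        "LIBS/asl.library": b"\x00" * 200,          # other size: ignored
        "ENV/note": b"x" * 75,                      # 75 bytes but benign
        "SYS/odd": COP_TEXT[:-1] + b"}",            # altered text
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan(root)
```

Point `scan()` at a directory extracted from a disk image or backup; every path reported as overwritten has to be restored from a clean copy, since the entry states the files are not salvageable.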