 Warning !

 The file TRSi-INS.lha is NO TRSi release and contains a fucking trojan !
 In the middle of 10.6.1995, one of our members (NIKE/TRSi) got a call
 on the BBS from a guy called GRYZOR, who is supposed to be the leader of
 Circle of Power (COP), and this guy said to NIKE that TRSi is lame and
 such things. Later he uploaded a file called TRSi-INS.lha to this
 board, and NIKE wondered a little bit and contacted me and the other TRSi
 guys. So this virus is now (10.6.1995, 18:30) about 6 hours old.
 Let us stop this bastard and finally get a solution for the COP problem
 (hi Apollo and Noise Belch).

 Here is my first analysis of the virus, which is a little bit short, but
 I ran totally out of time. Sorry dudes..

 Biomechanic Trojan
 ------------------

 other possible names: TRSI-INS Trojan
 Type: Destruction only
 Destruction caused by: simple byte modification

 This is NO TRSi release ! It is just a FAKE !

 The File-ID states that these are HD installers for current games.
 In reality this is just a trojan, which will manipulate the files
 on your HD.

 The contents of the archive:

 ViroCop-HD_install.exe           5912 ----rwed 02-Sep-92  12:49:54
 SWOS-HD_install.exe              9588 ----rwed 02-Sep-92  12:51:12
 SensibleGolf-HD_install.exe      4776 ----rwed 02-Sep-92  12:51:24
 Mortal-Kombat2-HD_install.exe    5512 ----rwed 02-Sep-92  12:50:12
 MCI-CARDS4-FREE.EXE              5912 ----rwed 02-Sep-92  12:49:30
 Embryo-HD_install.exe            6764 ----rwed 02-Sep-92  12:50:24


 The virus looks for a special environment and then manipulates the
 files:

 Here is an original PGP-signed message:

 0000: 89009502 05002FCF 1B5220F5 BA1075CB    ....../I.R oº.uE
 0010: 69450101 C11D03FF 7ED659E1 39C4AD2C    iE..A...~ÖYß9Ä-,
 0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14    IO..!üëyó1 ªU.
 0030: D2B35295 5FFBE735 4E8070E1 A8C2C909    O3R._ûç5N.pß"AÉ.
 0040: 2235ABB5 BE37E843 79CCD140 7AA2ACA5    "5«µ 7èCyIÑ@z¢¬¥ <-

 Here the manipulated one:

 0000: 89009502 05002FCF 1B5220F5 BA1075CB    ....../I.R oº.uE
 0010: 69450101 C11D03FF 7ED659E1 39C4AD2C    iE..A...~ÖYß9Ä-,
 0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14    IO..!üëyó1 ªU.
 0030: D2B35295 5FFBE735 4E8070E1 A8C2C909    O3R._ûç5N.pß"AÉ.
 0040: 2235ABB5 BE37E843 79CC0002 B37800A5    "5«µ 7èCyI..3x.¥ <-
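
 The two dumps above differ only in the marked row. As an added example
 (not part of the original analysis or of VirusWorkshop), this Python
 script parses both dumps and reports the changed byte offsets; the
 function names are illustrative and the ASCII column is left out.

```python
import re

# Hex dump rows copied from the analysis above (offset + four 32-bit words).
ORIGINAL = """\
0000: 89009502 05002FCF 1B5220F5 BA1075CB
0010: 69450101 C11D03FF 7ED659E1 39C4AD2C
0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14
0030: D2B35295 5FFBE735 4E8070E1 A8C2C909
0040: 2235ABB5 BE37E843 79CCD140 7AA2ACA5
"""
MANIPULATED = """\
0000: 89009502 05002FCF 1B5220F5 BA1075CB
0010: 69450101 C11D03FF 7ED659E1 39C4AD2C
0020: CED29280 21FCEB79 5CF3B9A0 AADB5C14
0030: D2B35295 5FFBE735 4E8070E1 A8C2C909
0040: 2235ABB5 BE37E843 79CC0002 B37800A5
"""

ROW = re.compile(r"^\s*([0-9A-Fa-f]{4}):((?:\s[0-9A-Fa-f]{8}){1,4})")

def parse_dump(text):
    """Turn 'OFFS: XXXXXXXX ...' rows into bytes, checking offsets are contiguous."""
    data = bytearray()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # skip blank lines and anything that is not a dump row
        if int(m.group(1), 16) != len(data):
            raise ValueError(f"gap or overlap at offset {m.group(1)}")
        data += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(data)

def changed_runs(a, b):
    """Return (start, original, modified) for each contiguous run of differing bytes."""
    if len(a) != len(b):
        raise ValueError("dumps differ in length")
    runs, i = [], 0
    while i < len(a):
        j = i
        while j < len(a) and a[j] != b[j]:
            j += 1  # extend the run while the bytes keep differing
        if j > i:
            runs.append((i, a[i:j], b[i:j]))
        i = max(j, i + 1)
    return runs

if __name__ == "__main__":
    for start, old, new in changed_runs(parse_dump(ORIGINAL), parse_dump(MANIPULATED)):
        print(f"0x{start:04X}: {old.hex().upper()} -> {new.hex().upper()} ({len(old)} bytes)")
```

 The same comparison can be run against a known-good backup copy of any
 file suspected of having been modified.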

 If you start the virus (it is in all the above listed files), a little
 text will show up:

                 - b i o m e c h a n i c -

 and the work begins. If the work is completed, the following text will
 be printed out, too:

                  ... trashed your hd ...

 and a directory named "biomechanic trashed your hd !!" will be created,
 which is empty.

 The code looks quite good. This is not the work of a real beginner. The
 guy behind it has some programming knowledge. The programming is
 better than in the COP viruses. The program uses indirect addressing
 and a lot of stack usage, which cannot be done by a beginner (at least I
 think so).


 Greets
          Markus Schmall   (Programmer of VirusWorkshop)

       (IT IS HEREBY PROHIBITED FOR SHI TO USE THIS ANALYSIS IN ANY FORM
       IN ANY OF THEIR RELEASES !)