COP-QB3

Alias:	Quarterback3 Trojan, ORS-QB3.lha trojan
Strain:
detected when:	9/95
where:	Denmark
Classification:	Trojan, memoryresident, not resetresident
Length:	1. Length on storage medium: 227716 Bytes (unp.) 2. Length in RAM: 227716 Bytes - redundant hunkdata
Preconditions
Operating System(s):	AMIGA-DOS
Version/Release:	3.00 and above (V39+) (Some functions are supposed to work o
Computer model(s):	all models/processors (MC68000-MC68060)
Caroname:	COP.QB
Attributes
Easy identification:	Filelength
Type of Infection:	Overwriting all files in the destination directories
Infection Technique:
Infection Trigger:	none
Storage Media affected:	all DOS-devices
Interrupts hooked:	None
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:	Permanent damage: Overwriting files in ENV, SYS, LIBS,NCOMM and S with a 75 bytes long text containing the following information: "=CIRCLE OF POWER= [ WE ARE BACK! THE RETURN " "OF THE POWER PEOPLE! / GRYZOR ]"
Damage Trigger:	Permanent damage: - Start of programm Transient damage: - Start of programm
Particularities:	The trojans uses the DosList to get access to the various directories and then starts to damage the information in this files. The code uses some Kickstart 3.x functions and is so not working on older systems. Some failure- recognition routines were build in (in comparison to older COP trojans). Normal behavior blockers are able to stop this trojans. No tunneling techniques are used for this little bastard.
Similarities:	A lot of the routines are comparable to older COP trojans found in various wide spread utilities. Some codes are optimized, but still the old style is recognizeable.
Agents
Countermeasures:	All of the above
Standard means:	-
Acknowledgements
Location:	(C) Markus Schmall, Hannover, Germany
Classification by:	Markus Schmall
Documentation by:	Markus Schmall
Date:	September,16. 1995
Information Source:	Reverse engineering of original trojan

COP-QB3

Preconditions

Attributes

Agents

Acknowledgements