95 lines
4.5 KiB
Plaintext
95 lines
4.5 KiB
Plaintext
|
------------------------------
|
|||
|
|
|
|||
|
|
Date: 24 January 89, 17:25:02 +0100 (MEZ)
|
|||
|
|
From: Otto Stolz <RZOTTO@DKNKURZ1.BITNET>
|
|||
|
|
Subject: Features of Blackjack Virus (PC)
|
|||
|
|
|
|||
|
|
Hello,
|
|||
|
|
|
|||
|
|
perhaps you remember the virus incident I reported on this list, on 2
|
|||
|
|
September 88, 14:44:40 +0200 (MESZ). This note is intended to present
|
|||
|
|
some of the results and insights I gained since. Most of the facts
|
|||
|
|
presented here have not been detected by myself; rather I have to
|
|||
|
|
thank several people in the local area, and several VIRUS-L
|
|||
|
|
subscribers, for their hints and contributions.
|
|||
|
|
|
|||
|
|
This virus has been termed "Blackjack", which is a pun on the German
|
|||
|
|
name "17+4" of the popular card game. Blackjack reveals its existence
|
|||
|
|
by the length of infected COM-files, which is 1704 Bytes too large.
|
|||
|
|
|
|||
|
|
As with the Israeli virus strains, the virus has a two-stage
|
|||
|
|
life-cycle:
|
|||
|
|
|
|||
|
|
- - when you invoke an infected program, Blackjack will infect RAM;
|
|||
|
|
|
|||
|
|
- - when Blackjack is active in RAM, it will infect every COM file being
|
|||
|
|
invoked. This can be exploited for an easy test, e.g.:
|
|||
|
|
copy con: test.com
|
|||
|
|
{ALT-144} {ALT-205} {Blank} {CTRL-z} {return}
|
|||
|
|
dir test.com
|
|||
|
|
test
|
|||
|
|
dir test.com
|
|||
|
|
In the second line above, every brace-pair represents one byte entered;
|
|||
|
|
if you key in these bytes correctly, you'll read a Capital Letter E
|
|||
|
|
with Acute Accent, a Horizontal Double-Line Segment, a Blank, a Circum-
|
|||
|
|
flex Accent, and a Capital Letter Z. The 1st dir-command, above,
|
|||
|
|
should report that
|
|||
|
|
TEST.COM is 3 bytes long; if the 2nd dir reports 1707 bytes, instead,
|
|||
|
|
your RAM, and hence the TEST.COM file, are infected by some virus--most
|
|||
|
|
probably Blackjack.
|
|||
|
|
|
|||
|
|
Blackjack infects only COM-files which are at least 3 Bytes long, and
|
|||
|
|
it does so only once for any given file. It overwrites the 1st three
|
|||
|
|
bytes with a JMP to the beginning of the viral code, which is appended
|
|||
|
|
to the file. The 2 byte address of this JMP instruction is probably
|
|||
|
|
the reason why only COM files are susceptible to infection. Blackjack
|
|||
|
|
retains the file's time stamp. It even infects read-only files; on
|
|||
|
|
write-protected floppy disks, it attempts writing 5 times per file,
|
|||
|
|
thus revealing its activity.
|
|||
|
|
|
|||
|
|
In the infected file, the viral code is cryptographically encoded,
|
|||
|
|
using a simple Vigenere code depending on the length of the file; only
|
|||
|
|
the instructions for decoding the encrypted part of the code are in
|
|||
|
|
plain machine-language. This is obviously intended as a impediment
|
|||
|
|
against disassembling. Hence, every copy of the virus looks different
|
|||
|
|
(depending on the length of the file).
|
|||
|
|
|
|||
|
|
On invocation of an infected program, Blackjack installs itself in RAM
|
|||
|
|
(if no copy is already installed), then replaces the JMP instruction
|
|||
|
|
with its former contents and resumes normal program operation.
|
|||
|
|
|
|||
|
|
The storage map shows that Blackjack has tinkered with the free
|
|||
|
|
storage pointer-chain to hide the fact that it has hooked interrupt
|
|||
|
|
21. Hence, only a minor part of Blackjack is visible in the storage
|
|||
|
|
map.
|
|||
|
|
|
|||
|
|
In every year, from October to December, Blackjack will interfere with
|
|||
|
|
CGA or EGA operated screens, moving randomly chosen characters down,
|
|||
|
|
like falling leaves in autumn. After a while, you'll have a big heap
|
|||
|
|
of characters at the bottom of your screen, and as you cannot see
|
|||
|
|
anymore what the computer is trying to display, you'll probably have
|
|||
|
|
to restart the system. This behaviour has been predicted by two
|
|||
|
|
people, who have disassembled Blackjack, and has later been observed
|
|||
|
|
on many EGA-equipped ATs.
|
|||
|
|
|
|||
|
|
Together with two students, I have written a VIRCHECK program to check
|
|||
|
|
for Blackjack in RAM and in disk files. VIRCHECK exploits the
|
|||
|
|
signaling device Blackjack uses to ensure at most one active copy to
|
|||
|
|
detect Blackjack in RAM; it searches the files for the few
|
|||
|
|
instructions which are alike in every copy, to detect infected files.
|
|||
|
|
At our consultant desk, everybody can obtain a copy of VIRCHECK
|
|||
|
|
(Pascal source, and EXE-file), plus a 16 kByte memo (in German) and
|
|||
|
|
the 3 Byte TEST.COM (cf. above).
|
|||
|
|
|
|||
|
|
An employee of a nearby software-house, who has detected Blackjack, in
|
|||
|
|
the 1st time, has circulated a DELVIRUS program to detect Blackjack
|
|||
|
|
and, optionally, repair infected files (taking the original contents
|
|||
|
|
of the 1st three bytes from the viral code meant to replace them, as
|
|||
|
|
explained above. As the DELVIRUS's source is not available to the
|
|||
|
|
public (nor to myself), we do not distribute this program (nor
|
|||
|
|
recommend its use).
|
|||
|
|
|
|||
|
|
That's it, folks. I hope I didn't bore you.
|
|||
|
|
Otto
|
|||
|
|
|
|||
|
|
[Ed. Thanks for the detailed description, Otto!]��������������������
|