12-Tricks Trojan

Alias:
Strain:
detected when:
where:
Classification:Trojan Horse
Length:

Preconditions

Operating System(s):MS-DOS, PC-DOS
Version/Release:---
Computer model(s):IBM PC, XT, AT and compatibles
Caroname:Twelve_Tricks

Attributes

Easy identification:"MEMORY$", a text within the program, readable with hex dump utilities.

Type of Infection:

Infection Technique:
Infection Trigger:The trojan searches at different addresses in the ROM area of the computer for strings that may be the entry of INT 13h (hard disk):

    Address        String
    C800H:0256H    080H,0FAH,080H,073H,005H,0CDH
    F000H:2A71H    080H,0FAH,080H,073H,005H,0CDH
    F000H:A935H    080H,0FAH,079H,077H,005H,0CDH
    F000H:3772H    0FBH,09CH,022H,0D2H,078H,00CH
    F000H:D1E7H    0FBH,080H,0FCH,000H,075H,00CH

If any such string is found, the damage routine will be installed.
Storage Media affected:
Interrupts hooked:
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:Permanent damage: Every time the computer boots, one entry in the FAT will be changed. The hard disk will be formatted (Track 0, Head 1, Sector 1, 1 Sector) followed by the message: "SOFTLoK+ V3.0 SOFTGUARD SYSTEMS,INC 2840 St.Thomas Expwy,suite 201 Santa Clara,CA 95051 (408)970-9420" (probability 1/4096).

Moreover, either one or none of the following permanent or transient damages will occur:

Permanent:
    if INT 13 is hooked, *every access* to a floppy drive will be changed to *write access*.

Transient:
    INT 08: will slow down the computer by a random loop;
    INT 08: will point to an IRET; every routine that was inserted within the INT 08 chain will no longer be accessible;
    INT 09: every keystroke will change the BIOS variable [046dh];
    INT 0D: the interrupt will point to an IRET (probability: 1/4);
    INT 0E: the interrupt will point to an IRET (probability: 1/4);
    INT 10: will slow down the screen by a random loop;
    INT 10: every time while scrolling up, the screen will be blanked;
    INT 16: the BIOS variable keyboard flag [0417h] is modified;
    INT 17: every character sent to the printer is manipulated (randomly);
    INT 17: every character sent to the printer is XORed with 020H;
    INT 1A: sometimes, this routine will return a random system clock value.
Damage Trigger:Every boot sequence
Particularities:During installation, a mark (0FFH) is set within the partition table at offset 01BDH, so that it will be installed only once. The text "SOFTLoK+ V3.0 SOFTGUARD SYSTEMS,INC 2840 St.Thomas Expwy,suite 201 Santa Clara,CA 95051 (408)970-9420" is readable in the partition table.
Similarities:
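
The identification marks listed above (the 0FFH mark at offset 01BDH, the "SOFTLoK+" text in the partition table, and "MEMORY$" in the program) can be checked mechanically. The following is an added example, not part of the original catalog entry; the function names, the verdict labels and the constructed sample sector (including the arbitrary text offset 0x100) are assumptions made for illustration.

```python
SECTOR_SIZE = 512
MARK_OFFSET = 0x1BD            # install mark position given in the entry
MARK_VALUE = 0xFF
SECTOR_TEXT = b"SOFTLoK+ V3.0"  # start of the text the entry reports in the partition table
PROGRAM_TEXT = b"MEMORY$"      # text inside the trojan program, per the entry


def check_partition_sector(sector: bytes) -> dict:
    """Check one 512-byte partition sector for the two marks from the entry."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    mark = sector[MARK_OFFSET] == MARK_VALUE
    pos = sector.find(SECTOR_TEXT)
    hits = int(mark) + int(pos >= 0)
    # A lone 0FFH byte is weak evidence; the text is far more specific.
    verdict = ("clean", "suspicious", "installed")[hits]
    return {"mark": mark, "text_offset": pos if pos >= 0 else None, "verdict": verdict}


def find_program_text(data: bytes) -> list:
    """Return every offset of "MEMORY$" in a program file's bytes."""
    offsets, start = [], data.find(PROGRAM_TEXT)
    while start >= 0:
        offsets.append(start)
        start = data.find(PROGRAM_TEXT, start + 1)
    return offsets


def sample_sector(installed: bool) -> bytes:
    """Constructed test sector; the text offset 0x100 is arbitrary, not from the entry."""
    sector = bytearray(SECTOR_SIZE)
    sector[510:512] = b"\x55\xaa"  # standard boot-sector signature
    if installed:
        sector[MARK_OFFSET] = MARK_VALUE
        sector[0x100:0x100 + len(SECTOR_TEXT)] = SECTOR_TEXT
    return bytes(sector)


if __name__ == "__main__":
    for label, flag in (("clean", False), ("installed", True)):
        print(label, check_partition_sector(sample_sector(flag)))
    print(find_program_text(b"MZ\x00\x00MEMORY$\x00"))
```

Run it against a sector image read from a write-protected copy of the disk rather than the live drive, since the entry states that every boot alters the FAT.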

Agents

Countermeasures:
Standard means:

Acknowledgements

Location:Virus Test Center, University Hamburg, FRG
Classification by:Thomas Lippke, Michael Reinschmiedt
Documentation by:Thomas Lippke, Michael Reinschmiedt
Date:11-June-1990
Information Source:

(c) 1996 Virus-Test-Center, University of Hamburg