***************************************************************************
*                             The 911 Virus                               *
*                    (An "Armagedon the Greek" Variant)                   *
***************************************************************************
*                 Commentary and disassembly by Black Wolf                *
***************************************************************************

        The 911 virus is a direct variant of the "Armagedon the GREEK"
virus, derived merely by changing the text strings inside it and the modem
dialing string. The virus is 1079 bytes long, so the smallest possible
carrier is 1081 bytes. Its main effect is to dial "911" every once in a
while through any modem present on COM ports 1-4 (the original virus dialed
the speaking clock in Greece). It is a memory-resident .COM infector.

        When executed, the 911 virus checks whether it is already resident.
If it is, it simply passes control to the host file; otherwise it goes
memory resident, hooking Int 08h (the timer tick) and Int 21h (DOS services).
The way it goes resident is rather strange: it re-executes its own program
file and has that second copy terminate through Int 27h (terminate and stay
resident). Because it is the second execution that terminates, the first
copy does not truly terminate and is still able to return control to the
host.

        Once memory resident, the 911 virus infects .COM files on execution
(whenever Int 21h function 4Bh, EXEC, is called), after first checking
whether the file is already infected. The identification string the virus
uses for this check is "Support Your Police", located near the end of the
virus body (the original used "Armagedon the GREEK").

        The infection process is also somewhat strange: the virus allocates
all unused memory for itself, then loads the entire victim file into memory
with a single read call. It "infects" the image in memory, writes the whole
file back to disk, and afterwards releases the memory.

        All of the dialing and timing is handled from the Int 08h (timer
tick) handler. When activated, it dials 911 (police/fire/emergency) and
waits for several seconds. It sends the modem commands to all four ports,
COM1 through COM4, so the effect on hardware other than modems connected to
those ports is unpredictable.

        The storage bytes (the original bytes from the start of the host
that the virus overwrote) are found at the very end of the file, with the
first byte encrypted by adding 0Bh to its value. Infected files may be
repaired by restoring these bytes to the beginning of the file, decrypting
the first one (subtracting 0Bh), and cutting the virus off the end of the
host program.

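The following Python script is an added example, not part of Black Wolf's write-up and not the virus' own code. It reproduces the appended-file layout described in the infection and repair paragraphs above and performs the repair: it looks for the "Support Your Police" string inside the 1079-byte tail, takes the storage bytes from the very end of the file, decrypts the first one by subtracting 0Bh, writes them back to offset 0, and cuts the virus body off. The number of storage bytes (three, the size of the near JMP a .COM infector usually plants at offset 0) and the filler used to build the simulated infected file are assumptions; the real virus body is not reproduced.

```python
"""Detect and repair a 911-style appending .COM infection.

Added example, not the page's own code or the virus source. Facts taken
from the write-up: virus body length 1079 bytes, ID string "Support Your
Police" near the end of the body, saved host bytes at the very end of the
file with the first one encrypted by adding 0Bh. Assumption: the virus
saves three host bytes (the size of the near JMP it plants at offset 0).
"""
import sys

VIRUS_SIZE = 1079                      # from the write-up
SIGNATURE = b"Support Your Police"     # ID string checked before infecting
MIN_CARRIER = 1081                     # smallest infected file per the write-up
STORED_BYTES = 3                       # assumption: E9 xx xx near JMP
FIRST_BYTE_KEY = 0x0B                  # added to the first stored byte


def is_infected(data: bytes) -> bool:
    """True if the file is long enough to carry the virus and the ID string
    sits in the appended body (the last VIRUS_SIZE bytes), not in the host."""
    if len(data) < MIN_CARRIER:
        return False
    return SIGNATURE in data[-VIRUS_SIZE:]


def disinfect(data: bytes) -> bytes:
    """Return the clean host: restore the saved bytes, decrypt the first
    one, and cut the virus body off the end."""
    if not is_infected(data):
        raise ValueError("no 911 signature in the appended tail")
    stored = bytearray(data[-STORED_BYTES:])          # at the very end of the file
    stored[0] = (stored[0] - FIRST_BYTE_KEY) & 0xFF   # undo the +0Bh on byte 0
    host = bytearray(data[:len(data) - VIRUS_SIZE])   # drop the virus body
    host[:STORED_BYTES] = stored                      # originals back at offset 0
    return bytes(host)


def simulate_infection(host: bytes) -> bytes:
    """Constructed sample infection used to exercise the repair: plants a
    near JMP to the appended body at offset 0 and saves the overwritten
    bytes (first one +0Bh) at the very end. The body is NOP filler plus the
    ID string, not the real 1079-byte virus."""
    if len(host) < STORED_BYTES:
        raise ValueError("host too small to patch")
    stored = bytearray(host[:STORED_BYTES])
    stored[0] = (stored[0] + FIRST_BYTE_KEY) & 0xFF
    # JMP rel16 at CS:0100h; the next IP is 0103h, so rel = body offset - 3
    rel = len(host) - STORED_BYTES
    if rel > 0xFFFF:
        raise ValueError("host too large for a .COM file")
    patched = bytearray(host)
    patched[0] = 0xE9
    patched[1:3] = rel.to_bytes(2, "little")
    filler = VIRUS_SIZE - len(SIGNATURE) - 8 - STORED_BYTES
    body = b"\x90" * filler + SIGNATURE + b"\x00" * 8 + bytes(stored)
    assert len(body) == VIRUS_SIZE
    return bytes(patched) + body


def repair_file(path: str) -> bool:
    """Repair a file in place; returns True if it was infected and cleaned."""
    with open(path, "rb") as f:
        data = f.read()
    if not is_infected(data):
        return False
    with open(path, "wb") as f:
        f.write(disinfect(data))
    return True


if __name__ == "__main__":
    # Usage: python repair911.py FILE.COM [FILE2.COM ...]
    for name in sys.argv[1:]:
        print(name, "cleaned" if repair_file(name) else "clean")
```

Because the virus saves only the first bytes of the host and appends itself as a fixed-size tail, the repair is a pure byte-level operation and needs no knowledge of the host program; the signature check restricts the search to the last 1079 bytes so a clean program that happens to contain the string elsewhere is not "repaired" by mistake.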