-
- *********************************************
- *** Reports collected and collated by ***
- *** PC-Virus Index ***
- *** with full acknowledgements ***
- *** to the authors ***
- *********************************************
-
-
- == Computer Virus Catalog 1.2: "12-TRICKS" Trojan (11-June-1990) ====
-
- Entry...............: "12-Tricks" Trojan
- Alias(es)...........: ---
- Trojan Strain.......: ---
- Trojan detected when: ---
- where.: Karlsruhe (West-Germany)
- Classification......: Trojan Horse
- Carrier of Trojan...: Contained in "CORETEST.COM", a file that will
- test the speed of a hard disk.
-
- ------------------- Preconditions -----------------------------------
-
- Operating System(s).: MS-DOS, PC-DOS
- Version/Release.....: ---
- Computer model(s)...: IBM PC, XT, AT and compatibles
-
- ------------------- Attributes --------------------------------------
-
- Easy Identification.: "MEMORY$", a text within the program, readable
- with HexDump-utilities.
- Infection Trigger...: The trojan searches at different addresses in the
- ROM-Area of the computer for strings that may
- be the entry of INT 13h (hard disk).
- Addresses: String:
- C800H:0256H 080H,0FAH,080H,073H,005H,0CDH
- F000H:2A71H 080H,0FAH,080H,073H,005H,0CDH
- F000H:A935H 080H,0FAH,079H,077H,005H,0CDH
- F000H:3772H 0FBH,09CH,022H,0D2H,078H,00CH
- F000H:D1E7H 0FBH,080H,0FCH,000H,075H,00CH
- if any such string is found, the damage
- routine will be installed.
-
- Storage media affected: Partition table of a hard disk.
-
- Interrupts Hooked...: INT 08, INT 09, INT 0D, INT 0E, INT 10, INT 13,
- INT 16, INT 17, INT 1A.
- Either one or none of the interrupts will be
- hooked (random selection).
-
- Damage..............: Permanent damage:
- Every time the computer boots, one entry in
- the FAT will be changed.
- The hard disk will be formatted (Track 0,
- Head 1, Sector 1, 1 Sector) followed
- by the message:
- "SOFTLoK+ V3.0 SOFTGUARD SYSTEMS,INC
- 2840 St.Thomas Expwy,suite 201
- Santa Clara,CA 95051 (408)970-9420"
- (probability 1/4096).
- Moreover, either one or none of the following
- permanent or transient damages will occur:
- permanent: if INT 13 is hooked, *every access*
- to a floppy drive will be changed to *write-
- access*.
- transient damages:
- INT 08: will slow down the computer by a
- random loop;
- INT 08: will point to an IRET; every routine
- that was inserted within the INT 08-
- chain will no longer be accessible;
- INT 09: every keystroke will change the BIOS-
- variable [046dh];
- INT 0D: the interrupt will point to an IRET
- (probability: 1/4);
- INT 0E: the interrupt will point to an IRET
- (probability: 1/4);
- INT 10: will slow down the screen by a random
- loop;
- INT 10: every time while scrolling up, the
- screen will be blanked;
- INT 16: the BIOS-variable keyboard flag
- [0417h] is modified;
- INT 17: Every character sent to the printer
- is manipulated (randomly);
- INT 17: every character sent to the printer
- is XORed with 020H;
- INT 1A: sometimes, this routine will return a
- random system clock value.
-
- Damage Trigger......: Every boot sequence
-
- Particularities.....: During installation, a mark (0FFH) is set within
- the partition table at offset 01BDH, so the
- trojan will be installed only once.
- The text
- "SOFTLoK+ V3.0 SOFTGUARD SYSTEMS,INC
- 2840 St.Thomas Expwy,suite 201
- Santa Clara,CA 95051 (408)970-9420"
- is readable in the partition table.
-
- -------------------- Acknowledgement ---------------------------------
- Location............: Virus Test Center, University Hamburg, FRG;
- Classification by...: Thomas Lippke, Michael Reinschmiedt
- Documentation by....: Thomas Lippke, Michael Reinschmiedt
- Date................: 11-June-1990
-
- ==================== End of "12-TRICKS" - Trojan =====================
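
The indicators listed under "Easy Identification" and "Particularities" can be checked against a saved 512-byte partition sector image and a copy of a suspect file. The following is an added example, not part of the original catalog entry; the function names, the verdict labels and the sample sectors are constructed for illustration, and it assumes the message text is stored on disk with the same spelling and spacing as printed above.

```python
SECTOR_SIZE = 512
MARK_OFFSET = 0x01BD            # installation mark offset, per the entry
MARK_VALUE = 0xFF               # installation mark value, per the entry
SECTOR_TEXT = b"SOFTLoK+ V3.0"  # start of the text readable in the sector
FILE_TEXT = b"MEMORY$"          # "Easy Identification" string in the carrier


def check_partition_sector(sector: bytes) -> dict:
    """Report which of the entry's two partition-sector indicators are present."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    mark = sector[MARK_OFFSET] == MARK_VALUE
    text = SECTOR_TEXT in sector
    # One indicator alone can be coincidental, so it only warrants a closer look.
    if mark and text:
        verdict = "likely"
    elif mark or text:
        verdict = "review"
    else:
        verdict = "clean"
    return {"mark": mark, "text": text, "verdict": verdict}


def carrier_has_marker(data: bytes) -> bool:
    """True if the file image contains the string the entry names for the carrier."""
    return FILE_TEXT in data


def make_sample_sector(mark: bool, text: bool) -> bytes:
    """Constructed test input, not a real disk image."""
    s = bytearray(SECTOR_SIZE)
    s[510:512] = b"\x55\xAA"    # standard boot sector signature
    if text:
        # Placement at 0x100 is arbitrary; the entry gives no offset for the text.
        s[0x100:0x100 + len(SECTOR_TEXT)] = SECTOR_TEXT
    if mark:
        s[MARK_OFFSET] = MARK_VALUE
    return bytes(s)


if __name__ == "__main__":
    for m, t in [(True, True), (True, False), (False, True), (False, False)]:
        print(m, t, check_partition_sector(make_sample_sector(m, t)))
    print(carrier_has_marker(b"\x90\x90MEMORY$\x00"))  # constructed bytes
```

A "review" verdict means only one indicator matched; compare the sector against a known-good backup before drawing a conclusion.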
-
-
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++