VIRUS BULLETIN ©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139.
This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers.
VIRUS BULLETIN, August 1991, Page 19
VIRUS ANALYSES
Jim Bates

2100 and ‘Cracker Jack’ the Plagiarist

The recent ‘explosion’ of new virus variants has increased the workload of researchers to an almost unbearable extent and this is thought to be an inevitable result of the opening of virus ‘exchange’ Bulletin Boards all over the world.

Computer viruses are a fascinating subject for study and quite naturally, therefore, they can be expected to arouse general curiosity and interest. However, the ‘research’ disguise that such BBS systems adopt should be seen to be just that - a disguise! Genuine virus researchers have long since established their own communications links around the globe and have no need to exchange virus code with public access Bulletin Boards.

The suggestion that anyone can become a ‘researcher’ by downloading a virus and attempting to take it apart is pure eyewash - akin to being given heroin/guns/explosives so that one can ‘experiment’! Certainly the anti-virus community has urgent need of genuine and dedicated researchers, but it should be understood that the true researcher would never consider even modifying a virus, let alone writing a new one. Yes, there are undoubtedly ‘researchers’ who have written viruses, but their irresponsibility and lack of integrity in an extremely difficult field will disqualify them from ever attaining the respect of their contemporaries. No public access Bulletin Board should ever have viruses (either as object code or source) available for download, and legislation is well overdue to stop this malicious trade.

Plagiarism

It has always been accepted that copying and modifying an existing virus is much easier than writing a new one from scratch, and the increasing availability of virus code in both binary and source forms is giving the plagiarists the opportunity to copy some of the more sophisticated viruses as vehicles for their own twisted ideas.

A case in point has come to light during research into one of the Dark Avenger ‘targeting’ viruses, 2100. Pattern recognition scanners indicated similarities between this and several newly received viruses of Italian origin. Further research indicated that the Dark Avenger viruses were being admired, copied and modified by an Italian virus writer calling himself ‘Cracker Jack’. The new range of viruses is variously named HIV, Migram and Smack (a.k.a. Patricia). They include sections from Dark Avenger 2100 and another Dark Avenger copy known as Murphy. The new code added by Cracker Jack displays a laughable ignorance of basic programming techniques, but the combination of code sections simply confirms the extreme dangers of virus exchange trading.

2100

Let us first examine the original virus, known as Dark Avenger 2100 after its infective length - this is known to be at large in the UK and has caused problems at several sites. 2100 is a ‘targeting’ virus; it deliberately sets out to circumvent known anti-virus software written (in this case) by Vesselin Bontchev in Bulgaria.

When a file infected with 2100 is first executed, the virus checks for the existence of highly specific sections of code. The first of these checks examines the address of various interrupt handling routines to see whether the virus is already resident. Then a check is made of both RAM and ROM, looking for specific indications of resident anti-virus software. This checking of RAM has been encountered before, but the ROM examination routines are much less common and demonstrate how a determined hacker can easily avoid the sort of protection provided by the various add-on boards which are now becoming available. When these checks are completed, various flags and entry point addresses are collected within the virus code and the virus then installs itself into high memory and hooks intercept routines into various system services. The list of functions and services subverted in this way is long and bears examination.

Interrupt Services
INT 13H - Hard Disk BIOS access
INT 21H - DOS Function services
INT 24H - Critical Error handler
INT 27H - TSR handler

Function Calls (via INT 21H)
11H - FCB FIND FIRST
12H - FCB FIND NEXT
25H - GET VECTOR
35H - SET VECTOR
31H - TERMINATE STAY RESIDENT
3CH - CREATE FILE
3DH - OPEN FILE
3EH - HANDLE CLOSE
43H - CHANGE ATTRIBUTES
56H - RENAME FILE
4B00H - LOAD AND EXECUTE
4B01H - LOAD, NOT EXECUTE
4EH - HANDLE FIND FIRST
4FH - HANDLE FIND NEXT
5BH - CREATE FILE

Figure 1. System services subverted by the 2100 virus. Developers of memory-resident virus monitors beware!
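The figure lists the interrupt vectors 2100 redirects once it is resident in high memory. The following Python script is an added example, not code from the article or from any product it mentions; it shows the integrity check a memory-resident monitor can run over those vectors: take a baseline of the real-mode interrupt vector table on a clean system, take a later snapshot, and report any watched vector that now resolves to a different address, noting whether the new target sits in high conventional memory. The two snapshots are constructed values, and the high-memory threshold is an assumption.

```python
"""Interrupt-vector integrity check over the services listed in Figure 1.

Added example. The IVT snapshots below are constructed, not read from a
real machine; a DOS monitor would read 256 far pointers from 0000:0000.
"""

# Vectors the article reports 2100 hooking.
WATCHED = {
    0x13: "Hard Disk BIOS access",
    0x21: "DOS Function services",
    0x24: "Critical Error handler",
    0x27: "TSR handler",
}

# Assumption: anything resolving at or above 0x90000 (top of the 640K
# conventional area) is treated as "high memory", where a TSR would live.
HIGH_MEMORY_START = 0x9000 << 4


def linear(seg, off):
    """Real-mode segment:offset -> 20-bit linear address."""
    return ((seg << 4) + off) & 0xFFFFF


def snapshot_diff(baseline, current):
    """Compare two IVT snapshots (dict intno -> (seg, off)).

    Returns a list of (intno, old, new, in_high_mem) for every watched
    vector whose target changed. Comparison is on the linear address so
    that two seg:off pairs aliasing the same handler are not reported.
    """
    findings = []
    for intno in sorted(WATCHED):
        old = baseline.get(intno)
        new = current.get(intno)
        if old is None or new is None:
            continue  # vector missing from one snapshot; nothing to compare
        if linear(*old) != linear(*new):
            findings.append((intno, old, new, linear(*new) >= HIGH_MEMORY_START))
    return findings


def format_report(findings):
    """Human-readable lines, one per redirected vector."""
    lines = []
    for intno, old, new, high in findings:
        where = "high memory" if high else "low memory"
        lines.append("INT %02Xh (%s): %04X:%04X -> %04X:%04X [%s]"
                     % (intno, WATCHED[intno], old[0], old[1], new[0], new[1], where))
    return lines


# Constructed baseline: BIOS and DOS targets typical of a clean boot.
CLEAN = {
    0x10: (0xF000, 0xF065),  # video BIOS, not in the watch list
    0x13: (0xF000, 0xEC59),  # ROM BIOS disk service
    0x21: (0x0116, 0x109E),  # DOS kernel dispatcher
    0x24: (0x0AF2, 0x01B3),  # COMMAND.COM critical-error handler
    0x27: (0x0116, 0x14E1),
}

# Constructed "after" snapshot: the four watched vectors now point into a
# segment near the top of conventional memory; INT 10h changed as well but
# is outside the watch list and so is ignored.
INFECTED = dict(CLEAN)
INFECTED.update({
    0x10: (0xF000, 0xF070),
    0x13: (0x9E40, 0x03A1),
    0x21: (0x9E40, 0x0452),
    0x24: (0x9E40, 0x0510),
    0x27: (0x9E40, 0x0522),
})

if __name__ == "__main__":
    for line in format_report(snapshot_diff(CLEAN, INFECTED)):
        print(line)
```

Comparing linear addresses rather than raw segment:offset pairs avoids a false alarm when a legitimate driver re-expresses the same entry point through a different segment. The check has a limit worth stating: it sees only changes to the table entries themselves, so a handler that is patched in place while its vector is left alone needs a checksum of the handler's own bytes to be caught.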
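The Plagiarism section says that pattern recognition scanners first flagged the shared code between 2100 and the Cracker Jack variants. As an added example that is not part of the article, the Python below shows the simplest form of that comparison: index the byte n-grams of two samples, report the n-grams they share, merge the matches into contiguous regions of the first sample, and score the overlap. The three samples are constructed byte strings standing in for a parent virus, a variant that copied a section of it, and an unrelated file; the 8-byte gram size is an assumption, chosen to keep the example readable rather than to match any real scanner.

```python
"""Shared-fragment detection between two binary samples via byte n-grams.

Added example with constructed samples; no real virus code is used.
"""


def gram_index(data, n=8):
    """Map each n-byte sequence in data to the list of offsets where it occurs."""
    index = {}
    for i in range(len(data) - n + 1):
        index.setdefault(data[i:i + n], []).append(i)
    return index


def shared_grams(a, b, n=8):
    """Set of n-grams that appear in both samples."""
    return set(gram_index(a, n)) & set(gram_index(b, n))


def similarity(a, b, n=8):
    """Jaccard overlap of the two samples' n-gram sets (0.0 .. 1.0)."""
    ga, gb = set(gram_index(a, n)), set(gram_index(b, n))
    if not ga and not gb:
        return 0.0
    return len(ga & gb) / len(ga | gb)


def shared_regions(a, b, n=8):
    """Contiguous byte ranges of sample a that also occur in sample b.

    Each shared n-gram marks the n bytes it covers in a; overlapping marks
    are merged into (start, end) ranges, end exclusive.
    """
    index = gram_index(a, n)
    hits = sorted(i for g in shared_grams(a, b, n) for i in index[g])
    regions = []
    for i in hits:
        if regions and i <= regions[-1][1]:
            regions[-1][1] = max(regions[-1][1], i + n)
        else:
            regions.append([i, i + n])
    return [tuple(r) for r in regions]


# Constructed samples. PARENT is an ascending byte run so every 8-gram is
# unique; VARIANT copies PARENT[50:150] between two blocks of new filler;
# UNRELATED is a descending run and shares no 8-gram with either.
PARENT = bytes(range(200))
VARIANT = b"\xaa" * 40 + PARENT[50:150] + b"\x55" * 40
UNRELATED = bytes(range(255, 55, -1))

if __name__ == "__main__":
    print("variant overlap :", round(similarity(PARENT, VARIANT), 3))
    print("copied regions  :", shared_regions(PARENT, VARIANT))
    print("unrelated overlap:", similarity(PARENT, UNRELATED))
```

The region list is the useful output for an analyst: it says which part of the parent was lifted, which is the starting point for comparing the two disassemblies. The score alone is a coarse triage value; a short copied section in a large file scores low even though the shared region is exact.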