------------------------------ Date: 24 January 89, 17:25:02 +0100 (MEZ) From: Otto Stolz Subject: Features of Blackjack Virus (PC) Hello, perhaps you remember the virus incident I reported on this list, on 2 September 88, 14:44:40 +0200 (MESZ). This note is intended to present some of the results and insights I gained since. Most of the facts presented here have not been detected by myself; rather I have to thank several people in the local area, and several VIRUS-L subscribers, for their hints and contributions. This virus has been termed "Blackjack", which is a pun on the German name "17+4" of the popular card game. Blackjack reveals its existence by the length of infected COM-files, which is 1704 Bytes too large. As with the Israeli virus strains, the virus has a two-stage life-cycle: - - when you invoke an infected program, Blackjack will infect RAM; - - when Blackjack is active in RAM, it will infect every COM file being invoked. This can be exploited for an easy test, e.g.: copy con: test.com {ALT-144} {ALT-205} {Blank} {CTRL-z} {return} dir test.com test dir test.com In the second line above, every brace-pair represents one byte entered; if you key in these bytes correctly, you'll read a Capital Letter E with Acute Accent, a Horizontal Double-Line Segment, a Blank, a Circum- flex Accent, and a Capital Letter Z. The 1st dir-command, above, should report that TEST.COM is 3 bytes long; if the 2nd dir reports 1707 bytes, instead, your RAM, and hence the TEST.COM file, are infected by some virus--most probably Blackjack. Blackjack infects only COM-files which are at least 3 Bytes long, and it does so only once for any given file. It overwrites the 1st three bytes with a JMP to the beginning of the viral code, which is appended to the file. The 2 byte address of this JMP instruction is probably the reason why only COM files are susceptible to infection. Blackjack retains the file's time stamp. It even infects read-only files; on write-protected floppy disks, it attempts writing 5 times per file, thus revealing its activity. In the infected file, the viral code is cryptographically encoded, using a simple Vigenere code depending on the length of the file; only the instructions for decoding the encrypted part of the code are in plain machine-language. This is obviously intended as a impediment against disassembling. Hence, every copy of the virus looks different (depending on the length of the file). On invocation of an infected program, Blackjack installs itself in RAM (if no copy is already installed), then replaces the JMP instruction with its former contents and resumes normal program operation. The storage map shows that Blackjack has tinkered with the free storage pointer-chain to hide the fact that it has hooked interrupt 21. Hence, only a minor part of Blackjack is visible in the storage map. In every year, from October to December, Blackjack will interfere with CGA or EGA operated screens, moving randomly chosen characters down, like falling leaves in autumn. After a while, you'll have a big heap of characters at the bottom of your screen, and as you cannot see anymore what the computer is trying to display, you'll probably have to restart the system. This behaviour has been predicted by two people, who have disassembled Blackjack, and has later been observed on many EGA-equipped ATs. Together with two students, I have written a VIRCHECK program to check for Blackjack in RAM and in disk files. VIRCHECK exploits the signaling device Blackjack uses to ensure at most one active copy to detect Blackjack in RAM; it searches the files for the few instructions which are alike in every copy, to detect infected files. At our consultant desk, everybody can obtain a copy of VIRCHECK (Pascal source, and EXE-file), plus a 16 kByte memo (in German) and the 3 Byte TEST.COM (cf. above). An employee of a nearby software-house, who has detected Blackjack, in the 1st time, has circulated a DELVIRUS program to detect Blackjack and, optionally, repair infected files (taking the original contents of the 1st three bytes from the viral code meant to replace them, as explained above. As the DELVIRUS's source is not available to the public (nor to myself), we do not distribute this program (nor recommend its use). That's it, folks. I hope I didn't bore you. Otto [Ed. Thanks for the detailed description, Otto!]