PLASTIQUE viruses

             *********************************************
             ***   Reports collected and collated by   ***
             ***            PC-Virus Index             ***
             ***      with full acknowledgements       ***
             ***            to the authors             ***
             *********************************************


  Reports on PLASTIQUE viruses
  ----------------------------


  Date:    19 Oct 90 14:20:30 -0400
  From:    "David.M.Chess" <CHESS@YKTVMV.BITNET>
  Subject: Plastique/Anti-CAD viruses (PC)


  There are now four known viruses in this series; all are based
  heavily on the JV, with the addition of a timer-interrupt handler
  that plays music periodically, some routines to make the occasional
  disk-write fail, and (in the later ones) code to infect boot records
  as well as executables; the later two (I think) also infect on OPENs
  of files called EXE or COM, as well as on executions.  Most or all
  of them also react in various ways to attempts to execute any
  program called ACAD.EXE (is that familiar to everyone?).  Each one
  contains a string (stored garbled in all but the first, earliest
  virus).  I give the strings in clear (and slightly reformatted)
  below.  Does anyone know where Fen Chia U.  is?  (I've also removed
  the vowel from the leading obscenity in the first message...)

  DC


  From the one just discovered at Western Michigan U:

  > Sh*t!  As you can see this document, you may know what this
  > program is.  But I must tell you:  DO NOT TRY to WRITE ANY
  > ANTI-PROGRAM to THIS VIRUS.This is a test-program, the real
  > dangerous code will implement on November.  I use MASM to
  > generate varius virus easily and you must use DEBUG aginst my
  > virus hardly, that is foolish.  Save your time until next month.
  > OK?  Your Sincerely, ABT Group., Oct 13th, 1989 at FCU.


  From the "Plastique 4.51":

  > Program:  Plastique 4.51 (plastic bomb),
  > Copyright (C) 1988, 1989 by ABT Group.
  > Thanks to:  Mr.  Lin (IECS 762??),
  > Mr.  Cheng (FCU Inf-Center)


  From the "Plastique 5.21":

  > PLASTIQUE 5.21 (plastic bomb)
  > Copyright (C) 1988-1990 by ABT Group
  > (in association with Hammer LAB.)
  > WARNING: DON'T RUN ACAD.EXE!


  From the "Invader":

  > by Invader, Feng Chia U.,
  > Warning: Don't run ACAD.EXE!


==============================   MORE   ==================


  Date:    Fri, 07 Dec 90 18:37:59 -0500
  From:    Bob McCabe <PSYMCCAB@VM.UoGuelph.CA>
  Subject: New Virus? (The Invader?) (PC)


  I got word today of a possible new virus that was apparently
  deliberately spread around at the Canadian Computer Show.  As I have
  not heard or seen any postings of a similar virus I thought I'd post
  a description here to see if anyone knows anything about it.

  The virus apparently infects (Ed: NO!  No virus can infect the CMOS;
  only alter it) the CMOS on an AT, changing the drive type after an
  incubation period, and then locking out the hard drive.  It can be
  spread by running a program from an infected disk (how disks are
  infected is unknown, nor is it known if a particular program is the
  source).

  According to one distributor that got hit, the only way to remove
  the virus is to disconnect the AT board from the battery backup and
  to wipe the BIOS on the hard disk controller.  (Ed: NO! Simply reset
  the CMOS) This may be a little extreme, but I have yet to see an
  infected machine.

  Apparently there is also a message displayed when the virus becomes
  active, calling the virus 'THE INVADER'.

  Does this sound similar to any known virus? Does SCAN pick up the
  virus, and if so which version?  Is there a simpler way to remove
  the virus from an infected machine?  Any help would be appreciated.
  I should get a copy of an infected disk on Monday and may have more
  information then.


======================================================================
INET       : PSYMCCAB@VM.UOGUELPH.CA            Bob McCabe
CoSy       : bmccabe                            Psychology Dept.,
Compuserv  : 72260,1501                         University of Guelph
Phone      : (519) 821-8982                     Guelph,
                                                Ont. Canada
======================================================================


++++++  more  +++++


  Report from Jim Bates - The Virus Information Service - 4th January
  1991

  === Plastique Virus ===


  The Plastique Virus is Parasitic on COM and EXE files but excludes
  COMMAND.COM.  The infection method is slightly unusual in that COM
  files have the virus code prepended to the file, while EXE files
  have it appended.  In either case, the infective length is 2900
  bytes and no stealth capabilities exist to mask this increase in
  file length.  After infection, file attributes and date/time
  settings are restored to their original values.  The virus code is
  partially encrypted but allows the extraction of a recognition
  string.


  This virus becomes resident in high memory by using the DOS
  Terminate and Stay Resident function 31H.  During installation a
  timing routine determines the processing speed and this is used for
  sound effects later.


  As it becomes resident, INT 21H is intercepted by a special handler
  which will cause file infection on function requests 4B00H and
  3D00H; these correspond to Load and Execute, and Open file for Read
  Only.  The DOS Critical Error handler (INT 24H) is bypassed during
  the infection cycle to avoid error messages.


  On a random basis, virus installation after 20th Sept 1990 may cause
  other handlers to be installed which will produce certain sound
  effects and may result in execution of the trigger routine.  These
  handlers are as follows :- One of two INT 08 - Timer Interrupt
  handlers are installed (chances are even of either one being
  installed).

  Handler 1 increments a timer counter and slows processing
  progressively up to a limit decided during installation timing.


  Handler 2 also increments the timer counter and makes "explosion"
  noise about every 4.5 minutes.


  An INT 09 - Keyboard Interrupt handler is installed which will
  intercept a Ctrl-Alt-Del key sequence and then act according to which
  INT 08 handler is installed.  If Handler 1 is present then the
  trigger routine is activated.  If Handler 2 is present then
  Non-volatile RAM is overwritten with 0FFH bytes.  The INT 09 handler
  also counts keypresses and after 4000 keypresses, an error will be
  forced on the next disk write request to INT 13H.


  An INT 13H - Disk Access handler is installed which intercepts write
  requests and forces an error according to the condition of a flag.
  The error consists of putting -1 into DX (Head and Drive) and
  completing the call.  The routine then returns without setting the
  relevant flags so that the caller is not aware that his data has NOT
  been written.


  The Trigger routine occurs immediately on execution of ACAD.EXE,
  otherwise during a Ctrl-Alt-Del sequence from within INT09 handler
  if INT08 Handler 1 is installed and the timer counter has reached a
  predetermined limit.  The actual routine checks if there is a floppy
  disk in drive A:, if so it overwrites head 0 of all tracks with the
  contents of memory from address 0000:0000.  Processing continues
  similarly for floppy in drive B:, zapping it if possible.  Then the
  "explosion" routine is set to occur as both the first and second
  fixed disk drives are overwritten on all heads and tracks.  Finally
  a loop overwrites the contents of CMOS by direct port access.


  The virus recognises itself in memory by issuing an INT 21H with
  4B40H in the AX register.  If the virus is resident, the call
  returns with 5678H in AX.  Recognition on disk is by examining the
  word at offset 12H in the target file.  If this word is 1989H then
  the file is assumed to be infected.


  The recognition string for the Plastique virus is as follows :-

         B840 4BCD 213D 7856 7512 B841 4BBF 0001

  and this will be found at offset 82CH into the virus code.

  VIS Classification - CEOARK2900A
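A defender-side file check built from the two on-disk indicators the report gives (the 1989H word at offset 12H and the 16-byte recognition string at 82CH into the virus body), added here as an example and not part of Jim Bates' report or of any scanner of the period; the "infected" image it scans is constructed inline with an inert 2900-byte body laid out as the report describes for a COM file, so the file offsets are an assumption about that layout rather than measurements from a specimen.

```python
import struct

# Recognition string from the report: B840 4BCD 213D 7856 7512 B841 4BBF 0001.
# It decodes as mov ax,4B40h / int 21h / cmp ax,5678h / jnz / mov ax,4B41h /
# mov di,0100h, i.e. the virus's own "am I already resident?" probe.
PLASTIQUE_SIGNATURE = bytes.fromhex("B8404BCD213D78567512B8414BBF0001")
SIGNATURE_OFFSET_IN_VIRUS = 0x82C   # where the string sits inside the virus body
INFECTION_MARKER_OFFSET = 0x12      # word the virus examines on disk
INFECTION_MARKER = 0x1989           # value meaning "already infected"
INFECTIVE_LENGTH = 2900             # bytes added to a host file


def has_infection_marker(data: bytes) -> bool:
    """True if the word at offset 12H is 1989H (little-endian, as x86 stores it).
    In an EXE this offset is the MZ header checksum field, which DOS ignores."""
    if len(data) < INFECTION_MARKER_OFFSET + 2:
        return False
    (word,) = struct.unpack_from("<H", data, INFECTION_MARKER_OFFSET)
    return word == INFECTION_MARKER


def scan(data: bytes) -> dict:
    """Report both indicators. The marker alone is weak (any file may carry
    1989H there), so the recognition string is what confirms a detection."""
    sig_at = data.find(PLASTIQUE_SIGNATURE)
    return {
        "marker": has_infection_marker(data),
        "signature_offset": sig_at,                       # -1 if absent
        "virus_body_start": sig_at - SIGNATURE_OFFSET_IN_VIRUS if sig_at >= 0 else None,
        "infected": sig_at >= 0,
    }


def build_sample_infected_com(host: bytes) -> bytes:
    """Constructed test image, not a real specimen: an inert 2900-byte body
    with the marker at 12H and the string at 82CH, prepended to the host
    the way the report says the virus treats COM files."""
    body = bytearray(INFECTIVE_LENGTH)
    struct.pack_into("<H", body, INFECTION_MARKER_OFFSET, INFECTION_MARKER)
    start = SIGNATURE_OFFSET_IN_VIRUS
    body[start:start + len(PLASTIQUE_SIGNATURE)] = PLASTIQUE_SIGNATURE
    return bytes(body) + host


if __name__ == "__main__":
    clean_com = b"\xb8\x00\x4c\xcd\x21"   # mov ax,4C00h / int 21h: exit to DOS
    print(scan(build_sample_infected_com(clean_com)))
    print(scan(clean_com))
```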



  The information contained in this report is the direct result of
  disassembling and analysing a specimen of the virus code.  I take
  great pains to ensure the accuracy of these analyses but I cannot
  accept responsibility for any loss or damage suffered as a result of
  any errors or omissions.  If any errors of fact are noted, please
  let me know at :-

The Virus Information Service,
Treble Clef House,
64, Welford Road,
WIGSTON MAGNA,
Leicester  LE8 1SL

  or call +44 (0)533 883490

  Jim Bates


  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


