PLASTQUE viruses
*********************************************
*** Reports collected and collated by ***
*** PC-Virus Index ***
*** with full acknowledgements ***
*** to the authors ***
*********************************************
Reports on PLASTQUE viruses
---------------------------
Date: 19 Oct 90 14:20:30 -0400
From: "David.M.Chess" <CHESS@YKTVMV.BITNET>
Subject: Plastique/Anti-CAD viruses (PC)
There are now four known viruses in this series; all are based
heavily on the JV, with the addition of a timer-interrupt handler
that plays music periodically, some routines to make the occasional
disk-write fail, and (in the later ones) code to infect boot records
as well as executables; the later two (I think) also infect on OPENs
of files called EXE or COM, as well as on executions. Most or all
of them also react in various ways to attempts to execute any
program called ACAD.EXE (is that familiar to everyone?). Each one
contains a string (stored garbled in all but the first, earliest
virus). I give the strings in clear (and slightly reformatted)
below. Does anyone know where Fen Chia U. is? (I've also removed
the vowel from the leading obscenity in the first message...)
DC
From the one just discovered at Western Michigan U:
> Sh*t! As you can see this document, you may know what this
> program is. But I must tell you: DO NOT TRY to WRITE ANY ANTI-PROGRAM
> to THIS VIRUS.This is a test-program, the real dangerous code will
> implement on November. I use MASM to generate varius virus
> easily and you must use DEBUG aginst my virus hardly, that is
> foolish. Save your time until next month. OK? Your Sincerely, ABT
> Group., Oct 13th, 1989 at FCU.
From the "Plastique 4.51":
> Program: Plastique 4.51 (plastic bomb),
> Copyright (C) 1988, 1989 by ABT Group.
> Thanks to: Mr. Lin (IECS 762??),
> Mr. Cheng (FCU Inf-Center)
From the "Plastique 5.21":
> PLASTIQUE 5.21 (plastic bomb)
> Copyright (C) 1988-1990 by ABT Group
> (in association with Hammer LAB.)
> WARNING: DON'T RUN ACAD.EXE!
From the "Invader":
> by Invader, Feng Chia U.,
> Warning: Don't run ACAD.EXE!
============================== MORE ==================
Date: Fri, 07 Dec 90 18:37:59 -0500
From: Bob McCabe <PSYMCCAB@VM.UoGuelph.CA>
Subject: New Virus? (The Invader?) (PC)
I got word today of a possible new virus that was apparently
deliberately spread around at the Canadian Computer Show. As I have
not heard or seen any postings of a similar virus I thought I'd post
a description here to see if anyone knows anything about it.
The virus apparently infects (Ed: NO! No virus can infect the CMOS;
only alter it) the CMOS on an AT, changing the drive type after an
incubation period, and then locking out the hard drive. It can be
spread by running a program from an infected disk (how disks are
infected is unknown, nor is it known if a particular program is the
source).
According to one distributor that got hit, the only way to remove
the virus is to disconnect the AT board from the battery backup and
to wipe the BIOS on the hard disk controller. (Ed: NO! Simply reset
the CMOS) This may be a little extreme, but I have yet to see an
infected machine.
Apparently there is also a message displayed when the virus becomes
active, calling the virus 'THE INVADER'.
Does this sound similar to any known virus? Does SCAN pick up the
virus, and if so which version? Is there a simpler way to remove
the virus from an infected machine? Any help would be appreciated.
I should get a copy of an infected disk on Monday and may have more
information then.
======================================================================
INET : PSYMCCAB@VM.UOGUELPH.CA
CoSy : bmccabe
Compuserv : 72260,1501
Phone : (519) 821-8982
Bob McCabe, Psychology Dept., University of Guelph, Guelph, Ont. Canada
======================================================================
++++++ more +++++
Report from Jim Bates - The Virus Information Service - 4th January 1991
=== Plastique Virus ===
The Plastique Virus is Parasitic on COM and EXE files but excludes
COMMAND.COM. The infection method is slightly unusual in that COM
files have the virus code prepended to the file, while EXE files
have it appended. In either case, the infective length is 2900
bytes and no stealth capabilities exist to mask this increase in
file length. After infection, file attributes and date/time
settings are restored to their original values. The virus code is
partially encrypted but allows the extraction of a recognition
string.
This virus becomes resident in high memory by using the DOS
Terminate and Stay Resident function 31H. During installation a
timing routine determines the processing speed and this is used for
sound effects later.
As it becomes resident, INT 21H is intercepted by a special handler
which will cause file infection on function requests 4B00H and
3D00H, these correspond to Load and Execute, and Open file for Read
Only. The DOS Critical Error handler (INT 24H) is bypassed during
the infection cycle to avoid error messages.
On a random basis, virus installation after 20th Sept 1990 may cause
other handlers to be installed which will produce certain sound
effects and may result in execution of the trigger routine. These
handlers are as follows :-
One of two INT 08 - Timer Interrupt handlers is installed (chances
are even of either one being installed).
Handler 1 increments a timer counter and slows processing
progressively up to a limit decided during installation timing.
Handler 2 also increments the timer counter and makes an "explosion"
noise about every 4.5 minutes.
An INT 09 - Keyboard Interrupt handler is installed which will
intercept a Ctrl-Alt-Del key sequence and then act according to which
INT 08 handler is installed. If Handler 1 is present then the
trigger routine is activated. If Handler 2 is present then
Non-volatile RAM is overwritten with 0FFH bytes. The INT 09 handler
also counts keypresses and after 4000 keypresses, an error will be
forced on the next disk write request to INT 13H.
An INT 13H - Disk Access handler is installed which intercepts write
requests and forces an error according to the condition of a flag.
The error consists of putting -1 into DX (Head and Drive) and
completing the call. The routine then returns without setting the
relevant flags so that the caller is not aware that his data has NOT
been written.
The Trigger routine occurs immediately on execution of ACAD.EXE,
otherwise during a Ctrl-Alt-Del sequence from within INT09 handler
if INT08 Handler 1 is installed and the timer counter has reached a
predetermined limit. The actual routine checks if there is a floppy
disk in drive A:, if so it overwrites head 0 of all tracks with the
contents of memory from address 0000:0000. Processing continues
similarly for floppy in drive B:, zapping it if possible. Then the
"explosion" routine is set to occur as both the first and second
fixed disk drives are overwritten on all heads and tracks. Finally
a loop overwrites the contents of CMOS by direct port access.
The virus recognises itself in memory by issuing an INT 21H with
4B40H in the AX register. If the virus is resident, the call
returns with 5678H in AX. Recognition on disk is by examining the
word at offset 12H in the target file. If this word is 1989H then
the file is assumed to be infected.
The recognition string for the Plastique virus is as follows :-
B840 4BCD 213D 7856 7512 B841 4BBF 0001
and this will be found at offset 82CH into the virus code.
VIS Classification - CEOARK2900A
The information contained in this report is the direct result of
disassembling and analysing a specimen of the virus code. I take
great pains to ensure the accuracy of these analyses but I cannot
accept responsibility for any loss or damage suffered as a result of
any errors or omissions. If any errors of fact are noted, please
let me know at :-
The Virus Information Service,
Treble Clef House,
64, Welford Road,
WIGSTON MAGNA,
Leicester LE8 1SL
or call +44 (0)533 883490
Jim Bates
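A defender-side check for the on-disk indicators this report gives (the 16-byte recognition string at 82CH into the virus code and the 1989H marker word at offset 12H), written here as an added example in Python; it is not code from the report or from the Virus Information Service, and the "infected" image it scans is constructed filler carrying only those indicators, not virus code:

```python
import struct

# Recognition string from the report, at offset 82CH into the virus code. Its
# bytes decode to the in-memory self-check the report describes:
#   mov ax,4B40h / int 21h / cmp ax,5678h / jnz ... / mov ax,4B41h / mov di,0100h
PLASTIQUE_SIGNATURE = bytes.fromhex("B8404BCD213D78567512B8414BBF0001")
SIGNATURE_OFFSET_IN_VIRUS = 0x82C   # offset of the string inside the virus body
INFECTION_MARKER_OFFSET = 0x12      # word the virus tests on disk
INFECTION_MARKER = 0x1989           # value meaning "already infected"
INFECTIVE_LENGTH = 2900             # bytes the virus adds to a file


def scan_plastique(data: bytes) -> dict:
    """Check a COM/EXE image for the Plastique recognition string and marker.

    'infected' is True only when the recognition string is present; the marker
    word is reported separately because on its own it is weak evidence (any
    file may hold 0x1989 at offset 0x12). The virus prepends itself to COM
    files and appends itself to EXE files, so the whole image is searched.
    """
    result = {"infected": False, "signature_offset": None,
              "marker_present": False, "virus_start": None}
    if len(data) >= INFECTION_MARKER_OFFSET + 2:
        word = struct.unpack_from("<H", data, INFECTION_MARKER_OFFSET)[0]
        result["marker_present"] = word == INFECTION_MARKER
    pos = data.find(PLASTIQUE_SIGNATURE)
    if pos >= 0:
        result["infected"] = True
        result["signature_offset"] = pos
        # Start of the virus body if the string sits at its usual 0x82C offset.
        start = pos - SIGNATURE_OFFSET_IN_VIRUS
        result["virus_start"] = start if start >= 0 else None
    return result


def build_sample(prepend: bool) -> bytes:
    """Construct a synthetic 'infected' image for exercising the scanner.

    Filler only, not virus code: a 2900-byte block of NOPs carrying the
    recognition string at 0x82C, joined to a tiny constructed host
    (mov ah,4Ch / int 21h), with the 0x1989 marker written at offset 0x12 of
    the resulting file. prepend=True mimics a COM victim, False an EXE victim.
    """
    body = bytearray(b"\x90" * INFECTIVE_LENGTH)
    end = SIGNATURE_OFFSET_IN_VIRUS + len(PLASTIQUE_SIGNATURE)
    body[SIGNATURE_OFFSET_IN_VIRUS:end] = PLASTIQUE_SIGNATURE
    host = b"\xB4\x4C\xCD\x21" + b"\x00" * 200          # 204-byte constructed host
    image = bytearray(body + host) if prepend else bytearray(host + body)
    struct.pack_into("<H", image, INFECTION_MARKER_OFFSET, INFECTION_MARKER)
    return bytes(image)
```

Searching for the string rather than trusting the 12H word alone matters because the marker is the virus's own "already infected" test, and a clean file can carry that word by chance.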
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++