------------------------------

Date: 24 January 89, 17:25:02 +0100 (MEZ)

From: Otto Stolz <RZOTTO@DKNKURZ1.BITNET>
Subject: Features of Blackjack Virus (PC)
Hello,
perhaps you remember the virus incident I reported on this list, on 2
September 88, 14:44:40 +0200 (MESZ). This note is intended to present
some of the results and insights I gained since. Most of the facts
presented here have not been detected by myself; rather I have to
thank several people in the local area, and several VIRUS-L
subscribers, for their hints and contributions.
This virus has been termed "Blackjack", which is a pun on the German
name "17+4" of the popular card game. Blackjack reveals its existence
by the length of infected COM-files, which is 1704 Bytes too large.
As with the Israeli virus strains, the virus has a two-stage
life-cycle:
- - when you invoke an infected program, Blackjack will infect RAM;
- - when Blackjack is active in RAM, it will infect every COM file being
invoked. This can be exploited for an easy test, e.g.:
copy con: test.com
{ALT-144} {ALT-205} {Blank} {CTRL-z} {return}
dir test.com
test
dir test.com
In the second line above, every brace-pair represents one byte entered;
if you key in these bytes correctly, you'll read a Capital Letter E
with Acute Accent, a Horizontal Double-Line Segment, a Blank, a Circum-
flex Accent, and a Capital Letter Z. The 1st dir-command, above,
should report that
TEST.COM is 3 bytes long; if the 2nd dir reports 1707 bytes, instead,
your RAM, and hence the TEST.COM file, are infected by some virus--most
probably Blackjack.
Blackjack infects only COM-files which are at least 3 Bytes long, and
it does so only once for any given file. It overwrites the 1st three
bytes with a JMP to the beginning of the viral code, which is appended
to the file. The 2 byte address of this JMP instruction is probably
the reason why only COM files are susceptible to infection. Blackjack
retains the file's time stamp. It even infects read-only files; on
write-protected floppy disks, it attempts writing 5 times per file,
thus revealing its activity.
In the infected file, the viral code is cryptographically encoded,
using a simple Vigenere code depending on the length of the file; only
the instructions for decoding the encrypted part of the code are in
plain machine-language. This is obviously intended as a impediment
against disassembling. Hence, every copy of the virus looks different
(depending on the length of the file).
On invocation of an infected program, Blackjack installs itself in RAM
(if no copy is already installed), then replaces the JMP instruction
with its former contents and resumes normal program operation.
The storage map shows that Blackjack has tinkered with the free
storage pointer-chain to hide the fact that it has hooked interrupt
21. Hence, only a minor part of Blackjack is visible in the storage
map.
In every year, from October to December, Blackjack will interfere with
CGA or EGA operated screens, moving randomly chosen characters down,
like falling leaves in autumn. After a while, you'll have a big heap
of characters at the bottom of your screen, and as you cannot see
anymore what the computer is trying to display, you'll probably have
to restart the system. This behaviour has been predicted by two
people, who have disassembled Blackjack, and has later been observed
on many EGA-equipped ATs.
Together with two students, I have written a VIRCHECK program to check
for Blackjack in RAM and in disk files. VIRCHECK exploits the
signaling device Blackjack uses to ensure at most one active copy to
detect Blackjack in RAM; it searches the files for the few
instructions which are alike in every copy, to detect infected files.
At our consultant desk, everybody can obtain a copy of VIRCHECK
(Pascal source, and EXE-file), plus a 16 kByte memo (in German) and
the 3 Byte TEST.COM (cf. above).
An employee of a nearby software-house, who has detected Blackjack, in
the 1st time, has circulated a DELVIRUS program to detect Blackjack
and, optionally, repair infected files (taking the original contents
of the 1st three bytes from the viral code meant to replace them, as
explained above. As the DELVIRUS's source is not available to the
public (nor to myself), we do not distribute this program (nor
recommend its use).
That's it, folks. I hope I didn't bore you.
Otto
[Ed. Thanks for the detailed description, Otto!]