"12-TRICKS" Trojan (11-June-1990) Entry...............: "12-Tricks" Trojan Alias(es)...........: --- Trojan Strain.......: --- Trojan detected when: --- where.: Karlsruhe (West-Germany) Classification......: Trojan Horse Carrier of Trojan...: Contained in "CORETEST.COM", a file that will test the speed of a hard disk. --------------------- Preconditions ----------------------------------- Operating System(s).: MS-DOS, PC-Dos Version/Release.....: --- Computer model(s)...: IBM PC, XT, AT and compatibles --------------------- Attributes -------------------------------------- Easy Identification.: "MEMORY$", a text within the program, readable with HexDump-utilities. Infection Trigger...: The trojan searches at different adresses in the ROM-Area of the computer for strings that may be the entry of INT 13h (hard disk). Adresses: String: C800H:0256H 080H,0FAH,080H,073H,005H,0CDH F000H:2A71H 080H,0FAH,080H,073H,005H,0CDH F000H:A935H 080H,0FAH,079H,077H,005H,0CDH F000H:3772H 0FBH,09CH,022H,0D2H,078H,00CH F000H:D1E7H 0FBH,080H,0FCH,000H,075H,00CH if any such string is found, the damage routine will be installed. Storage media affected: Partition table of a hard disk. Interrupts Hooked...: INT 08, INT 09, INT 0D, INT 0E, INT 10, INT 13, INT 16, INT 17, INT 1A. Either one or none of the interrupts will be hooked (random selection). Damage..............: Permanent damage: Every time the computer boots, one entry in the FAT will be changed. The hard disk will be formatted (Track 0, Head 1, Sector 1, 1 Sector) followed by the message: "SOFTLoK+ V3.0 SOFTGUARD SYSTEMS,INC 2840 St.Thomas Expwy,suite 201 Santa Clara,CA 95051 (408)970-9420" (probability 1/4096). Moreover, either one or none of the following permanent or transient damages will occur: permanent: if INT 13 is hooked, *every access* to a floppy drive will be changed to *write- access*. 
transient damages: INT 08: will slow down the computer by a random loop; INT 08: will point to a IRET; every routine that was inserted within the INT 08- chain will no longer be accessible; INT 09: every keystroke will change the BIOS- variable [046dh]; INT 0D: the interrupt will point to a IRET; (probability: 1/4); INT 0E: the interrupt will point to a IRET. (probability: 1/4); INT 10: will slow down the screen by a random loop; INT 10: every time while scrolling up, the screen will be blanked; INT 16: the BIOS-variable keyboard flag [0417h] is modified; INT 17: Every character sent to the printer is manipulated (randomly); INT 17: every character sent to the printer is XORed with 020H; INT 1A: sometimes, this routine will return a random system clock value. Damage Trigger......: Every boot sequence Particularities.....: During installation, a mark (0FFH) is set within the partition table at offset 01BDH, so the will be installed only once. The text "SOFTLoK+ V3.0 SOFTGUARD SYSTEMS,INC 2840 St.Thomas Expwy,suite 201 Santa Clara,CA 95051 (408)970-9420" is readable in the partition table. --------------------- Acknowledgement --------------------------------- Location............: Virus Test Center, University Hamburg, FRG; Classification by...: Thomas Lippke, Michael Reinschmiedt Documentation by....: Thomas Lippke, Michael Reinschmiedt Date................: 11-June-1990 .
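
The identification marks listed above (the "MEMORY$" text in the carrier, the 0FFH mark at offset 01BDH and the "SOFTLoK+" text in the partition table) can be checked against a saved copy of the partition sector and a suspect file. The following is an added example, not part of the original catalog entry; the function names, the three-level verdict and the sample data are assumptions of this example.

```python
"""Check a saved 512-byte partition sector and a suspect file for the
indicators listed in this catalog entry. All sample data is constructed."""

MARK_OFFSET = 0x01BD          # install mark position given in the entry
MARK_VALUE = 0xFF             # install mark value given in the entry
SECTOR_TEXT = b"SOFTLoK+"     # start of the text readable in the sector
CARRIER_TEXT = b"MEMORY$"     # "Easy Identification" text in the program


def check_partition_sector(sector: bytes) -> dict:
    """Report which partition-sector indicators from the entry are present."""
    if len(sector) != 512:
        raise ValueError("expected one 512-byte sector, got %d" % len(sector))
    mark = sector[MARK_OFFSET] == MARK_VALUE
    text = SECTOR_TEXT in sector
    # Assumption of this example: a single byte is a weak signal on its own,
    # so only mark and text together are reported as a full match.
    if mark and text:
        verdict = "match"
    elif mark or text:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"mark": mark, "text": text, "verdict": verdict}


def check_carrier(data: bytes) -> bool:
    """True if the file contents contain the carrier's identification text."""
    return CARRIER_TEXT in data


def build_sample_sector(mark: bool, text: bool) -> bytes:
    """Constructed test sector; the text position (0x100) is arbitrary."""
    sector = bytearray(512)
    sector[510:512] = b"\x55\xAA"          # standard boot sector signature
    if text:
        sector[0x100:0x100 + len(SECTOR_TEXT)] = SECTOR_TEXT
    if mark:
        sector[MARK_OFFSET] = MARK_VALUE
    return bytes(sector)


if __name__ == "__main__":
    for mark, text in [(True, True), (True, False), (False, False)]:
        print(check_partition_sector(build_sample_sector(mark, text)))
    print(check_carrier(b"\x90\x90MEMORY$\x00constructed sample"))
```
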