          >>> following from USENET @ 17feb90am /pats. <<< 
 
The "Twelve Tricks" trojan - alert and description 
 
We have recently received and analysed a trojan that we believe 
warrants an urgent alert.  We are calling it the Twelve Tricks trojan, 
and it is very interesting, very nasty, and quite complex.  This 
message is not meant to be a complete description of the trojan - we 
feel that it is important to get a warning out quickly, rather than 
aim for completeness.  It is not a virus. 
 
The trojan consists of a program (more about this aspect later) which 
you run;  running the program, as well as doing the obvious things that 
the program is expected to do, also replaces the partition record (also 
called the Master Boot Record, or MBR) on your hard disk with its own 
version.  This can easily be recognised by inspecting the hard disk at 
cylinder zero, head zero, sector one, which can be done with a disk 
sector editor such as Peeka.  If the partition record has this trojan 
in place, it will contain the following text near the beginning: 
 
SOFTLoK+ V3.0 SOFTGUARD SYSTEMS INC 
2840 St. Thomas Expwy,suite 201 
Santa Clara,CA 95051 (408)970-9420 
 
At this point, let us state that we believe that the company mentioned 
above has nothing whatsoever to do with the trojan;  perhaps the 
trojan author has a grudge against them. 
 
The trojan uses a far call to the hard disk Bios code in order to 
plant this partition.  To do this, it must know the location in memory 
of the entry point;  it tries five different ones, one of which is the 
one documented in the IBM PC-XT Technical reference manual, and the 
other four are presumably fairly common alternatives. 
 
The purpose of planting the trojan with a far call is, we believe, to 
escape detection by Active Monitor programs that protect a computer by 
monitoring the interrupt table, and preventing unauthorised writes to 
system areas on the hard disk.  Since Twelve Tricks doesn't use an 
interrupt to plant the MBR, such programs won't be able to prevent it. 
We tested this using Flushot+, probably the most successful of the 
Active Monitors, and Twelve Tricks went straight through it - the same 
would be true, we think, of any other Active Monitor. 
 
The Replacement MBR 
 
When the MBR is run, which is every time you boot from the hard disk, 
Twelve Tricks copies 205 (d7h) bytes of itself onto locations 0:300h 
to 0:3d6h.  This overwrites part of the interrupt vector table, but it 
is a part that doesn't get used very much.  This means that these d7h 
bytes are memory resident without having to use any of the TSR calls 
of Dos, and without having to reserve part of high memory.  Reserving 
part of high memory is the usual ploy used by Boot Sector Viruses, but 
the drawback of that route is that you might notice that a few kb from 
your 640 kb has disappeared (CHKDSK would reveal this).  The method 
used by Twelve Tricks would not show up as a loss from your 640 kb. 
 
When the computer is started up, a random number generator determines 
which of the Twelve Tricks will be installed.  It does the 
installation by replacing one of the interrupt vectors with a vector 
that points to the Twelve Tricks own code, and then chains on to the 
original code.  The twelve tricks are: 
 
1.  Insert a random delay loop in the timer tick, so that 18.2 times 
per second, the computer executes a loop that is randomly between 1 
and 65536 long (different each time it is executed).  This slows the 
machine down, and makes it work rather jerkily. 
 
2.  Insert an End-Of-Interrupt in the timer tick.  This interferes 
with the servicing of hardware interrupts, so for example, the clock 
is stopped, TSRs that depend on the timer tick don't work, and the 
floppy motor is permanently on. 
 
3.  Every time a key is pressed or released, the timer tick count is 
incremented by a random number between 0 and 65535.  This has a 
variety of effects;  programs sometimes won't run, when you type 
"TIME" you get "Current time is divide overflow", and copying files 
sometimes doesn't work. 
 
4.  Every time interrupt 0dh is executed, only do the routine three 
times out of four.  Interrupt 0dh is used on PCs and XTs for the fixed 
disk, on ATs for the parallel port. 
 
5.  Every time interrupt 0eh is executed, only do the routine three 
times out of four.  Interrupt 0eh is used for the floppy disk. 
 
6.  Every time interrupt 10h is called (this is the video routine), 
insert a delay loop that is randomly between 1 and 65536 long 
(different each time it is executed).  This slows the video down, and 
makes it work rather jerkily and/or slowly. 
 
7.  Every time the video routine to scroll up is called, instead of 
the requested number of lines being scrolled, the entire scrolling 
window is blanked. 
 
8.  Every time a request is made to the diskette handler, it is 
converted into a write request.  This means that the first time you 
try to read or write to a diskette, whatever happens to be in the 
buffer will be written to the diskette, and will probably overwrite 
the boot sector, FAT or directory, as these must be read before 
anything else can be done.  If you try to read a write protected 
diskette, you get "Write protect error reading drive A".  If you do a 
DIR of a write enabled diskette, you get "General Failure ...", and if 
you inspect the diskette using a sector editor, you'll find that the 
boot and FAT have been zeroed or over-written. 
 
9.  Every time interrupt 16h is called (read the keyboard) the 
keyboard flags (Caps lock, Num lock, shift states etc) are set 
randomly before the keystroke is returned.  This means that at the Dos 
prompt, the keyboard will only work occasionally.  Programs that poll 
interrupt 16h will be unusable.  Holding down the Del key will trigger 
a Ctrl-Alt-Del. 
 
10.  Everything that goes to the printer is garbled by xoring it with 
a byte from the timer tick count. 
 
11.  Every letter that is sent to the printer has its case reversed by 
xoring it with 20h.  Also, non-alpha characters are xored, so a space 
becomes a null, and line feeds don't feed lines. 
 
12.  Whenever the Time-Of-Day interrupt (1ah) is executed, do an 
End-Of-Interrupt instead.  This means that you can't set the system 
clock, and the time is set permanently to one value. 
 
These are the twelve tricks.  In addition, there are two more things 
that the trojan does.  It uses a random number generator;  one time 
out of 4096, it does a low level format of the track that contains the 
active boot sector;  this will also destroy part of the first copy of 
the FAT.  You can recover from this by creating a new boot sector, and 
copying the second copy of the FAT back over the first copy.  After it 
does the format, it will display the "SOFTLoK+ " message quoted above, 
and hang the computer. 
 
If it doesn't do the format, it makes a random change to a random word 
in one of the first 16 sectors of the FAT, which will make a slight 
and increasing corruption in the file system.  This is perhaps the 
worst of the things that it does, as it will cause an increasing 
corruption of the files on the disk. 
 
The Dropper program 
 
The program that drops the trojan was, in the specimen that we 
analysed, a hacked version of CORETEST, a program to benchmark hard 
disk performance.  The file is CORETEST.COM, it is version 2.6, (dated 
1986 in the copyright message) had a length of 32469 bytes, and it was 
timestamped 6-6-86, 9:44.  When we looked in more detail at this 
program, we found some interesting things. 
 
It looks as if the original CORETEST program was an EXE file, and the 
trojan author prepended his code to it.  This code consists of some 
relocation stuff, then a decryptor, to decrypt the following 246h 
bytes.  The decryption is a double xor with a changing byte.  Those 
246h bytes, when run, examine the memory to try to find one of five 
sets of hard disk handler code (presumably corresponding to five 
Bioses).  When it finds one of them, (we have identified the first one 
as being the IBM XT Bios) it plants the trojan MBR in place, using a 
far call to the Bios code.  The trojan MBR is 200h of the 246h bytes. 
The trojan is patched so that it also does disk accesses using a far 
call to the same location.  Finally, the prepended trojan passes 
control to the original program.  We call the combination of the 
prepended code, plus the original program, the Dropper. 
 
The main purpose of the encryption, we would guess, is to evade 
detection by programs that check code for bombs and trojans. There 
are no suspicious strings or interrupt calls in the code until it 
is decrypted at run time. 
 
As far as we can tell, it is not a virus, but a trojan.  However, it 
is unlikely that all the patching to the original program was done by 
hand - it is far more likely that the trojan author wrote a prepender 
program (we would call this the Prepender), to automatically attach 
his code to the target executable.  If this is the case, then there 
are two consequences.  The first is that he might have trojanised 
other programs besides the one that we have examined.  In other words, 
there might be other Droppers around besides the one we have examined. 
The second is that if that is the case, we cannot rely on the 
encryption having the same seed each time, as the Prepender might 
change the seed each time it operates.  So it would be unsafe to 
search files for the encrypted MBR.  Instead, we propose a search 
string based on the decryptor. 
 
Indeed, a further possibility exists.  The Prepender program might 
have been placed into circulation, and people running it would 
unwittingly be creating additional Droppers.  There is absolutely no 
evidence to suggest that that is actually the case, but we would ask 
anyone who detects this Dropper in one of their files, to also examine 
all the others. 
 
Detection 
 
Here are some ways to detect the trojan.  The hexadecimal string 
e4 61 8a e0 0c 80 e6 61 is to be found in the MBR.  This string will 
also be found in memory, at location 0:38b, if you have booted from a 
trojanised MBR.  You can use Debug to search memory for it. 
 
A useful search string to detect the Dropper is 
 
be 64 02 31 94 42 01 d1 c2 4e 79 f7 
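The two search strings above, the "SOFTLoK+" text, and the 0:38b memory location can be checked programmatically as well as with a sector editor or Debug.  The following scanner is an added example, not a tool from the original alert or from S&S; the signatures and offsets are the ones the alert states, and the sample MBR, memory image and executable it scans are constructed for the demonstration, not real captures.

```python
# Added example (not from the original alert): a small scanner for the
# indicators the alert lists. The signatures, text and offsets are taken
# from the alert; the sample MBR, memory dump and file are constructed
# here and are not real captures.

# Hex search string the alert gives for the trojanised MBR; the alert
# says it is also found in memory at 0:38b after booting from one.
MBR_SIGNATURE = bytes.fromhex("e4 61 8a e0 0c 80 e6 61")
# Search string the alert gives for the Dropper's decryptor.
DROPPER_SIGNATURE = bytes.fromhex("be 64 02 31 94 42 01 d1 c2 4e 79 f7")
# Text the alert says appears near the start of the trojan MBR.
MBR_TEXT = b"SOFTLoK+ V3.0 SOFTGUARD SYSTEMS INC"

RESIDENT_START, RESIDENT_END = 0x300, 0x3D6   # 0:300h..0:3d6h per the alert
MEMORY_SIGNATURE_OFFSET = 0x38B               # 0:38b per the alert
MBR_CODE_SIZE = 446                           # bytes before the partition table


def find_all(data, pattern):
    """Return every offset at which pattern occurs in data."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits


def check_mbr(mbr):
    """Look for the alert's two MBR indicators in a 512-byte MBR image."""
    if len(mbr) != 512 or mbr[510:] != b"\x55\xaa":
        raise ValueError("expected a 512-byte MBR ending in 55AA")
    code = mbr[:MBR_CODE_SIZE]
    return {
        "softlok_text": MBR_TEXT in code,
        "signature_offsets": find_all(code, MBR_SIGNATURE),
    }


def check_low_memory(dump):
    """dump is a byte string of conventional memory starting at 0:0."""
    at_38b = dump[MEMORY_SIGNATURE_OFFSET:MEMORY_SIGNATURE_OFFSET + len(MBR_SIGNATURE)]
    region = dump[RESIDENT_START:RESIDENT_END + 1]
    return {
        "at_38b": at_38b == MBR_SIGNATURE,
        "in_resident_region": bool(find_all(region, MBR_SIGNATURE)),
    }


def clobbered_vectors():
    """Interrupt numbers whose 4-byte vectors overlap 0:300h..0:3d6h."""
    return list(range(RESIDENT_START // 4, RESIDENT_END // 4 + 1))


def scan_for_dropper(data):
    """Offsets of the decryptor string in an executable's bytes."""
    return find_all(data, DROPPER_SIGNATURE)


# ---- constructed sample inputs (not real captures) ----
def constructed_mbr(infected):
    mbr = bytearray(512)
    mbr[0:2] = b"\xeb\x3c"                  # filler jump at the start
    if infected:
        mbr[3:3 + len(MBR_TEXT)] = MBR_TEXT
        mbr[0x8B:0x8B + len(MBR_SIGNATURE)] = MBR_SIGNATURE   # arbitrary position
    mbr[0x1BE] = 0x80                       # one bootable partition entry
    mbr[0x1C2] = 0x06
    mbr[510:] = b"\x55\xaa"
    return bytes(mbr)


def constructed_memory_dump(infected):
    dump = bytearray(0x400)                 # the first 1 KB: the vector table
    if infected:
        dump[MEMORY_SIGNATURE_OFFSET:MEMORY_SIGNATURE_OFFSET + len(MBR_SIGNATURE)] = MBR_SIGNATURE
    return bytes(dump)


def constructed_dropper_file(infected):
    body = bytes(range(256)) * 4
    return body + (DROPPER_SIGNATURE if infected else b"") + body


if __name__ == "__main__":
    print(check_mbr(constructed_mbr(True)))
    print(check_low_memory(constructed_memory_dump(True)))
    print("vectors overlapped: %02xh-%02xh" % (clobbered_vectors()[0], clobbered_vectors()[-1]))
```

On a real machine, check_mbr would be fed the 512 bytes read from cylinder zero, head zero, sector one, and check_low_memory the first kilobyte of memory dumped with Debug.  clobbered_vectors shows which interrupt vectors (0C0h to 0F5h) the resident d7h bytes overwrite, which is why the code can live there without the loss of conventional memory that CHKDSK would reveal for a boot sector virus.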
 
Getting rid of it 
 
It's easy to get rid of Droppers;  just delete them and replace them 
with a clean copy.  If you find the string above in the MBR or in 
memory at 0:38b, you need to boot from a clean Dos diskette and 
replace the partition record.  DO NOT use Fdisk to do this unless you 
are prepared for Fdisk to zero your FAT and directory;  you will lose 
all your data that way.  One way would be to do a file-by-file backup, 
low-level format to get rid of the trojan MBR, then Fdisk, Format and 
restore your backup.  We would recommend doing two backups using as 
different methods as possible if you use this route, in case one of 
them fails to restore. 
 
The other way to replace the partition is to run a program that drops 
a clean partition record onto the MBR, but doesn't change the 
partitioning data.  We are currently preparing one of these - please 
ask if you need it. 
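The second route, dropping clean boot code onto the MBR while leaving the partitioning data alone, comes down to assembling a new sector from two sources.  The following is an added example of that assembly, not the tool the alert says is being prepared; it assumes the standard MBR layout (446 bytes of code, a 64-byte partition table at offset 1BEh, and the 55AA signature at 1FEh) and that the trojan has left the partition table intact, which the alert's observation that normally controlled disks remain bootable suggests.  The sample images are constructed, not real.

```python
import struct

# Added example (not the alert's own "clean partition record" tool):
# assemble a replacement MBR that carries boot code from a known-clean
# MBR image and the partition table from the disk's current MBR, so the
# partitioning data is untouched. Assumes the standard MBR layout and
# that the trojan left the partition table intact. The sample images
# below are constructed, not real captures.

CODE_SIZE = 446
PTABLE_OFFSET = 0x1BE
ENTRY_SIZE = 16
SIG_OFFSET = 0x1FE
BOOT_SIG = b"\x55\xaa"
# Hex string the alert gives for the trojan MBR, used as a final check.
TROJAN_SIGNATURE = bytes.fromhex("e4 61 8a e0 0c 80 e6 61")


def validate_mbr(mbr, name):
    if len(mbr) != 512:
        raise ValueError(f"{name}: expected 512 bytes, got {len(mbr)}")
    if mbr[SIG_OFFSET:] != BOOT_SIG:
        raise ValueError(f"{name}: missing 55AA boot signature")


def partition_entries(mbr):
    """Decode the four 16-byte partition entries (LBA fields little-endian)."""
    entries = []
    for i in range(4):
        off = PTABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def rebuild_mbr(current, clean):
    """Clean boot code + current partition table + boot signature."""
    validate_mbr(current, "current MBR")
    validate_mbr(clean, "clean MBR")
    if not any(e["type"] != 0 for e in partition_entries(current)):
        raise ValueError("current MBR has an empty partition table; refusing to proceed")
    table = current[PTABLE_OFFSET:SIG_OFFSET]
    rebuilt = clean[:CODE_SIZE] + table + BOOT_SIG
    if TROJAN_SIGNATURE in rebuilt:
        raise ValueError("result still carries the trojan signature")
    return rebuilt


# ---- constructed sample images (not real captures) ----
def constructed_current_mbr():
    mbr = bytearray(b"\x90" * 512)            # stand-in for trojan code
    mbr[0x8B:0x8B + len(TROJAN_SIGNATURE)] = TROJAN_SIGNATURE
    # one bootable FAT16 (type 06h) partition starting at LBA 17, 40000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\x3f\x4c", 17, 40000)
    mbr[PTABLE_OFFSET:PTABLE_OFFSET + ENTRY_SIZE] = entry
    mbr[PTABLE_OFFSET + ENTRY_SIZE:SIG_OFFSET] = b"\x00" * (3 * ENTRY_SIZE)
    mbr[SIG_OFFSET:] = BOOT_SIG
    return bytes(mbr)


def constructed_clean_mbr():
    mbr = bytearray(512)
    mbr[0:CODE_SIZE] = b"\xfa" + b"\x90" * (CODE_SIZE - 1)   # stand-in clean code
    mbr[SIG_OFFSET:] = BOOT_SIG                              # table left zeroed
    return bytes(mbr)


if __name__ == "__main__":
    new = rebuild_mbr(constructed_current_mbr(), constructed_clean_mbr())
    print(partition_entries(new)[0])
```

Writing the result back to cylinder zero, head zero, sector one is the step that needs a sector editor or a low-level write; the point of doing it this way rather than with Fdisk is that the 64 bytes of partition data, and therefore the FAT and directory they point at, are never rewritten.  Decoding the partition entries before and after is a cheap check that nothing in the table moved.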
 
Damage done 
 
The whole of the MBR is used for the code.  Most normal MBRs don't use 
more than half the space, and a number of other programs have started 
using this space.  For example Disk Manager, and the Western Digital 
WDXT-Gen controllers (but the Dropper doesn't work on the WDXT-Gen). 
This means that the Dropper might cause an immediate problem in some 
circumstances. 
 
The main damage done, however, will be in the impression that this 
trojan creates that your hardware is suffering from a variety of 
faults, which usually go away when you reboot (only to be replaced by 
other faults).  Also, the FAT gets progressively corrupted. 
 
Occurrences 
 
So far, this has only been reported in Surrey, England.  It was 
noticed because it made a disk that used Speedstor to control it 
non-bootable.  Disks that are controlled in the normal way remain 
bootable.  We would be grateful if any sightings could be reported to 
us, especially if the Dropper program is different from the one we 
have examined;  we would also like a specimen of it. 
 
Please report instances to the addresses below: 
 
Dr Alan Solomon                Day voice:     +44 494 791900 
S&S Anti Virus Group           Eve voice:     +44 494 724201 
Water Meadow                   Fax:           +44 494 791602 
Germain Street,                BBS:           +44 494 724946 
Chesham,                       Fido node:     254/29 
Bucks, HP5 1LP                 Usenet:        drsolly at ibmpcug.co.uk 
England                        Gold:          83:JNL246 
                               CIX, CONNECT   drsolly 
or 
 
Mr Christoph Fischer           Day voice:     +49 721 6084041 
Micro-BIT Virus Centre         Eve voice:     +49 721 861540 
University of Karlsruhe        Fax:           +49 721 621479 
Zirkel 2                       BITNET:        RY15 at DKAUNI11 
D-7500 Karlsruhe 1 
West-Germany 
