💾 Archived View for spam.works › mirrors › textfiles › virus › armag911.txt captured on 2023-06-16 at 21:00:57.
View Raw
More Information
-=-=-=-=-=-=-
- **************************************************************************
- The 911 Virus *
- (An "Armagedon the Greek" Variant) *
- **************************************************************************
- Commentary and disassembly by Black Wolf *
- **************************************************************************
The 911 virus is a direct variant of the "Armagedon the GREEK"
virus, derived merely by changing the text within and the dialing string.
The virus' size is 1079 bytes, making the smallest carrier 1081 bytes. The
main effect of the virus is to dial "911" every once in a while if a modem
is present on com ports 1-4 (the original virus dialed the speaking clock
in Greece). It is a memory resident .COM infector.
When executed, the 911 virus checks for residency. If it is already
installed, it simply passes control to the host file, otherwise, it goes
memory resident, hooking Int 08h and Int 21h. When 911 goes resident, it
uses a rather strange way of doing it. It re-executes the program and uses
an Int 27 to go memory resident, but because of the second execution it does
not truly terminate and is still able to return control to the host.
Once memory resident, the 911 virus infect .COM files on execution
(whenever an Int 21, function 4bh is called) after checking if the file has
already been infected. The identification string the virus uses to check for
infection is the string "Support Your Police" located near the end of the
virus (the original was "Armagedon the GREEK").
The infection process is also somewhat strange, as the virus
allocates all unused memory for itself, the loads the entire victim file into
memory in one call. It then "infects" it in memory, and writes it back to
the disk. Afterwards, it releases the memory.
All of the dialing and timing is handled from the Int 08 (Timer
Click) handler. When activated, it will dial 911 (police/fire/emergency)
and wait for several seconds. It sends the commands to all ports 1-4, so
the results of hardware other than modems connected to these ports may be
unpredictable.
The storage bytes are found at the very end of the file, with the
first byte encrypted by adding 0bh to its value. Infected files may be
repaired by restoring these bytes to the beginning, unencrypting the first
one, and cutting the virus off the end of the host program.