a-20.ciac-twelve-tricks-trojan-horse

Posted Sep 23, 1999

tags | trojan
SHA-256 | 74af423a9cfb04cfbdb7d7f87aefc5ad315ad03c80ef4f6d2f6b0562fbdcb415

FOR OFFICIAL DOE USE ONLY--DO NOT DISTRIBUTE OUTSIDE OF DOE
________________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY

CIAC

INFORMATION BULLETIN
________________________________________________________________________

The Twelve Tricks Trojan Horse

March 8, 1990, 1300 PST Number A-20

Summary

CIAC has been informed of a possible new trojan horse called the Twelve Tricks
Trojan Horse. The intention of this bulletin is to rapidly inform the DOE
community about this possible threat and to help eliminate confusion and false
rumors. However, CIAC has been able neither to obtain a copy of this trojan
horse, nor to confirm the information received to date. This trojan horse
affects computers running the MS DOS operating system or common variants (IBM
PC-DOS etc.). It can produce a variety of disruptions and/or damage as
described below.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Critical Facts about Twelve Tricks Trojan Horse

Name: Twelve Tricks Trojan
Types: Only one known variant: CORETEST.COM VERSION 2.6, 32469 bytes, timestamp
6-6-86 9:44
Platform: IBM PC and PC clones running MS DOS or IBM-PC DOS
Damage: Varies from slow program execution to low level formatting of disk
Symptoms: A variety of disruptions and/or damage, based on a random number
between one and twelve. Affects system performance, writing to screen, clock,
printer and/or keyboard malfunctions, random disk writes, garbled printer
output, boot sector, File Allocation Table (FAT) or directory overwrites, and a
low level format of select tracks on the hard disk. Other symptoms include the
floppy disk motor continuously running, FAT, directory and/or boot sector
damaged diskettes.
Detection: Examine the Master Boot Record (MBR) for the message:

SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC
2840 St. Thomas Expwy, Suite 201
Santa Clara, CA 95051
(see important note below)

or search the MBR and memory for the following hex string:

e4 61 8a e0 0c 80 e6 61

If you suspect a program, you can use the search string:

64 02 31 94 42 01 d1 c2 4e 79 f7

Caution: These search strings are based on the trojan program examined by the
discoverer. If there are modifications to this program, the above search
strings may not work.

Eradication: Remove trojan program by deleting. To recover from a corrupt MBR,
back-up current data files and programs, perform a low level format and restore
data files and programs from a recent backup.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

CIAC has been alerted that there may be a new trojan horse called the Twelve
Tricks Trojan Horse. CIAC has not been able to obtain a copy of this program,
and cannot at this time confirm the information contained in this bulletin.
This trojan program affects computers running the MS DOS operating system or
common variants (IBM PC-DOS etc.). It can produce a variety of disruptions
and/or damage, including a slowdown of system performance, blanking or jerky
motion in the scrolling window, clock, printer and/or keyboard malfunctions,
random disk writes, garbled printer output, boot sector, File Allocation Table
(FAT) or directory overwrites, and a low level format of select tracks on the
hard disk. Other symptoms include the floppy disk motor continuously running,
FAT, directory and/or boot sector damaged diskettes. The particular damage which
occurs depends on a random number between 1 and 12 that the trojan program
generates.

DETECTION

Detecting this trojan horse is straightforward. Using Debug or a similar
utility, inspect your machine's hard disk at cylinder zero, head zero, sector
one. If this trojan horse has infected your machine, the following will be
displayed near the start of the master boot record:

SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC
2840 St. Thomas Expwy, Suite 201
Santa Clara, CA 95051

IMPORTANT NOTE: There is absolutely no evidence to link the origin of this
trojan horse to any company or organization, such as the one mentioned above.
The motivation of the author of this trojan horse to mention the company listed
above is currently unknown.

There are several additional ways to detect the trojan. The following
hexadecimal string can be found in the MBR of infected machines:

e4 61 e0 0c 80 e6 61

The above string can also be found at location 0:38b in memory if you have
booted from a corrupted MBR. You can use Debug as a search tool.

A useful search string to detect the source program (containing the trojan
horse) is

be 64 02 31 94 42 01 d1 c2 4e 79 f7

ERADICATION

Trojan programs can be removed by simply deleting them. To recover from a
corrupt MBR, back-up current data files and programs, perform a low level format
and restore data files and programs. Note: FDISK will erase other directory
information as well as replace the MBR. Thus, we recommend that you do not use
FDISK alone to eradicate the trojan unless you are prepared to lose directory
information from other partitions. Because the file system may be corrupted,
CIAC recommends a full backup, low level format, and recovery.

If you find the string above in the MBR or in memory at 0:38b, you need to boot
from a clean Dos diskette and replace the partition record. DO NOT use Fdisk to
do this unless you are prepared for Fdisk to zero your FAT and directory; you
will lose all your data that way. One way would be to do a file-by-file backup,
low-level format to get rid of the trojan MBR, then Fdisk, Format, and restore
your data files and programs from your backup.
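As an added example (not part of the bulletin or of CIAC's tooling), the following Python script applies the Detection and Eradication steps above to a raw 512-byte sector image: it looks for the quoted marker text and byte strings in the MBR code area, checks a program image for the Dropper search string, and rebuilds the sector from known-clean boot code while keeping the partition table, which is the alternative to FDISK that the bulletin describes. The sample sector, the stub "clean" boot code and all function names are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries live here
SIG_OFF = 0x1FE          # 55 AA boot signature

# Indicators exactly as quoted in the bulletin.
MBR_TEXT_MARKER = b"SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC"
MBR_HEX_STRINGS = (
    bytes.fromhex("e4618ae00c80e661"),  # string given in the bulletin summary
    bytes.fromhex("e461e00c80e661"),    # shorter string given in the body
)
DROPPER_HEX_STRING = bytes.fromhex("be640231944201d1c24e79f7")


def scan_mbr(sector: bytes) -> dict:
    """Report which Twelve Tricks indicators appear in a raw 512-byte MBR image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    code = sector[:PART_TABLE_OFF]  # boot code only; the partition table is data
    return {
        "valid_signature": sector[SIG_OFF:] == b"\x55\xaa",
        # Solomon's excerpt spells the marker "SOFTLoK+", so compare case-insensitively.
        "text_marker": MBR_TEXT_MARKER in code.upper(),
        "hex_string": any(pat in code for pat in MBR_HEX_STRINGS),
    }


def scan_program(data: bytes) -> bool:
    """True if a suspect program image contains the Dropper search string."""
    return DROPPER_HEX_STRING in data


def partition_entries(sector: bytes) -> list:
    """Decode the non-empty partition entries as (boot_flag, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        boot, ptype = sector[off], sector[off + 4]
        lba, count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:
            entries.append((boot, ptype, lba, count))
    return entries


def replace_boot_code(sector: bytes, clean_code: bytes) -> bytes:
    """Rebuild the sector from known-clean boot code, keeping the partition table.

    This is the 'drop a clean partition record without changing the partitioning
    data' approach the bulletin prefers over FDISK, which would also zero the FAT.
    """
    if len(clean_code) > PART_TABLE_OFF:
        raise ValueError("boot code would overlap the partition table")
    return (clean_code.ljust(PART_TABLE_OFF, b"\x00")
            + sector[PART_TABLE_OFF:SIG_OFF] + b"\x55\xaa")


def build_sample_sector() -> bytes:
    """Constructed test image (not real trojan code): the text marker and the
    summary's byte string in the code area, one FAT16 entry, valid signature."""
    code = b"\xfa" + MBR_TEXT_MARKER + b"\r\n" + MBR_HEX_STRINGS[0]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x0f", 63, 65520)
    return code.ljust(PART_TABLE_OFF, b"\x00") + entry + b"\x00" * 48 + b"\x55\xaa"
```

On a real system the input would be the first sector of the disk read with a sector editor or an imaging tool, and the clean boot code would come from a trusted MBR of the same DOS version.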

ADDITIONAL INFORMATION

There is currently no evidence that anything similar to the Twelve Tricks
Trojan has affected any machines in the United States. It is possible, however,
that there will be attempts to introduce this malicious code in the United
States. (This trojan horse is not self-replicating, and cannot spread the way
viruses do.) In particular, CIAC urges you to carefully check any software
distributed through trade shows, U.S. mail, or electronic bulletin boards, and
to use only licensed copies of software. Please contact CIAC if you become
aware of any machines infected by this malicious code.

For additional information or assistance, please contact CIAC:

David S. Brown
(415) 423-9878 or (FTS) 543-9878
FAX: (415) 423-0913 or (415) 294-5054

CIAC's business hours phone number is (415) 422-8193 or (FTS) 532-8193.
You may also send e-mail to:

ciac@tiger.llnl.gov

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Appended message--excerpt from a message from Dr. Alan Solomon posted to
virus-l)

We have recently received and analyzed a trojan that we believe warrants an
urgent alert. We are calling it the Twelve Tricks trojan, and it is very
interesting, very nasty, and quite complex. This message is not meant to be a
complete description of the trojan - we feel that it is important to get a
warning out quickly, rather than aim for completeness. It is not a virus.

The trojan consists of a program (more about this aspect later) which you run;
running the program, as well as the obvious things that the program is expected
to do, also replaces the partition record (also called the Master Boot Record,
or MBR) on your hard disk with its own version. This can easily be recognized
by inspecting the hard disk at cylinder zero, head zero, sector one, which can
be done with a disk sector editor such as Peeka. If the partition has this
trojan in place, it will contain the following text near the beginning:

SOFTLoK+ V3.0 SOFTGUARD SYSTEMS INC
2840 St. Thomas Expwy, Suite 201
Santa Clara, CA 95051 (408) 970-9420

At this point, let us state that we believe that the company mentioned above has
nothing whatsoever to do with the trojan; perhaps the trojan author has a
grudge against them.

The trojan uses a far call to the hard disk Bios code in order to plant this
partition. To do this, it must know the location in memory of the entry point;
it tries five different ones, one of which is the one documented in the IBM
PC-XT Technical reference manual, and the other four are presumably fairly
common alternatives.

The purpose of planting the trojan with a far call is, we believe, to escape
detection by Active Monitor programs that protect a computer by monitoring the
interrupt table, and preventing unauthorized writes to system areas on the hard
disk. Since the Twelve Tricks doesn't use an interrupt to plant the MBR, such
programs won't be able to prevent it. We tested this using Flushot+, probably
the most successful of the Active Monitors, and Twelve Tricks went straight
through it - the same would be true, we think, of any other Active Monitor.

The Replacement MBR

When the MBR is run, which is every time you boot from the hard disk, Twelve
Tricks copies 205 (d7h) bytes of itself onto locations 0:3000h to 0:3d6h. This
overwrites part of the interrupt vector table, but it is a part that doesn't get
used very much. This means that these d7h bytes are memory resident without
having to use any of the TSR calls of Dos, and without having to reserve part of
high memory. Reserving part of high memory is the usual ploy used by Boot
Sector Viruses, but the drawback of that route is that you might notice that a
few kb from your 640 kb has disappeared (CHKDSK would reveal this). The method
used by Twelve Tricks would not show up as a loss from your 640 kb.

When the computer is started up, a random number generator determines which of
the Twelve Tricks will be installed. It does the installation by replacing one
of the interrupt vectors with a vector that points to the Twelve Tricks own
code, and then chains on to the original code. The twelve tricks are:

1. Insert a random delay loop in the timer tick, so that 18.2 times per second,
the computer executes a loop that is randomly between 1 and 65536 long
(different each time it is executed). This slows the machine down, and makes it
work rather jerkily.

2. Insert an End-of-Interrupt in the timer tick. This interferes with the
servicing of hardware interrupts, so for example, the clock is stopped, TSRs
that depend on the timer tick don't work, and the floppy motor is permanently
on.

3. Every time a key is pressed or released, the timer tick count is incremented
by a random number between 0 and 65535. This has a variety of effects; programs
sometimes won't run, when you type "TIME" you get "Current time is divide
overflow", and copying files sometimes doesn't work.

4. Every time interrupt 0dh is executed, only do the routine three times out of
four. Interrupt 0dh is used on PCs and XTs for the fixed disk, on ATs for the
parallel port.

5. Every time interrupt 0eh is executed, only do the routine three times out of
four. Interrupt 0eh is used for the floppy disk.

6. Every time interrupt 10h is called (this is the video routine), insert a
delay loop that is randomly between 1 and 65536 long (different each time it is
executed). This slows the video down, and makes it work rather jerkily and/or
slowly.

7. Every time the video routine to scroll up is called, instead of the
requested number of lines being scrolled, the entire scrolling window is
blanked.

8. Every time a request is made to the diskette handler, it is converted into a
write request. This means that the first time you try to read or write to a
diskette, whatever happens to be in the buffer will be written to the diskette,
and will probably overwrite the boot sector, FAT or directory, as these must be
read before anything else can be done. If you try to read a write protected
diskette, you get "Write protect error reading drive A.". If you do a DIR of a
write enabled diskette, you get "General Failure...", and if you inspect the
diskette using a sector editor, you'll find that the boot and FAT have been
zeroed or over-written.

9. Every time interrupt 16h is called (READ THE KEYBOARD) the keyboard flags
(Caps lock, Num lock, shift states etc) are set randomly before the keystroke is
returned. This means that at the Dos prompt, the keyboard will only work
occasionally. Programs that poll interrupt 16h will be unusable. Holding down
the Del key will trigger a Ctrl-Alt-Del.

10. Everything that goes to the printer is garbled by xoring it with a byte
from the timer tick count.

11. Every letter that is sent to the printer has its case reversed by xoring it
with 20h. Also, non-alpha characters are xored, so a space becomes a null, and
line feeds don't feed lines.

12. Whenever the Time-of-Day interrupt (1ah) is executed, do an
End-of-Interrupt instead. This means that you can't set the system clock, and
the time is set permanently to one value.

These are the twelve tricks. In addition there are two more things that the
trojan does. It uses a random number generator; one time out of 4096, it does a
low level format of the track that contains the active boot sector; this will
also destroy part of the first copy of the FAT. You can recover from this by
creating a new boot sector, and copying the second copy of the FAT back over the
first copy. After it does the format, it will display the message "SOFTLoK+ "
etc. as above, and hang the computer.

If it doesn't do the format, it makes a random change to a random word in one of
the first 16 sectors of the FAT, which will make a slight and increasing
corruption in the file system. This is perhaps the worst of the things that it
does, as it will cause an increasing corruption of the files on the disk.

The Dropper program

The program that drops the trojan was, in the specimen that we analyzed, a
hacked version of CORETEST, a program to benchmark hard disk performance. The
file is CORETEST.COM; it is version 2.6 (dated 1986 in the copyright message),
had a length of 32469 bytes, and was timestamped 6-6-86, 9:44. When we
looked in more detail at this program, we found some interesting things.

It looks as if the original CORETEST program was an EXE file, and the trojan
author prepended his code to it. This code consists of some relocation stuff,
then a decryptor, to decrypt the following 246h bytes. The decryption is a
double xor with a changing byte. Those 246h bytes, when run, examine the memory
to try to find one of five sets of hard disk handler code (presumably
corresponding to five Bioses). When it finds one of them, (we have identified
the first one as being the IBM XT Bios) it plants the trojan MBR in place, using
a far call to the Bios code. The trojan MBR is 200h of the 246h bytes. The
trojan is patched so that it also does disk accesses using a far call to the
same location. Finally, the prepended trojan passes control to the original
program. We call the combination of the prepended code, plus the original
program, the Dropper.

The main purpose of the encryption, we would guess, is to evade detection by
programs that check code for bombs and trojans. There are no suspicious strings
or interrupt calls in the code until it is decrypted at run time.

As far as we can tell, it is not a virus, but a trojan. However, it is
unlikely that all the patching to the original program was done by hand - it is
far more likely that the trojan author wrote a prepender program (we would call
this the Prepender), to automatically attach his code to the target executable.
If this is the case, then there are two consequences. The first is that he
might have trojanized other programs besides the one that we have examined. In
other words, there might be other Droppers around besides the one we have
examined. The second is that if that is the case, we cannot rely on the
encryption having the same seed each time, as the Prepender might change the
seed each time it operates. So it would be unsafe to assume we can use a search
string based on the decryptor.

Indeed, a further possibility exists. The Prepender program might have been
placed into circulation, and people running it would unwittingly be creating
additional Droppers. There is absolutely no evidence to suggest that that is
actually the case, but we would ask anyone who detects this Dropper in one of
their files, to also examine all the others.

Detection

Here are a variety of ways to detect the trojan. The hexadecimal string e4 61 e0
0c 80 e6 61 is to be found in the MBR. This string will also be found in memory
if you have booted from a trojanized MBR, at location 0:38b. You can use Debug
to search in memory.

A useful search string to detect the Dropper is

be 64 02 31 94 42 01 d1 c2 4e 79 f7

Getting rid of it

It's easy to get rid of Droppers; just delete them and replace them with a clean
copy. If you find the string above in the MBR or in memory at 0:38b, you need
to boot from a clean Dos diskette and replace the partition record. DO NOT use
Fdisk to do this unless you are prepared for Fdisk to zero your FAT and
directory; you will lose all your data that way. One way would be to do a
file-by-file backup, low-level format to get rid of the trojan MBR, then Fdisk
Format and restore your backup. We would recommend doing two backups using as
different methods as possible if you use this route, in case one of them fails
to restore.

The other way to replace the partition is to run a program that drops a clean
partition record onto the MBR, but doesn't change the partitioning data. We are
currently preparing one of these - please ask if you need it.

Damage done

The whole of the MBR is used for the code. Most normal MBRs don't use more than
half the space, and a number of other programs have started using this space.
For example, Disk Manager and the Western Digital WDXT-Gen controllers (but the
Dropper doesn't work on the WDXT-Gen). This means that the Dropper might cause
an immediate problem in some circumstances.

The main damage done, however, will be in the impression that this trojan
creates that your hardware is suffering from a variety of faults, which usually
go away when you reboot (only to be replaced by other faults). Also, the FAT
gets progressively corrupted.

(End of appended message)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Neither the United States Government nor the University of California nor any of
their employees, makes any warranty, expressed or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the University of
California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor the
University of California, and shall not be used for advertising or product
endorsement purposes.
