ЪДДДДДДДДДДДДДДДДДДДДДДДДДДДДДї
                    і        VIRUS REPORT         і
                    і         1704 Format         і
                    АДДДДДДДДДДДДДДДДДДДДДДДДДДДДДЩ

Synonyms: Blackjack, 1704, Falling Letters.

Date of Origin: September, 1988.

Place of Origin: Germany.

Host Machine: PC compatibles.

Host Files: Remains resident. Infects COM files.

Increase in Size of Infected Files: 1704 bytes.

Nature of Damage: Affects system run-time
     operation. Corrupts program or overlay files. Formats or erases
     all/part of the hard disk upon activation.

Detected by: Scanv56+, F-Prot, IBM Scan, Pro
    -Scan.

Removed by: CleanUp, M-1704, Scan/D, F-Prot.

Derived from: 1701 (Cascade) virus.

Scan Code: Uses self-encryption.  FA 8B EC E8
     00 00 5B 81 EB 31 01 2E F6 87 2A 01 01 74 0F 8D B7 4D 01 BC
     85 06 31 34 31 24 46 4C 75 F8.

     The code for the 1704 virus is identical to the 1701 except for a
single instruction. The only differences are the removal of a
conditional jump from the 1701 (which would never have been taken), and
some necessary segment overrides on the BIOS tests missing in the
previous version.  The virus was designed to not infect micros
manufactured by IBM, but errors in coding enable it to infect any PC,
regardless of origin. The virus tests the BIOS for the string "COPR.
IBM", and contains code to not infect if it finds this - however there
are errors in the code which prevent it from working.

     As with the 1701, the 1704 can recognize if it has previously
infected a file. However, because recognition depends on the length of
the virus, it will infect programs already infected by variants with
different lengths. (1701 will infect COM files infected with 1704, and
vice versa.)

     The encryption of this virus is different in each instance of the
virus, being dependent on the size of the host file.

     The hard disk is formatted when the virus activates.

     This virus has been termed "Blackjack", which is a pun on the German
name "17+4" of a popular card game.

     Blackjack infects only COM-files which are at least 3 bytes long, and
it does so only once for any given file.  It overwrites the first three
bytes with a JMP to the beginning of the viral code, which is appended to
the file.  The 2 byte address of this JMP instruction is probably the
reason why only COM files are susceptible to infection.  Blackjack
retains the file's time stamp.  It even infects read-only files; on
write-protected floppy disks, it attempts writing 5 times per file, thus
revealing its activity.

     In the infected file, the viral code is cryptographically encoded,
using a simple Vigenere code depending on the length of the file; only
the instructions for decoding the encrypted part of the code are in plain
machine-language.  This is obviously intended as a impediment against
disassembling.  Hence, every copy of the virus looks different
(depending on the length of the file).

     On invocation of an infected program, Blackjack installs itself in
RAM (if no copy is already installed), then replaces the JMP instruction
with its former contents and resumes normal program operation.

     The storage map shows that Blackjack has tinkered with the free
storage pointer-chain to hide the fact that it has hooked interrupt 21. 
Hence, only a minor part of Blackjack is visible in the storage map.

     In every year, from October to December, Blackjack will interfere
with CGA or EGA operated screens, moving randomly chosen characters
down, like falling leaves in autumn.  After a while, you'll have a big
heap of characters at the bottom of your screen, and as you cannot see
anymore what the computer is trying to display, you'll probably have to
restart the system.  This behaviour has been predicted by two people, who
have disassembled Blackjack, and has later been observed on many
EGA-equipped ATs.<Note: Contributions to this section by Otto Stolz.>


ЙНННННННННННННННННННННННННННННННННННННННННННННННННННННННННННННННННННН»
є  This document was adapted from the book "Computer Viruses",       є
є  which is copyright and distributed by the National Computer       є
є  Security Association. It contains information compiled from       є
є  many sources. To the best of our knowledge, all information       є
є  presented here is accurate.                                       є
є                                                                    є
є  Please send any updates or corrections to the NCSA, Suite 309,    є
є  4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS  є
є  and upload the information: (202) 364-1304. Or call us voice at   є
є  (202) 364-8252. This version was produced May 22, 1990.           є
є                                                                    є
є  The NCSA is a non-profit organization dedicated to improving      є
є  computer security. Membership in the association is just $45 per  є
є  year. Copies of the book "Computer Viruses", which provides       є
є  detailed information on over 145 viruses, can be obtained from    є
є  the NCSA. Member price: $44; non-member price: $55.               є
є                                                                    є
є            The document is copyright (c) 1990 NCSA.                є
є                                                                    є
є  This document may be distributed in any format, providing         є
є  this message is not removed or altered.                           є
ИННННННННННННННННННННННННННННННННННННННННННННННННННННННННННННННННННННј

Downloaded From P-80 International Information Systems 304-744-2253