VX Heaven

Gibraltar Monkey - Virus for MS-DOS by Mister Sandman

Virus for MS-DOS

Mister Sandman

1999-00-00

Download: gbmonkey.zip (9147 bytes)

Released in Matrix#1

Author's notes

Introduction

Welcome to my first finished virus in my career as an independent virus writer. After three years stamping the "29A" trademark on everything I could, it got pretty strange to me to sign this virus without it.

However, this wasn't the only thing which changed. In fact this virus is the most significant specimen of my transition... besides the fact that I left 29A, Gibraltar Monkey is a DOS-specific virus, the last one I will ever write for this platform. Also, I'm changing my coding style a bit. While this feature ain't too remarkable in this virus, it will for sure be a completely latent fact in my next viruses. And last, but not least, Gibraltar Monkey is the first of a long series of viruses whose source code I will not comment. Now that I work on my own I don't feel like spending a lot of time, once my viruses are finished, writing a comment on each line of code explaining what it does... this was something I used to do in 29A because of the educational purposes of the magazine we edited, but now it doesn't make sense anymore.

Description

Enough of this. Going straight to what this virus *is*, the first thing I should say is that it's just an experiment. Don't expect to find anything new here because, though pretty bizarre and uncommon, there's nothing in this virus nobody else has ever seen. While being in 29A I had something like a moral debt, which made it impossible for me to think about ever writing weird viruses like this one. However, it had always been my wish, especially in those moments in which I used to check "Q"'s viruses, which made me feel something like an internal envy I couldn't free.

As soon as I left 29A I decided to wash up a little bit one virus I had written in one of the aforementioned moments, a virus I never felt encouraged to release because it always seemed too lame to me as regards the self-imposed minimum quality level for 29A. I had written it in one day and hadn't even tried whether it worked or not... I just left it lost in one of my directories, and it was a couple of days ago when I decided to "reactivate" it. I met mad-man on Undernet #virus and I was not surprised when he, after having tested my virus, told me something did not work... it was just a matter of three minutes: I had made an error while restoring COM files and jumping to their original entry point. After I fixed this and checked that the rest had no bugs, I knew it was time to write this text and prepare the release of my virus.

But, having a glance at the technical aspects of Gibraltar Monkey themselves, there are several things to say as well. It's a memory-resident DOS virus which infects COM, EXE, OBJ and SYS files. The virus itself is completely bizarre. While I didn't write nonsense things nor a trash engine which generates a lot of weird instructions, Gibraltar Monkey is bizarre as regards self-contradictions. Every virus has, even if not deliberately, a hidden purpose. It is possible, by means of a logical analysis of the viral code, to discover this purpose. For instance, Torero, one of my DOS viruses, was written with the purpose of teaching two new techniques which could be useful... in fact anybody could say it was just a vehicle for these specific routines I had written. In Gibraltar Monkey's case, no logic can be applied to its analysis. Somebody could even say its purpose is not to have any purpose :)

What I mean is, there is no logic in combining highly infectious spreading techniques with no polymorphism, and even no encryption... this is just a very simple example of what you will find here. Apart from this, it is also important to notice the use of uncommon routines combined with maybe the most standard ones... the whole virus goes just like this, every routine being carefully written to counteract its opposite one. It reaches the point of "getting such an equilibrium which is able to unbalance the virus harmony". Of course, I prefer not to give a full list of these features, but to encourage the reader to check this himself, on his own, which undoubtedly will be much more interesting.

Behavior

Gibraltar Monkey, once executed, checks the type of host from which it's being run. Normal hosts, at the start of their code, create a dropper in the root directory with a random name which always ends with a "G", and modify config.sys in order to get loaded on every boot. Later, the virus checks whether there is an active copy of itself in memory or not. In case there is not, it checks the type of processor on which it is running. If it's not a Pentium nor a 486 it will activate SYS infection. Otherwise, because of some incompatibilities or possible problems which might happen, SYS infection will get disabled. Once this check is done the Monkey tries to go resident and then restores its host and logically jumps back to its original entry point, having determined before whether it deals with a COM or an EXE file. Gibraltar Monkey's memory handler just checks for internal and 4Eh/4Fh calls. In case the latter happen, the virus jumps straight to its file processing and infecting routines, which are able to deal with COM, EXE, OBJ and SYS formats comprehensively.

Body copies which were dropped from normal generations of the Monkey have a different flag, and hence a different behavior. These viral copies create a new virus dropper, under the name "gbmonkey.com", in the root directory. Later they create a file called "winstart.bat". It will be executed every time Windows (both Win 3.1x and Win32) is started. It contains some commands which execute the virus dropper gbmonkey.com and later delete both this file and itself, leaving no trace of any kind of virus presence. This way, Gibraltar Monkey will go resident every time a Windows session is started, since the DOS functions it hooks are shared and thus called directly from Windows.

Nothing left to say, besides the fact that anyone can appreciate that the virus performs a series of actions which allow it to keep its survival cycle alive: normal copies create virus droppers which get loaded on every boot, and these droppers in their turn create new droppers, which, as well, make sure to keep the virus memory resident even when Windows is started. However, having no stealth mechanism at all makes it easier to detect viral activity... a new counterpoint :)
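Since the persistence described above leaves plain-text traces (a config.sys entry for a root-directory file whose name ends in "G", and a winstart.bat that runs gbmonkey.com and then deletes both files), those traces can be checked from a clean boot. The script below is an added detection example; it is not part of the page or the virus source. It assumes the config.sys entry uses one of the standard loader directives (DEVICE=, DEVICEHIGH= or INSTALL=), which the notes do not specify, and the file contents it runs on are constructed samples.

```python
"""Check DOS startup files for the persistence artifacts described in the
Behavior section. Added example, not code from the page or from the virus.
Assumption: config.sys loads the dropper through DEVICE=, DEVICEHIGH= or
INSTALL=; the notes only say config.sys is modified.
"""
import re

# A loader directive followed by an absolute DOS path, e.g. DEVICE=C:\XYZG.COM
_LOADER_RE = re.compile(
    r"^\s*(DEVICE|DEVICEHIGH|INSTALL)\s*=\s*(?P<path>[A-Za-z]:\\\S+)",
    re.IGNORECASE,
)


def suspicious_config_sys_lines(text):
    """Return config.sys lines that load a root-directory file whose base
    name ends in "G". Heuristic: review hits by hand."""
    hits = []
    for line in text.splitlines():
        m = _LOADER_RE.match(line)
        if not m:
            continue
        parts = m.group("path").split("\\")  # ['C:', 'XYZG.COM'] for a root file
        if len(parts) != 2:
            continue  # lives in a subdirectory, not the root
        base = parts[1].rsplit(".", 1)[0]
        if base.upper().endswith("G"):
            hits.append(line.strip())
    return hits


def winstart_bat_indicators(text):
    """Flag the three behaviours the notes attribute to winstart.bat."""
    lower = text.lower()
    return {
        "runs_gbmonkey": re.search(
            r"^\s*(call\s+)?\S*gbmonkey(\.com)?\s*$", lower, re.MULTILINE) is not None,
        "deletes_dropper": re.search(r"\bdel\s+\S*gbmonkey\.com", lower) is not None,
        "deletes_self": re.search(r"\bdel\s+(\S*winstart\.bat|%0)", lower) is not None,
    }


def scan_startup_files(config_sys_text, winstart_text):
    """Combine both checks into one verdict dictionary."""
    cfg_hits = suspicious_config_sys_lines(config_sys_text)
    bat = winstart_bat_indicators(winstart_text)
    return {
        "config_sys_hits": cfg_hits,
        "winstart": bat,
        "suspicious": bool(cfg_hits) or all(bat.values()),
    }


# Constructed samples (not captured from a real machine).
CONFIG_SYS_SAMPLE = (
    "DEVICE=C:\\HIMEM.SYS\r\n"
    "DEVICE=C:\\DOS\\EMM386.EXE NOEMS\r\n"
    "DEVICE=C:\\XQWTG.COM\r\n"
    "FILES=30\r\n"
)
WINSTART_BAT_SAMPLE = (
    "@echo off\r\n"
    "C:\\GBMONKEY.COM\r\n"
    "del C:\\GBMONKEY.COM\r\n"
    "del C:\\WINSTART.BAT\r\n"
)
CLEAN_WINSTART = "@echo off\r\nC:\\UTILS\\MOUSE.COM\r\n"

if __name__ == "__main__":
    print(scan_startup_files(CONFIG_SYS_SAMPLE, WINSTART_BAT_SAMPLE))
    print(scan_startup_files("FILES=30\r\n", CLEAN_WINSTART))
```

On a real machine read C:\CONFIG.SYS and the Windows directory's WINSTART.BAT into the two text arguments; because winstart.bat deletes itself after it runs, the file is only present between the dropper's write and the next Windows start, so the config.sys check is the more durable of the two.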

Payloads

Last but not least, it remains to say that the virus has two different activations which trigger their own payload depending on the system date. The first of these activations takes place on every March 8th, the date on which over 700 Gibraltarians went back to the Rock after having been threatened by the Spanish government. The virus payload which gets triggered on this day trojanizes every GIF file processed by means of find first and find next calls, overwriting these images with the Gibraltar flag (two horizontal frames, white + red, with a design of Calpe Castle between them). This may cause, for instance, your Internet browser to display a lot of Gibraltar flags instead of the GIF files which may be part of a given website.

The other activation takes place every September 10th, trying to commemorate the year 1967, when Gibraltarians were submitted to a referendum in which they had to decide whether they wanted to be dependent on the UK or on Spain, the former having won. On this date, infected SYS files hang the computer once they have displayed the following message:

    Gibraltar Monkey!
    (A)bort, (R)etry, (I)gnore?
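The March 8th payload writes one and the same flag image over every GIF it touches, which is something a file-system sweep can look for afterwards. The script below is an added example, not code from the page or the virus, with two independent checks: a *.gif file that no longer starts with a GIF87a/GIF89a signature was overwritten with something that is not a GIF at all, and several *.gif files with byte-identical contents are the mark of one image having been written over many different files. The second check assumes the payload writes identical image data into every file, which is what the description implies; the sample contents are constructed.

```python
"""Sweep for GIF files hit by the March 8th payload described above.
Added example, not code from the page or from the virus. Assumption: the
payload writes the same flag image bytes into every GIF it overwrites.
"""
import hashlib
import os
from collections import defaultdict

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")


def gif_header_ok(data):
    """True if the bytes start with a valid GIF signature."""
    return data.startswith(GIF_SIGNATURES)


def load_gifs(root):
    """Read every *.gif under root into a {path: bytes} map (real use)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".gif"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    files[path] = fh.read()
    return files


def find_bad_gif_headers(files):
    """Paths named *.gif whose contents lack a GIF signature."""
    return sorted(p for p, data in files.items()
                  if p.lower().endswith(".gif") and not gif_header_ok(data))


def find_identical_gifs(files):
    """Groups (size >= 2) of *.gif paths with byte-identical contents."""
    by_hash = defaultdict(list)
    for path, data in files.items():
        if path.lower().endswith(".gif"):
            by_hash[hashlib.sha256(data).hexdigest()].append(path)
    return sorted(sorted(group) for group in by_hash.values() if len(group) >= 2)


# Constructed sample: two "images" replaced by the same bytes, one untouched,
# one overwritten with non-GIF data, and one non-GIF file that must be ignored.
FLAG_IMAGE = b"GIF89a" + bytes(20) + b"constructed-flag-bytes"
SAMPLE_FILES = {
    "C:\\WEB\\LOGO.GIF": FLAG_IMAGE,
    "C:\\WEB\\PHOTO.GIF": FLAG_IMAGE,
    "C:\\WEB\\ICON.GIF": b"GIF87a" + b"\x01" * 10,
    "C:\\WEB\\BROKEN.GIF": b"not a gif any more",
    "C:\\WEB\\NOTES.TXT": FLAG_IMAGE,
}

if __name__ == "__main__":
    print("bad headers:", find_bad_gif_headers(SAMPLE_FILES))
    print("identical groups:", find_identical_gifs(SAMPLE_FILES))
```

For a real sweep pass `load_gifs("C:\\")` to both finders. Identical GIFs are not proof on their own (a site may legitimately ship the same spacer image under several names), so compare the group's contents against a known-good copy of one of the files before treating it as payload damage.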

I decided to call this virus "Gibraltar Monkey" after the typical tailless monkeys which live free in Apes' Den, one of the most significant places in Gibraltar. Every tourist who goes to Apes' Den can't avoid being told a tale related to these monkeys, a tale which has a lot to do with the behavior of this virus. Don't hesitate to pay a good visit to this place if you have the chance, which will turn as well into an opportunity to understand the aforementioned relationship between this virus and the famous tale.

Compiling it

  tasm /m gbmonkey.asm
  tlink /x gbmonkey.obj
  exe2bin gbmonkey.exe gbmonkey.com
