
Twelve Tricks Trojan Virus

What is Twelve Tricks?

Twelve Tricks is a Trojan horse that first appeared around 1990. Purdue University issued a bulletin about the Trojan on March 8, 1990. The Trojan was distributed as an altered copy of CORETEST.COM, a utility intended to test the performance of hard drives. It affected IBM-platform computers running MS-DOS or PC-DOS. The Trojan alters the master boot record (partition sector) and, at every reboot, installs one of twelve "tricks" that cause problems with the hardware or operation of the computer. The trick vanishes when the power is cut off, and any of the twelve tricks may appear or reappear on the next reboot. In addition, on each boot the Trojan uses a random number generator to decide whether to do a low-level format of the active copy of the boot sector and the first copy of the FAT; there is a 1/4096 chance of this happening. If the format does not happen, the Trojan changes one random word in any of the first sixteen sectors of the FAT, leading to gradual corruption of the file system.

Facts about Twelve Tricks Trojan Horse

Name: Twelve Tricks Trojan
Types: Only one known variant: CORETEST.COM VERSION 2.6, 32469 bytes, timestamp
6-6-86 9:44
Platform: IBM PC and PC clones running MS DOS or IBM-PC DOS
Damage: Varies from slow program execution to low level formatting of disk
Symptoms: A variety of disruptions and/or damage, based on a random number
between one and twelve. Affects system performance, writing to screen, clock,
printer and/or keyboard malfunctions, random disk writes, garbled printer
output, boot sector, File Allocation Table (FAT) or directory overwrites, and a
low level format of select tracks on the hard disk. Other symptoms include the
floppy disk motor running continuously and diskettes with a damaged FAT,
directory and/or boot sector.
Detection: Examine the Master Boot Record (MBR) for the message:

SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC
2840 St. Thomas Expwy, Suite 201
Santa Clara, CA 95051
(see important note below)

or search the MBR and memory for the following hex string:

e4 61 8a e0 0c 80 e6 61

If you suspect a program, you can use the search string:

64 02 31 94 42 01 d1 c2 4e 79 f7

Caution: These search strings are based on the Trojan program examined by the
discoverer. If there are modifications to this program, the above search
strings may not work.

Eradication: Remove the Trojan program by deleting it. To recover from a
corrupt MBR, back up current data files and programs, perform a low level
format and restore data files and programs from a recent backup.
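
The Detection checks above can be scripted. The following is an added example, not part of the original bulletin or article: it scans a dumped first sector for the MBR message and hex string, and a suspect program for the program search string and the known 32469-byte size. It assumes the sector or file has already been saved to disk and that the message is stored as plain ASCII; the function names are hypothetical.

```python
import sys

# Indicators copied from the Detection entry on this page.
MBR_MESSAGE = b"SOFTLOK+ V3.0 SOFTGUARD SYSTEMS INC"
MBR_HEX = bytes.fromhex("e4 61 8a e0 0c 80 e6 61")
PROGRAM_HEX = bytes.fromhex("64 02 31 94 42 01 d1 c2 4e 79 f7")
KNOWN_SIZE = 32469  # size of the one known variant of CORETEST.COM
SECTOR = 512        # an MBR dump is one 512-byte sector

def offsets(data, pattern):
    """Return every offset at which pattern occurs in data."""
    found, pos = [], data.find(pattern)
    while pos != -1:
        found.append(pos)
        pos = data.find(pattern, pos + 1)
    return found

def scan_mbr(sector):
    """Check a dumped first sector for the two MBR indicators."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector dump")
    mbr = sector[:SECTOR]
    # Assumption: match the message case-insensitively; the hex string is matched exactly.
    hits = {"message": offsets(mbr.upper(), MBR_MESSAGE), "hex": offsets(mbr, MBR_HEX)}
    return {name: found for name, found in hits.items() if found}

def scan_program(data):
    """Check a suspect program for the program search string and the known size."""
    hits = {"hex": offsets(data, PROGRAM_HEX)}
    if len(data) == KNOWN_SIZE:
        hits["size"] = [KNOWN_SIZE]
    return {name: found for name, found in hits.items() if found}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: scan.py mbr|program <dump-file>
        with open(sys.argv[2], "rb") as fh:
            blob = fh.read()
        print((scan_mbr if sys.argv[1] == "mbr" else scan_program)(blob))
    else:  # constructed sample sector, not taken from a real infected disk
        sample = bytearray(SECTOR)
        sample[0x40:0x48] = MBR_HEX
        print(scan_mbr(bytes(sample)))
```

An empty result only means these particular strings were not found; as the Caution above says, a modified copy of the Trojan may not contain them.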