*************************************************************************** * The 911 Virus * * (An "Armagedon the Greek" Variant) * *************************************************************************** * Commentary and disassembly by Black Wolf * *************************************************************************** The 911 virus is a direct variant of the "Armagedon the GREEK" virus, derived merely by changing the text within and the dialing string. The virus' size is 1079 bytes, making the smallest carrier 1081 bytes. The main effect of the virus is to dial "911" every once in a while if a modem is present on com ports 1-4 (the original virus dialed the speaking clock in Greece). It is a memory resident .COM infector. When executed, the 911 virus checks for residency. If it is already installed, it simply passes control to the host file, otherwise, it goes memory resident, hooking Int 08h and Int 21h. When 911 goes resident, it uses a rather strange way of doing it. It re-executes the program and uses an Int 27 to go memory resident, but because of the second execution it does not truly terminate and is still able to return control to the host. Once memory resident, the 911 virus infect .COM files on execution (whenever an Int 21, function 4bh is called) after checking if the file has already been infected. The identification string the virus uses to check for infection is the string "Support Your Police" located near the end of the virus (the original was "Armagedon the GREEK"). The infection process is also somewhat strange, as the virus allocates all unused memory for itself, the loads the entire victim file into memory in one call. It then "infects" it in memory, and writes it back to the disk. Afterwards, it releases the memory. All of the dialing and timing is handled from the Int 08 (Timer Click) handler. When activated, it will dial 911 (police/fire/emergency) and wait for several seconds. It sends the commands to all ports 1-4, so the results of hardware other than modems connected to these ports may be unpredictable. The storage bytes are found at the very end of the file, with the first byte encrypted by adding 0bh to its value. Infected files may be repaired by restoring these bytes to the beginning, unencrypting the first one, and cutting the virus off the end of the host program.