Enough of this. Going straight to what this virus *is*, the first thing I should say is that
it's just an experiment. Don't expect to find anything new here because, though pretty bizarre
and uncommon, there's nothing in this virus that nobody else has ever seen. While I was in 29A
I had something like a moral debt, which made it impossible for me to think about ever writing
weird viruses like this one. However, it had always been my wish, especially in those moments
when I used to check "Q"'s viruses, which made me feel something like an internal envy I
couldn't free myself of. As soon as I left 29A I decided to clean up a little one virus I had
written in one of the aforementioned moments, a virus I never felt encouraged to release
because it always seemed too lame to me with regard to the self-imposed minimum quality level
for 29A. I had written it in one day and didn't even try whether it worked or not... I just
left it lost in one of my directories, and it was a couple of days ago that I decided to
"reactivate" it. I met mad-man on Undernet #virus and I was not surprised when he, after
having tested my virus, told me something did not work... it was just a matter of three
minutes; I had made an error while restoring COM files and jumping to their original entry
point. After I fixed this and checked that the rest had no bugs, I knew it was time to write
this text and prepare the release of my virus.
But, having a glance at the technical aspects of Gibraltar Monkey themselves, there are
several things to say as well. It's a memory-resident DOS virus which infects COM, EXE, OBJ
and SYS files. The virus itself is completely bizarre. While I didn't write nonsense
routines nor a trash engine which generates a lot of weird instructions, Gibraltar Monkey is
bizarre as far as self-contradictions are concerned. Every virus has, even if not
deliberately, a hidden purpose. It is possible, by means of a logical analysis of the viral
code, to discover this purpose. For instance, Torero, one of my DOS viruses, was written
with the purpose of teaching two new techniques which could be useful... in fact anybody
could say it was just a vehicle for the specific routines I had written. In Gibraltar
Monkey's case, no logic can be applied to its analysis. Somebody could even say its
purpose is not to have any purpose :)
What I mean is, there is no logic in combining highly infectious spreading techniques with
no polymorphism, and not even encryption... this is just a very simple example of what you
will find here. Apart from this, it is also important to notice the use of uncommon
routines combined with maybe the most standard ones... the whole virus goes just like this,
every routine carefully written to counteract its opposite one. It reaches the
point of "getting such an equilibrium which is able to unbalance the virus
harmony". Of course, I prefer not to give a full list of these features, but to
encourage the reader to check this himself, on his own, which undoubtedly will be much
more interesting.
Behavior
Gibraltar Monkey, once executed, checks the type of host from which it's being run.
Normal hosts, at the start of their code, create a dropper in the root directory with a
random name which always ends with a "G", and modify config.sys in order to get
loaded on every boot. Later, the virus checks whether there is an active copy of itself in
memory or not. In case there is not, it checks the type of processor on which it is
running. If it's neither a Pentium nor a 486 it will activate SYS infection. Otherwise,
because of some incompatibilities and possible problems which might happen, SYS infection
is disabled. Once this check is done the Monkey tries to go resident and then
restores its host and jumps back to its original entry point, having determined
beforehand whether it deals with a COM or an EXE file. Gibraltar Monkey's memory handler just
checks for internal calls and for 4eh/4fh (find first/find next) calls. In case the latter
happen, the virus jumps straight to its file processing and infecting routines, which are
able to deal with COM, EXE, OBJ and SYS formats comprehensively.
Body copies which were dropped by normal generations of the Monkey do have a different
flag, and hence a different behavior. These viral copies create a new virus dropper, under
the name "gbmonkey.com", in the root directory. Later they create a file
called "winstart.bat", which is executed every time Windows (both Win 3.1x and
Win32) is started. It contains some commands which execute the virus dropper gbmonkey.com
and later delete both that file and itself, leaving no trace of any kind of virus
presence. This way, Gibraltar Monkey goes resident every time a Windows session is
started, since the DOS functions it hooks are shared and thus called directly from
Windows.
Nothing is left to say, besides the fact that anyone can appreciate that the virus performs a
series of actions which allow it to keep its survival cycle alive: normal copies create
virus droppers which get loaded on every boot, and these droppers in their turn create new
droppers, which, as well, make sure to keep the virus memory resident, even when Windows
is started. However, having no stealth mechanism at all makes it easier to detect viral
activity... a new counterpoint :)
Last but not least, it remains to say that the virus has two different activations which
trigger their own payload depending on the system date. The first of these activations
takes place every March 8th, the date on which over 700 Gibraltarians went back to the
Rock after having been threatened by the Spanish government. The virus payload which gets
triggered on this day trojanizes every GIF file processed by means of find first and find
next calls, overwriting these images with the Gibraltar flag (two horizontal bands,
white + red, with a design of Calpe Castle between them). This may cause, for instance,
your Internet browser to display a lot of Gibraltar flags instead of the GIF files which
are part of a given website.
The other activation takes place every September 10th, commemorating the year 1967,
when Gibraltarians were submitted to a referendum in which they had to decide whether
they wanted to be dependent on the UK or on Spain, the former having won. On this date,
infected SYS files hang the computer once they have displayed the following message:
Gibraltar Monkey!
(A)bort, (R)etry, (I)gnore?
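As an added, defender's-side example (not part of the original text and not the author's code), the following Python script checks a DOS-style root directory for the host artifacts the two behavior passages above name: the fixed-name dropper gbmonkey.com in the root, a winstart.bat that runs it, a config.sys entry loading a root file whose base name ends in "G", and the SYS-payload banner string inside any file. The text does not say which config.sys directive the virus uses, so the directive list and the regex shape are this example's own assumptions, as are the function names and indicator labels; the sample root it scans is constructed in a temporary directory and contains no real viral code.

```python
import os
import re
import tempfile

# Indicators taken from the description above. The directive list and regex shape are
# assumptions made for this example (the text only says config.sys is modified).
PAYLOAD_BANNER = b"Gibraltar Monkey!"   # first line of the SYS-payload message
DROPPER_NAME = "gbmonkey.com"           # dropper written to the root by body copies
WINSTART = "winstart.bat"               # Windows start-up batch file the body copies create
CONFIG_LOAD_RE = re.compile(
    r"^\s*(device|devicehigh|install|installhigh|shell)\s*=\s*"   # assumed load directives
    r"(?:[a-z]:)?\\?([^\\\s.]*g)\.[a-z0-9]{1,3}(?:\s|$)",          # root file, base name ends in G
    re.I,
)


def scan_root(root):
    """Return sorted (indicator, path) pairs found under a DOS-style root directory."""
    findings = []
    entries = {n.lower(): os.path.join(root, n) for n in os.listdir(root)}

    if DROPPER_NAME in entries:                       # 1. fixed-name dropper in the root
        findings.append(("root_dropper", entries[DROPPER_NAME]))

    if WINSTART in entries:                           # 2. winstart.bat that runs the dropper
        with open(entries[WINSTART], "rb") as f:
            if DROPPER_NAME.encode() in f.read().lower():
                findings.append(("winstart_runs_dropper", entries[WINSTART]))

    if "config.sys" in entries:                       # 3. config.sys loading a root *G file
        with open(entries["config.sys"], "rb") as f:
            for raw in f.read().splitlines():
                if CONFIG_LOAD_RE.match(raw.decode("ascii", "replace")):
                    findings.append(("config_sys_loads_g_file", entries["config.sys"]))
                    break

    for dirpath, _, files in os.walk(root):           # 4. payload banner anywhere in the tree
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                if PAYLOAD_BANNER in f.read():
                    findings.append(("payload_banner", path))
    return sorted(findings)


def build_constructed_root(root, infected):
    """Write a CONSTRUCTED sample DOS root into `root`. None of the bytes are real viral code."""
    config = b"DEVICE=C:\\HIMEM.SYS\r\nFILES=30\r\n"
    if infected:
        config += b"INSTALL=C:\\XQ7G.COM\r\n"        # constructed random name ending in G
        with open(os.path.join(root, "WINSTART.BAT"), "wb") as f:
            f.write(b"@echo off\r\nC:\\GBMONKEY.COM\r\ndel C:\\GBMONKEY.COM\r\n")
        with open(os.path.join(root, "GBMONKEY.COM"), "wb") as f:
            f.write(b"\x90" * 16)                    # placeholder bytes only
        os.mkdir(os.path.join(root, "DOS"))
        with open(os.path.join(root, "DOS", "DRIVER.SYS"), "wb") as f:
            f.write(b"\x00" * 8 + b"Gibraltar Monkey!\r\n(A)bort, (R)etry, (I)gnore?")
    with open(os.path.join(root, "CONFIG.SYS"), "wb") as f:
        f.write(config)


def run_demo(infected=True):
    """Build a sample root in a temp dir, scan it, and return the indicator names found."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_root(root, infected)
        return [name for name, _ in scan_root(root)]


if __name__ == "__main__":
    print("infected sample:", run_demo(True))
    print("clean sample:   ", run_demo(False))
```

The config.sys check deliberately matches only files in the root directory (a path containing a subdirectory does not match), which mirrors where the text says the dropper is written; any real root would need the same four checks run against the actual drive rather than the temporary sample built here.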
I decided to call this virus "Gibraltar Monkey" after the typical tailless
monkeys which live free at Apes' Den, one of the most significant places in Gibraltar.
Every tourist who goes to Apes' Den can't avoid being told a tale related to
these monkeys, a tale which has a lot to do with the behavior of this virus. Don't
hesitate to pay a good visit to this place if you have the chance, which will also turn
into an opportunity to understand the aforementioned relationship between this virus and
the famous tale.