Enough of this. Going straight to what this virus
*is*, the first thing i should say is that it's just an experiment. Don't expect to find
anything new here because, though pretty bizarre and uncommon, there's nothing in this
virus nobody else has ever seen. While i was in 29A i had something like a moral debt,
which made it impossible for me to think about ever writing weird viruses like this one.
However, it had always been my wish, especially in those moments when i used to check
"Q"'s viruses, which made me feel something like an internal envy i couldn't
get rid of. As soon as i left 29A i decided to clean up a little one virus i had written in
one of the aforementioned moments, a virus i had never been encouraged to release because it always
seemed too lame to me regarding the self-imposed minimum quality level of 29A.
I had written it in one day and hadn't even tried whether it worked or not... i just left it
lost in one of my directories, and it was a couple of days ago that i decided to
"reactivate" it. I met mad-man on Undernet #virus and i was not surprised when
he, after having tested my virus, told me something did not work... it was just a matter
of three minutes: i had made an error while restoring COM files and jumping to their
original entry point. After i fixed this and checked that the rest had no bugs, i knew it was
time to write this text and prepare the release of my virus.
But, having a glance at the technical aspects of Gibraltar Monkey themselves, there are several things to say as well. It's a memory resident DOS virus which infects COM, EXE, OBJ and SYS files. The virus itself is completely bizarre. While i didn't write nonsense nor a trash engine which generates a lot of weird instructions, Gibraltar Monkey is bizarre as regards self-contradictions. Every virus has, even if not deliberately, a hidden purpose. It is possible, by means of a logical analysis of the viral code, to discover this purpose. For instance, Torero, one of my DOS viruses, was written with the purpose of teaching two new techniques which could be useful... in fact anybody could say it was just a vehicle for these specific routines i had written. In Gibraltar Monkey's case, no logic can be applied to its analysis. Somebody could even say its purpose is not to have any purpose :)
What i mean is, there is no logic in combining highly infectious spreading techniques with no polymorphism, and even no encryption... this is just a very simple example of what you will find here. Apart from this, it is also important to notice the use of uncommon routines combined with maybe the most standard ones... the whole virus goes just like this, every routine having been carefully written to counteract its opposite. It reaches the point of "getting such an equilibrium which is able to unbalance the virus harmony". Of course, i prefer not to give a full list of these features, but to encourage the reader to check this himself, on his own, which undoubtedly will be much more interesting.
Gibraltar Monkey, once executed, checks for the type of host from which it's being run. Normal hosts, at the start of their code, create a dropper in the root directory, with a random name which always ends with a "G", and modify config.sys in order to get loaded on every boot. Later, the virus checks whether there is an active copy of itself in memory or not. In case there is not, it checks for the type of processor on which it is running. If it's not a Pentium nor a 486 it will activate SYS infection. Otherwise, because of some incompatibilities and possible problems which might happen, SYS infection gets disabled. Once this check is done the Monkey tries to go resident and then restores its host and logically jumps back to its original entry point, having determined before whether it deals with a COM or an EXE file. Gibraltar Monkey's memory handler just checks for internal calls and for 4eh/4fh calls (the DOS find first / find next functions). In case the latter happen, the virus jumps straight to its file processing and infecting routines, which are able to deal with COM, EXE, OBJ and SYS formats comprehensively.
Body copies which were dropped from normal generations of the Monkey do have a different flag, and hence a different behavior. These viral copies create a new virus dropper, under the name of "gbmonkey.com", in the root directory. Later they create a file called "winstart.bat". It will be executed every time Windows (both Win 3.1x and Win32) is started. It contains some commands which execute the virus dropper gbmonkey.com and later delete both this file and itself, leaving no trace of any kind of virus presence. This way, Gibraltar Monkey will go resident every time a Windows session is started, since the DOS functions it hooks are shared and thus called directly from Windows.
Nothing is left to say, besides the fact that anyone can appreciate that the virus performs a series of actions which allow it to keep its survival cycle alive: normal copies create virus droppers which get loaded on every boot, and these droppers in turn create new droppers, which, as well, make sure to keep the virus memory resident, even when Windows is started. However, having no stealth mechanism at all makes it easier to detect viral activity... a new counterpoint :)
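Since the persistence described above leaves visible traces (a root-directory loader line in config.sys and a winstart.bat that runs and then deletes gbmonkey.com), the following is an added detection sketch; it is not part of the original text nor the author's code. It assumes the config.sys hook is a DEVICE*/INSTALL* line, that the trailing "G" is in the 8.3 base name, and it runs over constructed sample files rather than a real disk.

```python
"""Indicator check for the persistence artifacts described in the text.
All sample file contents below are constructed for this example."""
import re

# Constructed config.sys: two ordinary lines plus one matching the description
# (a root-directory file with a random base name ending in "G"). The INSTALL
# keyword is an assumption; the text only says config.sys is modified.
SAMPLE_CONFIG_SYS = """DEVICE=C:\\DOS\\HIMEM.SYS
DEVICEHIGH=C:\\DOS\\EMM386.EXE NOEMS
INSTALL=C:\\QWERTYG.COM
FILES=30
"""

# Constructed winstart.bat reflecting the description: run the dropper from the
# root directory, then delete the dropper and the batch file itself.
SAMPLE_WINSTART = """@echo off
C:\\GBMONKEY.COM
del C:\\GBMONKEY.COM
del %0
"""

LOADER_LINE = re.compile(r"^\s*(DEVICE|DEVICEHIGH|INSTALL|INSTALLHIGH)\s*=\s*(\S+)", re.I)

def loader_paths(config_sys_text):
    """Every file path that config.sys loads at boot (DEVICE*/INSTALL* lines)."""
    return [m.group(2) for line in config_sys_text.splitlines()
            if (m := LOADER_LINE.match(line))]

def suspicious_root_loaders(config_sys_text):
    """Loader paths that sit directly in a drive root with an 8.3 base name
    ending in 'G'. Assumption: the 'G' belongs to the base name, not the extension."""
    hits = []
    for path in loader_paths(config_sys_text):
        m = re.fullmatch(r"[A-Z]:\\([A-Z0-9_~$-]{1,8})(\.[A-Z0-9]{1,3})?", path, re.I)
        if m and m.group(1).upper().endswith("G"):
            hits.append(path)
    return hits

def winstart_runs_gbmonkey(winstart_text):
    """True when winstart.bat both executes a root-directory gbmonkey.com and
    deletes it afterwards, i.e. the self-cleaning sequence the text describes."""
    lines = [l.strip().upper() for l in winstart_text.splitlines() if l.strip()]
    runs = any(re.fullmatch(r"(?:CALL\s+)?[A-Z]:\\GBMONKEY\.COM", l) for l in lines)
    deletes = any(re.fullmatch(r"DEL\s+[A-Z]:\\GBMONKEY\.COM", l) for l in lines)
    return runs and deletes
```

Neither check is a signature for the viral code itself; they only surface the boot-time and Windows-start hooks, which a full scan of the root directory would then confirm.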
Last but not least, it remains to say that the virus has two different activations which trigger their own payload depending on the system date. The first of these activations takes place on every March 8th, the date on which over 700 Gibraltarians went back to the Rock after having been threatened by the Spanish government. The virus payload which gets triggered on this day trojanizes every GIF file processed by means of find first and find next calls, overwriting these images with the Gibraltar flag (two horizontal frames, white + red, with a design of Calpe Castle between them). This may cause, for instance, your Internet browser displaying a lot of Gibraltar flags instead of the GIF files which may be part of a given website.
The other activation takes place every September 10th, trying to commemorate the year 1967, when Gibraltarians were put to a referendum in which they had to decide whether they wanted to be dependent on the UK or on Spain, the former having won. On this date, infected SYS files hang the computer once they have displayed the following message:
(A)bort, (R)etry, (I)gnore?
I decided to call this virus "Gibraltar Monkey" after the typical tailless monkeys which live free in Apes' Den, one of the most significant places in Gibraltar. Every tourist who goes to Apes' Den can't avoid being told a tale related to these monkeys, a tale which has a lot to do with the behavior of this virus. Don't hesitate to pay a visit to this place if you have the chance, which will also turn into an opportunity to understand the aforementioned relationship between this virus and the famous tale.