| Gaara | |
|---|---|
| Type | File virus |
| Creator | Lord Yup |
| Date Discovered | 19-JUN-2007 |
| Place of Origin | Poland |
| Source Language | Motorola 68000 Assembly |
| Platform | TIOS |
| File Type(s) | .89z |
| Infection Length | 589 bytes |
Gaara, also known as Tigraa, is a virus for TIOS, the operating system of Texas Instruments graphing calculators. It is the second known virus for a Texas Instruments calculator and the first one to infect binaries and to stay memory resident.
Behavior
(Figure: Gaara's payload when it appears)
Going Resident
When executed, Gaara locates the ROM call table. If it finds the table in ROM, the virus allocates memory for a copy of the table and copies it there. The virus uses one function to allocate memory at the top of the heap and then another to dereference the returned handle into a memory address, even though a single function can do both. It similarly allocates memory for its own body so that it remains resident after the host program terminates.
Infection
Gaara hooks SymFindNext() in the new call table and replaces the original call table pointer with a pointer to the new table. This function is similar to _findnext() on Unix or FindNextFile() on Windows. The virus uses the original SymFindNext() to retrieve information about potentially infectible files, in particular whether a file is archived in protected flash memory, locked, or deleted.
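The two paragraphs above describe a classic call-table hook: the table is copied into freshly allocated RAM, one slot (SymFindNext) is overwritten with the address of the resident virus body, and the pointer the OS dispatches through is swapped to the copy. The Python model below replays that sequence and then runs the integrity check a defender would apply to it: the active table and every entry in it must lie in ROM. This is an added example, not code from the page or from the virus; the address windows, the table size and the slot index used for SymFindNext are constructed stand-ins, not real TIOS values.

```python
"""Model of the call-table hook described above and an integrity check for it.

Added example, not code from the page or from the virus: the address windows,
the table size and the slot index used for SymFindNext are all constructed
stand-ins, not real TIOS values.  What is faithful to the description is the
mechanism: the table is copied into freshly allocated RAM, one slot is
overwritten, and the pointer the OS dispatches through is swapped to the copy."""
import struct

ROM_BASE, ROM_END = 0x200000, 0x400000   # constructed flash/ROM window
RAM_BASE, RAM_END = 0x000000, 0x040000   # constructed RAM window
TABLE_ENTRIES = 8                        # constructed; the real table is much larger
SYMFINDNEXT_SLOT = 3                     # constructed slot index for SymFindNext


def encode_table(entries):
    """Serialise a table of 32-bit pointers; the 68000 is big-endian."""
    return b"".join(struct.pack(">I", e) for e in entries)


def decode_table(blob):
    return list(struct.unpack(f">{len(blob) // 4}I", blob))


def clean_state():
    """Pristine system: the table sits in ROM and every entry points into ROM.
    'memory' maps an address to the raw bytes stored there."""
    table_addr = ROM_BASE + 0x1000
    entries = [ROM_BASE + 0x2000 + 0x100 * i for i in range(TABLE_ENTRIES)]
    return {"table_ptr": table_addr, "memory": {table_addr: encode_table(entries)}}


def apply_hook(state, copy_addr, hook_addr):
    """Replay the page's description: copy the ROM table into allocated RAM,
    overwrite the SymFindNext slot with the resident virus body's address,
    then repoint the call-table pointer at the RAM copy."""
    entries = decode_table(state["memory"][state["table_ptr"]])
    entries[SYMFINDNEXT_SLOT] = hook_addr
    state["memory"][copy_addr] = encode_table(entries)
    state["table_ptr"] = copy_addr
    return state


def in_rom(addr):
    return ROM_BASE <= addr < ROM_END


def check_call_table(state):
    """Defender's check: the active table and each of its entries must lie in
    ROM.  Returns a list of findings; an empty list means the table is intact."""
    findings = []
    ptr = state["table_ptr"]
    if not in_rom(ptr):
        findings.append(f"call-table pointer {ptr:#010x} points outside ROM")
    for slot, target in enumerate(decode_table(state["memory"][ptr])):
        if not in_rom(target):
            findings.append(f"slot {slot} -> {target:#010x} points outside ROM (hooked)")
    return findings


if __name__ == "__main__":
    print(check_call_table(clean_state()))                        # []
    hooked = apply_hook(clean_state(), RAM_BASE + 0x8000, RAM_BASE + 0x8400)
    for line in check_call_table(hooked):
        print(line)
```

On the hooked state the check reports both symptoms the page describes: the table pointer itself now lives in RAM, and the SymFindNext slot points at RAM rather than ROM. Either finding alone is enough to flag the table; a real check would read the pointer and table from the running system rather than from this dictionary.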
When it finds a suitable file, it checks for a previous infection by searching the entire file for the string "GAA". Gaara then checks whether the file is an assembly program. Once such a file has been found, it moves the relocation table down in the file to make room for the virus body. Gaara searches the file for the first instance of the instruction sequence "unlk a6/rts". If the sequence is found, Gaara replaces it with a branch to the virus body. If it is not found, the file is still infected, but the virus never gains control.
In spite of what the payload text suggests, the virus can also infect files on the TI-92 Plus and Voyage 200 calculators. The TI-84 and earlier models use a different processor, so the virus will not run on them.
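The infection routine above leaves two file-level traces a scanner can look for: the "GAA" marker the virus uses to recognise its own infections, and the disappearance of the first word-aligned "unlk a6 / rts" sequence (68000 encoding 4E5E 4E75) that the virus overwrites with its branch. The Python below is an added example, not the page's or the author's code. It works on raw bytes rather than parsing the .89z container, and the two sample files are constructed stand-ins containing only a header string, a function prologue and the epilogue. It also handles the edge case the paragraph mentions: a file with the marker but no epilogue is reported the same way whether the epilogue was patched over or never existed, since the virus infects either way.

```python
"""File-level indicators for a Gaara infection, as described above.

Added example, not the page's or the author's code.  It works on raw bytes
rather than parsing the .89z container, and the sample files are constructed
stand-ins with only a header string, a function prologue and the epilogue."""

GAARA_MARKER = b"GAA"                       # marker the virus itself searches for
UNLK_A6_RTS = bytes.fromhex("4E5E4E75")     # 68000 encoding of 'unlk a6 ; rts'
INFECTION_LENGTH = 589                      # from the infobox above


def find_marker(data):
    """Offset of the infection marker anywhere in the file, or None."""
    off = data.find(GAARA_MARKER)
    return None if off < 0 else off


def find_epilogue(data):
    """First word-aligned 'unlk a6 ; rts'.  68000 instructions are word
    aligned, so a hit at an odd offset is data, not code, and is skipped."""
    for off in range(0, len(data) - 3, 2):
        if data[off:off + 4] == UNLK_A6_RTS:
            return off
    return None


def assess(data):
    """Heuristic verdict.  The marker alone is what the virus keys on, so a
    file containing it is at least suspicious; a missing epilogue on top of
    that matches the virus having patched in its branch.  Plain data files
    can legitimately contain 'GAA', so the marker is a lead, not proof."""
    marker = find_marker(data)
    epilogue = find_epilogue(data)
    notes = []
    if marker is None:
        verdict = "clean"
    else:
        verdict = "suspicious"
        notes.append(f"infection marker at offset {marker:#x}")
        if epilogue is None:
            notes.append("no word-aligned 'unlk a6 ; rts' in the file: "
                         "patched over or never present (the virus infects either way)")
        else:
            notes.append(f"epilogue still present at offset {epilogue:#x} "
                         "(the virus patches only the first occurrence)")
    return {"verdict": verdict, "marker_offset": marker,
            "epilogue_offset": epilogue, "notes": notes}


def make_clean_sample():
    """Constructed stand-in for a tiny program: a header string, padding,
    'link a6,#0' and the 'unlk a6 ; rts' epilogue the virus looks for."""
    return b"**TI89**" + b"\x00" * 24 + bytes.fromhex("4E560000") + UNLK_A6_RTS


def make_infected_sample():
    """Constructed infected twin: the first epilogue becomes a BRA.W (0x6000
    plus a displacement, here an arbitrary constructed value) and a 589-byte
    body carrying the marker is appended."""
    clean = make_clean_sample()
    off = find_epilogue(clean)
    patched = clean[:off] + bytes.fromhex("60000100") + clean[off + 4:]
    body = GAARA_MARKER + b"\x00" * (INFECTION_LENGTH - len(GAARA_MARKER))
    return patched + body


if __name__ == "__main__":
    for name, sample in (("clean", make_clean_sample()),
                         ("infected", make_infected_sample())):
        result = assess(sample)
        print(name, result["verdict"], *result["notes"])
```

Run against the constructed pair, the clean file comes back "clean" and the infected one "suspicious" with both notes. Because the marker is a three-byte string, it is best treated as a trigger for closer inspection (size growth by the 589-byte body, the patched epilogue) rather than as a verdict on its own.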
Payload
Gaara only runs its payload when an infected program starts. It checks whether one of the system timers holds the value 119. The timer normally updates 1,500 times per second, so it may take many runs before the user actually sees the payload. The payload clears the screen and displays the text "t89.GAARA" at column 55 of the first row before returning control to the host program.
Origin
Gaara was written by Lord Yup in Poland in June 2007. It is named after the Naruto character Gaara (我愛羅). Most antivirus products use the name "Tigraa", which refers both to the Texas Instruments platform it runs on and to the author's intended name. It is the second known virus for the TIOS operating system, the first being Ovid. Some researchers noted that the virus looked like the work of someone who was learning Motorola 68000 assembly programming, which is in fact a common motivation for writing viruses. Several other people claim to have written and spread calculator viruses as early as the 1990s, but they provide no sources, and these claims usually appear as comments on news stories about viruses like Gaara and Ovid.
Sources
Peter Ferrie. "Lions and Tigraas". Symantec Security Response, USA, 01-JUL-2007.
VSAntivirus. "Tigraa.A. Virus para calculadora gráfica TI-89". 19-JUN-2007.