Retaliator
Type: File virus
Creator: Mark Ludwig
Date Discovered: 1992
Place of Origin: Show Low, Arizona, USA
Source Language: Assembly
Platform: DOS
File Type(s): .exe
Infection Length: 1,535 bytes

Retaliator is a retaliating virus coded by Mark Ludwig. Its full source code was published in the Giant Black Book of Computer Viruses.

Behavior

When executed, the Retaliator virus decrypts its code and announces its presence by printing "RETALIATOR has executed!" to the screen. It then checks that it is on the C: drive and goes dormant if it finds itself on any other drive. Next it checks whether any antivirus is running in memory, specifically looking for Central Point VSAFE and Flu Shot 1.84. If it finds one, it runs its payload routine. It also checks to see if the file it was executed from is still infected, since a cleaned file indicates a possible disinfection by antivirus, and in that case it similarly runs the payload. If there is no suitable .exe file to infect, it simply exits. Otherwise, it finds an .exe in the current directory and infects it. Retaliator keeps a record of the most recently infected file at Cylinder 0, Head 0, Sector 2 of the C: drive, which is used during the next infection to determine whether the system has been disinfected.

Payload

The payload displays the message "RETALIATOR has detected resident Anti-viral software. TRASHING HARD DISK!" upon finding any evidence of antiviral software in memory or of file disinfection. In reality, it does nothing malicious; it just reads the hard drive very fast to simulate disk activity.

Variants

A variant listed as version 1.01 in the source code was modified to attack systems with McAfee VSCAN. It was created for a demo on a Japanese news show.

Other

  • Retaliator.956
  • Retaliator.1529
  • Retaliator.1535
  • Retaliator.1537
  • Retaliator.1559

Origin

Retaliator was coded by Mark Ludwig in Assembly in Arizona. It appeared in the Giant Black Book of Computer Viruses as a demonstration of a retaliating virus. The virus does not appear to have spread in the wild. In the chapter on retaliating viruses, Ludwig discussed several possibilities for a virus that retaliates against or otherwise defends itself from antivirus software. The retaliation methods discussed included simply going silent until the antivirus was turned off, logic bombs, and even uninstalling the antivirus. He also discussed the possibility of using certain integrity checkers against themselves, given that they have a number of vulnerabilities. For example, when integrity information is deleted, the integrity checker just restores it, often recording the infected files as safe. As a demonstration, though, Ludwig only had the virus simulate disk activity.
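The integrity-checker weakness described above, seen from the defender's side, as an added example that is not taken from Ludwig's book or from any real product: a checker that silently rebuilds a missing baseline is shown beside one that treats a missing or unauthenticated baseline as an alert. All function names, the key and the file contents are hypothetical and constructed for the illustration.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

KEY = b"constructed-demo-key"  # assumption: a real key is stored off the monitored disk

def snapshot(root):
    """Map each file name under root to the SHA-256 of its contents."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(root).iterdir())}

def write_baseline(root, db):
    """Store the snapshot with an HMAC tag so edits to the baseline are detectable."""
    body = json.dumps(snapshot(root), sort_keys=True)
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    Path(db).write_text(json.dumps({"body": body, "tag": tag}))

def weak_check(root, db):
    """Flawed design: a missing baseline is silently rebuilt from the current files."""
    if not os.path.exists(db):
        write_baseline(root, db)  # modified files are now recorded as known-good
    base = json.loads(json.loads(Path(db).read_text())["body"])
    now = snapshot(root)
    return sorted(n for n in now if base.get(n) != now[n])

def strict_check(root, db):
    """Hardened design: a missing or unauthenticated baseline is itself an alert."""
    if not os.path.exists(db):
        return ["BASELINE MISSING"]
    rec = json.loads(Path(db).read_text())
    want = hmac.new(KEY, rec["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, rec["tag"]):
        return ["BASELINE TAMPERED"]
    base, now = json.loads(rec["body"]), snapshot(root)
    return sorted(n for n in set(base) | set(now) if base.get(n) != now.get(n))

def demo():
    """Constructed scenario: a file changes, then the baseline file is deleted."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as meta:
        db, target = os.path.join(meta, "baseline.json"), Path(root, "APP.EXE")
        target.write_bytes(b"original program bytes")
        write_baseline(root, db)
        target.write_bytes(b"original program bytes" + b"appended bytes")
        with_baseline = strict_check(root, db)  # baseline intact: change is reported
        os.remove(db)
        strict = strict_check(root, db)         # run before weak_check rebuilds it
        return with_baseline, strict, weak_check(root, db)

if __name__ == "__main__":
    print(demo())
```

With the baseline gone, the weak checker reports nothing because it has just re-recorded the modified file as good, while the strict checker reports the missing baseline.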

Other Facts

The coder of Encroacher cited Retaliator as an inspiration for that virus. It is also quite similar to Ludwig's Intruder virus. There was also a retaliating virus by the name of Cornucopia that Ludwig mentions dealing with integrity checkers.

Sources

Mark Ludwig. The Giant Black Book Of Computer Viruses, Second Edition, Chapter 7 Infecting EXE Files. American Eagle Publications, Show Low, Arizona. 1998. pp. 467-485. ISBN: 0-929408-23-3

Included Source Codes:

RETAL.ASM

RETAL2.ASM
