
Blah.337

Details
Blah.3379

These are dangerous memory-resident stealth multipartite viruses. They hook INT 13h and INT 21h and write themselves into the MBR of the hard drive and into the beginning of .BAT files. They contain the internal text string:
Blah virus (DA/PS)

On the hard drive, the virus occupies three sectors starting from the MBR; the fourth sector contains the original MBR. On infection of BAT files the virus encodes itself with a BIN-to-ASCII algorithm and writes the result, together with several DOS command strings, to the beginning of the BAT file (text between '[' and ']' is a comment):
@echo [ binary data ] >?.com
@echo [ binary data ] >>?.com
@echo [ text data ] >>?.com
@echo [ text data ] >>?.com
[ repeated all ]
@echo [ text data ] >>?.com
@if %0. == . ?
@?
@del ?.com
@if %0. == . autoexec
@%0

The binary data contains the ASCII-to-BIN decoder; the text data contains the main virus body converted to ASCII text strings (à la UUencode/XXencode).
On execution of such a BAT file the virus creates the file ?.COM, writes the decoder and the ASCII data into it, and executes that file. When executed, the virus (from the ?.COM file) decodes itself from ASCII text into binary code, installs itself memory resident, hooks INT 13h and INT 21h, and returns control to the infected BAT file. The rest of the BAT file's code deletes the ?.COM file and then executes the host BAT file again. The stealth routine of the already-installed virus does not allow the virus BAT code to be executed twice, so the original code of the infected BAT file receives control.
The virus pays special attention to AUTOEXEC.BAT because it is a special BAT file: on the first execution of AUTOEXEC.BAT (during DOS loading) the command "%0" does not return the file name, whereas on any other execution of a BAT file "%0" contains the name of the host file.
While executing its decoded body, the virus checks system memory with an "Are you here?" call (INT 21h, AH=62h, DX=F904h) and then passes control to the installation routine. That routine cuts off a block of system memory by decreasing the system memory size (the word at address 0000:0413h), copies the virus into that memory block, hooks INT 13h and INT 21h, and passes control to the MBR infection code.
That code reads the MBR of the hard drive, checks for the virus ID stamp (the word 6540h at offset 010Ah), checks the partition table, and overwrites the first four sectors of the hard drive with the virus code; the last (fourth) sector contains the code of the original MBR. After infecting the hard drive MBR the virus returns control to the host BAT file.
On loading from an infected MBR the virus calls an installation routine that is practically the same as the one used when loading from an infected file. The virus decreases the system memory size, copies itself into the freed block, hooks INT 13h and returns control to the original MBR code. On INT 13h calls it checks the INT 21h handler's address, and if it points into DOS the virus hooks INT 21h.
The INT 21h virus handler intercepts five DOS functions:

AH/AX (hex)   Function
-----------   --------------------------------
11, 12        FindFirst/Next FCB (DIR command)
3D00          Open file
3F            Read from file
62            Get PSP

On FindFirst/Next calls the virus "decreases" the reported length of infected BAT files. To distinguish infected from uninfected files the virus uses an ID stamp in the file's time and date stamp: infected files have a 62-second time stamp.
On Get PSP calls with DX=F904h (the virus's "Are you here?" call) it disables the virus INT 13h and INT 21h handlers and returns. I see no reason for that call, because the virus code cannot be executed twice: the INT 13h/21h stealth routines redirect accesses to the original bodies of BAT files and the MBR.
On Open File calls the virus hooks INT 24h to suppress the DOS error message when writing to write-protected disks, checks the file extension for "BAT", opens that file using the undocumented System File Table, checks whether the file is already infected, and infects it.
On Read from File calls the virus checks whether the file is infected and substitutes the infected file's contents with its original (uninfected) form. That code is the virus's stealth routine.
When checking whether a file is already infected (on Open File and Read from File calls), the virus reads the file header and compares its first 108 (6Ch) bytes with the virus code.
During infection the virus moves the file body down by 3385 bytes and writes 3385 bytes of virus code at the beginning of the file: the ASCII-to-BIN decoder, the virus code converted to ASCII, and the additional DOS commands listed above.
The INT 13h virus handler intercepts only two functions, Read and Write (AH=2, 3), and only on accesses to the hard drive. On both calls the virus infects the MBR (if it is not infected yet) and performs its stealth routine.
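The description above names three on-disk artifacts a scanner can look for: the 62-second time stamp on infected BAT files, the word 6540h at offset 010Ah of an infected MBR, and the "@echo ... >?.com" / "@del ?.com" command sequence written to the top of infected BAT files. The following Python is an added example (not code from the original page, and not virus code) that implements those three checks against constructed sample data; the regular-expression heuristic for the dropper text, the sample batch files, the sample MBR images and the sample DOS time words are all my own constructions and assumptions.

```python
"""Added example (not from the original page): defender-side checks for three
artifacts the Blah description attributes to the virus:
  1. the 62-second FAT time stamp on infected .BAT files,
  2. the word 6540h at offset 010Ah of an infected MBR sector,
  3. the @echo-into-.COM dropper commands at the top of an infected .BAT file.
All sample data below is constructed; none of it is real virus data."""
import re
import struct

INFECTED_SECONDS = 62     # page: infected files carry a 62-second time stamp
MBR_ID_OFFSET = 0x10A     # page: ID stamp offset in the MBR
MBR_ID_WORD = 0x6540      # page: ID stamp value


def fat_time_seconds(dos_time: int) -> int:
    """Decode the seconds field of a 16-bit FAT/DOS time word.
    Bits 0-4 hold seconds/2, so legitimately written values are 0..29
    (0..58 s); the raw value 31 decodes to 62 s, which DOS never produces."""
    return (dos_time & 0x1F) * 2


def has_infection_timestamp(dos_time: int) -> bool:
    """True if the time word carries the 62-second marker."""
    return fat_time_seconds(dos_time) == INFECTED_SECONDS


def mbr_has_id_stamp(sector: bytes) -> bool:
    """True if a 512-byte MBR image holds the word 6540h at offset 010Ah."""
    if len(sector) < MBR_ID_OFFSET + 2:
        return False
    (word,) = struct.unpack_from("<H", sector, MBR_ID_OFFSET)
    return word == MBR_ID_WORD


# Dropper heuristic (assumption): '@echo ... >file.com' / '>>file.com' lines
# followed by '@del file.com' for the same file, as in the listing above.
_ECHO_TO_COM = re.compile(rb"^@echo\b.*>>?\s*(\S+\.com)\s*$",
                          re.IGNORECASE | re.MULTILINE)
_DEL_COM = re.compile(rb"^@del\s+(\S+\.com)\s*$", re.IGNORECASE | re.MULTILINE)


def bat_looks_like_dropper(data: bytes) -> bool:
    """True if the batch text echoes data into a .COM file and later deletes it."""
    echoed = {m.group(1).lower() for m in _ECHO_TO_COM.finditer(data)}
    deleted = {m.group(1).lower() for m in _DEL_COM.finditer(data)}
    return bool(echoed & deleted)


# ---- constructed samples (placeholders, not real virus data) ----
SAMPLE_BAT = (
    b"@echo [binary data placeholder] >?.com\r\n"
    b"@echo [text data placeholder] >>?.com\r\n"
    b"@if %0. == . ?\r\n"
    b"@?\r\n"
    b"@del ?.com\r\n"
    b"@if %0. == . autoexec\r\n"
    b"@%0\r\n"
    b"@echo off\r\n"
    b"rem original batch commands follow\r\n"
)
CLEAN_BAT = b"@echo off\r\necho hello > out.txt\r\ndel out.txt\r\n"

CLEAN_MBR = bytes(510) + b"\x55\xAA"            # empty sector with boot signature
_stamped = bytearray(CLEAN_MBR)
struct.pack_into("<H", _stamped, MBR_ID_OFFSET, MBR_ID_WORD)
STAMPED_MBR = bytes(_stamped)

DOS_TIME_NORMAL = (12 << 11) | (34 << 5) | (56 // 2)   # 12:34:56
DOS_TIME_MARKED = (12 << 11) | (34 << 5) | 31           # seconds field decodes to 62

if __name__ == "__main__":
    print("normal stamp flagged:", has_infection_timestamp(DOS_TIME_NORMAL))  # False
    print("marked stamp flagged:", has_infection_timestamp(DOS_TIME_MARKED))  # True
    print("clean MBR stamped:", mbr_has_id_stamp(CLEAN_MBR))                  # False
    print("stamped MBR stamped:", mbr_has_id_stamp(STAMPED_MBR))              # True
    print("dropper pattern:", bat_looks_like_dropper(SAMPLE_BAT))             # True
    print("clean batch:", bat_looks_like_dropper(CLEAN_BAT))                  # False
```

The time-stamp check is the cheapest of the three because it needs only directory metadata, and a 62-second value can never be written by DOS itself; the MBR check must be run against the raw sector read from a clean boot medium, since the description states that the resident virus's INT 13h handler hides the infected sectors from reads made while it is active.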
