
Markiz.1972

This is a dangerous memory-resident, encrypted, parasitic virus. It traces and hooks INT 21h, then infects COM and EXE files. The virus contains the text string:
MARKIZ-4/³1995

This virus uses a rather complex method of infecting files: it encrypts itself and writes the encrypted body to the end of the file, then writes a decryption loop and a jump-to-virus instruction into the middle of the file, at the address of the INT 21h call that the program executes first. While infecting, the virus does not modify the beginning of the file (except for the Module Length fields in the EXE header):

Not infected file          Infected file
+-----------------+        +-----------------+
| ...             |        | ...             |
|-----------------|        |-----------------|
| call to INT 21h |        | decryption loop |
|-----------------|        | JMP Virus       |--+
| ...             |        |-----------------|  |
| ...             |        | ...             |  |
+-----------------+        |-----------------|<-+
                           | virus           |
                           |                 |
                           +-----------------+

To carry out this method, the virus intercepts all INT 21h functions. When any file is executed (AX=4B00h), the virus switches itself to "infection mode" and returns control to the original INT 21h handler. DOS loads the file into memory and passes control to the file's code. Programs usually call various INT 21h functions; the virus intercepts the first such call, obtains the address of the code that issued it, calculates the offset of that code within the file, and writes its decryption routine and JMP_Virus code to the file at that offset.
To avoid infecting packed files and overwriting relocated addresses in EXE files, the virus compares the code in memory with the code in the file before overwriting it. If the two differ, the virus does not infect the file.
To detect the termination of the program and switch off "infection mode," the virus also hooks INT 20h and 27h. This is necessary for files that make no INT 21h calls while running.
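The infection method described above leaves the beginning of the file intact and keeps the EXE header's length fields consistent with the new file size, so a header-versus-file-size sanity check on its own does not flag the infected file; a recorded clean baseline does. The following is an added example (it is not part of the original description and not code from any vendor tool) of such a check in Python: it parses the MZ header length fields, compares them with the real file size, and reports differences from a stored baseline. The 32-byte header, the 100-byte sample program body and the 1972-byte appended tail are constructed test data, not the virus.

```python
import hashlib
import struct

# Constructed minimal MZ header: 32 bytes = 2 paragraphs (an assumption for this demo).
HEADER_SIZE = 32
PAGE = 512  # DOS counts executable size in 512-byte pages


def build_mz(code: bytes, extra: bytes = b"") -> bytes:
    """Assemble a minimal MZ image whose e_cblp/e_cp fields cover header + code + extra
    (constructed test data; anything appended to an EXE must update these fields the same way)."""
    total = HEADER_SIZE + len(code) + len(extra)
    e_cp = (total + PAGE - 1) // PAGE      # pages in file, rounded up
    e_cblp = total % PAGE                  # bytes used on the last page (0 = full page)
    header = struct.pack(
        "<2s13H",
        b"MZ", e_cblp, e_cp,
        0,                   # e_crlc: no relocation entries
        HEADER_SIZE // 16,   # e_cparhdr: header size in paragraphs
        0, 0xFFFF,           # e_minalloc, e_maxalloc
        0, 0x0100,           # initial SS, SP
        0,                   # checksum (unused)
        0, 0,                # initial IP, CS
        HEADER_SIZE,         # e_lfarlc: relocation table offset
        0,                   # overlay number
    ).ljust(HEADER_SIZE, b"\0")
    return header + code + extra


def parse_mz(image: bytes) -> dict:
    """Read the length fields of an MZ header and relate them to the real file size."""
    if len(image) < 28 or image[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    e_cblp, e_cp, e_crlc, e_cparhdr = struct.unpack_from("<4H", image, 2)
    module_len = (e_cp - 1) * PAGE + e_cblp if e_cblp else e_cp * PAGE
    return {
        "e_cblp": e_cblp,
        "e_cp": e_cp,
        "e_crlc": e_crlc,
        "header_len": e_cparhdr * 16,
        "module_len": module_len,                 # what the header says DOS should load
        "file_len": len(image),
        "overlay_len": len(image) - module_len,   # bytes past the declared module
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def check_against_baseline(baseline: dict, current: dict) -> list:
    """Integrity findings for an executable relative to a recorded clean baseline."""
    findings = []
    if current["overlay_len"] != 0:
        findings.append(f"declared module length {current['module_len']} != file length "
                        f"{current['file_len']} (unregistered overlay or truncation)")
    if (current["e_cblp"], current["e_cp"]) != (baseline["e_cblp"], baseline["e_cp"]):
        findings.append("EXE header module length fields differ from baseline")
    if current["file_len"] != baseline["file_len"]:
        findings.append(f"file size changed by {current['file_len'] - baseline['file_len']} bytes")
    if current["sha256"] != baseline["sha256"]:
        findings.append("file content hash differs from baseline")
    return findings


def diff_regions(a: bytes, b: bytes) -> list:
    """Return [(start, end), ...] byte ranges where two images differ; bytes present in
    only one image count as differing. Shows *where* a file was touched."""
    n = max(len(a), len(b))
    regions, start = [], None
    for i in range(n):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, n))
    return regions


# Constructed sample program body: mov ah,4Ch / int 21h followed by NOP padding (100 bytes).
CLEAN_CODE = bytes([0xB4, 0x4C, 0xCD, 0x21]) + b"\x90" * 96
# Constructed opaque tail standing in for data appended after the original module.
APPENDED = b"\xAA" * 1972

if __name__ == "__main__":
    clean = build_mz(CLEAN_CODE)
    base = parse_mz(clean)
    # Case 1: tail appended AND header length fields updated to cover it.
    grown = build_mz(CLEAN_CODE, APPENDED)
    for finding in check_against_baseline(base, parse_mz(grown)):
        print("grown:", finding)
    print("changed byte ranges:", diff_regions(clean, grown))
    # Case 2: tail appended without touching the header: the overlay check alone catches it.
    naive = clean + APPENDED
    for finding in check_against_baseline(base, parse_mz(naive)):
        print("naive:", finding)
```

In case 1 the header-versus-size check passes (the length fields were updated), and only the baseline comparison reports the changed header fields, the size growth and the hash mismatch; `diff_regions` shows the changes confined to the two length fields and the appended tail, matching the description that the file beginning is otherwise untouched. A file-integrity baseline for executables therefore has to be recorded when the files are known clean, not derived from the header at scan time.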
