-
- *********************************************
- *** Reports collected and collated by ***
- *** PC-Virus Index ***
- *** with full acknowledgements ***
- *** to the authors ***
- *********************************************
-
-
- TENBYTE 1554 VIRUS, aka VALERT etc
- ==================================
-
- (Originally thought to be 1559 bytes: Files can grow up to 1569
- bytes)
-
-
- Date: 16 Feb 90 19:51:00 +0700
- From: Vesselin Bontchev (Bulgarian anti-virus researcher)
- Subject: The 1559 virus (PC)
-
- Recently, the subscribers of VALERT-L received a uuencoded file
- which (as the sender said) was infected with a new virus. Of
- course, sending an infected file to a public (and non-moderated)
- forum is a big mistake, but I won't emphasize this here.
-
- Personally, I received at least 3 more messages, which warned me
- that I *have* to delete this file and not uudecode it. However,
- since I'm an antivirus researcher, I couldn't resist the
- temptation to "test" the virus --- of course in a "safe"
- environment.
-
- It turned out that the environment was too safe... I worked on a
- computer with a physically disabled hard disk. I booted from a
- floppy, containing only the operating system (PC-DOS 3.30), the
- infected file, MAPMEM (a public-domain utility) and ANTI4US --- an
- interrupt monitoring program --- much like FluShot+ but with a much
- worse interface.
-
- I started the interrupt monitor and executed the infected file. Then
- I executed MAPMEM. I wanted to (1) see if the virus can be "seen" in
- memory with this utility and (2) confirm that the infected file is
- "infective", i.e., really contains a virus. Of course, MAPMEM
- didn't see the beast.
-
- Then I cold-rebooted from a new, clean, write-protected diskette
- and inspected the MAPMEM.COM file. Well, it wasn't infected at all!
- I decided that I had received a damaged file and sent a message to
- the author to send me a new file, consisting only of NOPs, infected
- with the virus. He did so.
-
- Further investigations showed that:
-
- - If I load ANTI4US and then run an infected program, the damn
- thing does not spread --- it does not even try to infect
- files.
-
- - However, if I first run an infected program and then
- ANTI4US, the beast tries to spread (which is detected by
- ANTI4US) --- and of course infects ANTI4US.
-
- At that point I was convinced that it really is a virus. Now I'm
- trying to disassemble it and to write an antidote. Here is what I
- know for the moment (without any warranty!):
-
- - The virus is memory resident. It installs itself in
- memory at address 9800:0000. I couldn't find where (and if)
- it checks for the memory size.
-
- - The virus is 1554 bytes long, but may add more bytes (up to
- 1569 I think) to the infected files.
-
- - Files are infected when they are executed (*not* when
- copied).
-
- - Both *.COM and *.EXE files can be infected.
-
- - COMMAND.COM can be infected --- if it is executed.
-
- - Files are infected only once.
-
- - The ReadOnly attribute won't help (you already guessed
- this :-) ).
-
- - The virus has its own critical error handler. Therefore an
- attempt to infect a file on a write-protected diskette won't
- display the usual "Abort, Retry, Ignore? " message.
-
- - The size of the infected files is always such that (SIZE mod
- 16 == 2).
-
- - Only *.COM files greater than 1000 bytes will be infected. I
- couldn't find if there is a limit for the *.EXE ones.
-
- - The first 32 bytes of the *.COM files are overwritten. The
- original 32 bytes can be found at offset [14,15]*16+1015
- from the beginning of the file. Here [14,15] means the
- contents of the word at offset 14 (decimal) from the
- beginning of the file. I'm still trying to find out how the
- virus infects *.EXE files.
-
- DAMAGE:
-
- - The virus intercepts the WRITE function call (AH == 40h) of
- INT 21h. If the month of the current date is 9 or greater,
- and if the write is on file handle > 4 (i.e., it is a "true"
- file, not stdin/out/err/aux/prn), then the address of the
- memory chunk which has to be written, is increased by 0Ah.
- This leads to garbage being written.
-
- I haven't finished my work with this virus, but it's getting late
- and I have to leave. Therefore, I decided to post what I know.
- Please, if anyone knows more about this virus, send info to the
- forum too.
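
The following Python is an added example, written by the editor of this
page; it is not code from the report above, from Bontchev, or from PC-Virus
Index. It turns the reported .COM characteristics (SIZE mod 16 == 2, .COM
hosts over 1000 bytes, the 1554-byte body, the original 32 bytes saved at
[14,15]*16+1015) into a checker and a disinfector, and models the write
payload (month >= 9, handle > 4, buffer address advanced by 0Ah). One
assumption is made that the report does not state outright but that its
numbers are consistent with (1554 mod 16 == 2): the host is padded to a
16-byte paragraph boundary and the virus body occupies the last 1554 bytes
of the file. The sample "infected" file is constructed here with NOP filler
in place of virus code, and all function names are the editor's own.

```python
import struct

# Figures taken from the report above
VIRUS_LEN = 1554         # bytes of virus body appended to the host
HEADER_LEN = 32          # host bytes overwritten at the start of a .COM file
SAVED_HEADER_REL = 1015  # saved header is at [14,15]*16 + 1015 from file start
PARA_WORD_OFF = 14       # word at this offset holds a paragraph (16-byte) index
MIN_HOST_LEN = 1000      # .COM files of 1000 bytes or less are not infected
SHIFT = 0x0A             # payload: write buffer address advanced by 10 bytes


def looks_infected(data: bytes) -> bool:
    """Check a .COM image against the reported Tenbyte/1554 characteristics.

    Assumption (editor's, consistent with the reported numbers): the host is
    padded to a paragraph boundary and the body is the last 1554 bytes, which
    is what makes SIZE mod 16 == 2 hold for every infected file.
    """
    if len(data) <= MIN_HOST_LEN + VIRUS_LEN:   # too small to hold host + body
        return False
    if len(data) % 16 != 2:                      # reported size signature
        return False
    para = struct.unpack_from("<H", data, PARA_WORD_OFF)[0]
    body_start = para * 16
    saved_at = body_start + SAVED_HEADER_REL
    if body_start <= MIN_HOST_LEN:               # host would have been too small
        return False
    if saved_at + HEADER_LEN > len(data):        # saved header must lie inside file
        return False
    return body_start + VIRUS_LEN == len(data)   # body must end exactly at EOF


def disinfect_com(data: bytes) -> bytes:
    """Restore the saved 32-byte header and drop the virus body.

    Up to 15 bytes of paragraph padding may remain after the host; the report
    names no field from which the exact original length could be recovered.
    """
    if not looks_infected(data):
        raise ValueError("file does not match the reported Tenbyte/1554 layout")
    para = struct.unpack_from("<H", data, PARA_WORD_OFF)[0]
    body_start = para * 16
    saved_at = body_start + SAVED_HEADER_REL
    original_header = data[saved_at:saved_at + HEADER_LEN]
    return original_header + data[HEADER_LEN:body_start]


def build_infected_sample(host: bytes) -> bytes:
    """Constructed sample infection following the layout assumed above.

    The 1554-byte 'body' is NOP filler (no virus code) holding the host's first
    32 bytes at body+1015; the new header is filler except for the paragraph
    index of the body stored in the word at offset 14.
    """
    if len(host) <= MIN_HOST_LEN:
        raise ValueError("report: only .COM files over 1000 bytes are infected")
    pad = (-len(host)) % 16                      # bring host up to a paragraph
    body_start = len(host) + pad
    body = bytearray(b"\x90" * VIRUS_LEN)
    body[SAVED_HEADER_REL:SAVED_HEADER_REL + HEADER_LEN] = host[:HEADER_LEN]
    header = bytearray(b"\x90" * HEADER_LEN)     # stand-in for the new entry bytes
    struct.pack_into("<H", header, PARA_WORD_OFF, body_start // 16)
    return bytes(header) + host[HEADER_LEN:] + b"\x00" * pad + bytes(body)


def tenbyte_write(memory: bytes, dx: int, cx: int, month: int, handle: int) -> bytes:
    """Model the intercepted INT 21h/AH=40h: return the bytes that reach disk.

    `memory` stands in for the caller's data segment, DS:DX = dx, CX = cx.
    From September on (month >= 9) and for handle > 4 the buffer address is
    advanced by 0Ah, so the data lands shifted and the last 10 bytes written
    come from whatever follows the intended buffer.
    """
    if month >= 9 and handle > 4:
        dx += SHIFT
    return memory[dx:dx + cx]


if __name__ == "__main__":
    host = bytes(range(256)) * 5                 # constructed 1280-byte "host"
    infected = build_infected_sample(host)
    print(len(infected), looks_infected(infected), disinfect_com(infected) == host)
    segment = b"INTENDED RECORD DATA......" + b"<bytes beyond the buffer>"
    print(tenbyte_write(segment, 0, 20, month=10, handle=5))
```

The checker is deliberately conservative: every one of the reported
properties must hold, including that the body computed from the word at
offset 14 ends exactly at end of file. A file that merely has SIZE mod 16 ==
2 is not flagged.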
-
-
-
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++