Chaos Digest              Vendredi 2 Juillet 1993        Volume 1 : Numero 67
                              ISSN  1244-4901

       Editeur: Jean-Bernard Condat (jbcondat@attmail.com)
       Archiviste: Yves-Marie Crabbe
       Co-Redacteurs: Arnaud Bigare, Stephane Briere

TABLE DES MATIERES, #1.67 (2 Juillet 1993)
File 1--40H VMag Number 8 Volume 2 Issue 4 #004-005(1) (reprint)

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:
                linux-activists-request@niksula.hut.fi
with a mail header or first line containing the following informations:
                    X-Mn-Admin: join CHAOS_DIGEST

The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France.  He is a member of the EICAR and EFF (#1299)
groups.

Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352)
466893.  Back issues of ChaosD can be found on the Internet as part of the
Computer underground Digest archives. They're accessible using anonymous FTP:

        * kragar.eff.org [192.88.144.4] in /pub/cud/chaos
        * uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
        * halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
        * ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
        * cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos
        * ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
        * nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
        * orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission.  Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications.  Articles are preferred to short responses.  Please
avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Chaos Digest contributors
            assume all responsibility for ensuring that articles
            submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Tue May 11 09:24:40 PDT 1993
From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. )
Subject: File 1--40H VMag Number 8 Volume 2 Issue 4 #004-005(1) (reprint)


40Hex Number 8 Volume 2 Issue 4                                      File 004

                 -=PHALCON/SKISM=- Presents CheckAv
                     PD War Collection Program 3
                          By Dark Angel

    Once again, not an incredibly impressive program, but it is still
quite useful.  It PutAv's a serial number, pkzips a test file, with the
pkzip -! option, then unzips it.  It logs the line that has serial
number.  This program requires pkzip, pkunzip, putav and avs.dat from
findav15.

    It is a very crude program, but it was done in quite a hurry, as
I am going away for a while.  Run it in a RAM disk, as it is much
better!

-----------------------------------------------------------------------------
n checkav.com
e 0100  BA F7 02 B4 4A BB 00 10 CD 21 72 34 BA 83 02 E8
e 0110  6C 01 BA 14 03 E8 66 01 B4 0A BA 9A 04 CD 21 BA
e 0120  3C 03 80 3E 9A 04 00 74 76 BB 9C 04 8B D3 A0 9B
e 0130  04 98 03 D8 C6 07 00 B8 00 3D CD 21 BA 5E 03 93
e 0140  72 5D B4 3F B9 3C 00 BA BC 04 CD 21 87 D7 BA 7D
e 0150  03 0B C0 74 4A B8 00 42 33 C9 99 CD 21 FC BA 9F
e 0160  03 B9 3C 00 B0 0D F2 AE 0B C9 74 33 BA D3 03 E8
e 0170  0C 01 4F C6 05 24 BA BC 04 E8 02 01 C6 05 0D 8B
e 0180  D7 81 EA BA 04 89 16 F8 04 B8 00 42 33 C9 CD 21
e 0190  BA D6 02 E8 E8 00 BA 82 04 E8 BA 00 E8 13 00 E8
e 01A0  DC 00 B4 41 BA 8A 04 CD 21 B4 41 BA 8F 04 CD 21
e 01B0  CD 20 B4 3F B9 0D 00 BA EF 03 CD 21 0B C0 74 3A
e 01C0  BA E5 03 E8 B8 00 E8 A2 00 E8 32 00 BE EF 03 BF
e 01D0  09 04 B9 0B 00 F3 A4 BE 03 04 E8 52 00 E8 8B 00
e 01E0  BE 20 04 E8 49 00 E8 82 00 BE 34 04 E8 40 00 E8
e 01F0  79 00 BE 51 04 E8 37 00 EB B8 BA B8 03 C3 53 B4
e 0200  3C BA FE 03 33 C9 CD 21 93 B4 40 8B 0E F8 04 49
e 0210  BA BC 04 CD 21 B4 40 B9 0C 00 BA EF 03 CD 21 B4
e 0220  40 B9 01 00 BA FD 03 CD 21 B4 3E CD 21 5B C3 50
e 0230  53 51 52 1E 06 55 57 89 26 FC 04 8C 16 FA 04 CD
e 0240  2E FA 2E 8E 16 FA 04 2E 8B 26 FC 04 FB 5F 5D 07
e 0250  1F 5A 59 5B 58 C3 53 B8 00 3D CD 21 73 06 B4 3C
e 0260  33 C9 CD 21 93 B4 3E CD 21 5B C3 B4 06 B2 FF CD
e 0270  21 74 0A 3C 1B 75 06 BA D9 02 E9 22 FF C3 B4 09
e 0280  CD 21 C3 43 68 65 63 6B 41 56 20 76 65 72 73 69
e 0290  6F 6E 20 31 2E 30 0D 0A 62 79 20 44 61 72 6B 20
e 02A0  41 6E 67 65 6C 20 6F 66 20 50 48 41 4C 43 4F 4E
e 02B0  2F 53 4B 49 53 4D 0D 0A 50 72 65 73 73 20 45 53
e 02C0  43 20 74 6F 20 61 62 6F 72 74 20 61 74 20 61 6E
e 02D0  79 20 74 69 6D 65 0D 0A 24 45 53 43 61 70 65 20
e 02E0  64 65 74 65 63 74 65 64 2E 20 20 41 62 6F 72 74
e 02F0  69 6E 67 2E 0D 0A 24 45 72 72 6F 72 20 72 65 61
e 0300  6C 6C 6F 63 61 74 69 6E 67 20 6D 65 6D 6F 72 79
e 0310  2E 0D 0A 24 45 6E 74 65 72 20 74 68 65 20 6E 61
e 0320  6D 65 20 6F 66 20 74 68 65 20 66 69 6C 65 20 74
e 0330  6F 20 70 72 6F 63 65 73 73 3A 20 24 0D 0A 4E 6F
e 0340  20 69 6E 70 75 74 20 64 65 74 65 63 74 65 64 2E
e 0350  20 20 41 62 6F 72 74 69 6E 67 21 0D 0A 24 0D 0A
e 0360  46 69 6C 65 20 6E 6F 74 20 66 6F 75 6E 64 2E 20
e 0370  20 41 62 6F 72 74 69 6E 67 2E 0D 0A 24 0D 0A 54
e 0380  68 65 20 66 69 6C 65 20 69 73 20 7A 65 72 6F 20
e 0390  62 79 74 65 73 2E 20 20 44 69 65 21 0D 0A 24 0D
e 03A0  0A 54 68 65 20 66 69 6C 65 20 69 73 20 69 6E 76
e 03B0  61 6C 69 64 2E 0D 0A 24 0D 0A 43 68 65 63 6B 41
e 03C0  56 20 72 75 6E 20 63 6F 6D 70 6C 65 74 65 64 2E
e 03D0  0D 0A 24 0D 0A 0D 0A 54 65 73 74 69 6E 67 20 66
e 03E0  6F 72 3A 20 24 43 68 65 63 6B 69 6E 67 20 23 00
e 03F0  00 00 00 00 00 00 00 00 00 00 00 00 24 1B 74 65
e 0400  73 74 00 1B 65 63 68 6F 20 00 00 00 00 00 00 00
e 0410  00 00 00 00 20 3E 3E 20 72 65 73 75 6C 74 73 0D
e 0420  12 70 75 74 61 76 20 3C 20 74 65 73 74 20 3E 20
e 0430  6E 75 6C 0D 1B 70 6B 7A 69 70 20 2D 21 6F 20 74
e 0440  6F 6D 72 6F 74 20 74 65 73 74 20 3E 20 6E 75 6C
e 0450  0D 2F 70 6B 75 6E 7A 69 70 20 74 6F 6D 72 6F 74
e 0460  20 2D 74 20 7C 20 66 69 6E 64 20 22 41 75 74 68
e 0470  65 6E 74 69 63 22 20 3E 3E 20 72 65 73 75 6C 74
e 0480  73 0D 72 65 73 75 6C 74 73 00 74 65 73 74 00 74
e 0490  6F 6D 72 6F 74 2E 7A 69 70 00 20 1A 1A 1A 1A 1A
rcx
049F
w
q

+++++

40Hex Number 8 Volume 2 Issue 4                                     File 005

           STARSHIP - interesting file-boot virus.
                         Muttik I.G.
                (Internet: MIG@politon.msk.su)


     KEYWORDS

     Virus, DOS, executable file, masterboot record,
     resident in memory, encryption.


     ABSTRACT

STARSHIP virus (file and boot simultaneously) is described. It
infects IBM  PC and  compatibles running  DOS. Virus is called
STARSHIP :  this string can be easily found in the memory dump
of virus.  Virus infects  masterboot record  on  harddisk  and
executable files  files created on floppy drives. The virus is
encrypted. Infected executable files have no descriptor longer
than 2  bytes. Virus  appears to  have no destructive code, it
uses  music  and  video  effects  when  active.  The  abnormal
operation of the infected computers was sometimes detected.


     INTRODUCTION

     History of  computer viruses  is very  short.  The  first
known publications  are dated  with 1984-1985  [1,2]. But  now
situation in this field changes every day - uncountable number
of various  computer viruses  are  known  at  present  in  DOS
operating system.  The variety  of known viruses is fantastic,
but all  of them  falls into  three  known  categories:  file,
boot [3,4] and cluster. Active area of the first virus type is
executable files  and of  the second  type -  boot records  on
harddisks and  diskettes. The  third category is not yet over-
populated, the only representative is bulgarian DIR-II virus.

     Probably the  first virus  which infects  files and  boot
sectors was  Ghost virus  [5]. This  virus was  discovered  by
Fridrik Skulason  at Icelandic University. Ghost virus infects
only COM  files. This virus increases file size by 2351 bytes.
When active  the Ghost replaces boot sector of infected system
with a  boot virus  similar to  Ping Pong, but this boot virus
does  not   have   infection   routine.   The   Ghost   virus,
consequently, may  be considered  as a file virus with unusual
active phase.  After some  time appeared Virus-101, Frodo and,
finally, a  bunch of new viruses was found: Thanksgiving virus
(V-1),  TEQUILA   and  STARSHIP  (these  type  of  viruses  is
sometimes called "multi-partite").

     STARSHIP virus  was found  in  Moscow  in  January  1991.
Probably this virus was written in the USSR.

     The living cycle of STARSHIP virus is the following. When
infected file  is started  it modifies masterboot record (MBR)
on the harddisk and writes virus on the disk. Thereafter, when
computer reboots, virus intercepts interrupt vectors 13h (low-
level disk I/O) and 21h (DOS service). During the reboot virus
is stored in the videomemory at address BB00:0. It is moved to
the core  RAM later, when the first program terminates. Now it
stays resident  and infects any COM/EXE file created on floppy
drives.

     1. GENERAL DESCRIPTION

     Length of STARSHIP virus in memory is 2688 bytes. Size of
code is 2560 bytes, buffers and variables takes the remainder.
On harddisk virus takes 3072 bytes (6 sectors * 512 bytes).

     Virus layout  is shown  in Table.1  and its  memory  dump
(fragmentary) is  presented  in  Figure.1.  (NOTE:  All  dumps
presented is  the article  are partial in order to prevent the
possibility to use for generation of new viruses.)

     No text  messages except  one  string  ">STARSHIP_1<"  of
length 12  (found only in memory) were discovered. This string
can be  found only  in memory, because virus is stored on disk
and in the infected file in encrypted form.

     Normally virus stays resident and the size of used memory
block is  B00h=2816. The beginning of this memory block is the
Program Segment  Prefix (PSP)  of program  that triggered  the
installation of virus in the core RAM. Really virus is started
at offset  80h in  this PSP (consequently, the real virus size
is: B00h-80h=A80h=2688 bytes).

     Virus uses  standard interrupts  13h, 20h,  21h, 27h  and
creates its own interrupts F9h and FCh (see later). When virus
is already  resident (installed  in the core RAM) it uses only
13h and  21h vectors.  Entry points of both interrupt handlers
can be  easily found  (CS:005F and CS:00C5; here CS represents
the code segment where virus resides).

     In the  memory dump of virus one can found the buffer for
the filename  (see ASCIIZ= 'B:\TMP\DROZFILA.COM' at CS:000D in
Fig.1).

     Virus  extensively   uses  its   internal  random  number
generator. The  random number  seed is  taken from  BIOS timer
variable  (0:46Ch).   Random  generator   is  used   for   the
demonstration of  video effect and while creating the infected
file (change  of size  is random  and virus  code is encrypted
using random number). The word "random" may be a real motto of
the described  virus -  it uses  random number  generator very
frequently.

     The part  of virus  memory image  is encrypted  using XOR
function (approximately 60% of total virus size). This section
is decrypted  and used  only while infecting files (section is
marked in  Table.1 with the box). After infection of each file
the XOR  mask is changed, and encryption is performed with the
new mask.  Described procedure  makes  the  encrypted  section
volatile and unreadable. This behavior is not used to hide any
strings in  virus body  (there are  no strings  at all, except
virus  name)  -  maybe  it  is  implemented  only  to  achieve
permanent variance.

     Virus uses  trace capabilities  of processor to determine
the original  BIOS interrupt  13h entry  point.  Virus  issues
int 13h with  trace flag  set and  records the  CS:IP when  CS
becomes greater  or equal  to C800h  (corresponds to  the  ROM
area). However  this method  seems to be non-universal. I have
investigated the  process of  disk infection  and  found  that
rewriting of  MBR sometimes  triggered the  resident antivirus
utilities (program  TSAFE:  Turbo-Anti  Virus  Ver.6.80A  from
CARMEL Software Engineering, Israel).

     While disassembling  the virus  I have found special code
inserts used  to  fool  disassemblers.  In  most  cases  these
inserts uses  non-working calls  and  jumps  pointing  on  the
garbage in  the virus  body. These  inserts are a real problem
for disassemblers  and I  have not  found one  that managed to
correctly separate  code and  data (or  code and garbage). The
intelligent analysis of code is needed, which is not performed
by  all   available  disassemblers  (including  smart  SOURCER
ver. 3.07, by V Communications Inc.).

     I have  carefully examined  the reconstructed  source and
established that STARSHIP virus appears to have no destructive
code.


     2. FILE INFECTION

     Strategy of  file infection  is the  following. Files are
infected while  creation of  EXE/COM file  on A:  or B: disks.
Virus records  file name  in internal buffer (at CS:000D), and
starts infection  routine when  request to  close the file was
issued. This  technique is  similar to the method used by Dark
Avenger virus [3,5,7].

     The idea  to infect only executable file that are created
on floppy  disks explains  why STARSHIP does not intercept int
24h. This  interrupt is  usually catched by viruses to prevent
message - "Write  protect error". But when file is created (!)
on the  floppy disk  it automatically  indicates that the user
has removed (or will remove) the write protect tab.

     Change of infected file size is true random (for the same
file you  can get  many variants  of infection  with different
size growth). Change of size is typically 2616...2648 bytes.

     Virus infects  COMMAND.COM file  when it  is  created  on
floppy disk.  No special  strategy is  used to  infect command
interpreter - it is infected as a simple .COM file.

     When infecting executable (only EXE and COM) files, virus
preserves attribute.  If the file is readonly - this attribute
remains  unchanged  after  infection.  STARSHIP  examines  the
executable file  type by its contents, not by extension (tests
for 5A4Dh  at file  beginning, but  it does  not test  4D5Ah).
Virus does  not infect  short files  - see Table 2. Virus does
not infect  the files  that are  already infected.  Buffer  at
virus end  is used  to read  code beginning  and determine the
presence of  virus (it  seems to  me that virus may frequently
regard uninfected  files as infected, because it performs very
primitive analysis).

     Virus infection  routine uses  the following  interrupts:
int F9h (it points on the original int 21h, as set by DOS) and
int FCh  (points on  original int  13h, as set by BIOS). These
interrupts are used instead of int 21h and 13h. This technique
is probably  used to  prevent triggering  of certain antivirus
utilities. These  utilities often  controls all invokations of
21h and 13h interrupts. The infection routine appends virus to
the end  of executable  file and  adjusts  the  program  entry
point.

     Executable files with COM extension are modified by virus
at first  3 bytes,  which are  replaced with  JMP instruction,
pointing on  the decryptor.  Original 3  bytes from file start
are stored at the very end of the infected file (like the body
of virus these bytes are encrypted with XOR function).

     After modification  of the  EXE  file  header  new  CS:IP
points on  the virus decryptor. SS, SP and MINALLOC fields are
changed. Original  CS, IP,  SS and SP are stored at the end of
the virus  body at  offset A4Fh  (you cannot fetch these bytes
directly - they are encrypted).

     The header  of the  infected EXE  file has  some  special
features. Instruction  pointer always  follows  the  relation:
4<IP<13h. Spacing  between stack  segment and  code segment is
constant: SS-CS=100h  and  stack  pointer  is  always  set  to
SP=800h. Moreover,  STARSHIP does  not infect  EXE files  when
MAXALLOC field  of EXE  header is less than 0FFFFh. Virus does
not infect files with nonzero overlay number.

     Virus code  is added  to the end of file in the encrypted
form.  This  encrypted  code  goes  after  special  decrypting
program (decryptor). The purpose of decryptor is to decode the
virus body.

     Decryptor of  virus body  seems to  be specially designed
not to  have  a  characteristic  bytes  sequence  (descriptor)
longer than  2 bytes  (for example:  XOR BH,BH and MOV BL,6 is
used instead  of MOV BX,0006,  because first commands occupies
2-bytes, but  the last takes 3 bytes). In reality this program
is mixed  with NOPs  and other 1-byte codes, not affecting the
execution of decryptor. The sequence of operators in main code
is fixed,  but spacing  between these  operators is  variable.
Described technique  really eliminates the possibility to find
virus using search based on certain descriptor, because any 2-
byte sequences  are found  on the  disk too frequently. Search
based on  the wildcard  strings must  take into  account  that
spacing between operators in virus code is variable (from 0 to
16 bytes of NOPs and other silly stuff).

     Moreover, the  decryptor  uses  synonyms  for  code:  for
example the XCHG AX,SI command has three (!) different machine
code representations  (0c687h,  0f087h,  96h  means  the  same
processor directive  -  XCHG AX,SI).  As  well  MOV AX,SP  and
MOV BX,AX has  two representations. That fact also complicates
search based on the wildcard strings, producing many different
wildcards for the same virus.

     First  the  decryptor  must  determine  its  position  in
memory, because  all references  in the virus must be relative
to  the   known   point.   STARSHIP   uses   unusual   method,
simultaneously suppressing  the attempts  to  trace  execution
flow of  decryptor with  the use of debugger. Virus issues int
03h (it  usually points  on IRET)  and then  reads the  return
address below (!) the stack pointer SP (LODSW SS:[SI]). If you
use the  debugger, it will immediately destroy all words below
the SP, resulting in the malfunction of the rest of decryptor.
Sometimes instead of int 03h virus uses interrupts 01h/11h/12h
as the dummy calls.

     Decryption of  virus code attached to infected executable
file is done from top addresses to bottom. This sequence makes
tricky setting of breakpoint after the decryption loop because
the last  decrypted byte is just below the loop. Hence, if you
place here  the breakpoint  it will  be  decrypted,  its  code
(0CCh) will  become garbage  and will  be executed  instead of
invokation of breakpoint routine.

     All general  processor registers  are set  to zero  after
decryption process prior to start of infected program. Segment
registers are preserved.

     When  I  used  MS-Windows  or  any  other  graphics  user
interfaces -  infection of  copied files  does not take place.
That is  possibly because  virus uses videomemory as temporary
buffer while  infecting files  and checks the videomode before
infection.

     3. DISK INFECTION

     When decryptor  finished its work it transfers control to
the disk  infection routine. First this code tests DOS version
number (virus works only with versions later than 2.0) and the
presence of video-RAM at BB00:0 (virus physically tests memory
existence at  this address  via MOV/CMP sequence). Second - it
tests if  virus is  already resident  (checks if special virus
memory dispatcher  is present at address 0000:04B0). And third
- STARSHIP determines the original int 13h entry point in BIOS
(it traces  the call of int 13h, function 8; this call is used
to determine  the physical  disk size).  The  fourth  -  virus
infects the masterboot via direct call of BIOS int 13h.

     STARSHIP  modifies   MBR  in   only  3  bytes:  head  and
sector/cylinder of  DOS boot.  Virus  places  its  code  in  6
consecutive sectors at the disk end (it uses physical disk #1,
last head,  last track  and last 6 sectors in the last track).
After modification  of MBR,  boot field  of  active  partition
points on pseudoDOS boot, the first of used 6 sectors. Dump of
pseudoDOS boot  is presented  in Figure  2. First  5 bytes  in
pseudoDOS boot  are equal  to the  original DOS boot beginning
(0EBh, 034h,  090h, 'MS').  The pseudoDOS  boot  contains  the
loader of virus code that is located in next 5 sectors. (Note:
the area at offset 115h..1F9h in pseudoDOS boot is filled with
garbage).

     Counter of  reboots (byte)  is located  at offset 1FCh in
pseudoDOS boot.  This counter is initialized with random value
in range  0...20h. Sometimes  it is initialized with 0FFh - in
this  case  the  counter  is  not  incremented  during  reboot
(probably such  computer cannot  be ill).  The probability  of
this case is approximately 30%.

     At offset  1FDh in pseudoDOS boot the XOR mask (byte) can
be found.  This mask  is used  for  decryption  of  5  sectors
following pseudoDOS boot (these sectors contains virus body).

     Moreover, I  have found  in pseudoDOS  boot the code that
loads and  executes unknown  procedure from  sectors 2...6  on
head 0  and track  0. Code from these sectors is executed only
if its  checksum is  valid. This  space between  MBR and first
partition (it  normally starts  on head 1, track 0) is usually
unused and  filled with zeros. This area is frequently used by
some computer viruses [3] (DiskKiller for example). But I have
not detected any valuable code in these sectors - this unknown
procedure was probably written only to fool the researchers or
for futer virus extension.

     Upon infection virus stores no original MBR copy. It only
saves changes  -  3  bytes  of  original  DOS  boot  head  and
sector/cylinder (stored  under XOR  mask inside  5 sectors  of
virus code). If you want to get these parameters you must read
XOR mask from pseudoDOS boot, decrypt the virus body and fetch
necessary 3 bytes from the appropriate positions.

     There is  another method  to restore original MBR. If you
perform the  request  to  read  MBR  (AX=201h,  CX=1,  DX=80h,
ES:BX=buffer) via  int 13h:  virus will read real MBR, restore
its original  contents and  you will obtain what you want. You
can save  this MBR  copy on  disk, reboot  from uninfected DOS
diskette and  write it  back on  harddrive instead of infected
MBR. This  method works fine and we used it successfully prior
to creation  of removing utility. The only disadvantage of the
described method is that it takes too much time.


     4. REBOOT OF INFECTED COMPUTER

     When computer  reboots the pseudoDOS boot is executed. It
loads virus  code in  videomemory (at  address BB00:0000).  PC
without videomemory  at segment  BB00 are not infected (I have
no computer  with monochrome  display adapter  so the test was
not  really   performed).  Then   it  decrypts   the  code  in
videomemory, intercepts  int 13h  and creates  special  memory
dispatcher at  address 0000:04B0.  The dispatcher structure is
shown in Fig.3a.

     Now all  accesses to  disk are  controlled with the virus
patch on  interrupt 13h. This code filters all accesses to MBR
and last  6 sectors  on disk.  The MBR now looks unchanged and
all writes to last 6 sectors are impossible (error flag is not
returned).   Described    technique   preserves   virus   from
modification, since its code is installed in DOS file area.

     After installation  in videomemory  virus examines if DOS
interrupts (20h, 21h, 27h) are set. This technique seems to be
universal :  I have  tested DOS versions 2.0, 2.11, 3.0, 3.30,
4.0 and  virus successfully  intercepts DOS  interrupts. Virus
hanged during reboot only with MS-DOS version 5.00. Section of
virus implementing  the task  of DOS interception analyses the
validity of  CS in  the vectors table for DOS interrupts (20h,
21h, 27h) to determine if it is safe to intercept DOS vectors.

     DOS interrupt  21h is  intercepted by STARSHIP before any
programs can  do the  same from CONFIG.SYS or AUTOEXEC.BAT. So
any resident  software vaccine  programs  ANTI4US2,  FLOSERUM,
TSAFE or  others, including programs with driver anatomy would
be unable to detect the operation of virus.

     After the  interception of DOS interrupts virus waits for
the termination  of  first  program.  It  test  the  calls  of
interrupts 20h,  27h and  of the DOS functions 0, 31h and 4Ch.
When Exit_to_DOS  request was  issued virus body is moved from
videomemory to  the core memory. If terminated program remains
resident virus  expands its  memory block  (glues to  resident
tail). If  program simply  returns to  DOS (AH=0, AH=4C) virus
substitutes the exit request with the TSR request (AH=31h) and
creates its own memory block. At this moment memory dispatcher
is modified to point on the new interrupt routines in the body
of virus.  From this moment virus stops controlling interrupts
20h and  27h.  It  uses  now  only  13h  and  21h  interrupts.
Dispatcher layout  after the shift of virus to the core RAM is
presented in Fig.3b.

     If the  first loaded program uses graphics - the virus is
erased from  videomemory, but  it can  survive because  it has
special restoring procedure (int B0h, at address 0000:02C0, in
the vectors  table). That  is exotic  -  the  whole  interrupt
service routine is located in the interrupt table (it occupies
approximately 3  paragraphs and  covers  interrupts  B0...BB).
This routine  checks presence  of  virus  in  videomemory  (in
reality only  one word of videomemory is checked) and if virus
image was  destroyed all 5 sectors with virus program are read
to videomemory  and decoded (remember that disk image of virus
is XOR-encrypted).  Computer hangs  only if  graphics is  used
simultaneously with  accesses to DOS, but this situation seems
to  be  exceptional,  because  programs  usually  included  in
AUTOEXEC.BAT rarely use graphics.

     The performing of all these tests on the infected machine
was very  useful and  exciting  when  the  very  first  loaded
program was DEBUG (you must remove or rename AUTOEXEC.BAT; you
can also  place DEBUG  as  the  first  line  of  your  current
AUTOEXEC.BAT). All  virus structures  were easily located. The
most interesting  were attempts  to  erase  virus  image  from
videomemory -  virus immediately  restores its  code. In DEBUG
you can  investigate the  process of virus installation in the
core RAM.  You only  need to trace the request of DOS function
4Ch (terminate) - and you will see how virus code is moved and
how its memory dispatcher is modified.

     After the  installation of virus in the core RAM it waits
for the  creation of any executable files on the floppy drives
A: and  B:. This  is usually done with DOS "copy" command when
destination file is located on floppy disk.


     4. ACTIVE PHASE

     The evil  happens when  reboots counter reaches 80 (while
initial reboot  counter is  in range  0..31). Disease  appears
after few  hours since  reboot and  this delay  depends on the
disk activity.  Virus plays  music  tones  and  drops  colored
points (ASCII=250)  without affecting  of  screen  background.
Each point  and each  tone corresponds  to  one  disk  access.
Frequency of  tones seems  to be  proportional to  the  seccyl
parameter (CX) of int 13h. This musical and visual effect does
not take place in any graphics modes. Colored points appearing
at random  screen positions  does not  affect  pseudographics.
Sometimes dots  are substituted  by spaces.  This video effect
corrupts  the   screen  in   text  mode   resulting   in   the
impossibility of using intensive disk accesses.

     When disks  are inactive  all operates correctly. You can
also use virtual disks or cache without any problems.

     Reboot temporary suspends virus activity.

     But remember  that infected  computer will  reach  active
phase  only  with  approximate  probability  2/3.  In  certain
infected computers triggering of virus is blocked! Behavior of
infected computer  depends on  the initial  value  of  reboots
counter.

------------------------------

End of Chaos Digest #1.67
************************************