Ravage (aka Dodgy) background by muRPhy
---------------------------------------


RP represents a family of viruses beginning with RP.A(RP.17Dec) 512bytes.
At the beginning only RP (a friend of mine- we attended the same
highschool )
managed to buy a PC.
    We had before ZX-Spectrum(Sinclaire).
    Buying a PC, in no time he caught one virus.His experience with Z80
(ya know cracking games under Sinclair..) made him to easily understand
assembly of x86).Later some docs and disassembly of that virus helped
him very much.
    He begun to write his own vir (RP.17Dec),which spreaded very
much in our country.At that time there were no romanian MBR infectors
and programs like SCAN,TBAV or F-prot received the virus only after
a long time (RAV or AVX were not released yet).And was the only MBR
full (read/write) stealth infector which showed not 639k,but 640k even it
was in memory.
    Thats why on 17 Dec many romanian PC users were surprised
by the fact that in that day their systems stopped running.
    RP.17Dec had as a payload only overwriting of the MBR with garbage.
Of course, few users know that could easily restore their systems with
the original MBR from sect 14.So they proceed to format and lost
data.
    In the mean time RAV was released and was the first romanian AV
able to detect/remove this version.
    RP continued to release (and teach me how to) new versions.(RP.May,
RP.June- versions with payloads corrupting CMOS password or corrupting
data written on HDD).They were much better and no AV could detect them.
(one of the new ideas from RP version 4 was to bypass BIOS protection by
pushing an Y in keyboard buffer..)
I bought my own PC and started to disassembly mostly romanian COM and EXE
infectors and one BSV infector: Multi Ani)
    Soon I understood better how to defend myself.
Cominfector.1054,AA55(Porcupine),Ramthief(Antiscan814),Earle.1244,Bug557,
Lenin480,BadSectors1.2,Hi.460,892,895,Hypervisor1440,Alexander1843,1951,2104
Dracula.827 were some of them.
    Many boot sectors viruses like
Bloody,Bupt,Cruel,JackR,Michelangelo,AntiEXE,Parity,
Stoned were in the wild or at least there were commented dissasemblies
available.
    From the version 4 or 5 of RP I begun to study MBR infectors better and
started some new ideas modifying the replicator routine from RP versions.
    My laboratory versions were designed especially against TBAV heuristics
and RAV also.
    From version 7 of RP I shared my experience with RP and decided to
create a common version which had 1024 bytes.
    The problem was that TBAV showed flags DOt -(Disk write access.
overwrite/move a prog in memory,and trigerred event.)
    I developed new code which bypassed any flag for a MBR infector
thus made possible to release a version which quickly spreaded because
of the trust of many people in TBAV heuristics and other programs.
    They were convinced that their system is clean,but in fact it wasn't.
    The new version was a so called "fast boot infector".
    It was sufficient to let a infected disk in drive and to boot the system
to infect it; before the user pressed a key at No system or disk error the
virus jumped on the MBR of HDD.
    I solved a problem with that "Y" in keyboard buffer.The problem
was on a system which had no protection in BIOS.The system
displays two or three times the message with No system thus
could warn the user that something weird happened.
    I developed a new version with capabilities to bypass
32 bit access warning of win3.11.and win95.The new version
no more hooked int 12/int13, but int 13/int 1c scanning low memory
for a part of the string "COMSPEC=" and then restoring 640k of RAM and
hooking int 2f to be able to determine the init/exit of windows enhanced
mode.
    Later I found that QEMM warns the user about int 1c and I changed to int
8.
I introduced a counter for infected systems and hooked also int 40.
For a complete compatibility with win95 i had to include code that
determines the directory of win95 no matter where it was installed
looking for variable winbootdir on the environment.
    Then the virus was able to delete system\iosubsys\hsflop.pdr
no matter in which directory was installed win95.
    I thought that if I can hook int 2f, why not hook also int 21..?
1024 bytes were enough for a new handler for int 21,so
by a XOR AH,4B I could easily detect if there was run RAV(Romanian
AntiVirus) and then set a variable byte in CMOS counting 26 times
the running of this AV.
    In the mean time the code was designed (optimized) for antiheuristic
detection.The code is not encrypted ,only slightly changed to prevent
any known heuristic (TBAV,RAV and others).
    The version was (is?), as far as I know, the best MBR infector ever
seen.
The wide-spreaded version proves this.
    The code(not very special, as you'll see) shows how easily can be
defeated any AV.
    Also, this is a very destructive virus which counts three months after
the date of infection
and then thrashes sectors on HDD.(thus being relatively quickly discovered
by AV-men)
One could easily change this code to defeat again any known AV.
