Virus Database


USTC.7680

Description USTC.7680

It is a very dangerous memory-resident multipartite polymorphic virus. It infects the MBR of the hard drive and writes itself to the end of COM and EXE files. It is encrypted not only in files and in the MBR, but in system memory as well: most of the virus routines are kept encrypted, and the virus decrypts each one when it is needed, executes it and encrypts it again.
While infecting the MBR the virus saves the original MBR sector to the 16th sector of the first disk track and writes its main code from the MBR sector through the 15th sector of the first track. While infecting files the virus writes several blocks of junk code into the middle of the file. This is similar to the "OneHalf" multipartite virus, but the polymorphic engine of "USTC" is more complex. The junk code also contains anti-debugging tricks.
When an infected file is executed, the virus decrypts its code, infects the MBR of the hard drive, hooks INT 13h and INT 21h and stays memory resident. When loaded from an infected MBR, the virus hooks INT 8 and INT 13h, waits for some time (until DOS has installed itself), then releases INT 8 and hooks INT 21h.
The INT 13h hook implements the stealth routine that hides the virus code on the first track. The INT 21h hook intercepts files that are copied or modified and infects them, i.e. the virus infects new files and files whose data or code are changed. As a result it fools anti-virus CRC checkers. The virus has a bug: it does not check the file name extension, only the internal file format, and so infects not only COM and EXE files but also data files.
Depending on its internal counter the virus pauses booting from the infected MBR and waits for "CAPSL" input. The virus contains the text string:
3.0 1996.10 USTC
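The first-track layout described above (original MBR saved to the 16th sector, virus body in the sectors between the MBR and that copy) can be checked on a raw disk image. The following is an added triage example, not code from the original description; it assumes 512-byte sectors, that the rest of track 0 is unused and zero-filled on a clean DOS-era disk, and that a valid MBR ends with 55h AAh and keeps its partition table at offset 1BEh. The images it builds are constructed and contain no real virus code.

```python
# Added example (not code from the original description): a triage heuristic
# over a raw disk image that looks for the first-track layout described above,
# with the original MBR saved in the 16th sector of track 0 (LBA 15) and the
# virus body occupying the sectors between the MBR and that copy (LBA 1..14).
# Assumptions: 512-byte sectors; on a clean DOS-era disk the rest of track 0 is
# unused and zero-filled; a valid MBR ends with 55h AAh and keeps its partition
# table at offset 1BEh. The images built below are constructed, not real samples.

SECTOR = 512
PARTITION_TABLE = slice(0x1BE, 0x1FE)
BOOT_SIG = b"\x55\xAA"


def sector(image: bytes, lba: int) -> bytes:
    """Return one 512-byte sector by zero-based LBA (CHS sector n is LBA n-1)."""
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def looks_like_mbr(sec: bytes) -> bool:
    return len(sec) == SECTOR and sec[0x1FE:0x200] == BOOT_SIG


def check_first_track(image: bytes) -> dict:
    """Flag an image whose track 0 matches the saved-MBR-at-sector-16 layout."""
    mbr = sector(image, 0)
    saved = sector(image, 15)                  # 16th sector of the first track
    between = image[1 * SECTOR:15 * SECTOR]    # sectors 2 through 15
    findings = {
        "mbr_valid": looks_like_mbr(mbr),
        "saved_mbr_at_sector16": looks_like_mbr(saved),
        "sectors_2_15_nonzero": any(between),
        # the saved copy keeps the real partition table, so it matches the active MBR
        "partition_tables_match": mbr[PARTITION_TABLE] == saved[PARTITION_TABLE],
    }
    findings["ustc_layout"] = (
        findings["saved_mbr_at_sector16"]
        and findings["sectors_2_15_nonzero"]
        and findings["partition_tables_match"]
    )
    return findings


def build_sample_image(infected: bool) -> bytes:
    """Constructed 16-sector image: a plain MBR, or the same disk with the
    first-track layout from the description. No real virus code is used."""
    # one active partition entry (constructed values), seven empty ones
    ptable = (bytes([0x80, 1, 1, 0, 0x06, 0xFE, 0x3F, 0x00])
              + b"\x3F\x00\x00\x00" + b"\x00\x00\x10\x00" + bytes(48))
    clean_mbr = b"\xFA\x33\xC0" + bytes(0x1BE - 3) + ptable + BOOT_SIG
    if not infected:
        return clean_mbr + bytes(15 * SECTOR)
    loader_stub = b"\xEA" + bytes(0x1BE - 1)          # placeholder boot code
    infected_mbr = loader_stub + ptable + BOOT_SIG     # partition table kept
    body = bytes((i * 37 + 11) & 0xFF for i in range(14 * SECTOR))  # filler
    return infected_mbr + body + clean_mbr             # original MBR at sector 16


if __name__ == "__main__":
    print(check_first_track(build_sample_image(True)))
```

When the layout matches, the copy at sector 16 is what a recovery would restore, once its partition table has been compared with the active one. Other software also stores data in the MBR gap, so a hit is a lead for closer inspection of the first track, not a verdict by itself.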


BAT.Winstart.296

Description BAT.Winstart.296

This virus is named after the WINSTART.BAT file where the body of the virus is placed. That BAT file contains four text lines followed by binary data:
@ECHO OFF
:s%r#
COPY %0.BAT C:\Q.COM>NUL
C:\Q
[ binary data ]

On execution of that file the virus copies itself (the BAT file) into a COM dropper and executes it. The dropper is placed in the root directory of drive C: under the name Q.COM. When executed it installs itself into the High Memory Area, hooks INT 2Fh, creates WINSTART.BAT files on floppy drives and copies the virus body into each newly created BAT file.
Execution of BAT-file
The installation routine of the WINSTART virus shares its basic idea with the first memory-resident BAT virus, BATMAN. Like BATMAN, WINSTART first receives control as a batch file. It converts itself into COM format with the commands listed in its text part:
command                    action
-------                    ------
@ECHO OFF                  disable the echoing
:s%r#                      this is the label, it is not executed in batch
COPY %0.BAT C:\Q.COM>NUL   copy the host file to C:\Q.COM
C:\Q                       run newly created C:\Q.COM

The next line contains the binary data bytes, which begin with a 1Ah byte. That byte marks "end-of-file", so the binary line is never executed in batch mode.
Execution of COM-file
The Q.COM file is a copy of the source BAT file, but when executed it receives control as a COM file. The processor executes the text strings as "do-nothing" instructions such as:
INC AX ; '@'
INC BP ; 'E'
INC BX ; 'C'
DEC AX ; 'H'
DEC DI ; 'O'
AND [BX+SI],AH ; ' '

That dummy code is terminated by the "label" string (the second line of the BAT file). The processor executes that part of the virus as the instructions:
JNC Install ; 's%'
JC Install ; 'r#'

These instructions pass control to the binary part of the virus, which installs the memory-resident portion of WINSTART.
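The dual-format structure described in the two sections above (text lines COMMAND.COM runs, a 1Ah end-of-file byte, and a binary tail that only executes when the same bytes are loaded as a COM program) can be checked mechanically. The following is an added inspection example, not code from the original analysis. Its opcode table covers only the single-byte x86 forms the text lines above decode to (INC/DEC r16, JC/JNC rel8); the sample file is constructed from the four text lines, with filler bytes in place of the binary tail.

```python
# Added example, not code from the original analysis: inspects a batch file for
# the WINSTART.BAT layout described above, i.e. text lines that COMMAND.COM
# runs, a 1Ah end-of-file byte, and a binary tail that only executes when the
# same bytes are loaded as a COM program. The opcode table covers just the
# single-byte x86 forms the text lines above decode to (INC/DEC r16, JC/JNC
# rel8). The sample file is constructed; its tail is filler, not virus code.

REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]
EOF = b"\x1a"


def decode_text_as_code(data: bytes):
    """Decode leading bytes the way a COM loader would, for the covered opcodes.
    Returns (mnemonic, raw bytes) pairs and stops at the first uncovered byte."""
    out, i = [], 0
    while i < len(data):
        op = data[i]
        if 0x40 <= op <= 0x47:
            out.append(("INC " + REG16[op - 0x40], data[i:i + 1]))
            i += 1
        elif 0x48 <= op <= 0x4F:
            out.append(("DEC " + REG16[op - 0x48], data[i:i + 1]))
            i += 1
        elif op in (0x72, 0x73) and i + 1 < len(data):
            name = "JC" if op == 0x72 else "JNC"
            out.append((f"{name} +{data[i + 1]:#04x}", data[i:i + 2]))
            i += 2
        else:
            break
    return out


def analyze_bat(data: bytes) -> dict:
    """Split a batch file at the EOF byte and report the dual-format markers."""
    eof_at = data.find(EOF)
    text = data if eof_at < 0 else data[:eof_at]
    tail = b"" if eof_at < 0 else data[eof_at + 1:]
    lines = [ln.decode("latin-1") for ln in text.splitlines()]

    # a batch label whose bytes are nothing but conditional jumps
    label_is_jump = False
    for ln in lines:
        if ln.startswith(":"):
            body = ln[1:].encode("latin-1")
            decoded = decode_text_as_code(body)
            if decoded and all(m.startswith("J") for m, _ in decoded) \
                    and sum(len(b) for _, b in decoded) == len(body):
                label_is_jump = True

    copies_self = any(ln.upper().startswith("COPY %0") for ln in lines)
    leading_nops = sum(len(b) for _, b in decode_text_as_code(text))
    return {
        "text_lines": lines,
        "leading_nop_bytes": leading_nops,   # first-line bytes that run as INC/DEC
        "label_is_jump": label_is_jump,
        "copies_self_to_com": copies_self,
        "binary_tail_bytes": len(tail),
        "suspicious": len(tail) > 0 and (label_is_jump or copies_self),
    }


# constructed sample: the four text lines from the description, EOF, filler tail
SAMPLE_BAT = (b"@ECHO OFF\r\n"
              b":s%r#\r\n"
              b"COPY %0.BAT C:\\Q.COM>NUL\r\n"
              b"C:\\Q\r\n"
              + EOF + b"\x90" * 16)


if __name__ == "__main__":
    print(analyze_bat(SAMPLE_BAT))
```

A batch file that carries data after the 1Ah byte is already unusual; combined with a label that decodes to jumps or a line copying "%0" into a .COM file it is a strong indicator of this dual-format trick.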
Installation into the system memory
First, the virus performs an "Are you here?" call: INT 2Fh with AX=B700h. The memory-resident portion of the virus returns the value FFh in the AL register. That call is exactly the one performed by the DOS utility APPEND on installation, so the two may confuse each other. This suggests the simplest protection against the virus: just install the APPEND utility.
If there is no copy of WINSTART in system memory, the virus allocates a block of the High Memory Area (HMA) with INT 2Fh function AX=4A02h. The request is for 173 bytes only, and such a small hole is enough for the virus to install itself in memory. It copies part of its code (168 bytes) into the allocated block and stores the INT 2Fh address there (168+4=172 bytes in total). The copied code contains only the virus INT 2Fh handler and the infection routine; the installation routine is not part of the TSR portion. The address of the INT 2Fh vector is taken from an undocumented DOS area (that address is new for me, I've never seen it before!). That address is used by DOS 6.0+ when DOS internal INT 2Fh routines pass control from one part of the code to another.
Then the virus performs the last part of the installation routine; that code is executed even if there is no HMA memory and the virus has not installed itself in memory. It renames C:\Q.COM to C:\WINSTART.BAT and then deletes C:\Q.COM. The reason for the deletion is that if WINSTART.BAT already exists, the rename command fails, and Q.COM would not be removed by the rename. After deleting, the virus sets the attributes of C:\WINSTART.BAT to "read-only" and terminates itself with an INT 20h call.
The result of the installation routine is as follows: the virus hooks INT 2Fh, keeps its INT 2Fh handler in the HMA block, and leaves a copy of itself in C:\WINSTART.BAT.
INT 2Fh Handler
The virus intercepts two INT 2Fh functions. The first is the "Are you here?" call (the APPEND installation check), AX=B700h; in that case the virus immediately returns FFh in AL.
The second is the internal Installation Check function AX=AE00h of the COMMAND.COM command processor. That call is performed on execution of a new COMMAND.COM copy (i.e. on execution of any DOS application from a file shell such as XTREE or Norton Commander). In that case the virus passes control to its infection routine.
The infection routine drops a copy of the virus on the current drive under two conditions only:
the current drive is A: or B:;
it has 50% or less free disk space (i.e. existing files occupy 50% or more of that disk, so the new file may be "hidden" among the other file names in a DIR listing).
In that case the virus hooks INT 24h to suppress the DOS error message when writing to write-protected disks, creates a new WINSTART.BAT file on the current (A: or B:) drive, and copies C:\WINSTART.BAT into it. While copying, the virus uses the INT 18h address in the Interrupt Table (addresses 0000:0060-0063) as its read/write buffer. That interrupt is not used during a DOS session on any IBM PC (the trick lets the virus save four bytes of occupied memory!), but it may cause trouble on machines that are not IBM PC compatible.
After copying, the virus gives the destination file the same date and time stamp as the source, closes the files and returns control to the original INT 2Fh handler. The infection is complete.

BAT.Zeke.324

Description BAT.Zeke.324

It is a harmless non-memory-resident companion virus named after its internal variable "zeke". It searches for EXE files, renames them to *.DSS and creates companion BAT files. DOS then loads and executes the batch virus instead of the original EXE file.
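The companion layout just described (an EXE renamed to .DSS beside a BAT file of the same base name) leaves a simple trace on disk. The following is an added detection example, not code from the original description: it lists a directory, pairs each .DSS with a .BAT of the same name, and reports the pair only when the .DSS still carries the MZ executable header. The sample directory is built in a temporary folder with placeholder contents.

```python
# Added example, not code from the original description: searches a directory
# for the companion layout described above, a NAME.BAT next to a NAME.DSS where
# the .DSS file is really an MZ executable (a renamed EXE). The sample directory
# is built in a temporary folder with placeholder contents, not virus code.
import os
import tempfile


def find_companion_pairs(directory: str):
    """Return (bat, dss) name pairs where the .DSS starts with the MZ header."""
    names = {n.upper(): n for n in os.listdir(directory)}
    hits = []
    for upper, real in sorted(names.items()):
        if not upper.endswith(".DSS"):
            continue
        bat = names.get(upper[:-4] + ".BAT")
        if bat is None:
            continue
        with open(os.path.join(directory, real), "rb") as f:
            magic = f.read(2)
        if magic == b"MZ":            # a renamed EXE, not ordinary data
            hits.append((bat, real))
    return hits


def build_sample_dir() -> str:
    """Constructed directory: one renamed EXE with its companion, one decoy
    pair whose .DSS is plain data, and an unrelated file."""
    d = tempfile.mkdtemp()
    files = {
        "EDIT.DSS": b"MZ" + bytes(62),                 # EXE header stub, constructed
        "EDIT.BAT": b"@ECHO OFF\r\nREM placeholder companion\r\n",
        "NOTES.DSS": b"plain data, not an executable",
        "NOTES.BAT": b"@ECHO OFF\r\n",
        "README.TXT": b"unrelated file",
    }
    for name, content in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return d


if __name__ == "__main__":
    print(find_companion_pairs(build_sample_dir()))
```

The MZ check is what keeps a directory that merely happens to contain .DSS data files from being reported; the same pairing logic applies to other companion viruses once their renamed extension is known.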

    Copyright © 2005 Virus-Database.com