VIRUS BULLETIN ©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139.
/90/$0.00+2.50 This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted
by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers.
Page 15
VIRUS BULLETIN August 1991
The GP1 virus was tried under NetWare 3.11, where it replicated without problems, unlike the standard Jerusalem virus which refuses to replicate under the same circumstances.

After becoming memory-resident the virus infects other files, extending them by 1546 bytes. There were no other visible side-effects.
HIDING MECHANISMS
Viruses often place obstacles in the path of anyone trying to find them or eradicate them. Two mechanisms are commonly used: interrupt interception and encryption of the virus program itself.

Interrupt interception in particular has special implications for any network, due to the difficulty in establishing a ‘clean’, virus-free work environment.
Interrupt Interception
The virus redirects the interrupt vectors in such a way that operating system service calls are redirected to the virus code first. For example, the virus can examine every request made to DOS for reading disk information. If the sectors requested are those used by the virus, their contents are falsified before further processing of the request. (See Figure 3.)

This is the tactic used by the Brain virus, which intercepts any call to read the disk bootstrap sector and substitutes the original contents in place of the virus-infected actual contents.
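The Brain-style interception just described, as an added simulation that is not code from the article: it assumes a single disk-read vector, a constructed 512-byte boot sector and a constructed spare sector in which the virus keeps the clean copy, and shows why a scanner reading through the hooked vector sees nothing wrong.

```python
"""Simulation of the interrupt-interception tactic described above (a boot-sector
virus hooking the disk-read service and substituting the original bootstrap
sector), plus the cross-view check that exposes it. Added illustration, not code
from the article; sector numbers, contents and handler names are constructed."""

BOOT_SECTOR = 0        # constructed: logical number of the DOS bootstrap sector
HIDDEN_COPY = 7        # constructed: spare sector where the virus keeps the clean copy
CLEAN_BOOT = b"ORIGINAL BOOT CODE".ljust(512, b"\0")
INFECTED_BOOT = b"VIRUS LOADER".ljust(512, b"\0")

# The "disk" of an infected machine: virus loader in the boot sector, the
# original bootstrap sector stashed elsewhere.
disk = {BOOT_SECTOR: INFECTED_BOOT, HIDDEN_COPY: CLEAN_BOOT}


def bios_read_sector(n: int) -> bytes:
    """Original disk-read service: returns what is really on the medium."""
    return disk[n]


# Interrupt vector table reduced to the single entry that matters here.
vectors = {"int13": bios_read_sector}


def install_stealth_hook() -> None:
    """Redirect the disk-read vector so the virus handler sees every request first."""
    original = vectors["int13"]

    def hooked(n: int) -> bytes:
        if n == BOOT_SECTOR:              # request for the infected sector:
            return original(HIDDEN_COPY)  # hand back the original contents instead
        return original(n)

    vectors["int13"] = hooked


def read_via_vector(n: int) -> bytes:
    """What any program on the booted machine sees, including a virus scanner."""
    return vectors["int13"](n)


def scanner_finds_loader(n: int) -> bool:
    """Naive pattern scanner working through the normal service path."""
    return b"VIRUS LOADER" in read_via_vector(n)


def cross_view_check(n: int) -> bool:
    """Compare the view through the (possibly hooked) vector with a read that
    bypasses it, as a scan from a clean boot would. True means the read path lies."""
    return read_via_vector(n) != bios_read_sector(n)
```

Once the hook is installed the scanner is fooled, and the discrepancy is only visible through a read path the virus does not control, which is why cleanup has to start from a known-clean environment.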
Encryption
Certain viruses encrypt their own contents in order to foil attempts to find the virus by disassembly or by searching for a characteristic pattern. Since the encrypted part of the virus can be made different for each infected program, a simple pattern check cannot discover its presence; the only search possibility is on that portion of code which performs the decryption.

Likewise, disassembling such a virus using standard tools is likely to be a convoluted process. The virus must first decrypt its own contents before executing. This is the tactic used by the Cascade virus, which performs rudimentary self-encryption using a very simple exclusive-OR operation. The decryption routine of this virus remains static, thus enabling the extraction of a search pattern. (See Figure 4.) However, some viruses such as 1260 modify the decryption routine itself, so that it is impossible to extract a conventional hexadecimal search pattern. Although encryption complicates the development of detection software, it does not impose any specific additional burdens on network security.
IMPLICATIONS OF HIDING MECHANISMS ON NETWARE 3.11
The main problem of dealing with stealth viruses on any network is the difficulty in establishing a positively ‘clean’ work environment from which the cleanup can be attempted (see p.16, ‘Secure Accessing of NetWare 3.11’).

Interrupt interception represents a particular problem when dealing with an infected network. Viruses such as 4K hide
[Figure 3 - Interrupt routing before and after infection. Diagram labels: Interrupt vector, Application, DOS, Virus.]