
VIRUS BULLETIN ©1991 Virus Bulletin Ltd, 21 The Quadrant, Abingdon Science Park, Oxon, OX14 3YS, England. Tel (+44) 235 555139.
Page 21
VIRUS BULLETIN, August 1991
Both Migram and Smack contain slavishly copied sections of
the 2100 code which examines the ROM. However, in this
case the writer displays almost total ignorance of exactly what
the code accomplishes and does not make proper use of the
information collected. Similarly, the EXE file infection
routine from the Murphy viruses has also been copied exactly
without obvious awareness of its operation.
Like 2100 and Murphy, Migram and Smack are also resident
viruses and install their own INT 13H, INT 24H and INT 21H
handlers. The code is not encrypted during infection and no
attempt at stealth is made once the code becomes resident and
operative. The trigger routines might best be described as
‘unusual’, but more of this later.
Installation
In this instance both viruses make use of an ‘are you there?’
call to the system by placing the value 4B4DH in the AX
register and issuing an INT 21H function call. This will return
with the carry flag set if the virus is not resident, or cleared if
it is, and the virus will install itself or exit to the host
accordingly. The next routine is that copied from 2100 which
examines ROM (and EPROM) areas for a suitable entry point
into the disk BIOS. The actual code fragments which the
viruses look for are:
cmp dl,80h
jnc ??
int 40h

or

test dl,80h
jnz ??
int 40h

If either of these is found in ROM, it is used as an access point
to the disk BIOS.
The code then continues through a series of calculations
designed to install it into high memory without recourse to the
normal TSR function calls. Finally, the host program is
repaired and processing is passed to it.
Operation
The INT 21H intercept routine in these viruses only checks for
LOAD and EXECUTE (4BH) and FILE OPEN (3DH and
6CH) function calls (only calls to open for READ ONLY
access are intercepted). Obviously there is a recognition/
answer routine for the ‘are you there?’ call, but all of the other
functions are intercepted by the same routine.
In Migram, the interception routine collects the name of the
file being processed and examines it for a .ZIP or .EXE
extension. If neither is found, processing is allowed to return
to normal DOS operation. When either a .ZIP or a .EXE file is
located, it is opened and examined for the presence of the
‘MZ’ header. If the file does not contain this header it must be
a ZIP file and a separate routine is called which searches the
current directory for the first ZIP file and deletes it. This
deletion occurs regardless of the system date or time setting.
When a file is found which contains the ‘MZ’ header (the
rarer alternative ‘ZM’ is not checked for), a check is made of
the system date and if the weekday indicator shows Saturday,
then a trigger routine is called. On days other than Saturday,
an attempt is made to infect the file before processing is
returned to the caller.
With Smack, the interception routine is similar, but the
conditions of ‘acceptance’ are different, as are the resulting
actions. In this virus, COM and EXE files are identified by the
last two letters of the file extension (‘OM’ and ‘XE’). In the
case of ‘OM’ files, a further routine tests for a filename
ending in ‘ND’ and thereby excludes COMMAND.COM and
similarly matching files from any further interference. With
‘XE’ files the situation is a little more involved and checks are
made for names ending with ‘AN’, ‘HA’ and ‘HK’.
Attempting to execute any file which matches these criteria (e.g.
SCAN.EXE or VIRUSCHK.EXE) while the virus is resident
will result in the system attempting to reboot through INT
19H. This is an obvious attempt to avoid detection - the SCAN
program from McAfee Associates being the most widely used
virus scanner in the world.
All other files are examined for the presence of the ‘MZ’
header (again the ‘ZM’ possibility is not considered). If the
header is not found, processing passes to a routine which
checks the system date to see whether it is a Saturday - if it is, the
file is deleted, otherwise the file is infected. If the ‘MZ’
header is found, a different trigger routine is executed, but if
the system date is anything other than a Friday, the file is
infected. On Fridays, a series of infantile messages is
displayed as follows:
Is today Friday?
The virus then waits for the user to press the ‘Y’ key. If the
user answers ‘Y’ then the virus displays:
Sorry but on Friday I wish not work!!
and exits back to DOS.
If the user answers anything but ‘Y’ to the original question,
the virus displays:
You are untruthful!! For punishment I format your
HD Fat!!
and then proceeds to execute a similar routine to that found
within Migram which is apparently intended to format the first
few tracks of the hard disk. In both viruses this routine
appears to have been written by a complete novice. The
routine attempts to format the first five tracks of drive C: but
fails for several reasons.
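As an added example (not code from the article, nor from the viruses themselves), the following Python models the two INT 21H intercept decision trees described above as pure classification functions, so an analyst can see which names, headers and weekdays reach which branch, including the near-misses such as a harmless ALPHA.EXE hitting the anti-scanner reboot. It assumes Python's Monday=0 weekday convention and that Smack passes through any name whose extension does not end in ‘OM’ or ‘XE’.

```python
"""Reference model of the Migram and Smack intercept logic (added example).

Only classifies a file the way the analysis says the resident code would;
it performs no file, disk or interrupt operations.
"""

SATURDAY, FRIDAY = 5, 4          # same numbering as datetime.date.weekday()


def migram_action(name, header, weekday):
    """Migram: .ZIP/.EXE names only; 'MZ' decides EXE vs ZIP handling.

    header is the first two bytes of the file. Only b'MZ' is tested; the
    rarer 'ZM' form is not recognised, exactly as the article notes.
    """
    upper = name.upper()
    if not upper.endswith((".ZIP", ".EXE")):
        return "pass"                      # anything else returns to DOS
    if header != b"MZ":
        return "delete-first-zip"          # no header: treated as a ZIP
    return "trigger" if weekday == SATURDAY else "infect"


def smack_action(name, header, weekday):
    """Smack: name tests use only the last two letters of base and ext."""
    base, _, ext = name.upper().rpartition(".")
    if ext.endswith("OM"):
        if base.endswith("ND"):            # COMMAND.COM, FIND.COM, ...
            return "pass"
    elif ext.endswith("XE"):
        if base.endswith(("AN", "HA", "HK")):   # SCAN.EXE, VIRUSCHK.EXE
            return "reboot"                # INT 19H: anti-scanner evasion
    else:
        return "pass"                      # assumption: not COM/EXE-like
    if header != b"MZ":                    # 'ZM' again not considered
        return "delete" if weekday == SATURDAY else "infect"
    if weekday == FRIDAY:
        return "friday-prompt"             # "Is today Friday?" dialogue
    return "infect"


def friday_prompt_outcome(key):
    """Outcome of the Friday dialogue for the key the user presses."""
    return "exit" if key.upper() == "Y" else "format-attempt"


if __name__ == "__main__":
    # Constructed sample names and headers, not observed infections.
    for n, h, d in [("SCAN.EXE", b"MZ", 0), ("ALPHA.EXE", b"MZ", 0),
                    ("FIND.COM", b"\xe9\x10", 5), ("EDIT.COM", b"\xe9\x10", 5)]:
        print(f"{n:12} -> {smack_action(n, h, d)}")
```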
We are not in the business of training virus writers or in
giving them marks out of ten (although if Cracker Jack were a
plumber, he would have drowned years ago). The bugs in the
code will therefore not be reported individually.