Strange (virus information)

Name: Strange
Category: Viruses
Description:

The "Strange" virus is a memory-resident infector of floppy boot sectors and hard drive master boot records (MBR). It occupies four disk sectors: the first three hold the virus body and the last holds the original floppy boot sector or hard drive MBR. On a hard drive the virus writes itself into sectors 17 to 20 of the first disk track; on floppies it saves itself into the last four sectors of the disk.
When loaded from an infected sector the virus first behaves like a standard boot infector: it copies itself to the high addresses of system memory and decreases the word at address 0000:0413h (the BIOS count of available memory in KB). But instead of the usual boot-virus interrupt INT 13h it hooks INT 08h (the timer tick) and waits for the INT 2Ah vector to be installed: it polls until the double word at address 0000:00A8h is no longer zero, which happens during DOS installation. Then the virus restores the original INT 08h handler, hooks INT 21h and watches for the LOAD AND EXECUTE function (AH=4Bh).
When COMMAND.COM is loaded (the virus checks for the file name mask *ND.???), the STRANGE virus increases the length of the last memory block, moves its body into the area added to that block, restores the original INT 21h address and hooks INT 09h and INT 13h. In most cases the enlarged DOS memory block is the one that contains the system drivers; this is what happens when the virus relocates itself while the first copy of COMMAND.COM is loaded. In some other cases the virus skips the first load and moves itself only when COMMAND.COM is loaded again (for example, from one of the DOS shell utilities).
The high memory area that the virus occupied is then released: the word at address 0000:0413h is decreased by three. If the virus cannot move its body to the new location it reveals itself by displaying the message
Hmmall Strange drivers you have, very strange... ;-)

When INT 13h is called the virus checks for a tracing (single-step) debugger. To detect tracing it disables hardware interrupts with a CLI instruction, pushes register AX onto the stack, pops it back and compares the word left on the stack with the contents of AX. If the two values are not equal, the virus returns a "disk write-protected" error.
The virus also hooks INT 09h (keyboard) and duplicates the keypress of a randomly selected key. In addition, when disk sectors are written through INT 13h and the first two bytes of the sector being written are 'MZ' (the first sector of an EXE file), the virus changes them to 'ZM'.
Besides INT 09h and INT 13h, which it uses as the standard virus interrupts (disk infection and payload effects), this virus hooks one of two hardware interrupts: either INT 0Dh or INT 76h. These correspond to the computer's hardware interrupt requests (IRQs): INT 0Dh corresponds to IRQ5 of the PC/XT fixed disk controller, and INT 76h corresponds to IRQ14 of the PC/AT fixed disk controller. When the hard drive is accessed the hardware raises the IRQ signal (IRQ5 on PC/XT-class computers, IRQ14 on PC/AT), and the main processor then calls the interrupt routine in response to the hardware interrupt request.
The virus must intercept the interrupt with the right number (INT 0Dh on an XT, INT 76h on an AT), so it has to find out the type of the main processor of the computer it is running on. It determines the processor type with five assembler instructions:
MOV AX,2
MOV CL,41h
SHR AX,CL             ; shift right by CL: 8086/8088 use all 8 bits of CL (65 shifts, AX becomes 0), 80286 and later mask the count to 5 bits (1 shift, AX becomes 1)
TEST AX,1             ; is bit 0 of AX set?
JZ xt_class_computer  ; AX = 0: 8086/8088, XT class

If the value of AX equals 1 the machine is AT class and the virus hooks INT 76h; otherwise it is XT class and the virus intercepts INT 0Dh. It is interesting to ask whether this method of processor type detection is documented.
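An added example, not code from the original page: it emulates the 16-bit SHR AX,CL instruction under the two shift-count rules (8086/8088 use the full 8-bit count in CL; 80186/80286 and later mask the count to 5 bits, which Intel documents) and runs the five-instruction check under both, showing why AX ends up 0 on an XT and 1 on an AT.

```python
# Added example (not from the original page): emulate the shift-count rule
# that the five-instruction processor check above relies on. 8086/8088 CPUs
# use all eight bits of CL as the shift count; 80186/80286 and later mask the
# count to five bits (count mod 32), a documented Intel behaviour.

def shr16(value: int, count: int, masks_count: bool) -> int:
    """Emulate SHR r16, CL.

    masks_count=True models 80186/80286 and later (count & 1Fh);
    masks_count=False models 8086/8088 (full 8-bit count in CL).
    """
    value &= 0xFFFF
    count &= 0xFF
    if masks_count:
        count &= 0x1F
    # Shifting a 16-bit value right by 16 or more bits empties the register.
    return (value >> count) & 0xFFFF

def classify_cpu(masks_count: bool) -> str:
    """Run the virus's check: MOV AX,2 / MOV CL,41h / SHR AX,CL / TEST AX,1."""
    ax = shr16(2, 0x41, masks_count)
    return "AT" if ax & 1 else "XT"   # JZ xt_class_computer when bit 0 is clear

if __name__ == "__main__":
    for masks, name in ((False, "8086/8088"), (True, "80286+")):
        print(f"{name}: SHR 2,41h -> {shr16(2, 0x41, masks)} => {classify_cpu(masks)}")
```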
Using INT 0Dh and INT 76h the STRANGE virus implements a new kind of stealth mechanism on the hard drive. The virus keeps the original (uninfected) MBR sector permanently in memory; on XT computers, when the infected MBR sector is read, the virus substitutes the uninfected one, and on AT machines it forces the disk controller to read the sector that contains the uninfected MBR instead.
On PC/XT computers, when INT 0Dh is called the virus reads the address of the disk buffer from port 6, checks the buffer for its own body, and if the sector is infected copies the code of the original MBR into the disk buffer.
On PC/AT-class computers, on an INT 76h call STRANGE reads the cylinder, sector and head numbers from ports 1F3h, 1F4h, 1F5h and 1F6h. If these numbers match the MBR sector, the virus writes into these ports the address of the sector that contains the original MBR.
If you try to trace INT 13h (the STRANGE virus blocks tracing, see above) while the MBR sector is being read, the trace goes through the code into the ROM BIOS, the register values are unchanged, and yet the data buffer contains the original MBR rather than the virus. You can point the INT 13h handler directly at the original ROM BIOS address, but it makes no difference: this virus stays invisible.
Removing the virus from an infected disk is not difficult if system memory is clean. The original MBR is saved in the hard disk sector at address 0/0/11h (cylinder/head/sector); floppy disks can be cleaned with the DOS command SYS A: or SYS B:, or by writing a standard uninfected boot sector into the first sector of the diskette.
But if the TSR part of the virus is present, system memory must be disinfected before the sectors are restored, either by rebooting the computer from a clean system floppy or by disinfecting system memory directly.
It is better to use INT 13h tracing to find the address in system memory where the virus has placed itself, because the virus can copy itself not only into the drivers area but also into the end of one of the memory blocks. We have seen this virus place itself in the 'tail' of NC.EXE (the Norton Commander shell utility). Then the INT 0Dh, INT 13h and INT 76h handlers must be disinfected, three interrupt handlers in all. Only then can we be sure that "Strange" is no longer stealth.
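An added example, not the page's or any vendor's tool: an offline recovery of the hard drive MBR from a raw disk image, following the removal note above that the original MBR is kept at CHS 0/0/11h. The disk image, its geometry (64 heads, 63 sectors per track, which does not affect cylinder 0 head 0) and the sector contents are constructed for the demonstration, and the tool refuses to write anything when the saved sector does not pass basic MBR sanity checks.

```python
# Added example (not from the original page): recover the original MBR that
# Strange saves at CHS 0/0/11h and write it back over sector 0 of a raw disk
# image. The image and its contents are constructed here; the geometry is an
# assumption and only matters for sectors outside cylinder 0, head 0.
import struct

SECTOR = 512
CHS_OF_SAVED_MBR = (0, 0, 0x11)   # cylinder, head, sector, as stated on the page

def chs_to_lba(cyl: int, head: int, sec: int, heads: int, spt: int) -> int:
    """CHS to zero-based LBA; CHS sector numbers start at 1, so 0/0/11h is LBA 16."""
    return (cyl * heads + head) * spt + (sec - 1)

def looks_like_mbr(sector: bytes) -> bool:
    """Sanity checks: boot signature 55AAh and a plausible partition table."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        return False
    active = 0
    for i in range(4):                       # four 16-byte entries at offset 446
        flag = sector[446 + 16 * i]          # boot indicator must be 00h or 80h
        if flag not in (0x00, 0x80):
            return False
        active += flag == 0x80
    return active <= 1

def recover_original_mbr(image: bytes, heads: int = 64, spt: int = 63):
    """Return the saved original MBR if it passes the checks, else None."""
    lba = chs_to_lba(*CHS_OF_SAVED_MBR, heads, spt)
    saved = image[lba * SECTOR:(lba + 1) * SECTOR]
    return saved if looks_like_mbr(saved) else None

def disinfect_image(image: bytes):
    """Return a copy with the recovered MBR in sector 0, or None if nothing to do."""
    original = recover_original_mbr(image)
    if original is None or original == image[:SECTOR]:
        return None
    return original + image[SECTOR:]

def build_sample_image() -> bytes:
    """Constructed 32-sector image: sector 0 = stand-in loader, LBA 16 = original MBR."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x0F", 63, 1008)
    original = b"\x90" * 446 + entry + b"\x00" * 48 + b"\x55\xAA"
    infected = b"INFECTED-STANDIN".ljust(510, b"\x00") + b"\x55\xAA"
    img = bytearray(32 * SECTOR)
    img[0:SECTOR] = infected
    img[16 * SECTOR:17 * SECTOR] = original
    return bytes(img)
```

The same check applies to a real image only after the memory-resident part has been removed, as the text explains, since otherwise the stealth handlers return the original MBR for sector 0 and the comparison sees nothing to fix.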
© 2006-2008 spyware32.com