Description:
Details
Idiot.2032
These are dangerous memory-resident parasitic viruses. "Idiot.2592" is encrypted. They contain the string:
=/= IDIOT VULTURE =//=
When an infected file is executed and the viruses take control, they hook INT 21h and stay memory resident. Before returning to the host program they infect the files C:\DOS\FDISK.EXE, C:\DOS\UNDELETE.EXE, C:\DOS\MEM.EXE and C:\DOS\EXPAND.EXE.
The viruses then infect files that are executed, opened, or accessed with the Get/Set File Attribute DOS call. While infecting a file, the viruses insert themselves into the middle of the file using a rather complex method. First, the viruses check the number of relocated addresses in the EXE module. If there are fewer than four such addresses, the viruses return from the infection routine. Otherwise they select several of these addresses that belong to JMP FAR and CALL FAR assembler instructions and patch the file so that, after it is loaded into memory, these FAR calls and jumps point to the virus code. To be able to return to the original subroutines and locations, the viruses store the original addresses.
The viruses then fix the relocation offsets and several other fields in the EXE header, move the EXE module down by "virus length" bytes, and insert their code between the EXE header and the original EXE module.
   Before infection              Infected file

   +----------+                  +----------+
   |EXE header|                  |EXE header|
   +----------+                  +----------+<<--+-+
   |all       |                  |Virus     |    | |
   |FAR CALL  |  internal        +----------+    | |
   |...       |  prog's          |...       |    | |
   |FAR JMP   |  calls and       |FAR CALL  | ---+ |  patched calls and jumps
   |...       |  jmps            |...       |      |
   |          |                  |FAR JMP   | -----+
   +----------+                  |...       |
                                 |          |
                                 +----------+
As a result, the virus code is placed in the middle of the file, and the entry address (the initial CS:IP in the EXE header) still points to the original code: the virus has no entry point of its own, and its code is "linked" into the code of the file. The virus takes control only if one of the patched instructions is executed, i.e. when the "infected" program branch takes control. Consequently, an infected program may run without the virus ever receiving control: if the program is executed in its default mode and the branches taken on a default run are not among the patched ones, the virus activates only when the program is run with command switches that cause a jump to a patched instruction.
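Because the infection leaves the header entry point untouched, an analyst looking for this kind of mid-file insertion has to inspect the relocation table rather than CS:IP. The script below is an added example, not code from the original entry: it parses an MZ header and its relocation table, applies the "fewer than four relocations" precondition stated above, and lists the relocation entries that belong to CALL FAR / JMP FAR instructions, which are the sites this virus patches. The tiny EXE image it inspects is constructed inline; function names are the example's own.

```python
import struct

# DOS MZ header: magic, last-page bytes, pages, reloc count, header paragraphs,
# min/max alloc, SS, SP, checksum, IP, CS, relocation table offset, overlay number.
MZ_HEADER = "<2sHHHHHHHHHHHHH"
FAR_TRANSFER_OPCODES = {0x9A: "CALL FAR", 0xEA: "JMP FAR"}

def parse_mz(data):
    """Return load-module offset, entry CS:IP and relocation entries of an MZ file."""
    (magic, _, _, n_reloc, hdr_paras, _, _, _, _, _,
     init_ip, init_cs, reloc_off, _) = struct.unpack_from(MZ_HEADER, data, 0)
    if magic not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    relocs = [struct.unpack_from("<HH", data, reloc_off + 4 * i) for i in range(n_reloc)]
    return {"load_module": hdr_paras * 16, "entry": (init_cs, init_ip), "relocs": relocs}

def meets_relocation_precondition(data):
    """The entry's stated precondition: with fewer than four relocations the virus gives up."""
    return len(parse_mz(data)["relocs"]) >= 4

def far_transfer_sites(data):
    """List relocations whose segment word belongs to a CALL FAR or JMP FAR.
    A relocation entry (offset, segment) names a 16-bit segment word in the load module;
    in a far CALL/JMP that word is 3 bytes past the opcode. Returns
    (module offset, mnemonic, target segment, target offset) per site."""
    info = parse_mz(data)
    base = info["load_module"]
    sites = []
    for off, seg in info["relocs"]:
        opcode_pos = base + seg * 16 + off - 3
        if opcode_pos >= base and data[opcode_pos] in FAR_TRANSFER_OPCODES:
            target_off, target_seg = struct.unpack_from("<HH", data, opcode_pos + 1)
            sites.append((opcode_pos - base, FAR_TRANSFER_OPCODES[data[opcode_pos]],
                          target_seg, target_off))
    return sites

def build_sample_exe():
    """Constructed minimal EXE image (not a real file): 64-byte header area + tiny module."""
    module = bytes([
        0x9A, 0x00, 0x00, 0x10, 0x00,   # CALL FAR 0010:0000, segment word at module offset 3
        0xEA, 0x02, 0x00, 0x20, 0x00,   # JMP FAR  0020:0002, segment word at offset 8
        0xB8, 0x00, 0x00,               # MOV AX, seg: relocated, but not a control transfer
        0x9A, 0x04, 0x00, 0x30, 0x00,   # CALL FAR 0030:0004, segment word at offset 16
        0xCB,                           # RETF
    ])
    relocs = [(3, 0), (8, 0), (11, 0), (16, 0)]
    total = 64 + len(module)
    header = struct.pack(MZ_HEADER, b"MZ", total % 512, (total + 511) // 512, len(relocs),
                         4, 0, 0xFFFF, 0, 0, 0, 0, 0, 0x1C, 0)
    table = b"".join(struct.pack("<HH", o, s) for o, s in relocs)
    return (header + table).ljust(64, b"\0") + module
```

Run it on a real file with `far_transfer_sites(open(path, "rb").read())`; comparing the count and targets of these sites against a known-clean copy of the same program shows which far transfers were redirected.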
This complex infection method is not bug-free, and the viruses often corrupt files while infecting them.