MAD.128 Viruses Information

Name: MAD.128
Category: Viruses
Description: Details
MAD.1288

These are very dangerous memory-resident parasitic viruses; the major versions (2631, 3544, 3732, and Morose.5131) are polymorphic.
MAD.1288
This virus hooks INT 21h and writes itself to the end of EXE files that are executed or opened. Under a debugger, it erases the hard-drive MBR. Upon execution of every 33rd file, it overwrites a randomly selected disk sector with the following text:
THE MYTH [C]Black Angel : Next time ,Use a condom all

MAD.2631,2748
These viruses hook INT 9, 1Ch, and 21h, and write themselves to the end of COM and EXE files that are accessed. The viruses do not infect the following files:
*EB.* *ST.* *EW.*

The viruses have several bugs and often halt the computer. On the 13th of any month, or if the text strings (see below) are corrupted, the viruses erase the CMOS and the hard drive sectors. Upon every 1000th keystroke, the viruses erase a randomly selected disk sector. If no key is pressed for a minute and a half, the viruses display the following message:
+---------------------------------------------+
|               W a r n i n g !               |
+---------------------------------------------+
|   Your machine is infected by MAD I virus   |
|  -= Written & Copyright by Black Angel =-   |
|                 from Moscow                 |
|     For cure call DR.WEB (812) 296-3096     |
|                 Good-Bye!!!                 |
+---------------------------------------------+

The viruses also contain the text strings:
"MAD.2631": BETATHE MAD I virus (c)Black Angel
"MAD.2748": THE MAD version 1.2 virus (c)Black Angel

MAD.3544,4340
These viruses hook INT 13h and 21h, encrypt the major part of their TSR code, and decrypt/encrypt it "on-the-fly" as needed. To do this, the virus copies two parts of its INT 21h handler into the Interrupt Vector Table and the DOS data area, at the addresses 0000:0200 and 0060:0000, then sets the INT 21h vector to 0060:0000. When that code gains control, it decrypts the main virus TSR part using the decryption routine placed at 0000:0200, and jumps to the virus code.
By hooking INT 21h, the virus writes itself to the end of COM and EXE files that are created (it intercepts the DOS CreateFile call, stores the file's handle, and then infects the file on the DOS CloseFile call). On the 13th of any month, the virus infects COM files with the "MiniMad.279" parasitic virus (see below).
Upon execution of any file, the virus, depending on its counter, stuffs the string "MAD" into the keyboard buffer. Upon execution of a WIN*.* file, the virus disables the mouse driver and displays:
WINDOWS MUST DIE!

By hooking INT 13h, the virus intercepts writing to the hard drive MBR and encrypts the data buffer (i.e., newly created MBR). While reading the encrypted MBR, the virus decrypts it in the data buffer.
The virus uses anti-debugging tricks. Under a debugger, the virus erases the hard drive sectors. The virus also contains the strings:
"MAD.3544":
MAD 1.5a Copyright by Black Angel 03-08-96 : a New Beginning

"MAD.4340":
BUILD40
MAD 1.7 (C)opyright by Black Angel(from Moscow!) 29-09-96 : Next version...

MiniMad.279
This virus is dropped by "MAD.3544". When an infected file takes control, the virus searches for COM files and writes itself to the end of the file. The virus infects only files that begin with a JMP NEAR (E9h xxxxh) instruction, and replaces the following offset (xxxxh) with the offset of the virus code. Before closing the file, the virus stores the original offset (xxxxh) in the file's date stamp, and erases it from the virus code.
As a result, no original file data is kept in the virus code. To return control to the host program, the virus reads the file's date stamp and uses it as the original offset.
It contains the text string:
The MiniMad version 1.0 beta*.com
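
The layout just described (JMP NEAR at offset 0 redirected to a 279-byte appended body, with the original displacement parked in the 16-bit DOS date word of the directory entry) can be recognised and reversed from the file alone plus its date stamp. The following is an added example written for this page, not code from the original description or from any anti-virus product; the host file in it is a constructed stand-in, the "body" is inert zero filler carrying only the text string the page lists, and the exact way the displacement is parked in the date word is an assumption drawn from the wording above.

```python
"""Check and repair a COM file laid out as the page describes for MiniMad.279.
Added example; file-layout details are assumptions taken from the text."""
from __future__ import annotations
import struct
from typing import Optional

VIRUS_LEN = 279  # appended body length, as given on the page
SIGNATURE = b"The MiniMad version 1.0 beta*.com"  # text string the page lists


def decode_dos_date(word: int) -> tuple[int, int, int]:
    """Split a 16-bit DOS directory date word into (year, month, day)."""
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F


def date_plausible(word: int) -> bool:
    """A parked JMP displacement only sometimes decodes to a calendar date,
    so an impossible month/day is a hint, never proof."""
    _, month, day = decode_dos_date(word)
    return 1 <= month <= 12 and 1 <= day <= 31


def analyse(image: bytes, date_word: int) -> Optional[dict]:
    """Report the infection layout the page describes, or None.

    A COM file loads at CS:0100h, so an E9 rel16 at offset 0 lands at
    file offset 3 + rel16.  The infected JMP must land exactly on the
    appended body, and that body must carry the listed text string."""
    if len(image) < 3 + VIRUS_LEN or image[0] != 0xE9:
        return None
    rel16 = struct.unpack_from("<H", image, 1)[0]
    body_offset = len(image) - VIRUS_LEN
    if 3 + rel16 != body_offset or SIGNATURE not in image[body_offset:]:
        return None
    return {
        "body_offset": body_offset,
        "original_rel16": date_word,  # page: original offset kept in the date stamp
        "date_decodes_as": decode_dos_date(date_word),
        "date_plausible": date_plausible(date_word),
    }


def repair(image: bytes, date_word: int) -> Optional[bytes]:
    """Drop the appended body and put the parked displacement back into the JMP."""
    report = analyse(image, date_word)
    if report is None:
        return None
    restored = bytearray(image[: report["body_offset"]])
    struct.pack_into("<H", restored, 1, date_word & 0xFFFF)
    return bytes(restored)


def make_constructed_sample() -> tuple[bytes, bytes, int]:
    """Constructed test data, not a real specimen: a tiny host (JMP over 16 NOPs
    to a DOS exit) and an inert zero-filled stand-in body carrying only the
    signature string.  Returns (clean_image, infected_image, date_word)."""
    host = b"\xE9" + struct.pack("<H", 0x0010) + b"\x90" * 0x10 + b"\xB8\x00\x4C\xCD\x21"
    body = SIGNATURE + b"\x00" * (VIRUS_LEN - len(SIGNATURE))
    infected = b"\xE9" + struct.pack("<H", len(host) - 3) + host[3:] + body
    return host, infected, 0x0010  # the original rel16 now lives in the date word


if __name__ == "__main__":
    clean, infected, date_word = make_constructed_sample()
    print(analyse(infected, date_word))
    print("repaired == clean:", repair(infected, date_word) == clean)
```

Because the virus keeps no copy of the host's bytes, the directory date word is the only place the original displacement survives; a repair tool therefore has to read the directory entry before anything (a copy, a backup restore, an archiver) rewrites the timestamp, and the `date_plausible` flag shows why the stamp alone is too weak to use as a detection signal.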

MAD.3732
This virus hooks INT 21h and writes itself to the end of COM files that are executed or opened. Under a debugger, it formats the disk sectors. It contains the following texts:
The MAD version 1.4(beta) for TME (C)Black Angel 1996
TME 0.0 (c)Black Angel 14/05/96

MAD.4268,5054
These viruses hook INT 8, 13h, and 21h, and infect COM and EXE files that are created and then closed; i.e., they infect only newly created executables, so as to avoid detection by CRC integrity checkers. Like several minor versions, these viruses encrypt their TSR code and place an "on-the-fly" encryption/decryption routine in the Interrupt Vector Table.
If the host file name contains the symbols EB, NF, VP, VT, ST or EW, the "MAD.5054" virus corrupts this name in the environment area. As a result, the virus evades anti-virus self-checking procedures: the programs cannot locate their own files on disk to check them for viruses.
When an infected file runs, the virus also checks the command line. If the command line contains the "/!" ("MAD.5054") or "/?" ("MAD.4268") parameter, the virus stuffs "MAD" into the keyboard buffer.
By hooking INT 13h, the virus encrypts and decrypts "on-the-fly" the boot sectors of floppy disks that are accessed; these disks can then be accessed only under an infected system. By hooking INT 8, the virus calculates and checks a CRC of the INT 21h handler's code. If the CRC is wrong, the virus halts the system.
In some cases, "MAD.4268" displays the following message:
Your version of MAD outdate.Upgrade?

The virus then waits for a keystroke. When there is a 'Y' keystroke, the virus displays the following message, and erases the hard-drive MBR:
Please Wait! Cured Your system...

The virus then displays the following message in Russian, and overwrites the C:\AUTOEXEC.BAT file with the commands:
@echo Press Y for continue cured....
@echo off
c:\dos\format.com c: >null
echo on

On November 7th, the "MAD.5054" virus erases the CMOS, the hard drive sectors and displays the following message:
Seventh November - black day of a calendar...

This virus also corrupts RAR archives: while an archive is being saved to disk, the virus replaces RAR's ID label "Rar!" in the archive header with "Mad!". While a corrupted archive is being read, the virus puts the original "Rar!" label back. As a result, these archives can be accessed only under an infected system.
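
Once the resident virus is gone, every archive it relabelled is left unreadable until the label is put back. The check and repair below are an added example written for this page (not code from the description or from any archiver or anti-virus); the sample headers are constructed, and the rule that the two bytes after the label must still match the RAR signature is this example's own safeguard against "fixing" a file that merely happens to start with "Mad!".

```python
"""Recognise and undo the "Rar!" -> "Mad!" header relabelling the page describes.
Added example; sample data is constructed."""
from __future__ import annotations

RAR_LABEL = b"Rar!"           # label the page says the virus replaces
MAD_LABEL = b"Mad!"           # replacement the page says it writes
RAR_MAGIC_TAIL = b"\x1a\x07"  # bytes that follow "Rar!" in RAR 1.5-4.x and RAR 5 signatures


def classify_archive_header(header: bytes) -> str:
    """'intact', 'relabelled' (only the label was swapped) or 'unknown'."""
    if header[:4] == RAR_LABEL and header[4:6] == RAR_MAGIC_TAIL:
        return "intact"
    if header[:4] == MAD_LABEL and header[4:6] == RAR_MAGIC_TAIL:
        return "relabelled"
    return "unknown"


def repair_archive(data: bytes) -> tuple[bytes, bool]:
    """Put the RAR label back when, and only when, the rest of the signature
    shows this is a relabelled archive; anything else is returned untouched."""
    if classify_archive_header(data[:8]) == "relabelled":
        return RAR_LABEL + data[4:], True
    return data, False


def scan(files: dict[str, bytes]) -> dict[str, str]:
    """Classify a set of in-memory files by name (a directory walk would feed this)."""
    return {name: classify_archive_header(blob[:8]) for name, blob in files.items()}


def make_constructed_samples() -> dict[str, bytes]:
    """Constructed headers, not real archives: a RAR 4 signature, the same with
    the label swapped as the page describes, and a text file that only looks alike."""
    rar4 = b"Rar!\x1a\x07\x00" + b"\x00" * 16
    return {
        "ok.rar": rar4,
        "hit.rar": MAD_LABEL + rar4[4:],
        "note.txt": b"Mad!Mad!Mad!",   # carries the label but is no archive
    }


if __name__ == "__main__":
    samples = make_constructed_samples()
    for name, verdict in scan(samples).items():
        print(f"{name:10s} {verdict}")
```

Only the four label bytes are changed on disk, so the repair is a four-byte rewrite with no need to re-pack the archive; the signature-tail check is what keeps the tool from touching unrelated files whose first bytes happen to be "Mad!".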
The viruses also contain the strings:
"MAD.4268"
MAD 1.6 Copyright by Black Angel 24-09-96 :
...continue conversation...
Mutation Engine for Mad [MEM 1.0]

"MAD.5054":
Small Random Decoder for Mad [SRDM 0.0 beta]
EBNFVPVTSTEW
[MAD 1.8] (C)opy(R)ight by Black Angel from DesTroY Gr0uP : It BEGAN...!
Mutation Engine for Mad [MEM 1.1]

Mad.Morose
While installing itself memory resident, this virus copies a part (231 bytes) of its INT 21h handler to the DOS data area at the address 0054:0000, hooks INT 21h (sets the INT 21h vector to 0054:0000), writes its complete code to the hard drive (unused sectors on track 0) and returns to the host program. As a result, the in-memory virus occupies only 231 bytes and is invisible on the memory map. As needed (while infecting files), the virus reads its whole code from these hard drive sectors into system memory.
The virus hooks only one DOS function, Get DOS Version (AH=30h). On such calls, the virus obtains the name of the active program and infects it: the virus writes itself to the middle of COM files and to the end of EXE files. It does not infect the following files: *EB, *ST, *86, *NF, *VP, and *AN.
While infecting COM files, the virus corrupts them: it replaces INT 21h calls with INT CCh calls. To allow these files to operate, the virus sets the INT CCh vector to the INT 21h handler while installing. As a result, the corrupted files work only under an infected system, and halt the system under a clean one (after disinfection).
In January, this virus infects COM files in another way: it generates the executable code of a silly non-memory-resident COM infector and writes it to the end of the file. Upon each infection, the virus generates a different COM virus of varying length, using its polymorphic engine. As a result, this virus drops varying COM viruses while infecting each file. These COM viruses do not mutate their own code.
Under a debugger, this virus erases the hard-drive MBR. On December 31st, it erases the CMOS and displays the following message:
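
Both the 0060:0000 stub of MAD.3544 and the 231-byte stub at 0054:0000 described here share one visible trait: the INT 21h vector ends up pointing into the Interrupt Vector Table, BIOS data area or DOS data area rather than into the DOS kernel, and Mad.Morose additionally leaves a normally unused vector (INT CCh) aliasing the original INT 21h handler. The code below is an added example for this page, not a tool from the description or from any vendor: it inspects a raw 1 KiB IVT dump with two checks, a no-baseline low-memory heuristic and a comparison against a known-good snapshot. The IVT dumps, the 0x0700 threshold (where IO.SYS is conventionally loaded) and the placeholder handler addresses are all constructed or assumed.

```python
"""Flag hooked or aliased interrupt vectors in a raw 1 KiB IVT dump.
Added example; tables, threshold and placeholder addresses are constructed."""
from __future__ import annotations
import struct

IVT_BYTES = 256 * 4
WATCHED = (0x08, 0x09, 0x13, 0x1C, 0x21)   # vectors the page says the family hooks
# Assumed threshold: linear addresses below 0070:0000 (where IO.SYS conventionally
# loads) are the IVT, the BIOS data area and the DOS data area.
LOW_MEMORY_LIMIT = 0x0700


def linear(segment: int, offset: int) -> int:
    return (segment << 4) + offset


def read_vector(ivt: bytes, number: int) -> tuple[int, int]:
    """Return (segment, offset) of interrupt `number`; IVT entries are offset, segment."""
    offset, segment = struct.unpack_from("<HH", ivt, number * 4)
    return segment, offset


def low_memory_vectors(ivt: bytes, watch=WATCHED) -> dict[int, str]:
    """Heuristic needing no baseline: a watched handler that lives below
    LOW_MEMORY_LIMIT is not where DOS or the BIOS would place it."""
    findings: dict[int, str] = {}
    for n in watch:
        seg, off = read_vector(ivt, n)
        if linear(seg, off) < LOW_MEMORY_LIMIT:
            findings[n] = f"handler at {seg:04X}:{off:04X} lies in IVT/BIOS/DOS data area"
    return findings


def compare_to_baseline(ivt: bytes, baseline: bytes, watch=WATCHED) -> dict[int, str]:
    """Compare against a known-good dump: report changed watched vectors and any
    vector in the normally unused 80h-FFh range that now aliases a baseline
    watched handler (the INT CCh -> original INT 21h arrangement on the page)."""
    findings: dict[int, str] = {}
    for n in watch:
        if read_vector(ivt, n) != read_vector(baseline, n):
            seg, off = read_vector(ivt, n)
            findings[n] = f"changed to {seg:04X}:{off:04X}"
    base_targets = {read_vector(baseline, n): n for n in watch}
    for n in range(0x80, 0x100):
        v = read_vector(ivt, n)
        if v != (0, 0) and v in base_targets and read_vector(baseline, n) != v:
            findings[n] = f"now aliases the baseline INT {base_targets[v]:02X}h handler"
    return findings


def make_constructed_tables() -> tuple[bytes, bytes]:
    """Constructed IVT dumps, not captured from a machine.  Baseline: INT 21h at a
    placeholder DOS address; infected: INT 21h re-pointed to 0054:0000 as the page
    describes for Mad.Morose, and INT CCh made to alias the original handler."""
    def build(entries: dict[int, tuple[int, int]]) -> bytes:
        table = bytearray(IVT_BYTES)
        for n in range(0x00, 0x80):                 # placeholder ROM/DOS handlers
            struct.pack_into("<HH", table, n * 4, n * 4, 0xF000)
        for n, (seg, off) in entries.items():
            struct.pack_into("<HH", table, n * 4, off, seg)
        return bytes(table)
    dos_int21 = (0x0116, 0x10A0)                    # placeholder, assumed value
    baseline = build({0x21: dos_int21})
    infected = build({0x21: (0x0054, 0x0000), 0xCC: dos_int21})
    return baseline, infected


if __name__ == "__main__":
    base, inf = make_constructed_tables()
    print(low_memory_vectors(inf))
    print(compare_to_baseline(inf, base))
```

The low-memory check is the one a memory-map listing misses (the page notes the 231-byte stub is invisible there), while the baseline comparison is what catches the aliased INT CCh; together they show why a snapshot of the vector table taken from a clean boot is worth keeping.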
I am DEAD M0R0SE

The virus also contains the texts:
>>> The MaDesTr0yeR <<<
aka [DEAD M0R0SE]
version BETA TEST
Distribution & Copyright by Black Angel 1996
>Destroy Gr0up is down...!!!<
>HàÆô ê Hàü-ïÄ DESTROY GR0UP!<
EBST86NFVPAN
MiniMad 2.0 BETA! [c]Black Angelay



© 2006-2008 spyware32.com