Ugly family Viruses Information

Name: Ugly family
Category: Viruses
Description:
Ugly family

These are very dangerous memory-resident polymorphic and stealth multipartite viruses. They infect COM and EXE files as well as the MBR of the hard drive and the boot sectors of floppy disks ("Ugly.6047,6048" fail to infect floppy disks). The viruses are encrypted in files and in the MBR; they do not encrypt themselves in the boot sector of floppy disks.
While infecting a file the viruses write themselves to the end of the file. While infecting a disk the viruses overwrite its first sector (boot sector or MBR); the original sector and the virus code are saved in the last sectors of the disk. In the case of a floppy disk the virus formats an extra track.
When an infected file is executed, or the system boots from an infected floppy disk, the virus infects the MBR of the hard drive and returns control to the host program or boot sector. When writing data to the hard drive the virus uses direct calls to the hard disk (HD) ports.
When booting from an infected disk the virus allocates a block of system memory by decreasing the memory size (the word at address 0000:0413), hooks INT 1Ch, waits for DOS to load, hooks INT 8, 16h, 17h, 20h, 21h, 25h, 26h and 27h, and completes its installation by restoring the system memory size (the word at 0000:0413). As a result the virus leaves its TSR code in a separate block of DOS memory. The virus then infects files and floppy disks as they are accessed. Depending on its counter (driven by INT 8) the virus also searches the current directory for COM and EXE files and infects them.
They check file names and do not infect the following files: COMMAND.COM, GDI.EXE, DOSX.EXE, WIN386.EXE, KRNL286.EXE, KRNL386.EXE, USER.EXE, WSWAP.EXE, CHKDSK.EXE.
Depending on their internal counters, and when run under a debugger, the viruses erase the CMOS and the hard drive sectors.
The viruses use a complex algorithm that lets them stay memory resident across a cold reboot and a boot from a clean DOS floppy disk. On installation the virus saves the CMOS memory fields that describe the installed floppy drives and sets them to zero (i.e. it emulates a system with no floppy drives installed). On disk access the virus temporarily restores the CMOS fields and then erases them again. On any reboot (cold or warm) the system checks the CMOS, does not detect any floppy drives and passes control to the MBR of the hard drive. As a result the virus in the MBR receives control, installs itself in memory and only then passes control to the floppy disk loader. In this way the virus stays memory resident even after booting from a clean, write-protected floppy disk.



© 2006-2008 spyware32.com