


 
Markus.541 Viruses Information

Name: Markus.541
Category: Viruses
Description: Details
Markus.5415

This is a very dangerous memory-resident, stealth, polymorphic, multipartite virus. When an infected file is executed, the virus decrypts itself using a trick with the program stack, cuts a block out of system memory (including UMB), copies itself there, hooks INT 8, 13h, 1Ch and 21h, and infects the MBR of the hard drive. It then returns control to the host program.
While infecting the MBR, the virus writes the original MBR and its own code (12 sectors in total) starting at the second sector of track 0, and overwrites 29h bytes of the MBR with the virus loader. The virus also erases the Partition Table in the infected MBR, so the infected MBR cannot be recovered with the FDISK/MBR command.
When loading from an infected MBR, the virus decreases the size of system memory (the word at address 0000:0413) by 6, reads its code from track 0 of the hard drive and jumps to it. It then hooks INT 8, 13h and 1Ch and passes control to the code of the original MBR. When any file is executed or closed, the virus restores the size of system memory and, as a result, cuts a block of system memory for its TSR code.
By hooking INT 1Ch, the virus is able to hook INT 21h when loading from an infected MBR. The INT 13h handler contains a stealth routine that blocks reads from and writes to the infected MBR.
The INT 21h handler contains the infection and stealth routines. The virus hooks 15 DOS functions. When an infected file is accessed (other than for execution or closing), the virus calls the stealth routine. When an infected EXE file is executed or closed, the virus writes itself to the end of the file. The virus does not infect several anti-virus utilities, and it disables its stealth routine while several disk-checking utilities are running. These programs are:
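The MBR layout described above can be checked on a raw disk image. The following triage script is an added example, not code from the original description: it flags an MBR whose partition table is empty while the 12 sectors after it are all in use, and looks for a displaced MBR copy among them. The 512-byte sector size, the mapping of "second sector of track 0" to LBA 1, the position of the stored original MBR and the sample image are assumptions, and the result is a heuristic rather than a signature.

```python
import struct

SECTOR = 512
PT_OFF, PT_LEN = 0x1BE, 64      # four 16-byte partition entries
AREA_FIRST, AREA_COUNT = 1, 12  # assumption: "second sector of track 0" is LBA 1

def sector(img, lba):
    return img[lba * SECTOR:(lba + 1) * SECTOR]

def has_partitions(sec):
    """True if the sector ends in 55 AA and holds at least one non-empty partition entry."""
    if len(sec) < SECTOR or sec[510:512] != b"\x55\xaa":
        return False
    table = sec[PT_OFF:PT_OFF + PT_LEN]
    return any(table[i + 4] != 0 for i in range(0, PT_LEN, 16))  # byte 4 = partition type

def triage(img):
    """Return findings for the first 13 sectors of a raw disk image."""
    mbr = sector(img, 0)
    used = [lba for lba in range(AREA_FIRST, AREA_FIRST + AREA_COUNT)
            if any(sector(img, lba))]
    copies = [lba for lba in used if has_partitions(sector(img, lba))]
    table_empty = not any(mbr[PT_OFF:PT_OFF + PT_LEN])
    return {
        "mbr_table_empty": table_empty,
        "track0_sectors_in_use": used,
        "possible_original_mbr": copies,
        "suspicious": table_empty and len(used) == AREA_COUNT,
    }

def constructed_image(infected):
    """Constructed sample data: 63 sectors with one type-06 partition in the MBR."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x0f", 63, 262144)
    clean = bytearray(SECTOR)
    clean[PT_OFF:PT_OFF + 16] = entry
    clean[510:512] = b"\x55\xaa"
    img = bytearray(63 * SECTOR)
    img[0:SECTOR] = clean
    if infected:
        for lba in range(1, 13):            # filler bytes standing in for stored code
            img[lba * SECTOR:(lba + 1) * SECTOR] = b"\xcc" * SECTOR
        img[1 * SECTOR:2 * SECTOR] = clean  # displaced MBR copy; its position is an assumption
        img[PT_OFF:PT_OFF + PT_LEN] = bytes(PT_LEN)  # partition table wiped in the live MBR
    return bytes(img)

if __name__ == "__main__":
    print(triage(constructed_image(True)))
```

Run it against an image acquired after booting from clean media, since the INT 13h stealth handler interferes with reads of the infected MBR on a running system. A sector listed under `possible_original_mbr` is a candidate source for rebuilding the partition table that FDISK/MBR cannot restore.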
CHKDSK SCANDISK DISKFIX
TNTSCAN CPAV MSAV SCAN IBMAVD IBMAVDQ IBMAVSP IBMAVSH VWATCH VSAFE

On every 10th INT 8 call (timer tick) the virus checks its own code to detect tampering. It calculates the CRC of its code, and if the result does not equal the original value, the virus redirects the INT 21h handler to another handler, and on the first INT 21h call it displays the message:
## (Copyleft) DD.MM.YY by MarkusMueller/GERMANY ## (V1.03)
<<<<< Eeehhjj, Du genetischer Abfall !!! >>>>>
Na, haben wir denn gerade einen Fehler gemacht ?
Vorab möchte ich mich kurz vorstellen:
Mein Name ist Ebola,
ich wohne auf Deiner FESTplatte, arbeite zur Zeit auf Deinem
Rechner, ernähre mich von Deinem Datensalat, habe Angst meine
Arbeit und meine Wohnung zu verlieren
und ich weiß bescheid.
Dummerweise will mich mein Vermieter loswerden, er hat wohl
gerade irgend ein `Schädlingsbekämpfungsmittel` eingesetzt.
Ich werde nun wohl besser verschwinden.
Ach, übrigens: Viel Spaß bei der Renovierung meiner Wohnung !
the
crazy program from
MM
Und Tschüß, (bis demnächstall)

The virus then erases the CMOS, pauses, slowly turns the screen off using VGA functions, and reboots the computer. It produces the same effect when run under a debugger.
The virus also manifests itself in other ways. The INT 13h and INT 1Ch virus handlers call a routine that "shakes" the screen. When infecting a system the virus stores the date, and one month later it periodically simulates disk read/write errors. On May 20th, when loading from an infected MBR, the virus displays the message:
+---------------------+
TYPE Happy Birthday Markus ¦ ¦
+---------------------+

waits for "Happy Birthday Markus" input, and then displays:
Thank you very much for the congratulations.

On November 11th the virus displays the message:
Runtime error 032 at 0040:0074
(A)brechnen, (W)iederholen, (I)gnorieren?

and if the 'a' key is pressed, the virus erases the CMOS.
The virus also contains the text string:
** Ebola is present **




Text added: Jun-27-1996





 


© 2006-2008 spyware32.com - Privacy Policy