


 
Shifter.98 Viruses Information

Name: Shifter.98
Category: Viruses
Description: Details
Shifter.983

This virus infects .OBJ files that are intended to be linked into COM files. It inserts itself into an OBJ file so that, after linking to a COM executable, the result contains the virus at the beginning of the file. When that file is executed, the virus receives control, hooks INT 21h and installs itself memory resident.
The virus intercepts three INT 21h functions: FEADh for the "Are you here?" call, DEADh for restoring the host program, and 3Eh (Close) for file infection. When a file is closed, the virus checks the file name extension (by using the undocumented System File Tables). If the extension is OBJ, the virus starts infection.
The virus reads the first three bytes of each object record in the file, from the first record to the last. These three bytes contain the record type and length. The virus checks the record type, and if it is a Module End Record (type 8Ah), an External Names Definition Record (type 8Ch) or a Logical Data Record (type A0h or A2h), the infection procedure calls the corresponding routine. Otherwise the virus seeks to the next record.
For a Data Record (type A0h or A2h) the virus alters the record's data offset: it adds its length in COM files (983 bytes) to that offset. It then calculates a new checksum for the record and updates the checksum field as well as the data offset field of the object record. As a result, all data records have new data offsets after infection, and all binary data of these records will be placed 983 bytes further down on linking. In this way the virus forces the linker to shift the contents of the COM file down by 983 bytes, freeing space at the beginning of the file for the virus code.
"Shifter" pays particular attention to the first Data Record of the OBJ file. If its data offset is equal to 0100h (which is normal for an OBJ that is to be linked into a COM file), the virus continues infection. If that offset is not 0100h (i.e. the OBJ looks like an object file for an executable that is not in COM format), the virus does not infect that OBJ file and returns control to the host INT 21h handler.
Note that the data offset of the first data record of an infected OBJ file is 04D7h (0100h + 983, that is, offset 0100h plus the virus length in COM files). Since this is not equal to 0100h, the virus does not infect such files. As a result, OBJ files are not infected twice by "Shifter".
If the type of the next record is 8Ah (Module End Record), the virus reads this record into its internal buffer and writes a new Data Record in place of the original Module End Record. This new Data Record contains the virus body with data offset 0100h, so on linking that record will be placed at the beginning of the file. The virus also calculates the checksum of this record and stores it at the end of the record. Then the virus writes the original Module End Record at the end of the OBJ file.
If during infection the type of the next record is 8Ch (External Names Definition Record), the virus checks the system timer (the word at address 0000:046C). If the two low bits of that word are zero, the virus calls its trigger routine. That routine shifts the screen and displays the message:
Shifting Objective .OBJ Virus (c) 1993 by Stormbringer
Kudos for The Nightmare for his ideas and coolness.
Greets go out to Phalcon/Skism, Urnst Kouch, Mark Ludwig, NuKE,
and everyone else in the community.

Then the virus waits for a keystroke and returns control to the infection routine.
"Shifter" increases file sizes by different amounts on infection. The virus code in a linked COM file is 983 bytes, so an executable grows by 983 bytes if it is linked from an infected OBJ file instead of a clean one. The OBJ files themselves, however, grow by 990 bytes on infection. This is because the virus writes into the OBJ not only its binary data (983 bytes), but also the record type, length, segment index, data offset and checksum fields (1+2+1+2+1=7 bytes).
"Shifter" infects files which will be linked into COM format. However, an OBJ file has no flag that indicates the format of the destination executable. In some cases the virus infects OBJ files which can only be linked into multi-segment EXE files: the first Data Record of an OBJ for an EXE file can contain 0100h in its data offset field, just as an OBJ for a COM file does. When such an EXE is executed, the system hangs.
The other versions of this virus ("Shifter.758,760") do not manifest themselves; they contain the text strings:
Shifting Objective Virus 3.0 (c) 1994 Stormbringer [Phalcon/Skism]
Kudos go to The Nightmare!
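
The record layout described above for Shifter.983 can be checked by walking an OBJ file's records and validating checksums. The following scanner is an added example, not part of the original description: the function names, indicator labels and sample images are assumptions made for illustration, and the sample "suspect" image uses 983 zero bytes as filler rather than any virus code.

```python
import struct

MODEND, LEDATA, LIDATA = 0x8A, 0xA0, 0xA2   # record types named on the page
BODY_LEN = 983                               # virus length in COM files
SHIFTED = 0x0100 + BODY_LEN                  # 04D7h

def record(rtype, body):
    """Build one OMF record: type, 16-bit length (body + checksum), body, checksum."""
    raw = bytes([rtype]) + struct.pack("<H", len(body) + 1) + body
    return raw + bytes([-sum(raw) & 0xFF])   # all bytes of a record sum to 0 mod 256

def walk(obj):
    """Yield (type, body, checksum_ok) for every record, first to last."""
    pos = 0
    while pos < len(obj):
        if pos + 3 > len(obj):
            raise ValueError(f"truncated record header at offset {pos}")
        rtype, rlen = struct.unpack_from("<BH", obj, pos)
        rec = obj[pos:pos + 3 + rlen]
        if rlen < 1 or len(rec) != 3 + rlen:
            raise ValueError(f"truncated record at offset {pos}")
        # A stored checksum of 0 is accepted: some tools do not compute it.
        yield rtype, rec[3:-1], rec[-1] == 0 or (sum(rec) & 0xFF) == 0
        pos += 3 + rlen

def scan(obj):
    """Return the Shifter.983 layout indicators found in an OBJ image."""
    hits, first_data, prev = [], True, None
    for rtype, body, ok in walk(obj):
        last, prev = prev, None
        if not ok:
            hits.append("bad-checksum")
        # Data records too short to hold index + offset + data are ignored.
        if rtype in (LEDATA, LIDATA) and len(body) >= 4:
            skip = 2 if body[0] & 0x80 else 1      # segment index: 1 or 2 bytes
            offset = struct.unpack_from("<H", body, skip)[0]
            prev = (offset, len(body) - skip - 2)  # (data offset, data length)
            if first_data and offset == SHIFTED:
                hits.append("first-data-offset-04D7h")
            first_data = False
        elif rtype == MODEND and last == (0x0100, BODY_LEN):
            hits.append("983-byte-record-at-0100h-before-MODEND")
    return hits

# Constructed sample images; the 983 filler bytes are zeros, not virus code.
HDR, END = record(0x80, b"\x04DEMO"), record(MODEND, b"\x00")
DATA = b"\xC3" * 16
CLEAN = HDR + record(LEDATA, b"\x01" + struct.pack("<H", 0x0100) + DATA) + END
SUSPECT = (HDR + record(LEDATA, b"\x01" + struct.pack("<H", SHIFTED) + DATA)
           + record(LEDATA, b"\x01\x00\x01" + bytes(BODY_LEN)) + END)
```

The two layout indicators are structural only, so a hit should be confirmed with a signature scan; the extra record in `SUSPECT` accounts for exactly the 990-byte OBJ growth described above.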





 


© 2006-2008 spyware32.com - Privacy Policy