PeterI Viruses Information
Name: PeterI
Category: Viruses
Description:
Details
PeterII
This is an ordinary memory-resident stealth boot infector that hits floppy boot sectors and the hard drive MBR. It occupies six sectors (0C00h, i.e. 3072 bytes): five sectors of virus body and one sector that holds the original sector the virus replaced.
On loading from an infected disk it installs itself into system memory. At installation the virus decreases the BIOS conventional-memory size (the word at 0000:0413, counted in kilobytes) by four (i.e. 4K), reads the rest of its body (four sectors) from the disk it was loaded from, and copies itself to the fixed address 9F00:0000. On a 640K machine that is linear address 9F000h, the top 4K just below the video area, i.e. exactly the memory it has just reserved. So the virus cuts four kilobytes out of system memory for its code and data.
Then the virus checks the system date; only the current day and month matter to it. It reads them directly from the CMOS rather than through DOS: it writes the register index to port 70h and reads the addressed cell from port 71h (on a standard AT the RTC keeps the day of month in register 07h and the month in register 08h, in BCD). If the date is February 27th, the virus calls the trigger routine described below.
Regardless of the date and of whether the trigger fired, the virus then reads the INT 13h (disk service) vector, saves it in its body, and points the vector at its own handler. If it was loaded from a floppy it infects the hard drive as well. Installation is then complete: the virus reads the original sector (boot sector or MBR) and passes control to it, and that sector's code loads and runs the operating system.
In some cases the virus hangs the machine before DOS is loaded, because at installation it does not check whether a copy of itself is already in memory. This happens when you boot from an infected floppy that is not a system disk. The virus installs itself and passes control to the original boot sector; the boot program in that sector looks for the DOS system files, does not find them, and displays a message like "Non-System disk, replace and press any key". The user swaps in another floppy as asked and reboots. If that disk is infected too, the second copy of the virus overwrites the first (both use the same fixed address), and the computer hangs.
The master boot record is infected while the virus loads. The virus reads the original MBR and checks the ID byte: if the byte at offset 01FDh equals BBh, the disk is already infected and is left alone. Otherwise the virus saves the original MBR on the hard drive at CHS address 6/0/0 (sector/head/cylinder, i.e. sector 6 of head 0, cylinder 0) and writes its body into the first physical sector of the drive and the four sectors after it. The hard drive is now infected.
Through its INT 13h hook the virus implements stealth for the infected hard drive: on any read or write of the sectors its body occupies, it substitutes the register values so that the disk appears uninfected. Access to the MBR sector is redirected to sector 6 (where the original MBR is saved); access to the other body sectors (2-5) is redirected to sector 8, whose contents are usually the same as those of sectors 2-7 before infection, i.e. zero bytes only. A scanner that reads the MBR through INT 13h while the virus is resident therefore sees the original, clean MBR; to find the infection it has to read the sectors from a clean boot or bypass the hook.
When an access is directed at a floppy disk, the virus tries to infect it. First it reads the floppy's boot sector and checks the ID byte at offset 01FDh (the same offset as on the hard drive), but for floppies the marker value of an infected disk is 11h.
The virus then checks another byte of the boot sector, the one at offset 0018h. This is one of the BPB fields of an MS-DOS boot sector: the number of sectors per track on the physical disk. The virus infects the floppy only if that value is 15, i.e. if the disk is a 1.2Mb 5¼-inch floppy.
If both bytes meet the virus's conditions, it prepares the floppy for infection by formatting cylinder 80 as an ordinary floppy cylinder. Note that a standard 1.2Mb floppy has 80 cylinders accessible to DOS, numbered 0 to 79; cylinder 80 cannot be read or written using DOS alone. It is, however, possible to format more than 80 cylinders (if the floppy disk controller and drive can do it), in which case the floppy contains several extra sectors that are usable through INT 13h but not reachable through DOS.
These extra sectors are used when the virus saves its body to the floppy: it saves the original boot sector into the last sector of the standard root directory, at absolute CHS address 14/1/0 (sector/head/cylinder; with 15 sectors per track and two heads this is logical sector 28 of a 1.2Mb floppy), then overwrites the boot sector with its own loader (the same loader as on an infected hard drive, except for the value of the ID byte) and saves the remaining four sectors into the freshly formatted cylinder. The floppy disk is now infected.
On February 27th, as described above, the virus calls the trigger routine. This routine decrypts and prints the message:
Good morning,EVERYbody,I am PETER II
Do not turn off the power, or you will lost all of the data in Hardisk!!!
WAIT for 1 MINUTES,pleaseall
Then the virus encrypts all sectors of the hard drive: every word is XORed with the value 7878h. As a result all executable, data and other files are inaccessible; if you reset the computer at this point they are lost. Reformatting the hard drive and restoring from backup (if you have one) is easier than decrypting every encrypted sector by hand. If you want to save your data you should wait and read the virus's next messages:
Ok.If you give the right answer to the following questions,I will save
your HD:
A. Who has sung the song called "I`ll be there" ?
1.Mariah Carey 2.The Escape Club 3.The Jackson five 4.All (1-4):
B. What is Phil Collins ?
1.A singer 2.A drummer 3.A producer 4.Above all (1-4):
C. Who has the MOST TOP 10 singles in 1980`s ?
1.Michael Jackson 2.Phil Collins (featuring Genesis)
3.Madonna 4.Whitney Houston (1-4):
The user must give three correct answers; in that case the virus decrypts and restores the hard drive sectors and prints:
CONGRATULATIONS !!! YOU successfully pass the quiz!
AND NOW RECOVERING YOUR HARDISK ......
If any answer is wrong, the virus displays:
Sorry!Go to Hell.Clousy man!
and you are left with an empty hard drive.
Fortunately the virus sets no time limit: you can call friends who are rock-music specialists and ask them for the correct answers, or call a system programmer who can analyze the virus code and tell you the numbers to enter.
And here are the answers to the "three questions of the sphinx": four, four and two.
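An alternative to the quiz, once the machine has been left powered on long enough to take a raw image of the disk, is to undo the XOR directly. The Python below is an added example, not the page's code or any vendor's tool: it implements the 7878h word XOR as the text describes it (since both halves of the key word are 78h, this equals XORing every byte with 78h and is its own inverse), and uses the MBR boot signature, which the XOR turns from bytes 55h AAh into 2Dh D2h, as a sanity check before touching an image. The sample sectors are constructed inline. It covers only the encrypted state; what the virus does to the drive after a wrong answer is not described on the page beyond "empty hard drive", so that case is not handled.

```python
import struct

SECTOR = 512
KEY_WORD = 0x7878
KEY_BYTE = KEY_WORD & 0xFF                           # both halves of 7878h are 78h
BOOT_SIG = b"\x55\xAA"
XORED_SIG = bytes(b ^ KEY_BYTE for b in BOOT_SIG)    # 2Dh D2h


def xor_7878(data):
    """XOR every little-endian 16-bit word with 7878h, as the payload does.
    An odd trailing byte (never the case for whole sectors) gets 78h."""
    n = len(data) // 2
    words = struct.unpack(f"<{n}H", data[:2 * n])
    out = bytearray(len(data))
    struct.pack_into(f"<{n}H", out, 0, *(w ^ KEY_WORD for w in words))
    if len(data) % 2:
        out[-1] = data[-1] ^ KEY_BYTE
    return bytes(out)


def mbr_state(sector):
    """Classify the first sector of an image by its boot signature."""
    sig = sector[510:512]
    if sig == BOOT_SIG:
        return "clean-signature"
    if sig == XORED_SIG:
        return "xor7878-encrypted"
    return "unknown"


def decrypt_image(image):
    """Decrypt a whole raw image only if its MBR carries the XORed signature;
    refuse otherwise, so a clean or differently damaged image is not XORed."""
    if len(image) % SECTOR:
        raise ValueError("image length is not a whole number of sectors")
    state = mbr_state(image[:SECTOR])
    if state != "xor7878-encrypted":
        raise ValueError(f"refusing to decrypt: MBR looks {state}")
    return xor_7878(image)


if __name__ == "__main__":
    # Constructed sample disk: an MBR with a signature plus one data sector.
    mbr = bytearray(SECTOR)
    mbr[:2] = b"\x33\xC0"
    mbr[510:512] = BOOT_SIG
    clean = bytes(mbr) + b"AUTOEXEC.BAT".ljust(SECTOR, b"\x00")
    damaged = xor_7878(clean)                 # what the trigger leaves behind
    print(mbr_state(damaged[:SECTOR]))        # xor7878-encrypted
    print(decrypt_image(damaged) == clean)    # True
```

Run it against an image taken with a raw sector dump (for example `dd` from a clean boot), never against the live disk while the virus is resident, since its INT 13h hook would still be substituting sectors on the first track. The signature check is deliberately strict: a drive that was reset mid-encryption will have a mix of XORed and clean sectors, and blindly XORing the whole image would then corrupt the untouched part.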