Frizer.98 Viruses Information
Name: Frizer.98
Category: Viruses
Description:
Details
Frizer.987
Frizer.987 is a harmless (no destructive payload), non-memory-resident parasitic virus. It searches for .COM files; when it infects one it moves the file's original header to the end of the file and writes blocks of its own code both at the top and at the end of the file. The virus contains the text string:
[ Spreader beta2 by FRiZER ]
The virus has an unusual structure and infection algorithm. First of all, it consists of two blocks of code. The first block (the one placed at the top of the file during infection) contains the entry code, the INT 1 and INT 3 handlers and the instruction table (see below). The second block (the one placed at the end of infected files) contains the instructions the virus uses to search for files and infect them, i.e. the second block is the virus's infection routine.
The main feature of this virus is the way it runs its infection routine. The assembler instructions stored there are not laid out in the usual order (first find the file, then open it, then read data, etc.) but in a semi-compressed form: many of the necessary instructions are simply absent. An instruction is omitted whenever the same instruction already appears elsewhere in the virus code.
For example, the virus uses the INT 21h DOS call to allocate a block of memory. When the virus later needs to call other DOS functions, the corresponding INT 21h instructions are not present in its code; they are left out, so the stored code looks like this:
MOV AH,48h   ; allocate a block of memory
INT 21h      ; DOS call
...
MOV AH,1Ah   ; set DTA
MOV DX,DI    ; no DOS call stored here
MOV AH,4Eh   ; find first file
MOV CX,0020h
JNC ...      ; no DOS call stored here either
To run this strange code the virus uses the instruction table from the first block of its code. The table contains the sequence of pointers to the instructions that are to be executed. To run the code above the virus holds a list of pointers like this one:
pointer to MOV AH,48h
pointer to INT 21h
...
pointer to MOV AH,1Ah
pointer to MOV DX,DI
pointer to INT 21h ; points to the same INT 21h as above
pointer to MOV AH,4Eh
pointer to MOV CX,0020h
pointer to INT 21h ; points to the same INT 21h as above
pointer to JNC ...
To run its infection routine the virus takes the pointers one by one and passes control to the corresponding instruction. To execute exactly one instruction at a time it uses INT 1/INT 3 debugging tricks: the single-step trap (INT 1) and the breakpoint interrupt (INT 3), whose handlers live in the first block, return control to the virus after each instruction.
As a result the infection code contains only one copy of each instruction (with a few exceptions): if the virus needs to execute an instruction it has already used, it simply passes control to the same pointer again. So the virus never needs to store an instruction twice (which, incidentally, makes its code quite difficult to understand); it just reuses the same pointer in its table.
Moreover, the virus does not store in its second block any instruction that is already present in the host file. While infecting a file the virus scans the host's body for instructions that occur in its infection routine and points at the host's copies instead of storing its own, so an infected file may grow by less than the virus's length.
As a result the virus executes code taken from the infected programs: it simply sets pointers into the host code in its instruction table and omits those instructions from its second block. So the virus does not just infect files, it "integrates" its own code with the code of the infected programs.
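The two mechanisms described above (one stored copy per instruction driven by a pointer table, and borrowing instructions that the host already contains) are easier to see in a small model. The following is an added example written for this page, not the virus's own code: instructions are modelled as mnemonic strings, the sample infection routine and host program are constructed for illustration, and "executing" an instruction means recording it in a trace. The real virus points at x86 machine code inside its tail block and inside the host .COM file and relies on the INT 1/INT 3 handlers to get control back after each instruction.

```python
"""Model of Frizer.987's pointer-table code layout (added example, not the
virus's own code). Instructions are opaque mnemonic strings; the real virus
points at machine code in its tail block and in the host .COM file."""
from typing import Dict, List, Sequence, Tuple

# ("virus", index into the tail block) or ("host", index into the host program)
Pointer = Tuple[str, int]

# Constructed sample: the infection routine written out linearly, i.e. the
# page's listing with every INT 21h restored.
INFECTION_ROUTINE: List[str] = [
    "MOV AH,48h",    # allocate a block of memory
    "INT 21h",
    "MOV AH,1Ah",    # set DTA
    "MOV DX,DI",
    "INT 21h",
    "MOV AH,4Eh",    # find first file
    "MOV CX,0020h",
    "INT 21h",
    "JNC ...",
]

# Constructed sample host (hypothetical .COM program) that happens to contain
# three of the instructions the routine needs.
HOST_PROGRAM: List[str] = [
    "PUSH CS", "POP DS", "MOV AH,4Eh", "MOV CX,0020h", "INT 21h",
    "MOV AH,4Ch", "INT 21h",
]


def build_pointer_table(routine: Sequence[str],
                        host: Sequence[str] = ()) -> Tuple[List[str], List[Pointer]]:
    """Compress `routine` the way the page describes.

    Returns (tail_block, table): the tail block holds one copy of each
    instruction the host does not already contain; the table is the sequence
    of pointers that reproduces the routine's original execution order."""
    host_index: Dict[str, int] = {}
    for i, ins in enumerate(host):          # scan the host body once
        host_index.setdefault(ins, i)       # first occurrence is enough
    tail_block: List[str] = []
    own_index: Dict[str, int] = {}
    table: List[Pointer] = []
    for ins in routine:
        if ins in host_index:               # borrow the host's copy
            table.append(("host", host_index[ins]))
            continue
        if ins not in own_index:            # store each instruction only once
            own_index[ins] = len(tail_block)
            tail_block.append(ins)
        table.append(("virus", own_index[ins]))
    return tail_block, table


def run_table(table: Sequence[Pointer], tail_block: Sequence[str],
              host: Sequence[str] = ()) -> List[str]:
    """Dispatcher loop of the first block: follow the table pointer by pointer,
    running exactly one instruction per entry. In the real virus the INT 1 /
    INT 3 handler returns control here after each instruction; in this model
    running an instruction means appending its mnemonic to the trace."""
    trace: List[str] = []
    for where, index in table:
        trace.append(tail_block[index] if where == "virus" else host[index])
    return trace


def dos_calls(trace: Sequence[str]) -> List[str]:
    """DOS function numbers (AH) that reach INT 21h, in order; checks that the
    de-duplicated layout still performs the same system calls."""
    ah, calls = None, []
    for ins in trace:
        if ins.startswith("MOV AH,"):
            ah = ins.split(",", 1)[1]
        elif ins == "INT 21h":
            calls.append(ah)
    return calls


def layout_stats(routine: Sequence[str], host: Sequence[str] = ()) -> Dict[str, int]:
    """How much of the routine is stored in the tail block versus borrowed."""
    tail_block, table = build_pointer_table(routine, host)
    return {
        "routine_length": len(routine),
        "stored_in_tail": len(tail_block),
        "borrowed_from_host": sum(1 for where, _ in table if where == "host"),
        "table_entries": len(table),
    }


if __name__ == "__main__":
    for host in ((), HOST_PROGRAM):
        tail, table = build_pointer_table(INFECTION_ROUTINE, host)
        assert run_table(table, tail, host) == INFECTION_ROUTINE
        print(layout_stats(INFECTION_ROUTINE, host))
        for where, idx in table:
            print(f"  pointer -> {where}[{idx}]: "
                  f"{(tail if where == 'virus' else host)[idx]}")
```

With the constructed host, only 4 of the 9 routine instructions end up in the tail block and the other 5 are pointers into the host, which is the "grows by less than the virus length" effect the page describes. Two practical consequences follow from the description: the contents of the second block and the pointers in the table vary from host to host, so a detection signature over the tail block is unreliable, whereas the text string and the entry code and INT 1/INT 3 handlers of the first block do not depend on the host; and a borrowed instruction is only usable if the host's bytes still sit at the offset the table expects when the routine runs, which is why the virus has to scan the host body at infection time rather than assume a fixed layout.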