83 lines
4.6 KiB
Plaintext
83 lines
4.6 KiB
Plaintext
The Blah virus is a memory-resident, stealth, multipartite partition table/
|
|
batch file virus. What follows is the raw source file. After the source file
|
|
is a batch file infected with Blah which demonstrates the workings of the
|
|
virus. To install the virus, simply run this batch file. Or you can assemble
|
|
the source, run the output file, and then execute a batch file. Be cautious
|
|
when running this virus, however, since it immediately infects the partition
|
|
table and your hard drive will become unavailable should you boot from
|
|
diskette. You have been warned!
|
|
|
|
The Blah virus
|
|
The world's only stealth, multipartite PT/BAT infector
|
|
Written by Dark Angel at the end of 1994
|
|
|
|
This virus is "mostly stealth" and "mostly harmless". It infects the
|
|
partition table on hd0 as well as batch files.
|
|
|
|
To install the virus, simply assemble this source to a COM file and run the
|
|
output. The virus will then reside on the partition table of the first hard
|
|
drive of the computer.
|
|
|
|
The partition table portion of the virus loads itself into the slack space
|
|
between the partition table and the first disk partition. The virus assumes
|
|
the first disk partition is the one closest to the partition table, which is
|
|
reasonable. It only infects the partition table on the first physical hard
|
|
drive, since that will always be loaded anyway. The original partition table
|
|
is stored following the virus code in the aforementioned slack space.
|
|
|
|
Since the partition table infector does not copy the partition table itself
|
|
into its code, several effects result. First, the system will not recognise
|
|
the hard drive if it is booted from a floppy. This can be considered a useful
|
|
side-effect, since it prevents disinfection via a clean boot. Additionally,
|
|
when modifying the virus, one must take care to keep the word 0AA55 at offset
|
|
01FE in the file, or else the BIOS will not recognise the partition table as
|
|
a valid one.
|
|
|
|
If you edit a batch file while the virus is in memory, the batch file will
|
|
become infected by the virus, but will load into memory as if it were
|
|
uninfected. When you save the file, it will remain uninfected. However, once
|
|
you run the batch file, it will again become infected.
|
|
|
|
This virus adds 3004 bytes to batch files. However, this file will assemble
|
|
to 1148 bytes, since an encoded form of this file is written to batch files.
|
|
|
|
The virus prepends its own code to the batch files that it infects. This
|
|
code consists of lines which 1. create an executable file 2. run this
|
|
executable file 3. delete the executable file and 4. reruns the batch file.
|
|
The code which creates the executable file is simply a bunch of ECHO
|
|
statements which are redirected into a file. These characters, when run,
|
|
will run the code you see below. The bytes following the ECHO consist of
|
|
code which reassembles and runs the code below and the data of the virus,
|
|
which is encoded in a special printable text-only format. The virus removes
|
|
this file after it has executed it in order to cover its traces. Finally,
|
|
the virus runs the batch file again. This is to allow the stealth to work
|
|
properly. The stealth works by bumping up all read requests on infected
|
|
files by an amount equal to the size of the virus prepended text. The stealth
|
|
is designed to not take effect until after the third file open it sees.
|
|
Since DOS opens batch files each time it needs to execute the next command,
|
|
this is the equivalent of waiting until after two statements have executed.
|
|
This leaves enough time to remove the temporary file and reexecute the batch
|
|
file. Now the stealth kicks in and DOS doesn't even see the virus code in
|
|
the batch file.
|
|
|
|
The virus hides the filelength increase on directory searches (in .BAT files
|
|
only, of course). It also hides itself from reads (with handle calls only).
|
|
It infects when a .BAT file is opened. It stamps files with a 62 second mark,
|
|
but that is for the findfirst/findnext routine only. The checks for previous
|
|
infection do not make any assumptions based on the file creation time.
|
|
|
|
The virus also prevents overwriting of itself in the partition table. It also
|
|
redirects attempts to view absolute sector 0. However, it does not try to
|
|
stop reads to other parts of the disk that are infected, i.e. the sectors
|
|
immediately following the first.
|
|
|
|
The source code to the decoder (the raw text is included in the virus) can
|
|
be found at the end.
|
|
|
|
Anyway, this virus was written mostly because I felt like doing something
|
|
lame. I think I succeeded, with only a modest effort.
|
|
|
|
Dark Angel, Phalcon/Skism, 31 December 1994
|
|
|
|
Happy New Year's!
|