Attention Virus
*********************************************
*** Reports collected and collated by ***
*** PC-Virus Index ***
*** with full acknowledgements ***
*** to the authors ***
*********************************************
Report from Jim Bates - The Virus Information Service - November 1990
=== Attention Virus ===
Examples of virus code continue to come in to UK researchers in
ever-increasing numbers. Fortunately however, the number of new
techniques used by the virus writers is diminishing and the task of
detecting generic virus activity is thereby becoming somewhat
easier. Most of the simpler parasitic virus types can be fairly
easily classified and their capabilities are already well-known and
adequately catered for within existing detection software.
Occasionally we see something new or unusual which may require some
minor modification to existing detection/prevention techniques and
this is where detailed disassembling of the particular virus
involved becomes so valuable.
An example of this was found recently in a virus known to be at
large in Russia. It was sent to us under the name of "ATTENTION"
although disassembly of the sample revealed that the name was
actually a part of the infected host program. However, we'll
continue to refer to it by this name to avoid more confusion over
virus aliases. The virus is a small one (infective length is 377
bytes) and the major part of the code is unremarkable. There is no
trigger routine (although there may be some additional strain placed
on the floppy drive motor), the code simply replicates amongst files
with an extension ending in "OM" (this obviously includes all COM
files) where the length is between 786 and 64921 bytes inclusive.
Infection is invoked during the DOS LOAD/EXECUTE function (4BH),
appending the virus code to the file and modifying the original host
jump (having first saved the original values). During infection,
file attributes are modified and then reset so that READ ONLY and
HIDDEN files are equally vulnerable. The original file date is not
maintained and infected files will show the date of infection when a
DIR listing is done to the screen.
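As an added triage example (not code from the report or its author), the selection rule described above is written out in Python, together with a heuristic for spotting an appending infection: an infected COM file's leading JMP should land exactly 377 bytes before end of file. That heuristic, and the sample COM images, are assumptions constructed here, not facts taken from the disassembly.

```python
import os
import struct

VIRUS_LEN = 377                  # infective length given in the report
MIN_HOST, MAX_HOST = 786, 64921  # host lengths the virus will infect

def is_candidate(name: str, size: int) -> bool:
    """The virus's own selection rule: extension ends in OM, size in range."""
    ext = os.path.splitext(name)[1].upper()
    return ext.endswith("OM") and MIN_HOST <= size <= MAX_HOST

def entry_offset(data: bytes):
    """File offset reached by a leading JMP rel16 (E9 xx xx); None otherwise."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    disp = struct.unpack_from("<H", data, 1)[0]
    ip = (0x103 + disp) & 0xFFFF  # COM image loads at offset 100h, JMP is 3 bytes
    return ip - 0x100

def looks_infected(data: bytes) -> bool:
    """Heuristic (assumption, not from the report): the leading jump lands
    exactly VIRUS_LEN bytes before end of file, i.e. on appended code."""
    size = len(data)
    if size < MIN_HOST + VIRUS_LEN:
        return False
    return entry_offset(data) == size - VIRUS_LEN

def classify(name: str, data: bytes) -> str:
    """'suspect' if the heuristic fires, 'candidate' if merely infectable, else 'skip'."""
    if looks_infected(data):
        return "suspect"
    if is_candidate(name, len(data)):
        return "candidate"
    return "skip"

def make_com(host_len: int, jump_to: int) -> bytes:
    """Constructed sample: a COM image of host_len bytes that starts with JMP jump_to."""
    disp = (jump_to - 3) & 0xFFFF
    return b"\xE9" + struct.pack("<H", disp) + b"\x90" * (host_len - 3)

# Constructed samples, not real virus code: a clean host, and the same host
# with its jump redirected to 377 bytes of filler appended at the end.
CLEAN = make_com(1000, 16)
INFECTED = make_com(1000, 1000) + b"\xCC" * VIRUS_LEN

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, len(image), classify("GAME.COM", image))
```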
The interesting section of the code occurs within a Critical Error
handling routine which the virus installs to the INT 24H vector. No
attempt is made to check or link to the existing handler, and the
new handler address is re-installed during each LOAD/EXECUTE
request. Within this handler routine, after the flags and major
registers have been saved on the stack, a retry count of three is
set up and the code then goes into a timing delay loop before
addressing the floppy disk controller directly through its port.
The data mask is set to No Reset, Enable INT and DMA access and turn
the drive motor off. Then there is another timing delay loop before
the port is accessed again but this time with the Motor On bit set
in the data mask. This sequence is executed three times (via the
retry count) and the routine finally restores the registers and
returns with a value of three in the AL register. No immediate
damage or corruption is caused by this routine, although it is
possible that continued ON/OFF switching in this way might cause
excessive stress to the drive motor.
One of the areas that is awkward to monitor within an ordinary PC
environment is that associated with direct port access, and this
virus is the first we have seen which uses it (albeit for unclear
reasons). Further developments along these lines are expected but,
fortunately, the knowledgeable section of the anti-virus fraternity
is already forewarned and such techniques have been well
anticipated.
VIS Classification - CcAR377A
The information contained in this report is the direct result of
disassembling and analysing a specimen of the virus code. I take
great pains to ensure the accuracy of these analyses but I cannot
accept responsibility for any loss or damage suffered as a result of
any errors or omissions. If any errors of fact are noted, please
let me know at :-
The Virus Information Service,
Treble Clef House,
64, Welford Road,
WIGSTON MAGNA,
Leicester LE8 1SL
or call +44 (0)533 883490
Jim Bates
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++