FAUST Virus (aka SPYER & CHAOS)
*********************************************
*** Reports collected and collated by ***
*** PC-Virus Index ***
*** with full acknowledgements ***
*** to the authors ***
*********************************************
Report from Jim Bates - The Virus Information Service - 19th January
1991
=== FAUST Virus (aka SPYER & CHAOS) ===
This virus was reported by a user as being at large in the UK during
January 1991. It apparently arrived attached to software imported
from Hong Kong, although there is a very slight possibility that
infection occurred after importation.
FAUST is a resident, parasitic virus which appends to executable
files but does not infect COMMAND.COM. The infection process may
possibly affect other file types if they are subject to the DOS LOAD
& EXECUTE function request. There are two trigger routines, both of
which are date activated on the 13th of any month, as well as a
signature change during and after 25th December (any year).
The primary trigger routine writes random garbage to a random
position on the disk and this virus must therefore be classified as
requiring immediate and total disinfection of any infected system if
there is a risk that the primary trigger has been executed.
OPERATION
There are two distinct entry points to this virus, depending upon
whether the host file is a COM or EXE type. Both entry points
begin by issuing an "are you there?" call to DOS by placing a value
of 0E7H into the AH register and requesting an INT 21H. If the
virus is resident, the interrupt request will return with a value of
7Bh in the AH register. In this case, with COM files the original
three bytes at the beginning of the program are repaired and program
execution is returned to the start of the host program. With EXE
files an immediate jump is implemented to the CS:IP setting
contained within the original program header. If the virus is not
resident, the processing at both entry points will relocate the
virus code to offset zero of the code segment and then jump to the
virus code proper.
Once into the virus code proper, processing continues as follows for
both types of infection:-
A new stack is set up and a call is made to function 4AH of the DOS
INT 21H (modify memory allocation) to secure around 1700 bytes of
memory. No check is made to see if the call succeeded. A call is
then made to obtain the system date and this is tested to see if a)
it is earlier than 25th December, or b) it is the 13th of the month.
If the date is 25th December or later, a signature used by the virus
to recognise its own presence within a file is modified. This
modification occurs each time the virus is installed and will result
in multiple infections of target files. Once January is reached and
files have been infected with the latest signature version, they
will not be re-infected until the process is repeated at the next
25th December. No other changes are made to the virus code and it
is not known why this particular process has been incorporated. The
recognition string reported below will identify all versions of the
virus code since it does not include this signature. If the date is
the 13th of the month, the virus installs three separate interrupt
handlers - for INT 09h (Keyboard services), INT 13H (Disk I/O
services) and INT 21H (DOS Functions). A temporary INT 24H
(Critical Error) handler is also used within the INT 21H handler.
If the date is NOT the 13th of the month, the INT 09H and INT 13H
handlers are NOT installed. Since these are concerned with the trigger
routines this means that damage or interruption will not occur but
file infection (via the INT 21H interception routines) will still
take place. The operation of each interrupt handler is as follows
:-
INT 09H (installed 13th only) This is a simple interception routine
which increments a counter within the virus code at every keystroke,
and then tests its value. When the counter reaches 100 the video
mode is set to 80 * 25 text (mode 2) and a short message is
collected, decrypted and displayed before processing enters an
infinite loop and the machine "hangs". The message is, "Chaos!!!
Another Masterpiece of Faust...". This is where the identifying
name of "FAUST" has been extracted from.
INT 13H (installed 13th only) This handler invokes the primary
trigger routine on every fifth INT 13H request (ANY call to INT 13H
counts, whatever the function requested). On each request a counter
is incremented and tested for a value of 5. If the test fails
processing continues unmolested, otherwise the trigger routine is
executed. Counting
does NOT start at zero but will vary according to the current month
value recorded (and encoded) from the initial system date request.
Thus for the months of January through to July (inclusive) and
December, the initial count starts above 5, so the single-byte
counter must wrap round before it reaches 5, allowing between 247
and 256 disk accesses before triggering. During August
to November (inclusive) only 2 to 5 accesses are counted before
triggering. The trigger routine itself holds the original INT 13H
request and issues a Write instruction having first generated a
random track/sector address. The instruction is to write 9 sectors
taken from the caller's buffer area and the write process is always
to head zero. No change is made to the drive specifier provided by
the calling routine and this means that all local disks (fixed and
floppy) are at risk.
INT 21H (installed every time) This handler provides the infection
routines and also the response to the "are you there?" call issued
during initial execution. Apart from this function, the only other
function intercepted is 4B00h (LOAD & EXECUTE). When this request
is received, the virus first verifies that the amount of free space
on the disk will allow the addition of virus code. Then the
extension portion of the target filename is checked in an unusual
way: counting back from the end of the filename, if the second
letter is the same as the tenth letter (as in COMMAND.COM where the
O's match) then infection is aborted. Then the file attributes are
collected, stored and reset to allow write permission. Next, the
first and last letters of the three letter extension are checked
against each other. If they are the same then the virus sets a flag
to indicate an EXE type file. Since the two S's of SYS also match,
this method obviously causes problems if a SYS file is processed
with this function. Target files are
checked for previous infection by examining the word at offset 41
decimal from the end of the file. It is this word value which is
incremented by four at every installation during and after 25th
December. Thus the infection check will fail and files will gain
multiple infections. In our sample, the value of this word was
1234H which may indicate that this version had NOT "mutated" in this
way.
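The two filename tests above are easy to misread, so here is an added worked example (my own illustration, not code from the report or from the virus) that reproduces them and shows their side effects: COMMAND.COM is spared wherever it sits, SYS gets the EXE treatment, and because DOS function 4B00h receives a full pathname the count back to the tenth character can run into the directory part and spare other files as well. Treating strings shorter than ten characters as non-matching is an assumption of this example; the report does not say what the virus does there.

```python
# Added example (not from the VIS report): the two filename tests the FAUST
# INT 21H handler applies to a 4B00h target, reproduced so that their side
# effects can be seen.  Assumptions are marked where they are made.

def faust_target_class(name: str):
    """Classify a Load & Execute target the way the report says FAUST does.

    Returns ("skip", reason) when the virus would abort the infection,
    otherwise ("infect", "EXE") or ("infect", "COM").
    """
    n = name.upper()

    # Test 1 (report): counting back from the end, the 2nd character is
    # compared with the 10th.  In COMMAND.COM both are 'O', so it is skipped.
    # Assumption: 4B00h is handed the whole pathname, so the count can run
    # back into the directory part; strings shorter than 10 characters are
    # treated as not matching (the report does not say what really happens).
    if len(n) >= 10 and n[-2] == n[-10]:
        return ("skip", "char -2 == char -10 (COMMAND.COM rule)")

    # Test 2 (report): first and last letters of the three-letter extension
    # are compared; equal means the file is flagged as EXE.  SYS therefore
    # receives the EXE treatment as well.
    ext = n.rsplit(".", 1)[1] if "." in n else ""
    if len(ext) == 3 and ext[0] == ext[2]:
        return ("infect", "EXE")
    return ("infect", "COM")


def collateral_skips(names):
    """Names other than COMMAND.COM that the COMMAND.COM rule would also spare."""
    return [n for n in names
            if faust_target_class(n)[0] == "skip"
            and not n.upper().endswith("COMMAND.COM")]


if __name__ == "__main__":
    # Constructed sample names; A:\GO\EDIT.COM is spared only because of the
    # 'O' in the directory name, EDIT.COM on its own is not.
    for name in ("COMMAND.COM", r"C:\DOS\COMMAND.COM", "EDIT.COM",
                 r"A:\GO\EDIT.COM", "WORD.EXE", "ANSI.SYS"):
        print(f"{name:22} -> {faust_target_class(name)}")
```

Run stand-alone it prints the decision for each constructed name; the interesting rows are ANSI.SYS (flagged EXE) and A:\GO\EDIT.COM (spared purely because of the path).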
The infection method is the (by now) fairly standard process of
appending virus code to the file and modifying the initial program
bytes (or header for EXE type files) to route processing through the
virus code. The only major difference with this virus is that when
an EXE type file is first loaded, the virus is installed and before
being made resident (using DOS Function 31H), the original file is
loaded and executed using the DOS 4B00H function. For EXE files
which require large amounts of memory, this will result in Out of
Memory errors at first execution.
The general coding of this virus is extremely primitive and seems to
have been written by a newcomer to assembler programming. The usual
infantile message persuades me to advise the programmer NOT to give
up his day job (presumably he is employed as a deranged vagrant).
Despite the Hong Kong connection reported above, the use of the word
"Chaos" in the message may indicate a connection with that odious
group known to propagate virus code from Germany and other places in
Europe. Alternatively, it could simply be an attempt at plagiarism.
Interrupt handlers are installed using DOS functions 35H and 25H and
the whole code is made TSR with function 31H. No encryption (apart
from the message) is used and the code is easy to detect and defend
against. However, the nature of the primary trigger routine is such
as to make vigilance necessary since, like the Nomenklatura virus,
the very presence of the virus code may indicate corrupted data
which can not be quantified or repaired.
Virus Information
The virus is called FAUST; it is a resident virus which infects
executable files via intercepted Load & Execute function calls.
Infective length is 1184 bytes and a reliable recognition string is
as follows :-
B87A 0050 06B8 FD00 5026 C706 FD00 F3A4
this will be found at offset 44H (68 decimal) from the start of the
virus code. I do not normally recommend disinfection of parasitic
viruses, but if valuable code becomes infected, and no backups are
available, COM files can be repaired by replacing the first three
bytes of the file with the second three bytes within the virus code
(offsets 3, 4 and 5). EXE type files are repairable since the virus
does not destructively overwrite any program code. However, the
disinfection process is somewhat involved and not recommended
without accurate reference to a full disassembly of the virus code.
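As an added worked example (not the report's own tooling), the figures given above are enough to build a scanner and a COM repair routine. It assumes that the three-byte patch at the start of an infected COM file is a JMP rel16 to the appended body, that a re-infection saves whichever three bytes are current at that moment (so stacked infections caused by the December signature mutation peel off in reverse order), and that nothing has been appended after the last virus body. The infected images it works on are constructed here from NOP filler plus the documented fields, not real virus code.

```python
# Added example (not from the VIS report): a scanner and COM repair routine
# built from the figures the report gives (1184-byte body, recognition string
# at 44H into the body, infection marker word 41 bytes from the end of the
# file, saved host bytes at virus offsets 3-5).  Infected images are
# constructed below for illustration only.
import struct

VIRUS_LEN = 1184                 # infective length (report)
SIG_OFFSET = 0x44                # signature offset from start of virus code (report)
SIGNATURE = bytes.fromhex("B87A0050 06B8FD00 5026C706 FD00F3A4")
MARKER_FROM_END = 41             # word the virus checks for prior infection (report)
SAVED_BYTES_OFFSET = 3           # original first three host bytes (report)
SAMPLE_MARKER = 0x1234           # marker value in the analysed specimen (report)


def body_start(data: bytes) -> int:
    """Offset of a FAUST body sitting at the very end of data, or -1."""
    start = len(data) - VIRUS_LEN
    if start < 0:
        return -1
    sig_at = start + SIG_OFFSET
    return start if data[sig_at:sig_at + len(SIGNATURE)] == SIGNATURE else -1


def marker_word(data: bytes) -> int:
    """The word 41 bytes from the end: 1234H in the unmutated specimen,
    stepped by 4 at every install on or after 25th December."""
    return struct.unpack_from("<H", data, len(data) - MARKER_FROM_END)[0]


def scan(data: bytes) -> list:
    """Report every stacked infection, newest first.  A mutated marker is
    what lets the virus re-infect a file it has already infected."""
    found = []
    while (start := body_start(data)) >= 0:
        found.append({"body_at": start,
                      "marker": marker_word(data),
                      "mutated": marker_word(data) != SAMPLE_MARKER})
        data = data[:start]
    return found


def repair_com(data: bytes) -> bytes:
    """Strip stacked infections from a COM image, newest first.

    Assumption (consistent with the report, not stated by it): each
    re-infection saved the three bytes current at the time, i.e. the previous
    copy's jump, so peeling in reverse order recovers the original host.
    """
    if data[:2] in (b"MZ", b"ZM"):
        raise ValueError("EXE repair needs the full disassembly; not attempted here")
    while (start := body_start(data)) >= 0:
        saved = data[start + SAVED_BYTES_OFFSET:start + SAVED_BYTES_OFFSET + 3]
        data = saved + data[3:start]
    return data


def infect_com(host: bytes, marker: int) -> bytes:
    """Constructed infected image (NOT real virus code): the first three host
    bytes become a JMP to the appended body; the body carries the saved
    bytes, the signature and the marker, and is otherwise NOP filler."""
    body = bytearray(b"\x90" * VIRUS_LEN)
    body[SAVED_BYTES_OFFSET:SAVED_BYTES_OFFSET + 3] = host[:3]
    body[SIG_OFFSET:SIG_OFFSET + len(SIGNATURE)] = SIGNATURE
    struct.pack_into("<H", body, VIRUS_LEN - MARKER_FROM_END, marker)
    # A COM file loads at CS:0100h; JMP rel16 is relative to the next instruction.
    jmp = b"\xE9" + struct.pack("<H", (len(host) - 3) & 0xFFFF)
    return jmp + host[3:] + bytes(body)


# Constructed 12-byte host: MOV AH,9 / MOV DX,108h / INT 21h / RET / "Hi!$"
HOST = bytes.fromhex("B409 BA0801 CD21 C3") + b"Hi!$"
ONCE = infect_com(HOST, SAMPLE_MARKER)          # first infection
TWICE = infect_com(ONCE, SAMPLE_MARKER + 4)     # re-infection after one mutation


if __name__ == "__main__":
    for hit in scan(TWICE):
        print(f"body at {hit['body_at']:5d}  marker {hit['marker']:04X}"
              f"  mutated={hit['mutated']}")
    print("repaired == original:", repair_com(TWICE) == HOST)
```

Because the recognition string is looked for at a fixed 44H into the last 1184 bytes, a file with anything appended after the virus body will be missed; a practical scanner should fall back to searching the whole file for the string. The marker word on its own is not a detection: 1234H is only the value seen in one specimen, and the report says it changes.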
VIS Classification - CEARXD1184A
The information contained in this report is the direct result of
disassembling and analysing a specimen of the virus code. I take
great pains to ensure the accuracy of these analyses but I cannot
accept responsibility for any loss or damage suffered as a result of
any errors or omissions. If any errors of fact are noted, please
let me know at :-
The Virus Information Service,
Treble Clef House,
64, Welford Road,
WIGSTON MAGNA,
Leicester LE8 1SL
or call +44 (0)533 883490
Jim Bates
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++