Attention Virus

 


             *********************************************

             ***   Reports collected and collated by   ***

             ***            PC-Virus Index             ***

             ***      with full acknowledgements       ***

             ***            to the authors             ***

             *********************************************


  Report from Jim Bates - The Virus Information Service - November

  1990


  === Attention Virus ===


  Examples of virus code continue to come in to UK researchers in

  ever-increasing numbers.  Fortunately however, the number of new

  techniques used by the virus writers is diminishing and the task of

  detecting generic virus activity is thereby becoming somewhat

  easier.  Most of the simpler parasitic virus types can be fairly

  easily classified and their capabilities are already well-known and

  adequately catered for within existing detection software.

  Occasionally we see something new or unusual which may require some

  minor modification to existing detection/prevention techniques and

  this is where detailed disassembling of the particular virus

  involved becomes so valuable.


  An example of this was found recently in a virus known to be at

  large in Russia.  It was sent to us under the name of "ATTENTION"

  although disassembly of the sample revealed that the name was

  actually a part of the infected host program.  However, we'll

  continue to refer to it by this name to avoid more confusion over

  virus aliases.  The virus is a small one (infective length is 377

  bytes) and the major part of the code is unremarkable.  There is no

  trigger routine (although there may be some additional strain placed

  on the floppy drive motor), the code simply replicates amongst files

  with an extension ending in "OM" (this obviously includes all COM

  files) where the length is between 786 and 64921 bytes inclusive.

  Infection is invoked during the DOS LOAD/EXECUTE function (4BH),

  appending the virus code to the file and modifying the original host

  jump (having first saved the original values).  During infection,

  file attributes are modified and then reset so that READ ONLY and

  HIDDEN files are equally vulnerable.  The original file date is not

  maintained and infected files will show the date of infection when a

  DIR listing is done to the screen.


  The interesting section of the code occurs within a Critical Error

  handling routine which the virus installs to the INT 24H vector.  No

  attempt is made to check or link to the existing handler, and the

  new handler address is re-installed during each LOAD/EXECUTE

  request.  Within this handler routine, after the flags and major

  registers have been saved on the stack, a retry count of three is

  set up and the code then goes into a timing delay loop before

  addressing the floppy disk controller directly through its port.

  The data mask is set to No Reset, Enable INT and DMA access and turn

  the drive motor off.  Then there is another timing delay loop before

  the port is accessed again but this time with the Motor On bit set

  in the data mask.  This sequence is executed three times (via the

  retry count) and the routine finally restores the registers and

  returns with a value of three in the AL register.  No immediate

  damage or corruption is caused by this routine, although it is

  possible that continued ON/OFF switching in this way might cause

  excessive stress to the drive motor.


  One of the areas which are awkward to monitor within an ordinary PC

  environment is that associated with direct port access and this

  virus is the first we have seen which uses it (albeit for unclear

  reasons).  Further developments along these lines are expected but

  fortunately, the knowledgable section of the anti-virus fraternity

  is already forewarned and such techniques have been well

  anticipated.


  VIS Classification - CcAR377A


  The information contained in this report is the direct result of

  disassembling and analysing a specimen of the virus code.  I take

  great pains to ensure the accuracy of these analyses but I cannot

  accept responsibility for any loss or damage suffered as a result of

  any errors or omissions.  If any errors of fact are noted, please

  let me know at :-


The Virus Information Service,

Treble Clef House,

64, Welford Road,

WIGSTON MAGNA,

Leicester  LE8 1SL


  or call +44 (0)533 883490


  Jim Bates


  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++

  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Comments

Post a Comment

Popular posts from this blog

BOTTOM LIVE script

                                  BOTTOM                                   ======                     by Adrian Edmondson and Rik Mayall                                 Bottom Live                                 ===========                               Richie  Rik Mayall                                Eddie  Adrian Edmondson Introduction ------------ [Opening shot of theatre, with huge pictures of Richie and Eddie. Caption: "Live from the Mayflower Theatre, Southampton".] Vox Pop 1:  So I'm hoping that this is a lot ruder than the TV, because             they can get away with it. [Cut to Ade's dressing-room door. It opens to reveal a clothes rail, its only contents a brown jacket.] Vox Pop 2:  I just think they're ace, you know, absolutely excellent. [Cut to dressing-gown, pan across a pair of glasses and a revolver.] Vox Pop 3:  It couldn't be too rude, I mean that's what young people want. [Rik's dressing-room door.]
Read more

Fawlty Towers script for "A Touch of Class"

Fawlty Towers A Touch of Class Written by John Cleese and Connie Booth First of first series, first broadcast on September 19, 1975 on BBC2 Transcribed by Jason R. Heimbaugh (jrh@uiuc.edu) on October 10, 1993 Basil Fawlty  John Cleese Sybil Fawlty  Prunella Scales Manuel        Andrew Sachs Polly         Connie Booth Major Gowen   Ballard Berkeley Miss Tibbs    Gilly Flower Miss Gatsby   Renee Roberts Lord Melbury  Michael Gwynn Danny Brown   Robin Ellis Sir Richard   Morris Martin Wyldeck Mr Watson     Lionel Wheeler Mr Wareing    Terence Conoley Mr Mackenzie  David Simeon               [The Fawlty Towers reception lobby. The main entrance is at the               back, with the stairs to the right. The entrance to the dining               room is in the right wall; on the left, the reception desk               running along the left wall, with the entrance to the office               behind it. The entrance to the bar is beyond the desk.] Basil         [on th
Read more