Sorry, my English is not very good...
Now I present to the attention of respected DOS users my second and, I hope, not last virus (the first virus was named "Antipas.1101"). This virus
is 2200 bytes long and is named "$tart". If it becomes widespread and, as a result, gets into the databases of some antiviruses, I ask that it be named "$tart.2200" or, as a last resort, "Start.2200". I wrote this virus for my personal purposes (see effects below), but I hope it will be useful for someone else. I'm not a distributor of this virus, so I don't bear any responsibility for damage to software caused by the virus. The writing of the virus was finished on 18.11.1998 at 20:00. Author: DJ Sadovnikov. And now I'll tell you about the virus in detail (for those who are too lazy to look at the source text).
- General information: the virus requires a 286+ processor. No check for the required processor is made, because machines with an 8086/80186 CPU are practically absent. The use of 286 instructions allows the code to be optimized considerably. DOS version 3.x-6.x is required. The DOS version check is made because the virus operates incorrectly under Windows, since Windows doesn't support the SFT (for those who don't know: Windows returns DOS version 7.x). Other operating systems weren't tested.
- Resident, takes up about 4500 bytes of memory. Stays resident by correcting the MCB segment of the host program. There is a little bug here: as a result of the MCB correction, some programs packed by EXEPACK (but not all) stop working. I don't know why this happens; honestly speaking, I'm too lazy to look into it.
- The virus infects EXE files. Doesn't touch overlays. The type of the file is determined first by the extension, and then by the first two bytes (MZ), in case it is a COM file renamed to EXE. The length of an infected file increases by 2200 bytes. When infecting a file, the virus corrects both CS:IP and SS:SP. The virus infects files on execution and on opening. When infecting, it uses the SFT. I apologize that the virus doesn't infect COM files. The point is that COM files are disappearing; besides, the procedure for infecting them would greatly increase the virus's bulk. Although MZ-EXE files will be disappearing soon too. It's time for me to move on to infecting NE-EXE and PE-EXE.
- The virus is doubly encrypted. The first encryption procedure is an ordinary XOR; the key changes from file to file. The second procedure is XOR and SUB/ADD; the key changes from byte to byte according to a simple rule. Anti-debugging technology is used, based on registering the decrypting procedure as the interrupt handler for Int 1/Int 3. Overlapping code is used too, which complicates research of the virus after disassembling a little.
- Stealth. When a directory is read, it corrects the lengths of infected files. This method doesn't work for the DIR command, because DIR uses FCBs. When a file is opened, the virus disinfects (cures) it; when it is closed, infects it again. When some archivers (see source) and the CHKDSK program are executed, the virus disables its stealth mechanism until the next file is executed. I hope you understand why this is necessary.
- The virus determines the real Int 21h handler's address via tracing. It will not work if somebody has done splicing (inserting a jump to itself at the beginning of the handler), or if anti-trace protection is present. When the virus is already in memory, on an attempt to trace the Int 21h handler it displays a message (see source) and halts the system.
- An Int 24h (disk write-protect) stub is present, but it doesn't work correctly, and the cause is unknown to me.
- On the 18th of May (my birthday) the virus displays a text (see source) at the top of the screen and drops the characters with a sound effect. When the virus infects its 500th file (not on a particular computer, but overall), it displays a message (see source) and waits for a key press.
- When the following string (? ????ом ??????? ) appears on the screen:
* "Show virus info" -- displays the copyright message (see source)
* "Crack HDD" -- erases the MBR using ports, so even the BIOS's "Virus Warning" will not help.
* "Erase CMOS" -- erases the CMOS.
* "Reboot system" -- reboots the computer.
- At the beginning of the virus the string "Packed file is corrupt$" is present. It can confuse somebody who takes it into his head to look over the infected program on a healthy computer.
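From a defender's side, the header changes described above (2200 bytes appended, CS:IP and SS:SP redirected into them) and the "Packed file is corrupt$" string at the start of the virus body together give a simple file-level heuristic for an appending MZ-EXE infector of this kind. The following is an added example written for this writeup, not code from the author or the virus; the 2200-byte length and the marker string come from the text, while the 64-byte search window, the corroboration rule and the synthetic sample files are my own assumptions.

```python
import struct

VIRUS_BODY_LEN = 2200                 # size of the appended code, as stated in the writeup
MARKER = b"Packed file is corrupt$"   # string the writeup says sits at the virus's start

def mz_header(data):
    """Parse the MZ header fields needed for an appended-code check."""
    if len(data) < 28 or data[:2] != b"MZ":
        return None
    (cblp, cp, _crlc, cparhdr, _minalloc, _maxalloc,
     ss, sp, _csum, ip, cs) = struct.unpack_from("<11H", data, 2)
    return {"cblp": cblp, "cp": cp, "cparhdr": cparhdr,
            "ss": ss, "sp": sp, "ip": ip, "cs": cs}

def check_exe(data):
    """Heuristic: does the entry point (and stack) sit in a 2200-byte tail?
    Returns a dict of signals; 'suspect' needs the entry point in the tail
    plus one corroborating signal, since a legitimate linker may also place
    the stack at the top of the image (assumed rule, not from the writeup)."""
    h = mz_header(data)
    hdr_len = h["cparhdr"] * 16 if h else 0
    if h is None or len(data) <= hdr_len + VIRUS_BODY_LEN:
        return {"suspect": False}          # not MZ, or too small to carry the body
    entry = hdr_len + h["cs"] * 16 + h["ip"]
    stack_top = hdr_len + h["ss"] * 16 + h["sp"]
    tail = len(data) - VIRUS_BODY_LEN      # file offset where an appended body would start
    sig = {
        "entry_in_tail": entry >= tail,
        "stack_in_tail": stack_top >= tail,
        "marker_in_tail": MARKER in data[tail:tail + 64],
    }
    sig["suspect"] = sig["entry_in_tail"] and (sig["stack_in_tail"] or sig["marker_in_tail"])
    return sig

def build_sample(infected):
    """Constructed test data (not a real program): a 64-byte header, a 4096-byte
    host body and, if 'infected', 2200 appended bytes that CS:IP and SS:SP
    point at, mirroring the header changes the writeup describes."""
    host = bytes(4096)
    tail = MARKER.ljust(VIRUS_BODY_LEN, b"\0") if infected else b""
    total = 64 + len(host) + len(tail)
    if infected:
        cs, ip, ss, sp = len(host) // 16, 0, len(host) // 16, VIRUS_BODY_LEN
    else:
        cs, ip, ss, sp = 0, 0, 0, 1024
    hdr = struct.pack("<2s11H", b"MZ", total % 512, (total + 511) // 512,
                      0, 4, 0, 0xFFFF, ss, sp, 0, ip, cs)
    return hdr.ljust(64, b"\0") + host + tail
```

Run `check_exe(open(path, "rb").read())` over a directory of EXE files to triage candidates; the stealth described in the writeup means the scan must be done from a clean boot, since an active resident copy disinfects files as they are opened.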
DJ Sadovnikov (firstname.lastname@example.org), 18.11.1998 virus
[!] Memory allocation is done very incorrectly.
[!] On return to the host program, SS has a wrong value.
[+] The installation of the Int 24h handler is done incorrectly.
[+] Attempting to read/write to standard devices is possible.
[*] The procedure for searching for strings on the screen has a mistake.
DJ Sadovnikov (email@example.com), 12.04.2000