40Hex Number 8 Volume 2 Issue 4 File 005 STARSHIP - interesting file-boot virus. Muttik I.G. (Internet: MIG@politon.msk.su) KEYWORDS Virus, DOS, executable file, masterboot record, resident in memory, encryption. ABSTRACT STARSHIP virus (file and boot simultaneously) is described. It infects IBM PC and compatibles running DOS. Virus is called STARSHIP : this string can be easily found in the memory dump of virus. Virus infects masterboot record on harddisk and executable files files created on floppy drives. The virus is encrypted. Infected executable files have no descriptor longer than 2 bytes. Virus appears to have no destructive code, it uses music and video effects when active. The abnormal operation of the infected computers was sometimes detected. INTRODUCTION History of computer viruses is very short. The first known publications are dated with 1984-1985 [1,2]. But now situation in this field changes every day - uncountable number of various computer viruses are known at present in DOS operating system. The variety of known viruses is fantastic, but all of them falls into three known categories: file, boot [3,4] and cluster. Active area of the first virus type is executable files and of the second type - boot records on harddisks and diskettes. The third category is not yet over- populated, the only representative is bulgarian DIR-II virus. Probably the first virus which infects files and boot sectors was Ghost virus [5]. This virus was discovered by Fridrik Skulason at Icelandic University. Ghost virus infects only COM files. This virus increases file size by 2351 bytes. When active the Ghost replaces boot sector of infected system with a boot virus similar to Ping Pong, but this boot virus does not have infection routine. The Ghost virus, consequently, may be considered as a file virus with unusual active phase. After some time appeared Virus-101, Frodo and, finally, a bunch of new viruses was found: Thanksgiving virus (V-1), TEQUILA and STARSHIP (these type of viruses is sometimes called "multi-partite"). STARSHIP virus was found in Moscow in January 1991. Probably this virus was written in the USSR. The living cycle of STARSHIP virus is the following. When infected file is started it modifies masterboot record (MBR) on the harddisk and writes virus on the disk. Thereafter, when computer reboots, virus intercepts interrupt vectors 13h (low- level disk I/O) and 21h (DOS service). During the reboot virus is stored in the videomemory at address BB00:0. It is moved to the core RAM later, when the first program terminates. Now it stays resident and infects any COM/EXE file created on floppy drives. 1. GENERAL DESCRIPTION Length of STARSHIP virus in memory is 2688 bytes. Size of code is 2560 bytes, buffers and variables takes the remainder. On harddisk virus takes 3072 bytes (6 sectors * 512 bytes). Virus layout is shown in Table.1 and its memory dump (fragmentary) is presented in Figure.1. (NOTE: All dumps presented is the article are partial in order to prevent the possibility to use for generation of new viruses.) No text messages except one string ">STARSHIP_1<" of length 12 (found only in memory) were discovered. This string can be found only in memory, because virus is stored on disk and in the infected file in encrypted form. Normally virus stays resident and the size of used memory block is B00h=2816. The beginning of this memory block is the Program Segment Prefix (PSP) of program that triggered the installation of virus in the core RAM. Really virus is started at offset 80h in this PSP (consequently, the real virus size is: B00h-80h=A80h=2688 bytes). Virus uses standard interrupts 13h, 20h, 21h, 27h and creates its own interrupts F9h and FCh (see later). When virus is already resident (installed in the core RAM) it uses only 13h and 21h vectors. Entry points of both interrupt handlers can be easily found (CS:005F and CS:00C5; here CS represents the code segment where virus resides). In the memory dump of virus one can found the buffer for the filename (see ASCIIZ= 'B:\TMP\DROZFILA.COM' at CS:000D in Fig.1). Virus extensively uses its internal random number generator. The random number seed is taken from BIOS timer variable (0:46Ch). Random generator is used for the demonstration of video effect and while creating the infected file (change of size is random and virus code is encrypted using random number). The word "random" may be a real motto of the described virus - it uses random number generator very frequently. The part of virus memory image is encrypted using XOR function (approximately 60% of total virus size). This section is decrypted and used only while infecting files (section is marked in Table.1 with the box). After infection of each file the XOR mask is changed, and encryption is performed with the new mask. Described procedure makes the encrypted section volatile and unreadable. This behavior is not used to hide any strings in virus body (there are no strings at all, except virus name) - maybe it is implemented only to achieve permanent variance. Virus uses trace capabilities of processor to determine the original BIOS interrupt 13h entry point. Virus issues int 13h with trace flag set and records the CS:IP when CS becomes greater or equal to C800h (corresponds to the ROM area). However this method seems to be non-universal. I have investigated the process of disk infection and found that rewriting of MBR sometimes triggered the resident antivirus utilities (program TSAFE: Turbo-Anti Virus Ver.6.80A from CARMEL Software Engineering, Israel). While disassembling the virus I have found special code inserts used to fool disassemblers. In most cases these inserts uses non-working calls and jumps pointing on the garbage in the virus body. These inserts are a real problem for disassemblers and I have not found one that managed to correctly separate code and data (or code and garbage). The intelligent analysis of code is needed, which is not performed by all available disassemblers (including smart SOURCER ver. 3.07, by V Communications Inc.). I have carefully examined the reconstructed source and established that STARSHIP virus appears to have no destructive code. 2. FILE INFECTION Strategy of file infection is the following. Files are infected while creation of EXE/COM file on A: or B: disks. Virus records file name in internal buffer (at CS:000D), and starts infection routine when request to close the file was issued. This technique is similar to the method used by Dark Avenger virus [3,5,7]. The idea to infect only executable file that are created on floppy disks explains why STARSHIP does not intercept int 24h. This interrupt is usually catched by viruses to prevent message - "Write protect error". But when file is created (!) on the floppy disk it automatically indicates that the user has removed (or will remove) the write protect tab. Change of infected file size is true random (for the same file you can get many variants of infection with different size growth). Change of size is typically 2616...2648 bytes. Virus infects COMMAND.COM file when it is created on floppy disk. No special strategy is used to infect command interpreter - it is infected as a simple .COM file. When infecting executable (only EXE and COM) files, virus preserves attribute. If the file is readonly - this attribute remains unchanged after infection. STARSHIP examines the executable file type by its contents, not by extension (tests for 5A4Dh at file beginning, but it does not test 4D5Ah). Virus does not infect short files - see Table 2. Virus does not infect the files that are already infected. Buffer at virus end is used to read code beginning and determine the presence of virus (it seems to me that virus may frequently regard uninfected files as infected, because it performs very primitive analysis). Virus infection routine uses the following interrupts: int F9h (it points on the original int 21h, as set by DOS) and int FCh (points on original int 13h, as set by BIOS). These interrupts are used instead of int 21h and 13h. This technique is probably used to prevent triggering of certain antivirus utilities. These utilities often controls all invokations of 21h and 13h interrupts. The infection routine appends virus to the end of executable file and adjusts the program entry point. Executable files with COM extension are modified by virus at first 3 bytes, which are replaced with JMP instruction, pointing on the decryptor. Original 3 bytes from file start are stored at the very end of the infected file (like the body of virus these bytes are encrypted with XOR function). After modification of the EXE file header new CS:IP points on the virus decryptor. SS, SP and MINALLOC fields are changed. Original CS, IP, SS and SP are stored at the end of the virus body at offset A4Fh (you cannot fetch these bytes directly - they are encrypted). The header of the infected EXE file has some special features. Instruction pointer always follows the relation: 4STARSHIP_1<. 18FB:0060 FA 80 75 41 83 F9 01 75-3F 0A F6 75 38 80 FC 02 ..uA...u?..u8... 18FB:0070 75 29 1E 50 E8 13 03 58-9C FF 1E B8 04 1F 72 18 u).P...X......r. 18FB:0080 50 56 72 16 B8 01 00 BE-BE 01 26 89 40 02 B0 01 PVr.......&.@... 18FB:0090 26 88 40 01 5E 58 F8 FB-EB 7C 3C 80 FC 03 74 F6 &.@.^X...|<...t. 18FB:00A0 80 FC 05 74 F1 E9 3E 01-80 FE 08 75 F8 51 02 C8 ...t..>....u.Q.. 18FB:00B0 80 F9 CC 59 72 EF 80 FD-FE 72 EA 80 FC 02 74 D6 ...Yr....r....t. 18FB:00C0 75 D9 FF F1 E8 9C 2E 80-3E 4F 00 00 75 18 50 1E u.......>O..u.P. 18FB:00D0 8C C8 2D 09 00 E8 A9 02-A1 3C 00 48 E8 A2 02 2E ..-......<.H.... 18FB:00E0 F6 16 4F 00 1F 58 80 FC-3C 75 31 2E 83 3E 0B 00 ..O..X.... 18FB:00F0 00 75 6E E8 6E 00 75 69-9D E8 CC 00 72 18 50 51 .un.n.ui....r.PQ ================================================================== Figure 2. Dump of pseudoDOS boot sector (thin line denotes random garbage). 0000 EB 34 90 4D 53 BF 05 00-CD 13 73 09 32 E4 CD 13 .4.MS.....s.2... 0010 4F 75 F5 CD 18 C3 B9 01-00 E8 E9 FF 80 3E 00 7E Ou...........>.~ 0020 EB 75 10 A0 02 7E BB 00-7E E8 97 00 0A E4 74 03 .u...~..~.....t. 0030 80 EF 02 06 53 CB FA 33-C0 8E D0 BC 00 7C 8B F4 ....S..3.....|.. 0040 8E C0 8E D8 FB FC BF 00-06 B9 00 01 F3 A5 EA 53 ...............S 0050 06 00 00 B9 37 00 BE D6-06 BF C0 02 F3 A4 BF B0 ....7........... 0060 04 B9 08 00 F3 A4 1E C5-06 4C 00 AB 8C D8 AB 1F .........L...... 0070 FE 06 FC 7D A1 FC 7D B9-CC FE BB 00 7C BA 80 08 ...}..}.....|... 0080 0A C0 74 08 50 B8 01 03-E8 7A FF 58 41 89 0E DB ..t.P....z.XA... 0090 02 88 36 DF 02 06 BB 00-BB 8E C3 88 26 E7 02 CD ..6.........&... 00A0 B0 26 A2 63 01 26 8C 1E-C2 00 07 FA C7 06 4C 00 .&.c.&........L. 00B0 B0 04 8C 1E 4E 00 FB BB-00 7C B8 06 02 BA 80 00 ....N....|...... 00C0 E9 53 FF 53 51 B9 0A 0A-32 E4 26 30 07 26 02 27 .S.SQ...2.&0.&.' 00D0 43 E2 F7 59 5B C3 C4 02-00 00 50 06 53 B8 00 BB C..Y[.....P.S... 00E0 8E C0 BB 50 00 26 80 3F-E9 74 1E 52 51 B8 05 02 ...P.&.?.t.RQ... 00F0 B9 00 00 BA 80 00 9C 2E-FF 1E B8 04 B0 00 B9 0A ................ 0100 0A 26 30 07 43 E2 FA 59-5A 5B 07 58 CF CD B0 9A .&0.C..YZ[.X.... +--------------------------------+ 0110 5F 00 00 BB EA|1E 0E 1F-8E C0 33 FF 50 FC 32 C0| _.........3.P.2. +--------------------+ | |0120 B9 50 00 F3 AA E8 F6 F7-8B F7 B9 0A 0A F3 A4 E8| .P.............. |0130 98 F9 58 FA A3 B5 04 A3-C1 04 B8 90 90 A3 B0 04| ..X............. |0140 A3 BC 04 C7 06 BF 04 C5-00 B8 EB 05 A3 C8 04 B8| ................ |0150 EB F4 A3 D4 04 BF CA 04-BE DB 04 06 1E 07 A5 A5| ................ |0160 A4 FB A3 D9 04 A3 C8 02-C7 06 E0 02 CD 13 C7 06| ................ |0170 E2 02 EB 0D FE 06 D9 02-CD B0 B9 37 00 BF C0 02| ...........7.... |0180 1E 07 8C D8 F3 AA 07 1F-C3 B4 62 E8 7A F7 C3 90| ..........b.z... |0190 90 90 90 90 90 90 90 90-90 90 A4 4B 4C EA A6 8C| ...........KL... |01A0 BE 23 54 F4 BC E8 B8 6B-5B F1 B2 EC B2 81 5E F6| .#T....k[.....^. |01B0 88 D0 8C BC 64 CC 8E CC-86 69 6A C2 84 C8 80 6F| ....d....ij....o |01C0 FA 2B C0 8E D0 8E C0 8E-D8 B8 00 7C 8B E0 FB 8B| .+.........|.... |01D0 F0 BF 00 7E FC B9 00 01-F3 A5 E9 00 02 B9 10 00| ...~............ |01E0 8B 36 85 7E F6 04 80 75-08 83 EE 10 E2 F6 EB 37| .6.~...u.......7 | +-----------------+ |01F0 90 BF BE 07 57 B9 08 00-F3 A5|74 91 05 AD 55 AA ....W.....t...U. +-----------------------------------+ ================================================================== Figure 3. Dispatcher code located at absolute address 0:4B0. a) virus code located in videomemory 0000:04B0 CD B0 INT B0 <== int 13h 0000:04B2 9A 5F 00 00 BB CALL BB00:005F 0000:04B7 EA 3D A3 00 F0 JMP F000:A33D 0000:04BC CD B0 INT B0 <== int 21h 0000:04BE 9A D6 03 00 BB CALL BB00:03D6 0000:04C3 EA 60 14 73 02 JMP 0273:1460 0000:04C8 CD B0 INT B0 <== int 20h 0000:04CA 9A DD 03 00 BB CALL BB00:03DD 0000:04CF EA 3F 14 73 02 JMP 0273:143F 0000:04D4 CD B0 INT B0 <== int 27h 0000:04D6 9A 93 03 00 BB CALL BB00:0393 0000:04DB EA 66 63 73 02 JMP 0273:6366 b) after removing of code from videomemory (segment CS=18FB is where virus resides) 0000:04B0 90 NOP <== int 13h 0000:04B1 90 NOP 0000:04B2 9A 5F 00 6D 19 CALL 18FB:005F 0000:04B7 EA 3D A3 00 F0 JMP F000:A33D 0000:04BC 90 NOP <== int 21h 0000:04BD 90 NOP 0000:04BE 9A C5 00 6D 19 CALL 18FB:00C5 0000:04C3 EA 3D A3 00 F0 JMP 0273:1460 0000:04C8 EB 05 JMP 4CF <== int 20h 0000:04CA EA 3F 14 73 02 JMP 0273:143F 0000:04CF EA 66 63 73 02 JMP 0273:6366 0000:04D4 EB F4 JMP 4CA <== int 27h =============================================================== All corrections and remarks will be greatly appreciated. Send information directly via E-mail address (MIG@politon.msk.su) or in comp.virus group of USENET (I am monitoring it permanently). F .rs mbyt- tF .rs mbyt- tF . (What is this? -Ed.) +++++