Virus Writer Profile: Priest
Written by JPanic
Table Of Contents:
About Priest.
Virus: Satanbug
Virus: Fruitfly
Virus: Payback
Virus: Jackal
Virus: Predator
Virus: Predator 2
Virus: Incubus
Virus: Natas
References
% About Priest %
Priest (aka Little Loc) was a young but talented American virus writer, with a
career spanning 1992 to 1994. Priest's first two viruses, Incubus and Satanbug
were authored under the handle "Little Loc" while in later ones he called
himself "Priest" after joining Phalcon/SKISM. Priest seemed to be a fan of the
infamous virus writer "Dark Avenger" (dav) and studied his viruses, and what
he considered other "real viruses" diligently. Like Dark Avenger, Priest often
included dangerous payloads in his viruses. Priests viruses were sophisticated
for their time, and many did well in the wild. Viruses by Priest include (but
are not limited to): Satanbug, Incubus, Fruitfly, Natas, Payback, Jackal,
Predator. In 1994 Priest was visited by the Secret Service, after a person
known as 'Aristotle', a BBS sysop for NuKE, handed over his personal details.
The fact that Satanbug had infiltrated the Secret Service's network causing a
small epidemic did not help. After these legal problems Priests was offered a
job at Norman Data Defence on finishing high school. This position did not
last for long. Although a skilled and 'elite' virus writer, Priest seemed
friendly approachable, willing to chat with newer and lesser vx'ers and even
help them out with coding problems. [1]
Back to top
% Virus: Satanbug %
'Satanbug' was probably Priest's (Little Loc) most publicised virus due to the
outbreak on the Secret Service's network. Satanbug was a polymorphic memory-
resident fast infecter of MS-DOS .COM and .EXE files, along with COMMAND.COM.
Satanbug was polymorphicly encrypted in both files and memory. Encryption
could have as many as 9 layers. Satanbug was also a retro virus, disabling
'Virus Scan' validation and 'CPAV' (Central Point Anti-Virus) immunisation
when infecting files. When a Satanbug infected file was run, the virus would
decrypt itself and then immediately relocate CS:IP so the virus was aligned at
offset 100h. This avoided the need for 'delta offset' operations through out
the virus. If run from a .COM file, Satanbug would next restore the first 4
bytes of the file that were patched during infection. At this point Satanbug
would check if it was already memory-resident and immediately return control
to the host if so. If Satanbug was not memory-resident, and not running from
an infected COMMAND.COM it would search the environment segment of the host
for 'COMSPEC=' string (COMSPEC variable). If COMSPEC did not equal
'COMMAND.COM' the Satanbug would again return control to the host with out
going memory-resident. When Satanbug goes memory resident it obtains the
segment of the host MCB (Memory Control Block) and then walks the MCB chain
until the last MCB is found. Satanbug reduces the amount of memory allocated
by the MCB, as well as the 16-bit WORD at 0:413h (BIOS Data - Size of
Conventional Memory in Kilobytes) to allocate memory for itself. The virus
then moves itself to the newly allocated memory. Next INT 21h (MS-DOS API) is
hooked in an unusual manner. An internal flag in the virus is cleared to
indicate that the virus is not in the middle of an INT 21h call. This flag is
used to avoid recursive handling of INT 21h calls due to the polymorphic
encryption in memory. The original INT 21h vector is obtained using
INT 21h/AH=35h (get interrupt vector), and a JMP FAR (opcode 0EAh) is built
pointing to the original INT 21h. Another JMP FAR is built pointing to
Satanbugs own INT 21h handler, but the exact offset of this JMP will change
depending on whether Satanbug is currently encrypted in memory or not, and
whether it is in the middle of an INT 21h call. INT 21h/AH=25h
(set interrupt vector) is then used to point INT 21h to this second JMP FAR
(virus INT 21h handler). Memory-residency is now complete, and Satanbug
returns control to the host. When encrypted in memory the polymorphic code
PUSH's (saves) all the registers before decryption and the INT 21h hander
POP's (restores) them back. The INT 21h handler is used to provide the
memory-residency check and to catch files to infect. Satanbug is only
decrypted in memory if one of these INT 21h functions is called
(polymorphic stub checks the value of AH first). Files are infected on
open, extended open, and execute. When infecting a file Satanbug stores
address of the current DTA (Disk Transfer Area), sets the the new DTA
address to the virus heap and calls an INT 21h/AH=4Eh (ASCII FindFirst) on the
filename. The ASII find record created in the new DTA provides Satanbug with
the files name in upper-case, size, attributes and date-stamp The DTA is then
restored to its original address. Satanbug differentiates the type of file
being infected with 3 checks: If the file begins with the 'MZ' header it is
treated as a .EXE file. If the filename is 'COMMAND.COM' it is clearly a
COMMAND.COM infection. Finally if the extension of the file is '.COM' it is
treated as a .COM file. If the file does not match any of these criteria, it
is not infected. If the 'read-only' attribute is set on the victim file,
Satanbug clears the attributes and restores them after infection. Infected
files are marked by adding 100 years to the date-stamp Apart from disabling of
anti-virus immunisation codes, the file infection algorithms are fairly
standard. Satanbug includes the text string:
Satan Bug virus - Little Loc
[1] [2] [3] [4]
Back to top
% Virus: Fruitfly %
In addition to the original Satanbug virus, there was also the 'Fruitfly'
variant. The main difference between Fruitfly and Satanbug was that Fruitfly
was not memory resident, infecting all .com files in the current directory and
directories in the 'PATH' environment variable. Additionally, Fruitfly only
infected MS-DOS .com files, not .exe. Fruitfly also deleted certain anti-virus
database files used for integrity checking: 'VS.VS' and 'CHKLIST.CPS':
ViruScan and CPAV (Central-Point Anti-Virus) respectively. Fruitfly includes
the text strings:
Fruit Fly virus - Little Loc
Hacker4Life
Hackers In ThE Mist
[3] [4]
Back to top
% Virus: Payback %
After Satanbug came 'Payback'. Payback was a full stealth memory-resident
floppy boot sector and MBR infecter written in retaliation for the arrest of
members of the British 'ARCV' virus writing group. On January 27th, Payback
would erase the CMOS, format the first physical hard drive and display a
message. When a disk infected with Payback was run, the virus would setup the
stack and 'DS' (data segment) register. Payback would then allocate 1kb of
memory by decrementing the 16-bit WORD at 0:413h (BIOS size of conventional
memory) and hook INT 13h (BIOS Disk Services) directly in the IVT (interrupt
vector table). Payback then copied itself to this newly allocated memory -
after hooking INT 13h, but this should not be a problem. Once copied over
Payback would continue execution in this new copy and load the original
(uninfected) boot sector back to 0:7C00h (load address of a boot sector) using
INT 13h/AH=02h (Read Sector). The instructions to set registers CX and DX for
this INT 13h calls are modified by the virus on each infection to reflect the
correct location of the original sector on that disk. Payback then hits the
MBR. The MBR is loaded, checked if already infected (offset 10h = 12CDh,
INT 12h instruction of the virus) and checked if bootable (last 16-bit word is
0AA55h). If these conditions are met MBR infection continues. The original MBR
is written to head 0, track 0, sector 2 of the hard drive (unused by MS-DOS)
and address of this sector is stored in the virus (see above). Payback then
conditionally runs its activation routine and control is returned to the
original, 'clean' sector at 0:7C00h. Paybacks INT 13h handler performs two
functions: infecting floppies, and stealth. Both these functions are performed
if a read sector request (INT 13h, AH=02h) is called on head 0, cylinder 0,
sector 1 (boot sector/MBR). In such a case the INT 13h handler begins by
allowing the read of the boot sector to go through and aborts on error. Next
Payback checks if the sector is already infected - WORD at offset +10 = -12CDh,
same check as when infecting the MBR. If the sector is already infected,
stealth action is taken. If the sector is not already infected and is on a
floppy drive the disk is infected. Stealth is achieved through a simple
algorithm: CX and DX registers are saved, Payback takes the location of the
original (uninfected) sector from the previously read virus body, reads the
original sector over the infected sector in memory, restores registers and
returns from the INT 13h handler. When infecting floppies, the original
sector is stored in the last sector of the diskette. This sector is calculated
using the 'NumSectors', 'SectorsPerTrack' and 'NumberOfHeads' fields of the
BPB (BISO Parameter block) and checks are performed for non-standard disks.
The address of this sector is stored in the virus body, and Payback writes
itself to the floppies boot sector. As when infecting the MBR, Payback checks
if the sector is bootable by 0AA55h marker in the last 16-bit WORD of the
sector. On infection Payback displays the message:
That was for ARCV, mother fucker!
Payback! (c) 1993'
[1] [6]
Back to top
% Virus: Jackal %
'Jackal' was Priest's next virus. Jackal was a memory-resident full-stealth
multipartite infect of the MBR and MS-DOS .COM and .EXE files. Jackal
contained some interesting features. When infecting the MBR, Jackal only
modified 3 bytes of the partition table. When loaded from an infected MBR,
Jackal attempted to 'survive' a warm-reboot when 'CTRL+ALT+DEL' was pressed.
Jackal was also a destructive virus, containing 3 separate destructive
payloads. The condition for the first and most destructive payload is the
most interesting: Jackal infected files were able to detect the presence of
'TBCLEAN' (the generic file disinfection utility of ThunderByte Anti-Virus),
and disable its 'controlled environment'. When attempting to TBCLEAN a Jackal
infected file, Jackal would break out of TBCLEAN, lock the keyboard (port 21h,
IRQ Enable Mask), trash the CMOS (ports 70h, 71h), then entirely format all
hard drives reported by the BIOS then freeze the computer with 'CLI, HLT'
series of instructions. The other 2 payloads were executed periodically after
a file was infected. Jackal maintained a counter of files that had been
infected. If this counter value was a multiple of 32 after infecting the last
file Jackal would implement its lesser payload: A random sector is read from
the first hard drive, a random byte is modified in this sector, and the sector
is re-written. This lead to slow, gradual corruption of the data on the hard
drive. The other destructive payload was called if this 'infection counter'
was a multiple of 666h (1638 decimal): A randomly chosen track of the first
hard drive was formatted Both these last 2 payloads were gradual and at times
could go unnoticed. The last 2 payloads were only called if the BIOS INT 40h
(Floppy Disk Services) vector was different from the BIOS INT 13h (Disk
Services) vector. In all 3 payloads the (tunnelled) INT 13h vector is used to
access the hard drive, bypassing anti-virus software. When infecting the MBR
only 3 bytes of the partition table are affected. Jackal reads the MBR and
checks if it is bootable (0AA55h marker in last two bytes). Next it saves the
affected 3 bytes of the partition table: start cylinder/sector and start head
of the first partition. The virus then loads the first sector of this
partition (boot sector) and checks if it is bootable (0AA55h marker) and if
it is not already infected (infection marker). Jackal then re-reads the MBR,
calculates address of a last 7 sectors on the first physical track (using the
'last cylinder/sector' field of the first partition table entry), saves this
sector address, saves 2 bytes at offset 01FEh of the virus and sets them to
0AA55h marker. Jackal then writes itself to the least 7 sectors of the first
track then restores the bytes at offset 01FEh of the virus. Finally the virus
sets the first head, cylinder, track of the first partition of the MBR to the
first sector of virus code and rewrites the MBR. This change of the partition
table means that the first sector of the virus is read instead of the boot
sector of the partition and that first sector loads the rest of the virus.
Since the change to the partition table is hidden by Jackals stealth
abilities, booting off a clean disk or attempting to disinfect the hard drive
with 'FDISK /mbr' or any other utility that replaces the MBR code will leave
the first partition inaccessible. When loading from an infected MBR the Jackal
sets the DS and register then allocates 5kb of memory by reducing 16-bit WORD
at 0:413h (BIOS size of conventional memory). The virus then copies the first
sector (512 bytes) of itself to this newly allocated memory and corrects the
bytes that were patched with the 0AA55h marker. Jackal jumps to this new
copy of its first sector and immediately loads the remaining 6 sectors of the
virus from the end of the first track. If this read fails, the original boot
sector of the partition is loaded and executed. Jackal saves a copy of the
entire IVT (interrupt vector table) in its memory - this is used to fake a
warm reboot. The virus also saves the new value at 0:413h (BIOS size of
conventional memory) for the same reason. Next the virus hooks INT 09h
(Keyboard IRQ) and INT 13h (BIOS Disk Services). The INT 09h handler is used
solely to fake the warm reboot: If ALT+CONTROL+DEL is pressed Jackal takes
special action, otherwise control is released to the original INT 09h handler.
When faking a warm reboot, Jackal resets and enables the Keyboard hardware
controller, restores the saved interrupt vector table, zeros its INT 21h
vector, clears they keyboard flags and sets the value of 0:413h, sets video
mode 03h and default cursor (using INT 10h), re-hooks INT 09h and INT 013h then
finally issues an INT 19h (BIOS boot-strap loader). The INT 13h handler serves
two purposes: hooking INT 21h (MS-DOS API) when loading from the MBR, and
stealthing the MBR. Hooking of INT 21h is achieved by checking the segment of
the INT 21h vector on every INT 13h call. When it is is below 800h, INT 21h
is hooked in the IVT and this check is disabled. Stealth of the MBR is quite a
simple process. After the MBR is read, if the first partition points to the
first sector of the virus (reading in this sector and checking infection
marker), the modified 3 bytes of the partition table are taken from the just
read first sector of the virus and the read MBR is corrected. After hooking
INT 09h and INT 13h, Jackals MBR loader code reads the original boot sector of
the first partition and executes. If this read fails, an INT 18h (Transfer to
ROM BASIC) is issued. When running from an infected file Jackal immediately
saves the 'CS' register and realigns CS:IP so that it is run from offset 0
using a 'RETF' instruction. This eliminates the need for use of a 'delta
offset' register. The virus then sets two switches: one to tell its INT 13h
handler not to check for INT 21h hook, and one to tell the virus to later
tunnel and patch some interrupts. After this a routine is called to detect
and disable 'TBCLEAN' (see above). If 'TBCLEAN' is detected Jackal modifies
its code to run the destructive payload instead of returning to the host when
it is done. Jackal then aves the entire IVT (interrupt vector table) and
retrieves the segment of the first MCB (INT 21h/AH=52h - DOS List of Lists)
and considers any thing below this segment as belonging to DOS when it tunnels
interrupts. After this INT 13h, INT 21h, INT 15h and INT 40h are tunnelled
using INT 01h single-stepping. In case of INT 21h, the MS-DOS handler is saved.
In the case of INT 13h both MS-DOS and BIOS handlers are saved. In the case of
INT 15h and INT 40h the BIOS handlers are saved. Jackals INT 01h handler
emulates PUSHF/POPF/IRET/INT xx/INT3/INTO instructions to hide TF (Trace Flag)
and to stop it from being cleared. The virus then checks if it is already
memory-resident. Jackal does not survive a warm reboot when loaded from a file
infection. Jackal then allocates memory: The virus checks that the hosts MCB
(Memory Control Block) is the last in the chain and is big enough to allow
allocation and then reduces it and 'Top Of Memory' field (offset +02h) of the
host PSP (Program Segment Prefix). Jackal copies itself to this newly allocated
memory and jumps to it, continuing execution. Next Jackal infects the MBR (see
above). The virus hooks INT 13h and INT 21h. Unlike loading from an MBR, file
infections do not hook these interrupts in the Interrupt Vector Table. Instead
the code of the tunnelled INT 13h and INT 21h MS-DOS handlers are patched with
a 5-byte JMP FAR (0EAh) instruction each, pointing to the virus handlers.
Jackal then returns control to the host (or the TBCLEAN payload). The INT 21h
handler of Jackal serves 4 purposes: the memory-residency check, to activate
the payloads (see above), to infect files and to stealth files. Files are
infect on open, extended open, execute and close calls. When infecting on
'close' the virus first duplicates the handle (INT 21h/AH=45h). When infecting
a file, Jackal resets the INT 13h, INT 15h and INT 40h vectors in the IVT to
boot time or tunnelled values to bypass anti-virus software. Jackal also uses
System File Table (SFT) entries to avoid lseek/chmod/date/time calls in an
attempt to reduce code size and by pass anti-virus software too. Finally,
files are opened read-only and then the SFT entry is modified to read/write,
again to bypass anti-virus software. Infected files are marked by adding 100
years to their time-stamp File infection is standard append to the end and
modify the header type, except the virus is aligned on a 16-byte boundary so
the virus can re-align itself to offset 0 when loaded (see above), and the
appropriate amount of padding is put between the end of the virus and the
original file header to be used by the file stealth routines. When infecting
.COM files the Jackal checks for the .COM extension, when infecting .EXE files
Jackal checks for 'MZ' or 'ZM' marker. When infecting .COM files Jackal avoids
files beginning with suspicious code: If the first byte is 0 or NOP, HLT, CMC,
CLC, STC or INT 20h (Terminate) instruction the file is avoided. Additionally
if the file starts with "MOV AH,4Ch" or "MOV AX,4Cxxh" (Terminate Call), or
"MOV AH,09h" or "MOV AX,09xxh" (Print string call) the file is avoided. This
might be to avoid bait files. File stealth is performed on FCB
FindFirst/FindNext calls, ASCII FindFirst/FindNext calls, read, write, lseek,
and get/set date-stamp calls. In the case of FCB/ASCII FindFirst/FindNext
calls, Jackal gets the current Disk Transfer Area (DTA) using INT 21h/AH=2Fh
Jackal and hides the increase in file size and the 100 year marker in the file
date-stamp In the case of read call, if all or part of the file header is
read, Jackal replaces it with the original 'clean' header. If the read extends
pass the end of the original file into the virus body Jackal truncates it at
the end of the virus body. In the case of a write call, the file is
disinfected on disk before the write is done. If an lseek call is issued
relative to the end of an infected file, it is instead done relative to the
end of the original file, before the virus body. In the case of requests to
get the file date-stamp, Jackal hides the 100 year marker. In the case of
requests to set the date-stamp, Jackal ensures the 100 year marker is set if
the file is infected. Jackals INT 21h handler locks out they keyboard (Port
21h - IRQ Enable Mask) and re-enables it on exiting. This means that if an
anti-virus monitor brings up a message, the user cannot respond and must
reboot. When exiting the INT 21h handler, Jackal single-steps (INT 01h) 5
instructions before returning to the next INT 21h handler in the chain. It
is this INT 01h handler that resets the INT 21h JMP FAR patch (if used, see
above). This seems to be an attempt to stop anti-virus software from tunnelling
through its code. During INT 21h calls, Jackal points INT 24h (DOS Fatal Error
Handler' to "MOV AL,3 / IRET" handler. This will return 'Fail' on fatal errors
such as writing to a write-protected floppy, without any error messages.
Jackal includes the text string:
Ja?ck?al
where '?' are extended ASCII characters. This is part of the code to load the
BX/CX/DX registers for the virus residency check. [1] [7] [8] [18]
Back to top
% Virus: Predator %
Upon joining Phalcon/SKISM, Priest published the 'Predator' virus in 40-Hex
Issue 11. Predator was a memory-resident, encrypted, stealth infecter of
MS-DOS .COM files. Predator also contained a dangerous payload. When ever a
'random' number is need for Predators encryption or payload, the 16-bit WORD
at 0:416h (low word of timer ticks) is used. When a Predator infected file is
run, the virus decrypts itself then passes control to the decrypted virus body
which immediately restores the stack pointer (SP register) to its original
value. Predator then issues an INT 21h call to check if it is already memory-
resident. If this is the case, Predator immediately returns control back to
the original host. Otherwise, Predator goes memory resident: Predator checks
if the MCB (Memory Control Block) of the host is the last in the chain. If
it is not then return is controlled to the host. Predator then goes memory
resident by reducing the size of this MCB as well as the 16-BIT WORD at 0:413h
(BIOS size of convention memory) to allocate memory. The virus then copies its
self to this newly allocated memory and jumps to it to continue execution.
Predator then hooks INT 21h (MS-DOS API) and INT 13h (BIOS Disk Services).
INT 21h/AH=35h (Get Interrupt Vector) is used to retrieve original interrupt
values and then INT 21h/AH=25h (Set Interrupt Vector) is used to hook these
interrupts. Predator then sets the 'count down' variable for the payload to
a random value and returns control to the host. The INT 21h handler is used
to infect files and implement stealth routines and provide Predators residency
check. The INT 13h is used solely for Predators destructive payload. The
INT 21h handler infected files on open, extended open and execute calls.
Stealth routines are provided on FCB and ASCII FindFirst/FindNext calls and on
FCB Open call. Stealth is implemented the same way on all of these calls: the
file size is reduced to the original file size, and Predators 'infection
marker' in the date-stamp field is removed. When infecting files Predator
checks for the '.COM' extension (upper-case only) as well as the absence of the
'MZ' marker. Predator is encrypted in all file infections. Infected files are
marked as infected by adding 100 years to their date-stamp The destructive
payload of the INT 13h handler randomly inverts one bit on sector reads. On
INT 13h/AH=02h, Predator performs the read and then subtracts the number of
sectors read from the payloads 'count down' variable. When this variable
becomes less than or equal to zero the payload is implemented: A random 16-bit
WORD in the read buffer is chosen, a random bit in this word is complemented
and the 'count down' variable is reset to a new random value. Predator
includes the text string:
Predator virus (c) Mar. 93 Priest
[9] [10]
Back to top
% Virus: Predator 2 %
Although Predator was relatively simple, it was soon followed by 'Predator 2'.
Predator 2 was a more complex semi-polymorphic stealth multipartite infecter
of MS-DOS .com and .exe files, floppy boot sectors and the MBR. Like many of
Priests viruses, Predator 2 tunnels interrupts 13h and 21h on execution of an
infected file, in an attempt to bypass anti-virus software. On execution of an
infected file Predator 2 hit the MBR then went memory resident. Upon booting
from an infected MBR/boot sector, the virus also went memory resident. Once
resident the virus hooked INT 21h to hit files and INT 13h to hit floppy boot
sectors. These interrupts were also used for Predator 2's stealth routines.
When going resident under MS-DOS, rather than placing a hook in the INT 21h
vector chain, Predator 2 patches the tunnelled INT 21h address with an 0EAh
(JMP FAR) instruction pointing to the virus handler. When infecting files
Predator 2 checks for the file names of several anti-virus programs and does
not infect them. These names are stored backwards in a single string:
"TORPNACSAELCFASVVAPC.VANOCED"- PROT, SCAN, CLEA*, VSAF, CPAV, NAV,
and DECO respectively. Predator 2 includes the text strings:
Predator virus #2 (c) 1993 Priest - Phalcon/Skism
THE PREDATOR
[10] [11] [12]
Back to top
% Virus: Incubus %
Around this time Priest also wrote 'Incubus'. Incubus.a was a memory-resident
infecter of the MBR and floppy disk boot sectors. Rather than replacing the
original boot sector with the virus code and storing the original sector else
where on disk, Incubus copied a small 26-byte 'loader' stub over the original
code of the sector, saved the original 26-bytes of the sector in the virus
body and wrote the full virus else where on the disk. Infected sectors began
with a two byte JMP $+3C (0EBh 3Ch) which passed control to the loader stub
at 0:7C3Eh (boot sectors are loaded at 0:7C00h). The small size and position
of this stub meant that it sat after the BPB (BIOS Parameter Block) on floppy
disks and before the partition table on the MBR. In floppy disk infections
Incubus stored the full virus body in the last sector of the disk. This was
calculated using the 'NumSectors', 'SectorsPerTrack' and 'NumberOfHeads'
fields of the BPB. For MBR infections, Incubus stored the main virus body
in the last sector of the first cylinder of the hard disk (this was unused
under MS-DOS). The last sector of the cylinder was calculated by taking
the last cylinder/sector field (+06h) of the first partition entry (+1BEh)
and then clearing all but the lower 6-bits (sector only). The 26-byte virus
loader setup the machine stack and then loaded the virus from the appropriate
sector to 0:7E00h (immediately after the original boot sector). The majority
of the code used by Incubus before memory-residency is encrypted - in all 202
bytes. This encrypted portion of the code includes a copy of the 26-byte
loader, the original code of the infected boot sector that was patched, the
code to infect the MBR and the code to go memory-resident. Incubus uses 300
bytes of the virus that are not encrypted to calculate the encryption key.
This unencrypted code includes the INT 40h handler, encryption/decryption
routine and the routine to calculate the key, and the routines to patch the
sector with the loader and to calculate the last sector of the floppy. Incubus
also stores a 'random' 16-bit value in this decrypted code taken from 0:46Ch
(BIOS timer ticks) to make the key more random. Before patching a sector with
the loader Incubus compares 17 bytes of the sector with the first 17 bytes of
the loader to check if it is already infected. When Incubus is loaded to
0:7E00h and executed it immediately sets the DS register and decrypts itself.
The virus next restores the original bytes patched with the JMP and the loader
of the boot sector at 0:7C00h. The image of the sector is now its original.
Incubus allocates 1kb of memory for itself by reducing the word at 0:413h
(BIOS size of conventional memory), copies itself to this newly allocated
memory and hooks INT 40h (BIOS Floppy Disk Services). Other strains of Incubus
may hook INT 13h (BIOS Disk Services). Incubus will now jump to the new copy
of the virus at the top of memory and proceed to infect the MBR. The original
MBR code is saved and patched with the JMP/loader and the virus is written to
the last sector of the first cylinder. After infecting the MBR, control is
returned back to the original (restored) boot sector at 0:7C00h. The INT 40h
(or INT 13h) handler is used solely to infect floppy disks. Floppy boot
sectors are infected when a read attempt of exactly one sector is made from
the boot sector (head 0, cylinder 0, sector 1). On infecting a floppy, the
original code is saved in the virus body, the boot sector is patched and
written and the virus is saved in the last sector of the disk. Incubus
includes the (encrypted) text string:
Incubus PRiEST - Phalcon/Skism
[1] [5] [17]
Back to top
% Virus: Natas %
In 1994 Priest published what seemed to be his last virus, 'Natas'. Aside from
publishing the virus source code in 40-Hex Issue 12, Priest also provided his
friends, the U.S. Secret Service, with a copy. Natas was a memory-resident
full-stealth, highly polymorphic, multipartite infecter of MS-DOS .COM and
.EXE files, as well as floppy boot sectors and the MBR. Natas was the third
virus to be both full-stealth and polymorphic at the same time, after 'Tremor'
and 'Neuroquilla' (aka Havoc). Natas contained a highly destructive payload:
With 1/512 chance when run from an infected MBR or when an infected file was
run under 'TBCLEAN' (ThunderByte Anti-virus) Natas would format all hard drives
present, the entire drive one at a time. When a Natas infected disk was
booted, a small loader placed in the boot sector/MBR will run. It will first
issues a 'CALL' instruction to place the loaders 'delta offset' on the stack.
This is because the loader can be at a different position on different disks:
When infecting the boot sector/MBR, Natas follows any JMP SHORT (0EBh) or
JMP NEAR (0E9h) instructions and places the loader at the destination. This
allows the loader to be at the normal start of the sector for MBR infections
and after the BPB (BIOS Parameter Block) for floppy infections. The loader
then allocates 6kb of memory by reducing the word at 40:13h (BIOS size of
conventional memory) and loads 9 sectors containing the real 'virus body'
to this newly allocated memory. Natas then jumps to this new copy of the
virus in memory. If any errors are encountered in the 'loader' code, an
INT 18h (Boot ROM BASIC) is issued. Natas's boot process continues by
storing the original INT 13h, INT 15h, INT 21h and INT 40h vector. INT 13h
(BIOS Disk Services) is used instead of INT 40h (BIOS Floppy Disk Services)
if the byte at 40:75h (BIOS number of hard drives) is non-zero. Next Natas
pops the 'delta offset' of the loader stub off the stack and sets two flags:
INT 13h handler should check for MS-DOS loading, and virus is run from 'boot'
infection. The bytes of the boot sector that were replaced with the virus
loader are decrypted from the virus body and the boot sector is corrected in
memory. Natas then hooks INT 13h and infects the MBR. When infecting the MBR
Natas first reads the original MBR and performs 2 checks: Is the drive already
infected with 'Jackal' (see above) and does the drive have enough sectors per
track to hold store the virus body on the first cylinder after the MBR. This
second check is performed by querying the 'end sector, track' field of the
first Partition entry. If the MBR passes these checks the MBR is checked to
be 'bootable' (0AA55h marker at end of sector), 2 16-bit words in the virus
boot loader code are patched to point to head/cylinder/sector of the virus
body to be stored on the disk (last sectors of the first head/cylinder) and
the original MBR is patched with the virus loader. When patching a boot sector
or MBR with the virus loader Natas follows any JMP instructions at the start
of the sector (see above) saves the bytes to be over written (encrypted in the
main virus body) then copies over a small portion of the original sector with
the loader. After this point of the Natas's boot process, the virus if loaded
from a hard drive formats all hard drives with 1/512 possibility) then returns
control to the original boot sector/MBR. The INT 13h handler of Natas serves 3
purposes: To hook INT 21h during boot-up when MS-DOS loads, to provides stealth
routines and to infect floppies. If checking for MS-DOS is enabled the INT 13h
handler always begins by checking if the segment of INT 21h in the IVT
(interrupt vector table) is equal to or below 800h. If it is and this segment
is writeable INT 21h is hooked: Natas installs its INT 21h handler in the IVT
and disables this INT 21h checking code in future INT 13h calls. Both
infection and stealth are performed on reads from the boot sector/MBR. In
such a case the call is performed to read the sector (exiting on error) and
stealth is performed if the sector is infected, while infection is performed
if the sector is not infected and on a floppy disk. Floppy infection is very
similar to MBR infection (see above) except the full 'virus body' is placed
on the last cylinder of the last track of the disk. This address is calculated
using the BPB (BIOS Parameter Block) of the boot sector. Stealth is performed
by performing the read of the infected sector and then reading the first
sector of the virus body, as pointed to by the virus loader of the infected
sector. This first sector of the virus body contains the encrypted 'original'
bytes that were replaced with the loader and these bytes are decrypted to the
callers read buffer, making the sector appear 'clean'. During stealth and
infection of sectors, the BIOS 'INT 13h' handler is used for hard drives while
the BIOS 'INT 40h' handler is used for floppies. When MS-DOS is present,
the MS-DOS INT 13h handler is hooked rather than the BIOS INT 13h handler, and
instead of hooking INT 13h and INT 21h vectors, the first 5 bytes of these
handlers are patched with a 5-byte JMP FAR (0EAh) to the appropriate
virus handler. When a Natas infected file is run, the virus saves the 'DS'
register on the stack and calculates the infections 'delta offset'. Natas then
checks for and disables 'TBCLEAN' - the generic file disinfection utility of
the ThunderByte Anti-Virus suite. The virus clears TF (trace flag of the
'flags' register) and sees if it is reset after a 'POP SS' instruction. If
TBCLEAN is detected, Natas disables it by disabling interrupts ('CLI'
instruction, changing 'SS' segment register to 0, reading the address of the
TBCLEAN INT 01h (single-stepping) handler with an 'LES' instruction relative
to 'BP' and patching the handler with an 'IRET' (0CFh) instruction. If TBCLEAN
was detected, Natas continues with special action: the virus does not perform
its MS-DOS residency check or inspect the MCB (Memory Control Block). It then
performs the same as the code would without TBCLEAN, but at the end it does
not return control to the host - it goes to routine to format hard drives.
Hence users attempting to clean files with TBCLEAN will experience loss of
data. If TBCLEAN is not detected however, Natas continues going resident.
Natas performs its memory-residency check and checks if the host MCB is the
last in the chain. If either of these cases fail residency is passed on to the
host file. Next Natas allocates memory by reducing the size of the MCB of the
host and also reduces the 'top of memory' field of the host PSP (Program
Segment Prefix) and 16-bit WORD at 0:413h (BIOS size of conventional memory).
Natas copies itself to this newly allocated memory and jumps to it. Natas sets
a flag to indicate it is running from a file (as opposed to a sector) and
with 1/3 probability sets a flag to disable file 'stealth' routines when
'special' programs are running. Natas prepares 2 JMP FAR (0EAh) constructions:
one to jump to virus INT 13h handler, one to jump to virus INT 21h handler
(see above). Next several interrupts are 'tunnelled' using INT 01h single-
stepping. Natas call INT 21h/AH=52h (DOS List Of Lists) to obtain the segment
of the first MCB. Anything below this segment is considered as belonging to
DOS. Natas tunnels for: MS-DOS INT 13h and INT 21h and BIOS INT 13h, INT 15h,
INT 40h handlers. MS-DOS interrupts are saved when code segment is below
segment of the first MCB. BIOS interrupts are saved if the code segment is
between 0C800h and 0F400h. MS-DOS interrupts are used for JMP FAR virus hooks.
BIOS interrupts are used to bypass anti-virus software when infecting files.
The INT 01h handler used by Natas to tunnel, emulates several instructions:
'PUSHF', 'POPF', 'IRET', 'INT xx', 'INT3' and 'INTO'. In the case of these
instructions Natas attempts to hide the 'TF' flag, while keeping it from being
cleared. Natas then patches DOS INT 13h and INT 21h handlers if both have been
found and infects the first hard drives MBR, in the manner described above for
'sector' infections. When infecting the MBR from a file Natas uses the
tunnelled BIOS INT 13h handler. Natas then returns control to the host. The
INT 21h handler of Natas is used for 3 purposes: memory-residency check, file
infection and file stealth. Natas INT 21h hander setup its own stack and set
INT 24h (DOS Critical Error Handler) to 'MOV AL,03h / IRET' to disable error
messages when trying to infect a file on a write-protected floppy. The INT 21h
handler also locked the keyboard by disabling its IRQ (Port 21h - Hardware
Interrupt Enable Mask). This made Natas harder to debug, but also stopped the
user to responding to any memory-resident anti-virus software that might bring
up a warning during virus activity. When infecting files Natas did some
unusual things: The handle to be infected was 'duplicated' first
(INT 21h/AH=45h), INT 21h,13h,15h,40h were to original or tunnelled values to
bypass anti-virus software and restored after infection, and SFT (System File
Entries) were used to reduce code size and bypass anti-virus software. The
routine used to get the SFT of the handle also ensured the file was not a
device and checked if it was already infected. SFT entries were used instead
of lseek, chmod and time/date-stamp calls bypassing some anti-virus monitors.
They were also used in stealth routines. If the drive of the victim file was
deemed 'removal' and 'A:' or 'B:' Natas reads a sector then rewrites it using
INT 13h to check if the disk is write protected. Files are opened 'read only'
then the file mode in the SFT structure is set to 'read/write', also bypassing
some anti-virus software. Infection algorithms are fairly standard with Natas
appending itself to the end of the file with a fixed length polymorphic
decrypter and modifying the files header. Files are marked as infected by
adding 100 years to the date-stamp .COM files are identified by file
extension, while .EXE files are identified by presence of 'MZ' or 'ZM'
marker. Stealth routines are used on FCB/ASCII FindFirst/FindNext calls, lseek,
read, write and set/get date calls. On FindFirst/FindNext calls Natas hides
the increase in file length and the modified dates-tamp field. In the case of
lseek calls, if the seek origin is from the end of file, the seek is performed
relative to the uninfected file end. On read calls Natas truncates reads pass
the end of the original file into the virus, and replaces reads from the
infected file header at the start of the file with the original header. On
writing to an infected file, Natas disinfects it first. Natas takes some
special action for stealth routines depending on the program running. If
'chkdsk' is running Natas disables FCB FindFirst/FindNext calls. This stops
check disk reporting file allocation errors on infected files. With 1/3
probability at install time (see above) Natas disables all stealth routines
when certain programs are running. These programs are: AR* (ARJ), LH* (LHA),
(PK*) PKZIP, *BACK* (BACKUP) and *MODEM*. Natas uses the name of the MCB
associated with the current PSP (INT 21h/AH=62h - get current PSP). When
exiting the INT 21h handler and if installed from a file infection, Natas
single-steps (INT 01h tracing) 5 instructions of code. On the fifth
instruction the 'JMP FAR' INT 21h patch is re-patched. This seems to stop
some programs from tunnelling past its INT 21h handler. The polymorphic engine
of Natas was complex for its time. Natas decryptors were always forward on
16-Bit words and used 3 or 4 registers: 1 or 2 pointer registers, a key
register and a count register. All single or dual-register addressing modes
could be used with 0/8/16-bit displacement. Encryption was in the form of
"ADD/SUB/XOR/ADC/SBB [PTR],KEY", or possibly "ROL/ROR [PTR],CL" if CX is the
count register. The key register is optionally modified with an
"ADD/XOR/OR KEY,IMM16", an ADD made of multiple instructions,
"ROL/ROR KEY,1/CL" (CL if CX is count) or "NOT/NEG KEY". The pointer is always
incremented, the key is always decremented. When incrementing the pointer, one
or both registers maybe incremented when dual-register addressing is used.
Loop types used by Natas are JNE/JNS/JG/JGE with an optional explicit
register test, JE/JS/JLE/JL follow by a JMP NEAR or LOOP/LOOPZ/LOOPNZ if CX is
the count. Natas uses many different methods to load register values,
increment the pointer or decrement the counter, and to test registers values.
Natas is also able to generate many different junk instructions. The engine
differentiates between .COM and .EXE infections and generates the correct
segment override if needed. Natas includes the text string:
Natas
[1] [13] [14] [15] [16]
Back to top
% References: %
[1] A PRIEST DEPLOYS HIS SATANIC MINIONS,
"The Virus Creation Labs: A Journey Into the Underground" (American Eagle,
ISBN 0-929408-09-8).
http://download.adamas.ai/dlbase/Stuff/VX%20Heavens%20Library/static/vdat/llpriest.htm
[2] Source Code.
satanbug.asm
http://www.thehackademy.net/madchat/vxdevl/vxsrc/MS-Dos/
[3] http://virus.wikia.com/wiki/SatanBug
[4] http://www.securelist.com/en/descriptions/old19521
[5] http://www.securelist.com/en/descriptions/old17163
[6] Disassembly.
payback.asm
http://www.thehackademy.net/madchat/vxdevl/vxsrc/MS-Dos/
[7] http://www.virus-database.com/description/1962-jackal.html
[8] http://www.f-secure.com/v-descs/jackal.shtml
[9] Predator Source Code.
40-Hex Issue 11, File 008.
[10] http://www.eset.com/us/threat-center/encyclopedia/threats/predator/
[11] http://www.securelist.com/en/descriptions/old8752
[12] Virus Catalogue Entry: Predator.
http://agn-www.informatik.uni-hamburg.de/catalog/msdos/html/predator.htm
[13] Natas Source Code.
40-Hex Issue 12, File 005.
[14] http://www.f-secure.com/v-descs/natas.shtml
[15] http://virus.wikia.com/wiki/Natas
[16] http://www.csie.ntu.edu.tw/~wcchen/asm98/asm/proj/b85506050/ORIGIN/NATAS~1.HTM
[17] Reversal of Virus.Boot.Incubus.a by JPanic (Thanks to hh86).
[18] Reversal of Virus.Multi.Jackal.3101 by JPanic.
Back to top