(from Padgett Peterson)

Int_10 Virus

Recently a new virus was discovered that shows some disturbing advances in "stealth". It does not appear to be deliberately malicious (its "payload" is a graphic snowfall on the screen at midnight or six hours following boot in December) but can cause disk corruption.

A floppy boot sector and hard disk MBR infector, the virus seems specifically directed at "generic"/"heuristic" scanners and my early stuff. This virus goes resident in 1k at the TOM and actually removes itself from the fixed disk during boot. While it eventually hooks interrupt 13h, this is not during the BIOS load, being accomplished through DOS instead. Once fully resident, "stealth" is used to hide the return of the virus to the MBR.

While two variants have been found so far, both may be detected via the following string in the MBR (if booted from floppy), a floppy DBR, or in the last 1k area at the TOM if resident in RAM:

88 85 93 02 41 41 D3 E0 80 7D 0B 00 75

Warmly,
Padgett

ps DiskSecure II detects and removes it 8*).

--------------------------------------------------------------

Additional Notes on Int_10. (by Tim Martin)

1. When the Snow pattern comes onto the screen, the keyboard is no longer responded to, so any work in progress at that time that has not been saved to disk will be lost.

2. The virus is two sectors long. On diskettes, one sector of the virus body is hidden at the end of the root directory, along with the hidden copy of the original boot sector. This reduces the number of files that can be in the root directory by 32. If 80 or more files are in the root directory on a 360k or 720k diskette, or 192 or more on high density diskettes, the directory will be corrupted.

3. Int_10 is not polymorphic, but it does encode the saved copy of the MBR or boot sector, by XORing each byte with the value of the CX register, which decreases from 200h to 1h as the sector is encoded. On hard disks, this sector is hidden in sector 12 (Ch), and the second part of the virus body is in sector 13 (Dh).

4. After a few disk accesses, the virus increases the Top of Memory pointer (at 40:13h) by 1, so that the presence of the virus might not be evident through a MEM or CHKDSK command.

5. I have seen the Int_10 virus cause some device drivers to lock up. Specifically, the PC/NFS software on my computer locks up if my computer is infected with Int_10. However, the virus doesn't seem to interfere with Novell networks. I haven't yet figured out the cause of this lockup, but it might have to do with the Int_10 interception, or the virus' step of linking itself into the DOS Int 13h call.

6. Int_10 temporarily removes itself from the hard disk during the boot process, then re-installs itself when DOS is loaded. This means that an infected computer might be cleaned by shutting the computer off during the boot process, between the running of the Master Boot Record and the loading of DOS. It's a tricky timing, though.

7. The Int_10 virus fiddles slightly with two bytes in the copy of the partition table found in the virus body. The DOS 5.0+ command "FDISK /MBR" will remove the virus from a hard disk, but the partition table data left behind are not quite correct in most cases. The errors are not expected to cause problems, though, under normal conditions. But, when it comes to DOS, as Bruce Cockburn put it, "the trouble with normal is it always gets worse."

8. Technically, Virus Taxonomists might want to note that the two variants are called Stoned.Empire.Int_10.A and Stoned.Empire.Int_10.B, according to CARO naming standards.

-----------------------------------------------------------------
Tim Martin                          * Reluctant to find he's
Spatial Information Systems         * stuck in the nineties
University of Alberta               * again.
martin@ulysses.sis.ualberta.ca      *      - Moxy Fruvous
------------------------------------------------------------------
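As an added example (not part of either post above, nor of DiskSecure II), the following Python checks a sector or memory dump for the detection string Padgett gives and reverses the CX-countdown XOR Tim describes in note 3 to recover the saved original sector. It assumes, since the notes do not spell it out, that each byte is XORed with the low byte of CX (CL) and that CX steps down by one per byte from 200h to 1h; the sample sectors are constructed, not real disk images.

```python
# Added example, not code from the bulletin: signature check for Int_10 and
# recovery of the XOR-encoded saved MBR/boot sector described in note 3.
# Assumptions (not stated in the notes): each byte is XORed with CL, the low
# byte of CX, and CX runs 200h, 1FFh, ..., 1h over the 512 bytes in order.

INT_10_SIGNATURE = bytes.fromhex("88 85 93 02 41 41 D3 E0 80 7D 0B 00 75")
SECTOR_SIZE = 512


def contains_int10_signature(blob: bytes) -> bool:
    """True if the detection string occurs anywhere in a MBR, DBR, or TOM dump."""
    return INT_10_SIGNATURE in blob


def signature_offset(blob: bytes) -> int:
    """Offset of the detection string in blob, or -1 if absent."""
    return blob.find(INT_10_SIGNATURE)


def xor_cx_sector(sector: bytes) -> bytes:
    """Apply the CX-countdown XOR. XOR is its own inverse, so this both
    encodes a clean sector and decodes the copy the virus stored."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    out = bytearray(SECTOR_SIZE)
    cx = 0x200
    for i, b in enumerate(sector):
        out[i] = b ^ (cx & 0xFF)   # assumed: XOR with CL only
        cx -= 1                    # 200h down to 1h at the last byte
    return bytes(out)


def looks_like_boot_sector(sector: bytes) -> bool:
    """Sanity check on a recovered sector: 55 AA boot signature at offset 1FEh."""
    return len(sector) == SECTOR_SIZE and sector[0x1FE:0x200] == b"\x55\xAA"


# Constructed sample: a fake "clean" MBR (a few opcode bytes, zero fill, 55 AA
# trailer), then the same sector as the virus would store it.
CLEAN_MBR = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x00" * (SECTOR_SIZE - 7) + b"\x55\xAA"
STORED_COPY = xor_cx_sector(CLEAN_MBR)

if __name__ == "__main__":
    print("stored copy still looks like a boot sector:", looks_like_boot_sector(STORED_COPY))
    print("recovered copy matches original:", xor_cx_sector(STORED_COPY) == CLEAN_MBR)
    print("signature present in clean MBR:", contains_int10_signature(CLEAN_MBR))
```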