Class: Virus
Platform: DOS

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors), or programs that create multiple copies that are unable to self-replicate, are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources). Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting that the user open an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Virus

Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example:
  • when infecting accessible disks, a virus penetrates a file located on a network resource
  • a virus copies itself to a removable storage device or infects a file on a removable device
  • a user sends an email with an infected attachment

Platform: DOS

No platform description

Description

Technical Details

This is a dangerous non-memory-resident virus. It searches for archive files and infects them. Fortunately, it handles only one archiver format: the archives it infects must be in ARJ format, i.e. archives produced by the ARJ.EXE compressor.

ARJ.EXE is an archiver program that compresses and stores one or more files (including subdirectories) in one or several archive files (in slang, "arjives"). This software is copyrighted (c) 1990-1993 by Robert K. Jung.

This virus, which is more a worm than a standard DOS virus, is 5000 bytes long. It adds a copy of itself to these archive files. On execution, the infector searches for files with the ARJ extension using the "*.arj" mask (files with the ARJ extension are created by the ARJ.EXE utility and contain compressed files). It searches for ARJ files in the current directory and in all of its parent directories.

If an ARJ archive file is found, the virus creates a temporary file with a randomly selected name and the COM extension. The name consists of four letters from 'A' to 'V'; the 'V' limit is because this virus uses 0Fh as the limit for the letter number, and the 15th (0Fh) letter is 'V'. The resulting names look like BHPL.COM, NLJJ.COM, OKPD.COM etc. The virus then writes itself (5000 bytes) into this COM file and, to disguise it, appends garbage bytes of randomly selected length. The virus checks that the length of the garbage does not make the file exceed the maximum length of an executable COM file. The resulting worm files are therefore longer than 5000 bytes; 5000 bytes is the length of the worm body that is stored in the file on every infection.

The virus then inserts that file into the archive that was found. It does so in the easiest way: it makes the ARJ.EXE utility do the work. One of the ARJ.EXE switches is the "a" command, which adds file(s) to an ARJ archive. The virus uses this option and runs ARJ.EXE with the "a" command via the standard C library function. The string that is executed looks like:

c:\command.com /c arj a <archive>.arj <name>.com
where <archive>.arj is the name (with extension) of the ARJ archive that was found and <name> is the four-letter randomly selected name described above. The "/c" switch causes COMMAND.COM to execute the specified program (ARJ.EXE) and exit immediately.

When this command executes, the ARJ.EXE archiver compresses the worm and adds it to the archive that was found. The virus then deletes the temporary file and searches for the next ARJ file. If there are no more archive files in the current directory, the virus moves to the parent directory. If the current directory is the root directory of the disk, the virus returns control to DOS.

One of the features of this infector is duplicate infection. When infecting an archive, the virus does not check whether its copy is already present; and how could it? Checking the contents of an archive is not an easy task, and I see that the author of this virus did not set out to handle duplicate infection. He realized his new idea in the easiest way, nothing more.

The virus generates the names of the worm files at random. Sometimes it generates a name that is already present in the ARJ file being infected. As a result, that file is overwritten by the virus and its contents are lost. Of course, in that case the probability that the worm file will be executed grows.

To hide its spreading, the virus hooks INT 10h, the video interrupt, and points it at an IRET instruction, which disables standard output to the screen. This feature hides the virus, but if errors occur during the virus's activity, ARJ.EXE or DOS will display an error message (for example, "Write protect error writing drive A:") and wait for an answer. Since the virus has disabled the output, the user sees only a blank screen, and it looks as if the computer has hung. Incidentally, the virtual DOS machine under MS-Windows switches to full-screen text mode on a write-protect error, and it is then impossible to switch to another task. Last note: this virus contains the short internal text string:

*.arj .. 0000.com /c arj a c:command.com
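As an added example (not part of the original description or of any Kaspersky tool), the following Python scanner walks the basic headers of an ARJ archive and flags entries matching the dropper pattern described above: a four-letter name using only 'A'..'V', a .COM extension, and an original size of at least 5000 bytes; because the virus never checks for an existing copy, every such entry is reported, so a count above one also reveals duplicate infection. The header layout follows the public ARJ technical notes; build_arj is a constructed test-archive builder (stored entries, no compression) and is not ARJ.EXE output.

```python
import re
import struct
import zlib

ARJ_MAGIC = b"\x60\xea"
# Dropper pattern from the description: four letters 'A'..'V', .COM, body >= 5000 bytes.
DROPPER_NAME = re.compile(rb"^[A-V]{4}\.COM$", re.IGNORECASE)
DROPPER_MIN_SIZE = 5000

def iter_arj_headers(data):
    """Yield (file_type, name, original_size) for each basic header in an ARJ archive."""
    pos = 0
    while pos + 4 <= len(data):
        if data[pos:pos + 2] != ARJ_MAGIC:
            raise ValueError("bad ARJ header id at offset %d" % pos)
        hdr_size = struct.unpack_from("<H", data, pos + 2)[0]
        if hdr_size == 0:                      # end-of-archive marker
            break
        hdr = data[pos + 4:pos + 4 + hdr_size]
        if zlib.crc32(hdr) != struct.unpack_from("<I", data, pos + 4 + hdr_size)[0]:
            raise ValueError("basic header CRC mismatch at offset %d" % pos)
        first_hdr_size, file_type = hdr[0], hdr[6]
        comp_size, orig_size = struct.unpack_from("<II", hdr, 12)
        name = hdr[first_hdr_size:hdr.index(b"\x00", first_hdr_size)]
        pos += 4 + hdr_size + 4                # id + size + basic header + CRC
        ext_size = struct.unpack_from("<H", data, pos)[0]
        if ext_size:                           # ARJ 2.x writes no extended headers
            raise ValueError("extended headers not supported")
        pos += 2
        if file_type != 2:                     # type 2 is the main archive header: no data
            pos += comp_size
        yield file_type, name, orig_size

def scan_arj(data):
    """Return entry names that match the worm's dropper pattern (duplicates included)."""
    return [name.decode("ascii") for file_type, name, orig_size in iter_arj_headers(data)
            if file_type != 2 and DROPPER_NAME.match(name) and orig_size >= DROPPER_MIN_SIZE]

def build_arj(entries):
    """Constructed stored (method 0) ARJ archive for testing; not real ARJ.EXE output."""
    def header(file_type, name, body):
        fixed = struct.pack("<8BIIIIHHH", 30, 11, 1, 0, 0, 0, file_type, 0,
                            0, len(body), len(body), zlib.crc32(body), 0, 0, 0)
        basic = fixed + name + b"\x00" + b"\x00"          # filename, empty comment
        return (ARJ_MAGIC + struct.pack("<H", len(basic)) + basic
                + struct.pack("<I", zlib.crc32(basic)) + b"\x00\x00")
    out = header(2, b"TEST.ARJ", b"")
    for name, body in entries:
        out += header(0, name, body) + body
    return out + ARJ_MAGIC + b"\x00\x00"
```

Run scan_arj over the bytes of a suspect archive; two or more hits in one archive indicate the duplicate infection described above.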
