Virus.DOS.ArjVirus

Class Virus
Platform DOS
Description

Technical Details


This is a dangerous, non-memory-resident virus. It searches for archive
files and infects them. Fortunately, it handles only one archive format:
the archives it infects must be in the ARJ format, i.e. produced by the
ARJ.EXE compressor.


ARJ.EXE is an archiver program that compresses and stores one or more
files (including subdirectories) in one or several archive files (in
slang, "arjive"). This software is copyright (c) 1990-1993 by Robert K Jung.


This virus, which is more a worm than a standard DOS virus, is 5000 bytes
long. It adds a copy of itself to these archive files. On execution, the
infector searches for files with the ARJ extension using the "*.arj" mask
(files with the ARJ extension are created by the ARJ.EXE utility and
contain the compressed files). It searches for ARJ files in the current
directory and in all of its parent directories.


If an ARJ archive file is found, the virus creates a temporary file with a
randomly selected name and the COM extension. The name consists of four
letters from 'A' to 'V'; the limit at 'V' is because the virus uses the
0Fh limit for the letter number, and the 15th (0Fh) letter is 'V'. The
resulting names look like BHPL.COM, NLJJ.COM, OKPD.COM, etc. The virus
then writes itself (5000 bytes) into this COM file and, to hide itself,
appends garbage bytes of randomly selected length to the file. The virus
checks that the length of that garbage does not exceed the maximum length
of an executable COM file. The resulting worm files are therefore longer
than 5000 bytes; 5000 bytes is the length of the worm body that is stored
in the file on every infection.
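As an added example (not part of the original description), the following Python lists the entries of an ARJ archive and flags those that fit the dropper pattern described above: a four-letter name using only the letters A to V, the COM extension, and an original size of at least 5000 bytes. The header layout follows the public ARJ format notes; header CRCs are not verified, the function names `arj_entries` and `suspicious_entries` are my own, and the sample archive is constructed inline.

```python
import re
import struct

ARJ_MAGIC = 0xEA60            # ARJ header id (bytes 60 EA)
FIRST_HDR_SIZE = 30           # fixed part of a basic header, before the file name
WORM_BODY_LEN = 5000          # ArjVirus body length from the description above
WORM_NAME = re.compile(r"^[A-V]{4}\.COM$", re.IGNORECASE)

def arj_entries(data: bytes):
    """Return (file name, original size) for every file header in an ARJ archive.
    Assumption: header CRCs and compressed data are skipped, not verified."""
    entries, pos = [], 0
    while True:
        magic, basic_size = struct.unpack_from("<HH", data, pos)
        if magic != ARJ_MAGIC:
            raise ValueError("not an ARJ archive")
        if basic_size == 0:                        # end-of-archive marker
            return entries
        hdr = data[pos + 4:pos + 4 + basic_size]
        first_hdr_size, file_type = hdr[0], hdr[6]
        comp_size, orig_size = struct.unpack_from("<II", hdr, 12)
        name = hdr[first_hdr_size:hdr.index(b"\0", first_hdr_size)]
        pos += 4 + basic_size + 4                  # id/size, basic header, header CRC
        ext_size = struct.unpack_from("<H", data, pos)[0]
        pos += 2 + (ext_size + 4 if ext_size else 0)  # extended header and its CRC
        if file_type != 2:                         # 2 = main archive header, no data
            entries.append((name.decode("ascii", "replace"), orig_size))
            pos += comp_size

def suspicious_entries(entries):
    """Entries fitting the dropper pattern: four letters A..V, .COM, >= 5000 bytes."""
    return [(n, s) for n, s in entries if WORM_NAME.match(n) and s >= WORM_BODY_LEN]

def _hdr(file_type, name, comp=0, orig=0):
    """Build a minimal ARJ header (CRC fields zeroed) for the constructed sample."""
    fixed = bytes([FIRST_HDR_SIZE, 11, 1, 0, 0, 0, file_type, 0])
    fixed += struct.pack("<IIIIHHH", 0, comp, orig, 0, 0, 0, 0)
    basic = fixed + name + b"\0" + b"\0"           # file name, empty comment
    return struct.pack("<HH", ARJ_MAGIC, len(basic)) + basic + b"\0" * 4 + b"\0\0"

# Constructed sample: a clean text file, a worm-like entry, a short COM file and
# a COM file whose letters fall outside A..V.
SAMPLE_ARJ = (
    _hdr(2, b"DOCS.ARJ")
    + _hdr(0, b"README.TXT", comp=3, orig=3) + b"abc"
    + _hdr(0, b"BHPL.COM", comp=4, orig=5321) + b"\x90" * 4
    + _hdr(0, b"ABCD.COM", comp=2, orig=120) + b"ab"
    + _hdr(0, b"WXYZ.COM", comp=1, orig=7000) + b"a"
    + struct.pack("<HH", ARJ_MAGIC, 0)             # end-of-archive marker
)
```

Running `suspicious_entries(arj_entries(SAMPLE_ARJ))` on the constructed sample flags only BHPL.COM; the name match alone is weak evidence, so the size threshold matters.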


Then the virus inserts that file into the archive that was found. It does
this in the easiest way: it forces the ARJ.EXE utility to do it. One of the
ARJ.EXE switches is the "a" character, which adds file(s) to an ARJ
archive. The virus uses this option: it executes ARJ.EXE with the "a"
switch through the standard C function. The executed command line looks
like:


c:\command.com /c arj a <archive> <name>.com

where <archive> is the name (with extension) of the ARJ archive that was
found, and <name> is the four-letter randomly selected name described
above. The "/c" switch causes COMMAND.COM to execute the given program
(ARJ.EXE) and exit immediately.


On execution of this command, the ARJ.EXE archiver compresses the worm and
adds it to the archive file that was found. The virus then deletes the
temporary file and searches for the next ARJ file. If there are no more
archive files in the current directory, the virus moves to the parent
directory. If the current directory is the root directory of the disk, the
virus returns to DOS.


One of the features of this infector is duplicate infection. When infecting
an archive, the virus does not check whether it is already present in it,
and how could it? Checking the contents of an archive is not an easy task,
and I see that the author of this virus did not set this (avoiding
duplicate infection) as an objective. He realized his new idea in the
easiest way, nothing more.


The virus generates random names for the worm files. Sometimes it generates
a name that is already present in the ARJ file being infected. As a
result, that file is overwritten by the virus and its contents are lost.
Of course, the probability that the worm file will be executed grows in
that case.


To hide its spreading, the virus hooks INT 10h, the video interrupt, and
points it at an IRET instruction, which disables standard output to the
screen. This hides the virus, but if an error occurs during its activity,
ARJ.EXE or DOS displays an error message (for example, "Write protect
error writing drive A:") and waits for an answer. Because the virus has
disabled the output, the user sees only a blank screen, and it looks as if
the computer has hung. By the way, the virtual DOS machine under
MS-Windows switches to full-screen text mode on a write protect error, and
it is impossible to switch to another task.
Last note: this virus contains the following short internal text string:


*.arj .. 0000.com /c arj a c:\command.com