Kaspersky Threats

Class

Platform

Description

Technical Details

It’s a dangerous not-memory resident virus. It searches for the archive
files and infects them. Fortunately, it searches only for the format of
archivators. The archive files for infection should be in ARJ standard
only. These file-archives are the result of the ARJ.EXE compressor’s work.

ARJ.EXE is an archiver program which allows to compress and store one
or more files (including subdirectories) in one or several archives (in
slang – arjive) files in compressed format. This software is copyrighted
(c) 1990-1993 by Robert K Jung.

This virus, which is a worm more than a standard DOS virus, is 5000 bytes
of length. It updates these files by its (virus) copy. On execution, this
infector searches for the files with ARJ extension by using “*.arj” mask
(the files with ARJ extension are created by the ARJ.EXE utility and
contain the compressed files). It searches for ARJ files in the current and
all the parent directories.

If the ARJ archive file is found, the virus creates a temporary file with
a random selected name and COM extension. This name consist of four
letters from ‘A’ t0 ‘V’; the ‘V’ limitation is because this virus uses
the 0Fh limit for letter number, the 15th (0Fh) letter is ‘V’. The result
names looks as BHPL.COM, NLJJ.COM, OKPD.COM etc. Then the virus writes
itself (5000 bytes) into this COM file, and for hiding it appends to the
file the garbage bytes of random selected length. The virus checks that the
length of that garbage should not exceed the maximum length of executable
COM file. The length of the result worm files are more than 5000 bytes. The
5000 bytes is the length of worm’s body which is stored in file on any
infection.

Then the virus inserts that file into the archive which was found. It does it by
the easiest way – the virus forces the ARJ.EXE utility to make it. One of
ARJ.EXE switches is “a” character, it forces to add the file(s) in ARJ
archive file. And the virus uses this option, it executes the ARJ.EXE with
“a” character by using the standard C function. The string which is
executed looks as:



c:command.com /c arj a  .com

where is the name with extension of ARJ archive which was found,
is the four bytes of length random selected name described
above. The “/c” switch causes COMMAND.COM to execute the pointed program
(ARJ.EXE) and immediately exit.

On execution of this command the archiver ARJ.EXE compresses and adds
the worm into the archive file which was found. Then the virus deletes the
temporary file and searches for the next ARJ file. If there are no archive
files in the current directory, the virus jumps to the parent one. If the
current directory is the disk root directory, the virus returns to DOS.

One of the features of this infector is duplicate infection. On execution
of the archive the virus does not check the file for its presence, and how can
it do this? To check the archive inside is not an easy task, and I see
that the author of this virus did not set it (duplicate infection) as an
object. He realized the new idea by the easiest way, not more.

The virus generates random names of the worm files.
Sometimes it can generate the name which is present in ARJ file which is
for infection. As the result, that file will be overwritten by the virus
and the contents of that file will be lost. Of course, the probability of
execution of worm file grows in that case.

For hiding its spreading the virus hooks INT 10h – the video interrupt. It
sets it to IRET instruction which disables the standard output to the
screen. This feature hides the virus, but if on virus activity errors
occur, the ARJ.EXE program or DOS will display the error message
(for example, “Write protect error writing drive A:”) and wait for the
answer. But the virus disables the output, and the user will see the blank
screen only. It looks as the computer hangs up. By the way, the virtual
DOS machine under MS-Windows switches for full screen text mode on write
protect error, and it’s impossible to switch to another task.
Last note: this virus contains the short internal text string:



*.arj .. 0000.com /c arj a c:command.com

Find out the statistics of the threats spreading in your region

Class	Virus
Platform	DOS
Description	Technical Details It’s a dangerous not-memory resident virus. It searches for the archive files and infects them. Fortunately, it searches only for the format of archivators. The archive files for infection should be in ARJ standard only. These file-archives are the result of the ARJ.EXE compressor’s work. ARJ.EXE is an archiver program which allows to compress and store one or more files (including subdirectories) in one or several archives (in slang – arjive) files in compressed format. This software is copyrighted (c) 1990-1993 by Robert K Jung. This virus, which is a worm more than a standard DOS virus, is 5000 bytes of length. It updates these files by its (virus) copy. On execution, this infector searches for the files with ARJ extension by using “.arj” mask (the files with ARJ extension are created by the ARJ.EXE utility and contain the compressed files). It searches for ARJ files in the current and all the parent directories. If the ARJ archive file is found, the virus creates a temporary file with a random selected name and COM extension. This name consist of four letters from ‘A’ t0 ‘V’; the ‘V’ limitation is because this virus uses the 0Fh limit for letter number, the 15th (0Fh) letter is ‘V’. The result names looks as BHPL.COM, NLJJ.COM, OKPD.COM etc. Then the virus writes itself (5000 bytes) into this COM file, and for hiding it appends to the file the garbage bytes of random selected length. The virus checks that the length of that garbage should not exceed the maximum length of executable COM file. The length of the result worm files are more than 5000 bytes. The 5000 bytes is the length of worm’s body which is stored in file on any infection. Then the virus inserts that file into the archive which was found. It does it by the easiest way – the virus forces the ARJ.EXE utility to make it. One of ARJ.EXE switches is “a” character, it forces to add the file(s) in ARJ archive file. And the virus uses this option, it executes the ARJ.EXE with “a” character by using the standard C function. The string which is executed looks as: c:command.com /c arj a .com where is the name with extension of ARJ archive which was found, is the four bytes of length random selected name described above. The “/c” switch causes COMMAND.COM to execute the pointed program (ARJ.EXE) and immediately exit. On execution of this command the archiver ARJ.EXE compresses and adds the worm into the archive file which was found. Then the virus deletes the temporary file and searches for the next ARJ file. If there are no archive files in the current directory, the virus jumps to the parent one. If the current directory is the disk root directory, the virus returns to DOS. One of the features of this infector is duplicate infection. On execution of the archive the virus does not check the file for its presence, and how can it do this? To check the archive inside is not an easy task, and I see that the author of this virus did not set it (duplicate infection) as an object. He realized the new idea by the easiest way, not more. The virus generates random names of the worm files. Sometimes it can generate the name which is present in ARJ file which is for infection. As the result, that file will be overwritten by the virus and the contents of that file will be lost. Of course, the probability of execution of worm file grows in that case. For hiding its spreading the virus hooks INT 10h – the video interrupt. It sets it to IRET instruction which disables the standard output to the screen. This feature hides the virus, but if on virus activity errors occur, the ARJ.EXE program or DOS will display the error message (for example, “Write protect error writing drive A:”) and wait for the answer. But the virus disables the output, and the user will see the blank screen only. It looks as the computer hangs up. By the way, the virtual DOS machine under MS-Windows switches for full screen text mode on write protect error, and it’s impossible to switch to another task. Last note: this virus contains the short internal text string: .arj .. 0000.com /c arj a c:command.com
	Find out the statistics of the threats spreading in your region

Virus.DOS.ArjVirus

Technical Details