Class
Virus
Platform
DOS

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Virus

Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example: when infecting accessible disks, a virus penetrates a file located on a network resource a virus copies itself to a removable storage device or infects a file on a removable device a user sends an email with an infected attachment.

Read more

Platform: DOS

No platform description

Description

Technical Details

This is a memory resident parasitic polymorphic virus. It hooks INT 1, 21h and writes itself to the end of EXE and to the beginning of COM files.

This virus uses extra-complex way of on-the-fly encryption - at any moment when virus code is executed, the only one instruction presents in not encrypted form - all other virus code is encrypted. The virus does that by using tricks with INT 1 tracing mode. When virus code receives control, it hooks INT 1 and after execution of any virus' instruction (except several special opcodes - see "Intel 80x86 User Guide") INT 1 is invoked. The virus hooks this call, decrypts code below of current instruction and encrypts code above.

prev instruction     - encrypted
current instruction  - clean
next instruction     - encrypted
After executing "current instruction" the virus takes control by INT 1 hook, encrypts "current instruction" and decrypts "next instruction". As a result, at any moment either all virus code is encrypted, or just one instruction presents in clean. Moreover, the virus encrypts/decrypts not exactly the code of previous/next instruction, but some bytes/words at several offsets from address of current instruction. As a result the virus' instructions flow looks like a moving "spot" with a "clean" instruction in the middle of spot, partly encrypted code in the rest of spot, and completely encrypted code outside of spot.

There are three blocks of code that cannot be encrypted in such way - they are INT 1 handler (en/decryptor), start code in infected files and INT 21h handler in virus TSR copy. Both start code in files and INT 21h handler hook INT 1 when receive control, switch to tracing mode and pass control to main routines - installation routine in files and main INT 21h handler's code in virus TSR copy.

The INT 1 hooking routine and, of course, INT 1 handler itself are not encrypted, they are just polymorphic - the virus uses quite strong polymorphic engine to generate code of INT 1 hooker at entry point in infected files, as well as for its INT 1 and 21h handlers.

Virus code in infected file:

Entry:  +-------------+
|INT 1 hooker | - polymorphic
|- - - - - - -|
|INT 1 handler| - polymorphic
|- - - - - - -|
|Main virus   | - encrypted by INT 1
|code: TSR    |
|installator, |
|e.t.c.       |
+-------------+
Virus code in memory:
INT 21h +-------------+
entry:  |INT 1 hooker | - polymorphic
|- - - - - - -|
|INT 1 handler| - polymorphic
|- - - - - - -|
|Main virus   | - encrypted by INT 1
|code: INT 21h|
|handler,     |
|e.t.c.       |
+-------------+
As a result all "entries" to virus code (start address in infected files, INT 1 handler and INT 21h handler's start code) are polymorphic, and main virus code is encrypted - that is quite strong task for anti-virus researchers to elaborate detection procedures for such kind of virus.

Polymorphic Engine

The difference between ordinary polymorphic engines and "DarkParanoid"'s engine is the fact that in this virus there is no decryption loop in polymorphic code - it just hooks INT 1 and starts tracing the main code. This code in different infected files may appear in different form - while generating this code the virus randomly selects the registers, commands, data access modes and so on.

Similar for INT 1 handler that contains on-the-fly encryption/decryption routine. This code in different files is also different - more than ten encryption functions are randomly selected from the set: ADD, SUB, XOR, NEG, NOT, ROR, ROL, as well as byte and word access. Also random registers are used, and offset of INT 1 handler is randomly selected within some limits.

Installation and INT 21h Handler

The "DarkParanoid" virus is memory resident, so when infected file is executed, the virus installs itself into the system memory. To do that it hooks INT 1 to activate its on-the-fly en/decryption routine, allocates a block of system memory in conventional DOS memory or in Upper Memory Blocks, if there is necessary amount of free memory (about 7.5K). The virus then copies its code to there, hooks INT 21h and returns control to the host program.

While installing memory resident the virus also runs its polymorphic engine to generate decryption routines to use them while infecting files. The virus does not calls this engine anymore, and as a result being installed the virus will drop the same polymorphic code to files up to the next rebooting and reinstalling. That may fool a user and virus researchers - the virus tries to make them sure that this is just some encrypted virus but not polymorphic, so that is possible to detect it just by single hex pattern.

The INT 21h virus handler intercepts FileOpen/Create calls (AH/AX=3Ch, 5Bh 6C00h), FileClose call (AH=3Eh) and Get Allocation Strategy (AX=5800h).

The last function (Get Allocation Strategy) is used as "Are You Here?" call. This call is performed by the virus while installing memory resident. Before this call the virus puts in the CX register the current year number plus current month and day numbers (Get Current Date by INT 21h with AH=2Ah, then CX=CX+DX, then INT 21h call with AX=5800h).

The memory resident virus copy intercepts it, gets current date and year and compares their addition with the CX register. If they are equal, the virus TSR copy does not return control back to active virus copy, but passes it to the host program by itself. It seems to be quite effective anti-debugging trick - if the virus is already memory resident, such ordinary call as GetAllocationStrategy does not return back to debugger.

When a file is opened, the virus compares its name extension with "COM" and "EXE", and in case of these extensions saves file's handle to infect it when file will being closed. As a result, only executable files get infection, when they are opened (for example, when they are scanned for viruses by an anti-virus program, or saved to backup), or copied.

Before infecting a file the virus checks the file name and does not infect several anti-virus programs and utilities - it does not infect files with names that begin with letters AV, SC, CL, GU, NO, FV, TO, TB (AVP, AVG, SCAN, CLEAN, GUARD, TBAV, e.t.c.)

The virus writes its code to the end of EXE files and modifies necessary fields in EXE file header. In case of COM file the virus writes its code to the beginning of the file and saves original file beginning to the end of the file.

While infecting the virus increases file's size by variable number - it writes to file 5297 bytes of actual virus code (encrypted) as well as random selected number (up to 1001 bytes) of data from random selected address in the system memory. The virus also aligns EXE files length to the paragraph (16 bytes) before infection, and does not infect COM files with length above than 60K. To separate COM and EXE files the virus checks file header (MZ/ZM EXE stamp).

To separate infected and not infected file the virus uses standard trick with file's time&date stamp - after infecting a file the virus sets its time stamp to 2 seconds, and checks this value before infection.

Trigger Routine

The trigger routine is executed by the virus depending on its random counter - while infecting each file the virus with probability 1/4000 displays the text "DaRK PARaNOiD" to the middle of screen, then noises by PC speaker and shakes the screen by using VGA card features.

The virus also contains the text inside of code of its polymorphic engine:

ENGINE OF ETERNAL ENCRYPTION

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Confirm changes?
Your message has been sent successfully.