Virus.DOS.DarkParanoid

Class Virus
Platform DOS
Description

Technical Details


This is a memory resident parasitic polymorphic virus. It hooks INT 1, 21h
and writes itself to the end of EXE and to the beginning of COM files.


This virus uses extra-complex way of on-the-fly encryption – at any moment
when virus code is executed, the only one instruction presents in not
encrypted form – all other virus code is encrypted. The virus does that by
using tricks with INT 1 tracing mode. When virus code receives control, it
hooks INT 1 and after execution of any virus’ instruction (except several
special opcodes – see “Intel 80×86 User Guide”) INT 1 is invoked. The virus
hooks this call, decrypts code below of current instruction and encrypts
code above.


prev instruction – encrypted
current instruction – clean
next instruction – encrypted

After executing “current instruction” the virus takes control by INT 1
hook, encrypts “current instruction” and decrypts “next instruction”. As a
result, at any moment either all virus code is encrypted, or just one
instruction presents in clean. Moreover, the virus encrypts/decrypts not
exactly the code of previous/next instruction, but some bytes/words at
several offsets from address of current instruction. As a result the virus’
instructions flow looks like a moving “spot” with a “clean” instruction in
the middle of spot, partly encrypted code in the rest of spot, and
completely encrypted code outside of spot.


There are three blocks of code that cannot be encrypted in such way – they
are INT 1 handler (en/decryptor), start code in infected files and INT 21h
handler in virus TSR copy. Both start code in files and INT 21h handler
hook INT 1 when receive control, switch to tracing mode and pass control to
main routines – installation routine in files and main INT 21h handler’s
code in virus TSR copy.


The INT 1 hooking routine and, of course, INT 1 handler itself are not
encrypted, they are just polymorphic – the virus uses quite strong
polymorphic engine to generate code of INT 1 hooker at entry point in
infected files, as well as for its INT 1 and 21h handlers.


Virus code in infected file:


Entry: +————-+
|INT 1 hooker | – polymorphic
|- – – – – – -|
|INT 1 handler| – polymorphic
|- – – – – – -|
|Main virus | – encrypted by INT 1
|code: TSR |
|installator, |
|e.t.c. |
+————-+

Virus code in memory:

INT 21h +————-+
entry: |INT 1 hooker | – polymorphic
|- – – – – – -|
|INT 1 handler| – polymorphic
|- – – – – – -|
|Main virus | – encrypted by INT 1
|code: INT 21h|
|handler, |
|e.t.c. |
+————-+

As a result all “entries” to virus code (start address in infected files,
INT 1 handler and INT 21h handler’s start code) are polymorphic, and main
virus code is encrypted – that is quite strong task for anti-virus
researchers to elaborate detection procedures for such kind of virus.

Polymorphic Engine


The difference between ordinary polymorphic engines and “DarkParanoid”‘s
engine is the fact that in this virus there is no decryption loop in
polymorphic code – it just hooks INT 1 and starts tracing the main code.
This code in different infected files may appear in different form – while
generating this code the virus randomly selects the registers, commands,
data access modes and so on.


Similar for INT 1 handler that contains on-the-fly encryption/decryption
routine. This code in different files is also different – more than ten
encryption functions are randomly selected from the set: ADD, SUB, XOR,
NEG, NOT, ROR, ROL, as well as byte and word access. Also random registers
are used, and offset of INT 1 handler is randomly selected within some
limits.

Installation and INT 21h Handler


The “DarkParanoid” virus is memory resident, so when infected file is
executed, the virus installs itself into the system memory. To do that it
hooks INT 1 to activate its on-the-fly en/decryption routine, allocates a
block of system memory in conventional DOS memory or in Upper Memory
Blocks, if there is necessary amount of free memory (about 7.5K). The
virus then copies its code to there, hooks INT 21h and returns control to
the host program.


While installing memory resident the virus also runs its polymorphic engine
to generate decryption routines to use them while infecting files. The
virus does not calls this engine anymore, and as a result being installed
the virus will drop the same polymorphic code to files up to the next
rebooting and reinstalling. That may fool a user and virus researchers –
the virus tries to make them sure that this is just some encrypted virus
but not polymorphic, so that is possible to detect it just by single hex
pattern.


The INT 21h virus handler intercepts FileOpen/Create calls (AH/AX=3Ch, 5Bh
6C00h), FileClose call (AH=3Eh) and Get Allocation Strategy (AX=5800h).


The last function (Get Allocation Strategy) is used as “Are You Here?”
call. This call is performed by the virus while installing memory resident.
Before this call the virus puts in the CX register the current year number
plus current month and day numbers (Get Current Date by INT 21h with
AH=2Ah, then CX=CX+DX, then INT 21h call with AX=5800h).


The memory resident virus copy intercepts it, gets current date and year
and compares their addition with the CX register. If they are equal, the
virus TSR copy does not return control back to active virus copy, but
passes it to the host program by itself. It seems to be quite effective
anti-debugging trick – if the virus is already memory resident, such
ordinary call as GetAllocationStrategy does not return back to debugger.


When a file is opened, the virus compares its name extension with “COM” and
“EXE”, and in case of these extensions saves file’s handle to infect it
when file will being closed. As a result, only executable files get
infection, when they are opened (for example, when they are scanned for
viruses by an anti-virus program, or saved to backup), or copied.


Before infecting a file the virus checks the file name and does not infect
several anti-virus programs and utilities – it does not infect files with
names that begin with letters AV, SC, CL, GU, NO, FV, TO, TB (AVP, AVG,
SCAN, CLEAN, GUARD, TBAV, e.t.c.)


The virus writes its code to the end of EXE files and modifies necessary
fields in EXE file header. In case of COM file the virus writes its code to
the beginning of the file and saves original file beginning to the end of
the file.


While infecting the virus increases file’s size by variable number – it
writes to file 5297 bytes of actual virus code (encrypted) as well as
random selected number (up to 1001 bytes) of data from random selected
address in the system memory. The virus also aligns EXE files length to the
paragraph (16 bytes) before infection, and does not infect COM files with
length above than 60K. To separate COM and EXE files the virus checks file
header (MZ/ZM EXE stamp).


To separate infected and not infected file the virus uses standard trick
with file’s time&date stamp – after infecting a file the virus sets its
time stamp to 2 seconds, and checks this value before infection.

Trigger Routine


The trigger routine is executed by the virus depending on its random
counter – while infecting each file the virus with probability 1/4000
displays the text “DaRK PARaNOiD” to the middle of screen, then noises by
PC speaker and shakes the screen by using VGA card features.


The virus also contains the text inside of code of its polymorphic engine:


ENGINE OF ETERNAL ENCRYPTION