Virus.DOS.Vacsina

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:

• file viruses
• boot sector viruses
• macro viruses
• script viruses

Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Virus

Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example: when infecting accessible disks, a virus penetrates a file located on a network resource a virus copies itself to a removable storage device or infects a file on a removable device a user sends an email with an infected attachment.

Read more

Platform: DOS

No platform description

Description

Technical Details

The "Vacsina" (not "VACCINA") and "Yankee" family comprises more than 40 non-memory resident, benign parasitic viruses. Each of them bears in its body a label consisting of three bytes: F4h, 7Ah, NNh. The third byte, NNh, is considered as a number of the virus in the family (number of the virus version), and hereafter will be met in the names of viruses ("Vacsina.NN" and "Yankee.NN"). After activation, the viruses of this family write the bytes 7Fh, 39h, and NNh into the memory at the addresses 0000:00C5, 0000:00C6, 0000:00C7. Viruses of the family are distinguished for recovering files infected by previous versions of the viruses of that family and reinfecting them. The viruses "Vacsina.NN" contain the word "VACSINA" in their bodies.

The viruses infect COM and EXE files that are executed (viruses of versions up to 26h) or loaded into the memory (viruses of versions 26h and above). The viruses infect COM files in a standard way: the viruses of versions up to 9th check the first byte in a COM file being infected. If this byte is not equal to E9h (JMP), the file will not be infected. The viruses of higher versions infect .COM files independently on their first byte. Apart from this, the "VACSINA" viruses increase the length of the infected file up to a paragraph. Versions 2Ah and above append 4 additional bytes to the file after it has been infected.

The viruses of earlier versions (up to 23h) infect EXE files in a special manner - the files are transformed to the COM file format. For this purpose, the file is appended with a small fragment of the virus code (132 bytes) that adjusts the addresses according to the address table upon loading the file into the memory for execution; the first three bytes of the file (JMP to the fragment) are also altered. The 132 bytes appended to the file do not spread the virus. Their function is only to adjust the program addresses upon its execution. The file processed in this way will be executed by the operating system, and will be infected by many viruses as a COM file. As such, an EXE file is run, control is transferred to the address relocation fragment, which checks the address table in the file header, and corrects the loaded program. Then control is transferred to the start address noted in the file header.

The viruses hook the interrupt vector 21h. Some members of the "Yankee" family hook INT 1, 3, 9, and 1Ch.

The viruses make sound effects: as a file is infected by a "VACSINA" virus, a sound signal (BELL) is made; the "Yankee" viruses, depending on some preconditions (when pressing ALT-Ctrl-Del simultaneously or at 5:00 p.m.), play the "Yankee Doodle Dandy" melody. Under some conditions, the "Vacsina.06" virus deciphers and displays the string: "Az sum vasta lelja."

There are several "piquancies" in these viruses: versions 18h and above determine the initial value of the 21h interrupt vector (address of the interrupt handler in DOS), and upon incorporating into files, cause an interrupt on that value. In this way, the viruses bypass memory-resident antiviral monitors. To determinate the address of the interrupt handler, the following algorithm is used:

• set the 01h interrupt (entry at tracing; this interrupt is called in debugging mode after performing every instruction by the processor) to the subroutine determining the true value of the interrupt vector;
• turn on the tracing mode;
• call a "harmless" interrupt of the function 21h (from the standpoint of memory-resident anti-viruses).

Upon executing a "harmless" function of INT 21h, instructions of all programs, which have altered the interrupt vector 21h, are executed in sequential order, then the operating system commands handling this interrupt are performed. After every executed command, control is transferred over to the virus subroutine, which determines the initial value of the interrupt vector. It checks the address of the last executed command, and if this address points to the memory area belonging to the operating system, it turns the debugging mode off, and treats the address of this command as the initial value of the 21h interrupt vector.

00000  � ...            �
+----------------�
�Operating       �
+------------------>�system          �
�                   +----------------�
�                   �COMMAND.COM     �
�           INT 21h +----------------�
+-------------------�User            �------- Programs, having modified
+------------------>�program         �   �    interrupt vector 21h
�                   +----------------�   �
�                   � ...            �   �
�           INT 21h +----------------�   �
+-------------------�User            �---+
+------------------>�program         �
�                   +----------------�
�                   � ...            �
�                   +----------------�
�                   �Virus           �
�           INT 21h �   -------------�
+-------------------�Command calling �
� interrupt 21h  �
^  �             �   -------------�
�  +------------>�Program for     �
�                �determination of�
+----------------�vector          �
+----------------�
FFFFF  � ...            �

Versions 21h and above hook debugger actions, and, on the condition that the body of the virus is debugged, stop the debugging process. During an attempt to dump an infected file under the debugger, the file "cures itself".

Version 21h and above encode themselves by linear block code, and keep checking bytes in their body. Periodically, the viruses check themselves for the presence of modifications, and correct them if possible.

Versions 2Ch and above deactivate the memory-resident part of the "PingPong" virus. Versions 2Eh and above take some counter measures against the "Cascade" viruses.

Modifications of "VACSINA" and "Yankee"

The "VACSINA" and "Yankee" viruses are rather "popular": apart from several dozen "original" viruses, their mutations, in some cases rather expertly copied from the original, have started to crop up. Thus, in Irkutsk (Russia), the virus ("Yankee.1905"), challenging the right to be referred to as "Yankee.53", has been found. But not withstanding its number (53h), it uses only one "piquancy" - traces INT 21h.

"Yankee.1049,1150,1202" - are harmless memory-resident file viruses. They infect COM and EXE files when they are executed (INT 21h, "Yankee.1049" - ax=4B00h, "Yankee.1202,1150" - ah= 4Bh). The viruses alter the first 32 bytes of a file, and attach themselves to its end, and in many respects, coincide with the "Yankee" viruses. The 21h vector is used.

"Yankee.3045" contains the text strings: "LOGIN.EXE SUPERVISOR. HESLO.".

"Yankee.Flip.2167": depending on the system date, it hooks INT 8, 9, and 10h, and "flips" the screen.

Yankee.2189

"Yankee" family. This virus is encrypted, sometimes it rolls the symbols '/', '', '-', '|'.

Yankee.Estonia.1716

"Yankee" family. It infects COM and EXE files, with the exception of COMMAND.COM, that are executed. It appends 4 control bytes to COM files. On Monday at 2:00 p.m., it decrypts and displays, to the center of the screen, the following message: "Independent Estonia presents", then plays a tune and reboots the computer.

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com