Following the small number of common viruses which contribute to the greater part of reported 'real world' infections comes a long trail of lesser protagonists in the virus battle. Though hugely overshadowed by such names as New Zealand 2, Cascade and Jerusalem, reports of all manner of viruses are increasing and specimens which numerically represent only a few percent of total reported infections are still taking hold and causing problems.
One contender that is moving up the ranks of those jostling for a place behind the 'leaders', and currently being reported out in the field, is the Caterpillar virus (aka 1575). It is now overhauling the likes of Italian and Plastique, and is on a par with Joshi, Dark Avenger and Nomenklatura.
Some viruses specifically avoid infecting COMMAND.COM despite the fact that this file is one of the first to be executed, which logically should increase the potential for any virus to propagate.
It has been suggested that the virus writers' general aversion to the COMMAND.COM file is because its infection is altogether too obvious to the user resulting in the early detection of the virus. However, the widespread Cascade virus infects COMMAND.COM with no apparent risk of such premature discovery, so the perceived risk of infecting this file may be over-estimated by the virus writers.
The Caterpillar virus specifically looks for C:\COMMAND.COM on every invocation (the string is encrypted within the code) and actually targets this file for infection -- this may explain why the virus has become relatively widespread in a short space of time.
Caterpillar infects both COM and EXE files. It goes memory-resident by manipulating the DOS arena (memory control block) pointers, though it does not also lower the BIOS available-memory figure, and traps the DOS FCB find-file functions -- thus infecting files whenever the DIR command is used to examine disk contents. This additional disk activity ought to alert users, at least when using diskettes, but it makes this virus highly infective if it is not noticed.
Only files in the inspected directory are infected, and a bug in the interrupt routine causes the virus to miss all files that have the full eight characters in their base name. [On the machine used to compose this article such files comprise about 8 percent of the number of executables on the hard disk. Ed.] The DOS critical error handler is trapped, so users will not see failed attempts to write to a protected diskette. Infected EXE files have a tendency not to run correctly due to corruption by the virus.
The trigger routine of this virus occurs when a file which has been infected for over two months is run, COMMAND.COM is already infected (or doesn't exist in the root directory), and there is another copy of the virus already resident in memory.
In the idiosyncratic manner which we have come to expect from virus authors, the user is subsequently greeted with an animated green caterpillar crawling down the screen, munching through characters and turning the text yellow in its wake.
If uninterrupted, this display lasts some three minutes. Any input which causes the screen to scroll up results in the caterpillar jumping back and continuing from its new position. It cannot be scrolled off the top of the screen and only stops when it finishes its journey.
Technically, the programming is a curious melting pot: neat, legible code interspersed with long-winded meandering, trivial errors and some arcane structuring (or lack thereof). Instead of a simple JMP linking the virus code to the start of a COM program, 12 bytes of instructions are used to set up the code segment for the virus.
The next piece of code manipulates the program stack in highly dubious ways and jumps all over the shop but eventually achieves absolutely nothing. Its only function seems to be to foil an automatic debugger -- this particular section cannot easily be traced as it uses a part of the Interrupt Table as its stack. Another possibility is that it is related to a launch or dropper program which is not carried with the virus.
Even before becoming resident in memory, the virus checks for the existence of an uninfected C:\COMMAND.COM and infects it. A plain data string of 'C:\COMMAND.COM' might arouse suspicion, so this string is 'encrypted' (to use the term very loosely) by adding 32 (decimal) to each character. Infected files are marked by their last two bytes, which are set to 0CH, 0AH.
If the virus finds that another copy of itself is already installed in high memory (it looks for its own 0CH, 0AH signature bytes), it checks its own date of infection to ascertain whether it is more than two months old. If it is, the BIOS timer tick (interrupt 1CH) is trapped and the already-installed copy services these interrupts to produce the animated caterpillar. Note that if C:\COMMAND.COM has just been infected, the caterpillar display will not be initiated.
On going resident, interrupt 21H (the DOS function executor) is trapped to intercept functions 1AH (set DTA address), 11H (FCB find-first) and 12H (FCB find-next). From that point on, all results from a file find are examined after letting DOS go ahead with the operation. Returned filenames are parsed and examined for .COM and .EXE extensions, except, as noted above, this parse routine fails for 8-character base names. The surrounding code confirms that this is not a deliberate 'sparse infection' ploy. The first suitable executable is opened in read/write mode and updated with the virus code, with the current month being planted in the new virus.
Naturally, the virus prefers to let DOS process the find functions first. As the virus has already trapped these itself, it needs to bypass its own interception to let DOS do the job; the usual way is a FAR CALL to the old handler address, but this author chose to provide a 'pass-thru' code instead. Interrupt 21H is still called from within the handler -- a potential recursive death -- but the only two calls it needs to make do not use the processor's AL register, so the virus places 57H in AL as a signature to avoid tying itself in knots. Its own intercept routine recognises this signature and passes the request straight to DOS.
The Caterpillar virus has an infective length in COM and EXE files of between 1575 and 1591 bytes, and may be detected by the following hexadecimal pattern:
Caterpillar 0E1F A12B 018E D087 ECBE 3C01 BF00 00B9 1000 FCF2 A4E9 DEFE
Caterpillar is not encrypted and makes no attempt to hide itself in memory or on disk, not even hiding the increase in file size.
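As an added example (not the article's or Virus Bulletin's own code), the following Python applies the three static indicators given above to a file image: the published hexadecimal search pattern, the 0CH, 0AH marker in the last two bytes of an infected file, and the 'C:\COMMAND.COM' string hidden by adding 32 to every character. The sample images built by constructed_sample() are made up for the test, the placement of the indicators inside the virus body is an assumption rather than the real layout of the virus, and the helper names are the example's own.

```python
"""Static indicators of a Caterpillar (1575) infection, as an added example.

Not a Virus Bulletin tool. It applies the three indicators the article
gives: the published hexadecimal search pattern, the 0CH 0AH marker in
the last two bytes of an infected file, and the target path
'C:\\COMMAND.COM' hidden by adding 32 to every character. The files
built by constructed_sample() are constructed for the test; where the
indicators sit inside the virus body is an assumption, not the real
layout of the virus.
"""
import sys

# Search pattern published in the article (24 bytes).
PATTERN = bytes.fromhex("0E1FA12B018ED087ECBE3C01BF0000B91000FCF2A4E9DEFE")

# An infected file ends with these two bytes.
INFECTION_MARKER = b"\x0c\x0a"

TARGET_PATH = b"C:\\COMMAND.COM"


def obfuscate(data: bytes, key: int = 32) -> bytes:
    """Hide a string the way the virus does: add 32 to every byte."""
    return bytes((b + key) & 0xFF for b in data)


def deobfuscate(data: bytes, key: int = 32) -> bytes:
    """Undo obfuscate(): subtract 32 from every byte."""
    return bytes((b - key) & 0xFF for b in data)


# What a scanner has to look for instead of the plain path.
OBFUSCATED_TARGET = obfuscate(TARGET_PATH)  # b"cZ|commandNcom"


def scan(data: bytes) -> dict:
    """Report which of the three indicators are present in a file image."""
    return {
        "pattern": PATTERN in data,
        "marker": data.endswith(INFECTION_MARKER),
        "target_string": OBFUSCATED_TARGET in data,
    }


def is_infected(data: bytes) -> bool:
    """Use the published pattern as the deciding indicator.

    The 0CH 0AH marker and the hidden path only corroborate a hit: any
    file may happen to end in those two bytes, and a 14-byte string can
    occur in unrelated data.
    """
    return scan(data)["pattern"]


def constructed_sample(infected: bool) -> bytes:
    """Build a fake COM image for the test (constructed, not a real specimen)."""
    host = b"\xb4\x4c\xcd\x21" + b"\x90" * 60   # mov ah,4Ch / int 21h, then padding
    if not infected:
        return host
    # Assumed layout: pattern, then the hidden path, then the end marker.
    body = b"\x00" * 40 + PATTERN + b"\x00" * 40 + OBFUSCATED_TARGET + b"\x00" * 40
    return host + body + INFECTION_MARKER


def scan_file(path: str) -> dict:
    """Scan a file on disk; the file is opened read-only and not modified."""
    with open(path, "rb") as f:
        return scan(f.read())


if __name__ == "__main__":
    for name in sys.argv[1:]:
        result = scan_file(name)
        verdict = "INFECTED" if result["pattern"] else "clean"
        print(f"{name}: {verdict} {result}")
```

Run it as `python scan.py FILE.COM FILE.EXE`. Only the published pattern is treated as decisive; the end marker and the hidden path are reported so that a hit can be cross-checked, since neither is distinctive enough on its own.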
Infected program files should be deleted and replaced with clean write-protected copies of the master software.
Virus Bulletin: Green_Caterpillar.1575 / webmaster@virusbtn.com | © 1998 Virus Bulletin Ltd.