Quandary is an in-the-wild boot sector infector. It infects floppy and hard disks and employs a modest encryption system to help avoid detection. If a diskette infected with this virus is in the floppy drive when a PC is booted, the infected boot sector is loaded into memory at offset 7C00h in segment 0 and run.
The first eight bytes of virus code set up the entry registers before calling an encryption/decryption routine. This decrypts 34 bytes of virus code using a simple XOR algorithm, a commonly used method because it is its own inverse: calling the routine once encrypts the target bytes, and calling it a second time restores them to their original values.
Control then passes to the decrypted code, which contains the instructions to take control of Int 13h (the ROM BIOS disk interrupt) and to reduce the amount of available memory by 1KB. These must be encrypted, as they are the now-standard instructions seen in most boot sector viruses and are thus detectable by scanners with even a modest generic capability. Once they have executed, Quandary re-encrypts them, as they are no longer required.
The virus now copies 512 bytes of its own image to offset 7C00h in the new segment it has created in the top of memory. At this point, a virus will normally issue a jump to the virus image at the new location. Quandary, however, issues an Int 19h, forcing the PC to reboot. This is neither a warm nor a cold reboot: all interrupt vectors and memory contents are left intact and the firmware loads the boot sector into memory and passes control to it.
When the firmware tries to read the Master Boot Sector, the request passes through the virus disk handler, which performs the read via a far call to the original BIOS handler, whose address was saved when Quandary captured the interrupt vector. Should this fail, the virus returns to the caller with the correct error code.
In the case of a successful disk access, Quandary checks the sector for the signature 55AAh in the sector's last two bytes: this should appear in all MBRs. If for any reason the MBS is missing its signature, the PC's hard disk will not be infected.
If the boot sector is considered valid, another test is made to see whether the word at offset 125h contains the value 1405h. This is a puzzle, since the word has that value neither on a clean disk nor on one infected with Quandary. It seems the virus is identifying another infection and replacing it with itself - a free upgrade, perhaps! If the boot sector contains the value 1405h here, Quandary performs the 'upgrade', taking the contents of sector 14 (which appears to be where the previous virus placed the MBR copy) and copying it onto sector 15. It then replaces the MBR with its own image and returns control to the caller.
In the absence of this other virus, Quandary checks for itself by comparing the word at offset 1BBh with C928h. If found, this means the disk is infected, and Quandary then retrieves the original MBS from sector 15 and returns it to the caller, thus realising the virus' limited stealth capabilities.
In all other cases Quandary has now identified an uninfected disk and begins infection. It writes the untouched MBS to head 0, sector 15, copies 64 bytes from offset 1BEh in the MBS to its image in memory (to preserve the partition table) and writes itself to head 0, sector 0, completing infection.
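The three MBR tests described above (boot signature, the 1405h word at 125h, the C928h word at 1BBh) and the XOR round-trip can be checked offline against a sector image. The following is an added example for analysts, not code from the article or the virus; the test sectors and the XOR key are constructed here, as the article gives neither.

```python
import struct

SECTOR_SIZE = 512
SIG_OFFSET = 510          # the 55h AAh signature occupies the last two bytes
OTHER_VIRUS_OFF = 0x125   # word the virus compares with 1405h
QUANDARY_OFF = 0x1BB      # word the virus compares with C928h (its own marker)
PART_TABLE_OFF = 0x1BE    # start of the 64-byte partition table it preserves
ENCRYPTED_LEN = 34        # size of the XOR-protected region in the virus body

def word_at(sector: bytes, offset: int) -> int:
    """Little-endian 16-bit word, as an x86 word compare would read it."""
    return struct.unpack_from("<H", sector, offset)[0]

def xor_block(buf: bytes, key: int) -> bytes:
    """The virus' XOR layer: applying it twice with the same key is the identity."""
    return bytes(b ^ key for b in buf)

def classify_sector(sector: bytes) -> str:
    """Apply Quandary's own MBR tests, in the order the article describes."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector image")
    if sector[SIG_OFFSET:] != b"\x55\xAA":
        return "no-boot-signature"    # Quandary leaves such disks alone
    if word_at(sector, OTHER_VIRUS_OFF) == 0x1405:
        return "other-virus-marker"   # the infection Quandary 'upgrades'
    if word_at(sector, QUANDARY_OFF) == 0xC928:
        return "quandary-infected"    # original MBS expected in sector 15
    return "clean-or-unknown"

def partition_table(sector: bytes) -> bytes:
    """The 64 bytes Quandary copies from the original MBS into its own image."""
    return sector[PART_TABLE_OFF:PART_TABLE_OFF + 64]

def make_sector(marker_offset=None, marker=0, with_signature=True) -> bytes:
    """Build a constructed 512-byte test sector (dummy data, not a real disk)."""
    buf = bytearray(SECTOR_SIZE)
    buf[PART_TABLE_OFF:PART_TABLE_OFF + 64] = bytes(range(64))  # dummy table
    if marker_offset is not None:
        struct.pack_into("<H", buf, marker_offset, marker)
    if with_signature:
        buf[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(buf)

CLEAN_MBR = make_sector()
QUANDARY_MBR = make_sector(QUANDARY_OFF, 0xC928)
OTHER_MBR = make_sector(OTHER_VIRUS_OFF, 0x1405)
UNSIGNED = make_sector(with_signature=False)

if __name__ == "__main__":
    for name, sec in [("clean", CLEAN_MBR), ("quandary", QUANDARY_MBR),
                      ("other", OTHER_MBR), ("unsigned", UNSIGNED)]:
        print(f"{name:9s} -> {classify_sector(sec)}")
```

Reading the MBR of a real disk image through this classifier reports whether Quandary's own infection check would fire; the partition table helper lets you confirm that the copy preserved in an infected image matches the original stored in sector 15.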
Floppy infection is similar: the virus preserves the original BIOS Parameter Block by copying 60 bytes from the start of the sector over itself. It stores the original boot sector at head 1, sector 15. Quandary only infects 1.44MB diskettes.
As viruses go, Quandary has little to make it stand out from the crowd. Its programmer appears to have written at least one other virus, but the code shows signs of inexperience and a lack of understanding of how some instructions work. It is in the wild, however, and works well. Its stealth routines do not protect it from being overwritten, and it contains neither trigger nor payload: perhaps we should be grateful.
Virus Bulletin: Quandary / webmaster@virusbtn.com | © 1998 Virus Bulletin Ltd.