

Rainbow: To Envy or to Hate

Jakub Kaminski

Only a small number of the thousands of viruses written merit analysis. Most researchers do not have the time to go through even those which are 'worth' examining closely. Often, when a virus is detected and cleaned, it is shifted to the 'to-do-in-near-undefined-future' pile. Those which do encourage closer examination are likely to be new, unknown specimens spreading quickly in the real world.

Not long ago, I was asked to check a PC which could no longer run Windows, and had problems booting from a floppy. I expected to find corrupted files or sectors, along with disabled boot from floppy, or perhaps something 'Monkey-like' fiddling with the partition table data.

My investigations revealed a 2351-byte, multi-partite virus spreading through partitions and directories, residing in the boot sector and many executable files. Its most interesting characteristics are its stealth techniques, and the method by which it disables clean boot from system floppy without altering the contents of the CMOS. An attempt to start from a system diskette results in a system hang before a command prompt appears -- neither drive C nor drive A is accessible.

Infection Symptoms

This virus, Rainbow, infects the MBS of hard disks, DOS boot sector of floppies, COM files, and files with EXE-type structure (EXE, DRV, 386, XTP). It is unencrypted, and named after a plain-text message inside its body: 'roy g biv' (an acronym of the colours of the rainbow).

The virus attaches itself to the end of programs. All infected programs have their time stamp modified; the field containing the number of seconds divided by two is set to 31. On infecting a DOS boot sector, Rainbow changes only 25 bytes at offset 3Eh, adding a jump instruction at the sector beginning. The copy of the original boot sector is kept in the diskette's last sector, and the remainder of the virus code written in the preceding five sectors.

When the MBS is infected, only its initial 25 bytes are changed by the virus. The rest of the virus body is written into five sectors on track 0 (cylinder 0, head 0), starting from sector 2. Rainbow does not keep a complete copy of the MBS: the 25 bytes it replaces are stored in sector 6, offset 142h. It also modifies the MBS in a way which could be described as self-protection or as the payload itself.

The information on the active partition (16 bytes) is copied to sector 6, offset 132h, and the contents of the original Partition Table are replaced by this hex byte sequence:

0000 0100 0500 B80B 0100 0000 BC01 0000

This is interpreted by the operating system as a non-active, extended DOS partition, starting from head 0, cylinder 0, sector 1; ending on head 0, cylinder 523, sector 56; beginning one sector from the start of the disk, and containing 444 sectors in total. The most important characteristic is that this partition entry points not to another partition but to the MBS itself (head 0, cylinder 0, sector 1). Such a case is often referred to as 'the recursive partition' and can be a big headache to someone using the latest versions of MS-DOS.

For users of v5 or v6.x of MS-DOS, access to the system containing the recursive partition is no longer possible. Starting from a hard disk or a diskette will put the system in an endless loop in the middle of the boot sequence (the OS loader traces through the extended partition chains and locks itself up, investigating the same sector again and again).
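To make the decoding above concrete, here is an added Python example (not code from the article) that parses one 16-byte MBR partition entry, unpacking the packed CHS fields, the LBA start and the sector count, and flags the condition the article describes: an extended DOS entry (type 05h) whose CHS start is head 0, cylinder 0, sector 1, i.e. the Master Boot Sector holding the table itself. The Rainbow entry is the 16 bytes quoted above; the healthy entry used for contrast and the 512-byte sector image are constructed, not taken from a real disk.

```python
import struct

# The 16 bytes Rainbow writes into the partition table, as quoted in the article.
RAINBOW_ENTRY = bytes.fromhex("0000 0100 0500 B80B 0100 0000 BC01 0000")

# Constructed for contrast: an active FAT16 (type 06h) entry starting at
# head 1, cylinder 0, sector 1 with LBA start 63 (not from a real disk).
HEALTHY_ENTRY = bytes.fromhex("80 01 01 00 06 0F 3F FF 3F 00 00 00 C1 FF 0F 00")


def decode_chs(head, sec_cyl_hi, cyl_lo):
    """Unpack the 3-byte CHS field: bits 0-5 of the middle byte are the
    sector number (1-based), bits 6-7 are the two high bits of the cylinder."""
    sector = sec_cyl_hi & 0x3F
    cylinder = ((sec_cyl_hi & 0xC0) << 2) | cyl_lo
    return (head, cylinder, sector)


def parse_partition_entry(entry):
    """Parse one 16-byte partition table entry into its fields."""
    if len(entry) != 16:
        raise ValueError("partition entry must be exactly 16 bytes")
    (status, s_head, s_sc, s_cyl, ptype,
     e_head, e_sc, e_cyl, lba_start, count) = struct.unpack("<8BII", entry)
    return {
        "active": bool(status & 0x80),
        "type": ptype,
        "start_chs": decode_chs(s_head, s_sc, s_cyl),
        "end_chs": decode_chs(e_head, e_sc, e_cyl),
        "lba_start": lba_start,
        "sector_count": count,
    }


def is_recursive_extended(fields):
    """True for an extended DOS entry (type 05h) whose CHS start is head 0,
    cylinder 0, sector 1: that is the Master Boot Sector holding the table
    itself, so a loader walking the extended chain by CHS never terminates."""
    return fields["type"] == 0x05 and fields["start_chs"] == (0, 0, 1)


def check_partition_table(mbs):
    """Return the indices of non-empty entries in a 512-byte MBS image
    (table at offset 1BEh) that would send the DOS loader into the loop."""
    if len(mbs) != 512:
        raise ValueError("MBS image must be 512 bytes")
    hits = []
    for i in range(4):
        entry = mbs[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        if entry != bytes(16) and is_recursive_extended(parse_partition_entry(entry)):
            hits.append(i)
    return hits


def build_sample_mbs():
    """Constructed 512-byte MBS image: zero boot code, Rainbow's entry in
    slot 0, the healthy entry in slot 1, empty slots 2-3, 55AAh signature."""
    table = RAINBOW_ENTRY + HEALTHY_ENTRY + bytes(32)
    return bytes(0x1BE) + table + b"\x55\xAA"


if __name__ == "__main__":
    for name, entry in (("rainbow", RAINBOW_ENTRY), ("healthy", HEALTHY_ENTRY)):
        fields = parse_partition_entry(entry)
        print(name, fields, "RECURSIVE" if is_recursive_extended(fields) else "ok")
    print("recursive entries:", check_partition_table(build_sample_mbs()))
```

Running it on the quoted bytes yields the values the article gives: non-active, type 05h, start (0, 0, 1), end (0, 523, 56), LBA start 1, 444 sectors. The check deliberately uses the CHS start rather than the LBA field, because the MS-DOS loaders of that era followed extended partition chains by CHS.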

Rainbow incorporates a significant number of system control and stealth procedures. When active in memory, it hooks interrupts 01h (anti-debugging), 12h (hiding 'missing' memory), 13h ('Are you there?' call, stealth/infection of boot sectors), 21h (14 functions used for stealth/infection of files), 24h (stealth), and 2Fh (stealth).

Execution of Infected Files

When an infected file is executed, the virus checks to see if the system is infected, and whether the virus is active in memory. This is done by issuing an 'Are you there?' call (Int 13h, AX=1BADh). The value DEEDh returned in register AX means the virus is in control ['One bad deed', geddit? Ed.], in which case the original program is restored in memory and its execution follows in the usual way.

If the system is clean, the virus installs itself in memory. It takes the 3K required from the current block of memory (as long as it is the last one in the memory block chain), usually placing its code 3K below the current top of memory. Since the virus relies on the data in the current PSP, it will install itself above the 640K limit if an infected file is loaded high.

Next, the virus hooks Int 01h, and tries to install its own Int 21h handler. Rainbow changes not the Interrupt Vector Table, but the current Int 21h service routine. Installation takes place only if the current Int 21h procedure begins:

CMP AH,??
JNBE ??

The virus replaces these instructions with a FAR JUMP to its own code, saving the original pointers in the virus code. Then, it hooks Int 2Fh and installs its Int 13h ('Are you there?' call, response only) handler.
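The two instructions Rainbow requires (CMP AH,imm8 is 3 bytes, JNBE rel8 is 2) occupy exactly the 5 bytes of a FAR JUMP (opcode EAh, 16-bit offset, 16-bit segment), which is why the patch fits in place. The Python below is an added example, not code from the article: it classifies the first bytes of an Int 21h service routine as the expected prologue, a far jump (reporting its target), or something else, which is the check an analyst would apply to a memory dump when looking for this kind of in-routine hook. The two 5-byte samples are constructed, not taken from a real DOS image.

```python
# Constructed 5-byte samples (not from a real DOS image):
#   80 FC 6C 77 12  = CMP AH,6Ch / JNBE +12h   (a prologue of the required shape)
#   EA 00 01 40 9F  = JMP FAR 9F40h:0100h      (what a patched entry looks like)
ORIGINAL_PROLOGUE = bytes.fromhex("80 FC 6C 77 12")
PATCHED_PROLOGUE = bytes.fromhex("EA 00 01 40 9F")


def classify_int21_prologue(code):
    """Classify the first 5 bytes of a DOS Int 21h service routine.

    Returns one of:
      ("original", ah_value, rel8)   for  CMP AH,imm8 / JNBE rel8
      ("far_jump", segment, offset)  for  JMP FAR segment:offset (EAh)
      ("unknown", None, None)        otherwise
    """
    if len(code) < 5:
        raise ValueError("need at least 5 bytes of handler code")
    # 80 FC ib = CMP AH,imm8 (ModRM FCh selects register AH, /7 = CMP);
    # 77 cb    = JNBE/JA rel8
    if code[0] == 0x80 and code[1] == 0xFC and code[3] == 0x77:
        return ("original", code[2], code[4])
    # EA off_lo off_hi seg_lo seg_hi = JMP FAR ptr16:16
    if code[0] == 0xEA:
        offset = code[1] | (code[2] << 8)
        segment = code[3] | (code[4] << 8)
        return ("far_jump", segment, offset)
    return ("unknown", None, None)


def int21_hooked(code):
    """True when the service routine entry has been overwritten with a far jump."""
    return classify_int21_prologue(code)[0] == "far_jump"


def linear_address(segment, offset):
    """Real-mode segment:offset to a 20-bit linear address, handy for seeing
    whether a jump target lies in the DOS area or up near the top of memory."""
    return ((segment << 4) + offset) & 0xFFFFF


if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL_PROLOGUE), ("patched", PATCHED_PROLOGUE)):
        kind, a, b = classify_int21_prologue(sample)
        if kind == "far_jump":
            print(name, kind, "-> %04X:%04X (linear %05X)" % (a, b, linear_address(a, b)))
        else:
            print(name, kind, a, b)
```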

Now, the virus infects the MBS of the first physical hard disk. The Int 13h service routine is modified to include full stealth procedures. Int 12h is then intercepted and a new procedure installed which hides the 'missing' memory occupied by the virus. Finally, the infected file is restored in memory, and control is passed to the original program.

Booting from an Infected Disk

When the code in the infected boot sector is executed, the virus locates the top of memory, decreases it by 3K, and copies all of its code into the area allocated.

Now, Rainbow installs its Int 13h handler (with all infection and stealth features). This also includes the code to install its Int 21h handler after the rest of the operating system is loaded. The virus relies on checking the address of the Int 24h service routine. If its segment is smaller than 1000h, the virus assumes that DOS is already loaded.

In Memory

When an infected file is executed, Rainbow installs itself in memory, intercepting all subsequent interrupts. Unlike most multi-partite viruses, it does not have to be loaded from an infected boot sector to gain full functionality. Rainbow can spread and infect files and floppy boot sectors even on workstations with no hard disk.

The virus infects diskettes on Read or Write access. When active in memory, it returns the clean, original sector at each attempt to read the DOS boot sector. Files are infected on Execution (Int 21h, function 4Bh), or when opened.

COM-type files are infected only if they are less than 63057 bytes and their extension is COM or com. EXE-type files are infected when file length is as specified in the EXE header. Rainbow's stealth procedures include hiding the length of infected files and the virus signature in the file time stamp.

As self-recognition in files is based on the time stamp, attempts to execute a clean file with a time set to 62 seconds often result in a system crash: the stealth procedure tries to disinfect a clean file, but corrupts it instead. It is the only serious bug (minor, in comparison to the poor coding in the vast majority of viruses) which I found in its code.

Booting Clean

The safe removal of any virus from an infected system is always based on a clean boot from a system diskette, something which, in this case, is not always easy. Those still using MS-DOS v4 or lower can use the usual system floppies, but those who upgraded to v5 or higher may find themselves in trouble if Rainbow infects their machines.

To gain access to the infected MBS and remove the recursive partition, either boot from an older version of DOS, or boot from the infected disk and then disable the virus in memory or bypass its stealth routines.

If the former is chosen, a system floppy which has an older version of DOS is required -- but how many laptop users have a bootable, 3.5-inch DOS 4 diskette? Diagnostic diskettes which boot to their own operating systems can also help in gaining access to a disk which has a recursive partition problem.

The latter solution requires an anti-virus product which can detect and disable viruses in memory, or can work properly when viruses are active in the system. In the case of the Rainbow virus, this does not appear to be a simple task.

Conclusion

One of the plain-text messages inside the virus body is: '*4U2NV*', which can be read as: 'For you to envy'. Some virus writers may certainly envy the author of Rainbow his ideas and skills, but if this virus becomes common in the wild, the majority of the PC community will only hate him.


Rainbow

Aliases:
None known.
Type:
Multi-partite, stealth, COM/EXE/MBS/DBS infector.
Self-recognition in MBS:
The word 83A5h at offset 15h.
Self-recognition in DBS:
The word 83A5h at offset 53h.
Self-recognition in files:
Seconds field in time stamp set to 62.
Hex Pattern in MBS:
BB00 7C8E D38B E38E C3B8 0502
B902 00BA 8000 CD13 9AA5 8300
Hex Pattern in DBS:
BB00 7C8E D38B E38E C3B8 0502
B9?? ??BA 0001 CD13 9AA5 8300
Hex Pattern in files and memory:
E800 005E 83EE 03B8 AD1B CD13
3DED DE75 450E 1F81 C664 0781
Intercepts:
Int 01h for anti-debugging.
Int 12h to hide missing memory.
Int 13h for boot sector infection and stealth.
Int 21h (functions 11h, 12h, 3Ch, 3Dh, 3Eh, 3Fh, 40h, 42h, 4Bh, 4Eh, 4Fh, 57h, 5Bh, 6Ch) for file infection/stealth.
Ints 24h/2Fh for stealth.
Trigger:
Recursive partition in infected MBS.
Removal:
MBS: boot clean from DOS 4 or lower, replace first 25 bytes with the bytes from sector 6 offset 142h, replace recursive partition data with 16 bytes from sector 6 offset 132h. Alternatively, boot from infected hard disk and disable virus in memory before repairing MBS.
Files: although cleaning infected files is relatively easy, to remove virus safely, repair MBS, boot clean and replace infected files with a clean backup copy.
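The indicators in the box above can be checked against disk images offline. The Python below is an added example, not code from the article: it parses the three hex patterns (treating '??' as a wildcard byte), searches a sector or file image for them, and confirms the self-recognition words and the time stamp marker. Note that the word 83A5h sits at bytes 21-22 of the 24-byte pattern, so the MBS indicators (pattern at offset 0, word at 15h) and the DBS indicators (pattern at 3Eh, word at 53h) are two views of the same 25-byte modification. The 512-byte sector images and the file tail are constructed samples with the quoted patterns dropped in; the wildcard bytes in the DBS sample are filled with an arbitrary constructed value.

```python
DOS_BOOT_CODE_OFFSET = 0x3E   # where Rainbow writes its 25 bytes in a DOS boot sector
MBS_PATTERN = "BB00 7C8E D38B E38E C3B8 0502 B902 00BA 8000 CD13 9AA5 8300"
DBS_PATTERN = "BB00 7C8E D38B E38E C3B8 0502 B9?? ??BA 0001 CD13 9AA5 8300"
FILE_PATTERN = "E800 005E 83EE 03B8 AD1B CD13 3DED DE75 450E 1F81 C664 0781"


def parse_pattern(text):
    """Turn 'BB00 7C8E ... B9?? ??BA' into a list of byte values, None for ??."""
    digits = text.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("odd number of hex digits in pattern")
    return [None if digits[i:i + 2] == "??" else int(digits[i:i + 2], 16)
            for i in range(0, len(digits), 2)]


def find_pattern(data, pattern):
    """Return every offset in data at which pattern matches (None = any byte)."""
    n = len(pattern)
    return [off for off in range(len(data) - n + 1)
            if all(p is None or data[off + k] == p for k, p in enumerate(pattern))]


def word_at(data, offset):
    """Little-endian 16-bit word at offset."""
    return data[offset] | (data[offset + 1] << 8)


def check_mbs(sector):
    """Master Boot Sector: word 83A5h at 15h and the MBS pattern at offset 0."""
    return word_at(sector, 0x15) == 0x83A5 and 0 in find_pattern(sector, parse_pattern(MBS_PATTERN))


def check_dbs(sector):
    """DOS boot sector: word 83A5h at 53h and the DBS pattern at offset 3Eh."""
    return (word_at(sector, 0x53) == 0x83A5
            and DOS_BOOT_CODE_OFFSET in find_pattern(sector, parse_pattern(DBS_PATTERN)))


def check_file(data):
    """Offsets at which the file/memory pattern occurs (empty list = not found)."""
    return find_pattern(data, parse_pattern(FILE_PATTERN))


def decode_dos_time(dos_time):
    """DOS 16-bit time: bits 11-15 hours, bits 5-10 minutes, bits 0-4 seconds/2."""
    return ((dos_time >> 11) & 0x1F, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def has_timestamp_marker(dos_time):
    """Rainbow sets the seconds/2 field to 31, i.e. an impossible 62 seconds."""
    return (dos_time & 0x1F) == 31


def build_mbs_sample():
    """Constructed 512-byte MBS image: the quoted MBS pattern at offset 0,
    zero elsewhere, 55AAh signature at the end."""
    code = bytes(parse_pattern(MBS_PATTERN))
    return code + bytes(512 - len(code) - 2) + b"\x55\xAA"


def build_dbs_sample():
    """Constructed 512-byte DOS boot sector: a JMP SHORT to 3Eh at the start
    (the jump the article mentions), the DBS pattern at 3Eh with its wildcard
    bytes filled with the constructed value 12h."""
    code = bytes(0x12 if b is None else b for b in parse_pattern(DBS_PATTERN))
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"          # JMP SHORT +3Ch; NOP  -> lands at 3Eh
    sector[DOS_BOOT_CODE_OFFSET:DOS_BOOT_CODE_OFFSET + len(code)] = code
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def build_file_sample():
    """Constructed file tail: 100 zero bytes, then the file pattern."""
    return bytes(100) + bytes(parse_pattern(FILE_PATTERN)) + bytes(10)


if __name__ == "__main__":
    print("MBS infected:", check_mbs(build_mbs_sample()))
    print("DBS infected:", check_dbs(build_dbs_sample()))
    print("file pattern at:", check_file(build_file_sample()))
    print("time 5C9Fh ->", decode_dos_time(0x5C9F), "marker:", has_timestamp_marker(0x5C9F))
```

On a real image the scan would be run over the first sector of the hard disk, the first sector of each diskette and the tail of each executable; the time stamp check reads the 16-bit time field of the directory entry. Because the marker is an out-of-range seconds value, a directory listing that shows files at 62 seconds is itself a usable indicator.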



Virus Bulletin: Rainbow / webmaster@virusbtn.com © 1998 Virus Bulletin Ltd.