

Unashamed and Naked

Kevin Powis
Precise Publishing Ltd

Unashamed is an in-the-wild boot sector virus which infects floppy and fixed disks. It contains a pseudo-random trigger, designed to release a text message payload.

Installation

Like all boot sector viruses, Unashamed is first executed when a computer boots from an infected disk. This causes the firmware to load the boot sector of the disk (the very first sector) into memory and pass control to it.

Once loaded and invoked in this way, Unashamed immediately relieves the PC of 1KB from the top of conventional memory, using the standard method of amending the low memory word which controls the number of kilobytes DOS thinks the PC has. Decrementing this word will thus convert a 640K PC into a 639K PC, leaving a nice hole at the top of memory for the virus.

However, there is a twist: the virus author seems to have designed the method he uses to fool some anti-virus software. Rather than simply using the normal address of the memory word, which could be recognised as potentially hostile, the author exploits the 16-bit width of the 80x86 registers and loads an over-large value into one of them. The register overflows, and the CPU silently discards the excess bits, leaving exactly the address required without any further intervention from the programmer.

Whilst this technique does nothing to prevent the virus being detected as a 'known' virus, it would certainly help the virus to escape heuristic tests conducted by scanners which do not specifically know about Unashamed.

Interrupt Hooking

With its 1KB safely reserved, Unashamed copies itself to the top of memory and continues execution from there. Next, it takes control of the required interrupt vectors.

In what appears to be another attempt to avoid certain anti-virus products (in this case, behaviour blockers), Unashamed uses a small sub-routine to handle interrupt hooking. This routine relies on certain registers having preset values on entry -- the values set determine the interrupt to be hooked.

The end result is that interrupts are hooked as normal but, because the code doing this is effectively split in two, there is nothing immediately obvious as suspicious code on view. The author appears to have given this a lot of thought and to have considered that the extra work involved in doing this would give his creation a head start against the installed base of anti-virus software.

Unashamed hooks two interrupts, the BIOS disk services interrupt (Int 13h) and the keyboard interrupt (Int 09h). The former is used to allow the virus to replicate, and the latter, to control the trigger and the payload. The original vectors are stored by the virus for later use.

Once its interrupt handlers are in place, Unashamed needs to allow the original boot sector to run so that the computer can boot. This is achieved simply by issuing an Int 19h, a seldom-used interrupt which reboots the system without clearing memory or resetting interrupt vectors, allowing Unashamed to stay in memory and active.

The Disk Handler

The PC now reboots, this time with the virus already in memory, monitoring all disk and keyboard activity. Remember that, if this is the initial infection (if the PC has just booted from an infected floppy disk), the hard disk is currently still uninfected. However, that state of play only lasts for a moment, as the boot process will cause disk activity which is now intercepted by the virus.

Every disk access (floppy or fixed) causes at least one Int 13h to occur, which is now intercepted by the virus. Unashamed allows all disk activity as normal, with the exception of attempts to read from or write to the Master Boot Sector (MBS) of any disk. This interception is needed to enable future infection, but it also allows the virus to provide itself with stealth capabilities.

If a program attempts to write to the boot sector -- which would obviously destroy the virus -- Unashamed simply stops the write from taking place and returns a success code; essentially 'fooling' the calling process into thinking that the write has worked correctly.

When Unashamed intercepts a read request destined for a boot sector, it uses the far pointer to the original disk handler which it obtained earlier to bypass its own stealth functionality and to read the target sector into memory. It then checks this sector to see if it is already infected. This is deemed to be the case if the bytes 051Ah are found at offset 1BBh inside the sector.

If the sector is infected, Unashamed locates the disk's original boot sector, which is hidden (see below), and returns the contents of this sector instead of those of the infected sector. This will make the PC appear uninfected when standard disk reads are used, and completes the virus' stealth capabilities.

However, if the disk is not infected, Unashamed uses a sub-routine to calculate the best place to hide the original boot sector before infection takes place. This routine determines first whether the target disk is fixed or floppy.

In the case of a fixed disk, sector 14, head 0, cylinder 0 is always used. This will usually fall on an unused sector before the first partition, but this is not guaranteed. The virus takes no steps to ensure that this is the case, so accidental damage could occur.

If the target is a floppy, Unashamed picks up a value from the boot sector which allows it to identify the disk type. From this it selects the sector in which it will hide the original boot sector as follows: for double density 3.5-inch diskettes (720KB) it chooses sector 5, and for double density 5.25-inch diskettes (360KB) it chooses sector 2. For all high density diskette types (5.25-inch 1.2MByte or 3.5-inch 1.44MByte), sector 14 is selected.

Once the hiding place has been decided, Unashamed writes the original clean boot sector to the chosen sector on the disk. It then resets an internal infection counter (see below) and updates its own image in memory with details from the target disk's BIOS Parameter Block (which describes the disk's structure). It now has an image that can be used to overwrite the target boot sector and thus infect the disk.

Unashamed completes the infection process by writing this infected image over the target's boot sector and incrementing the same infection counter mentioned above. This counter is at offset 01BDh within the virus body, and is used by the other virus interrupt handler.
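As an added example (not from the article or Virus Bulletin), the following Python reproduces the self-recognition test at 01BBh, the hex pattern from the summary box and the hiding-place rules described above, to detect an infected boot sector in a raw disk image and recover the stashed original. Assumptions: the 051Ah value is an x86 little-endian word (bytes 1A 05 on disk); the floppy type is derived from the BPB total-sector count at offset 13h, since the article does not name the field the virus reads; and the hidden sector lies on head 0, cylinder 0, so its image offset is (sector - 1) * 512.

```python
import struct

SECTOR = 512
MARKER_OFFSET, MARKER_WORD = 0x1BB, 0x051A      # self-recognition check from the analysis
# Hex pattern from the summary box, both fragments joined
HEX_PATTERN = bytes.fromhex("D3E0B900018EC0FCADABE2FCB80900BE8101BF4C01E82001")


def is_infected(boot: bytes) -> bool:
    """The virus's own test: the word at 01BBh equals 051Ah (assumed little-endian: 1A 05)."""
    return struct.unpack_from("<H", boot, MARKER_OFFSET)[0] == MARKER_WORD


def has_signature(data: bytes) -> bool:
    """Signature match usable on a raw sector dump or a memory image."""
    return HEX_PATTERN in data


def hidden_sector(boot: bytes, fixed_disk: bool) -> int:
    """1-based CHS sector (head 0, cylinder 0) where the clean boot sector is stashed.

    Assumption: the media type is read from the BPB total-sector count at 13h;
    the article gives the per-media choices but not the field the virus uses.
    """
    if fixed_disk:
        return 14
    total_sectors = struct.unpack_from("<H", boot, 0x13)[0]
    return {720: 2, 1440: 5}.get(total_sectors, 14)   # 360KB -> 2, 720KB -> 5, HD -> 14


def recover_original(image: bytes, fixed_disk: bool) -> "bytes | None":
    """Return the hidden clean boot sector of an infected image, else None."""
    boot = image[:SECTOR]
    if not is_infected(boot):
        return None
    start = (hidden_sector(boot, fixed_disk) - 1) * SECTOR   # sector 1 is the boot sector itself
    return image[start:start + SECTOR]


def make_sample_image() -> "tuple[bytes, bytes]":
    """Constructed 720KB floppy image: infected boot sector, original stashed in sector 5."""
    clean = bytearray(SECTOR)
    clean[0:3] = b"\xEB\x3C\x90"                      # JMP SHORT + NOP, typical DOS boot stub
    struct.pack_into("<H", clean, 0x13, 1440)         # BPB total sectors: 720KB media
    clean[510:512] = b"\x55\xAA"
    infected = bytearray(clean)                       # virus keeps the target disk's BPB
    infected[0x40:0x40 + len(HEX_PATTERN)] = HEX_PATTERN   # constructed placement of the pattern
    struct.pack_into("<H", infected, MARKER_OFFSET, MARKER_WORD)
    image = bytearray(SECTOR * 9)                     # one track is enough for the demo
    image[:SECTOR] = infected
    image[4 * SECTOR:5 * SECTOR] = clean              # CHS sector 5 == image sector index 4
    return bytes(image), bytes(clean)
```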

Trigger and Payload

The virus' keyboard interrupt handler controls the trigger and payload. Every time a key is pressed or released, the virus handler will take control. Immediately, it compares the infection counter to see if it is greater than one. If not, control is then passed down through the interrupt chain to the next keyboard handler.

Should the infection counter reach two or more, Unashamed relies on a pseudo-random trigger based on the PC timer. This gives a 50% chance, one hour in each 10-day period, of the payload being released. If this happens, the virus resets the video display to 40-column mode and decrypts and displays an embedded message which reads: 'the UNashamed Naked!'. After a short delay, the PC reboots.

The release of the payload is dependent on the infection counter reaching two or more. However, in the copy of the virus used for this disassembly, this would never happen. As has already been noted above, Unashamed resets the counter prior to infection, which voids the action of incrementing it after infection has taken place. This cannot be a programming error: it is surely a conscious decision on the part of the author to give his creation a greater chance of spreading further without detection.

Conclusion

Overall, Unashamed employs interesting variations on standard techniques in an attempt to avoid generic detection. It is in the wild, but is easily detected by signature and not difficult to remove. The virus carries no in-built intent to cause damage.

[Editor's Note: The first sample of this virus was received at Virus Bulletin from a correspondent in Rwanda (Central Africa) approximately one year ago. Since then, more reports of this virus have come in from this part of the world. It has now spread to both Europe and North America, but still appears to be particularly prevalent in Central Africa.]


Unashamed

Aliases:
Unashamed_Naked
Type:
Boot sector infector.
Infection:
Boot sector on floppy disks, MBS on hard disks.
Self recognition on disk:
The bytes at offset 01BBh in any boot sector are equal to 051Ah.
Hex Pattern:
D3E0 B900 018E C0FC ADAB E2FC
B809 00BE 8101 BF4C 01E8 2001

(This pattern will locate the virus on hard and floppy disks, and in memory.)
Intercepts:
Int 13h (BIOS Disk handler) and Int 9h (Keyboard handler).
Trigger:
Infection counter and random timer algorithm.
Payload:
Displays the message 'the UNashamed Naked!' in 40-column mode.
Removal:
The standard method of running FDISK /MBR is sufficient to remove the virus from a hard disk. Removal from floppies can be achieved by salvaging any required files and then reformatting the floppy.
Notes:
Although the virus does contain the trigger and payload as described, these are effectively disabled in the copy of the virus analysed.



Virus Bulletin: Unashamed / webmaster@virusbtn.com © 1998 Virus Bulletin Ltd.