Analysis and prevention of tpvo/3783 virus

Source: Internet
Author: User

Virus Introduction:

The TPVO/3783 virus is a highly contagious and well-hidden virus. Its distinguishing feature is that it can infect Windows executables, so the virus can stay resident in memory while Windows is running. It infects the hard disk and floppy boot areas as well as Windows and DOS executables (.EXE, .COM, .OVL, .386 and similar files). It does not infect by overwriting: an infected program grows by 3783 bytes, and 100 years are added to the file date as the infection mark.

Once the virus is resident, the DIR command does not show the change in file length, a boot record read through INT 13H comes back clean rather than as the infected boot record, and an infected file read by an ordinary application also comes back clean. Files read by the seven programs ARJ, PKZip, RAR, LHA, BACKUP, Msbackup and Telix, however, come back infected, so archives created by these compression programs, and files sent elsewhere over a modem with Telix, carry the virus. The virus is therefore designed with equal care for hiding and for spreading.

On the hard disk the virus hides in the master boot area, starting at cylinder 0, head 0, sector 5; on an infected floppy it hides on a newly formatted 81st track; in infected files it is appended to the end of the file. The virus itself is not encrypted. When an infected Windows system is running, the attribute of the virtual memory file 386SPART.PAR in the root directory is changed to a normal attribute, so the file can be listed with the DIR command.

Virus Analysis:

1. Memory residency and interrupt interception

The virus becomes memory resident by modifying memory control blocks; if upper memory blocks (UMB) exist, it resides in a UMB. It intercepts INT 21H and INT 13H to infect files and boot areas, and it intercepts INT 21H in an unusual way. The fragment below is from inside the DOS INT 21H handler: after the handler finishes its initialization it copies the function number from AH into BX, multiplies it by 2, looks up the address of the corresponding subroutine in a table, and executes that subroutine with a near call:

   ...
   FDC8:4198 8ADC        MOV  BL,AH            ;AH holds the function number
   FDC8:419A D1E3        SHL  BX,1             ;put it in BX and multiply by 2
   ...
   FDC8:41EA 2E8B9F9E3E  MOV  BX,CS:[BX+3E9E]  ;3E9E is the base address of the function address table
   FDC8:41EF 36871EEA05  XCHG BX,SS:[05EA]     ;the call address is placed in 05EA
   FDC8:41F4 368E1EEC05  MOV  DS,SS:[05EC]
   FDC8:41F9 36FF16EA05  CALL SS:[05EA]        ;call the subroutine for this function
   ...

While going resident, the virus intercepts INT 2AH and checks that the stack in use during INT 2AH is the stack segment of MSDOS.SYS (INT 2AH is signalled from inside INT 21H). From the interrupt return address it obtains the code segment of MSDOS.SYS, then searches for the instructions shown above and changes CALL SS:[05EA] into CALL XXXX:053D, which points into the virus code. After its own modification, infection and other work is done, the virus transfers to the original INT 21H code. Because this code lies more than 100 words into the INT 21H handler, and is moved into the HMA when the system starts with DOS=HIGH, the interception is deceptive enough to fool almost every memory monitor; even someone disassembling the INT 21H handler by hand will not necessarily notice the anomaly.

To intercept INT 13H, the virus first uses the undocumented function 1300H of INT 2FH to obtain the original INT 13H address used by the DOS internal device driver. It then looks at random for an INT xx instruction in the BIOS whose interrupt number is greater than E0H, points that interrupt vector at the virus's INT 13H service routine, and changes the original INT 13H address saved by DOS so that it points to that INT xx instruction in the BIOS. As a result, the interrupt vector number that leads to the virus differs from one computer to another.

2. Infection and other components

The virus intercepts INT 13H to infect disk boot areas. Ordinary read and write operations are not used for infection, so disk read/write speed shows no obvious slowdown; only reads and writes of the disk boot area trigger infection. When infecting the master boot area of the hard disk, the virus hides in 8 sectors of the reserved track starting at cylinder 0, head 0, sector 5, and the original boot record is saved at cylinder 0, head 0, sector 13. An ordinary floppy has only 80 tracks: when infecting a floppy boot record the virus first formats an 81st track, hides itself in 8 sectors starting at sector 1 of track 81, and saves the original boot record in sector 9 of track 81. When a program reads the boot record, the virus reads the original boot record and returns that instead.
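The hard-disk layout described above can be checked offline in a raw disk image. This is an added example written for this page, not code from the original article: it looks for a second boot record parked at cylinder 0, head 0, sector 13 and for non-empty sectors 5 to 12 of the reserved track. The sample image is constructed inline, the CHS geometry is an assumption (it does not affect cylinder 0, head 0), and the floppy case (an 81st track) is not representable in a standard raw image, so it is left out.

```python
SECTOR = 512   # bytes per sector

def chs_offset(cyl: int, head: int, sector: int, heads: int = 16, spt: int = 63) -> int:
    """Byte offset of a CHS address in a raw image; sectors are 1-based. Geometry is an assumption."""
    return ((cyl * heads + head) * spt + (sector - 1)) * SECTOR

def read_sector(img: bytes, sector: int, cyl: int = 0, head: int = 0) -> bytes:
    off = chs_offset(cyl, head, sector)
    return bytes(img[off:off + SECTOR])

def scan_track0(img: bytes) -> dict:
    """Check the hiding layout from the article: 8 sectors from sector 5, original MBR saved at sector 13."""
    mbr = read_sector(img, 1)
    saved = read_sector(img, 13)
    body = b"".join(read_sector(img, s) for s in range(5, 13))
    return {
        "mbr_signature_ok": mbr[510:512] == b"\x55\xaa",
        "boot_record_copy_at_13": saved[510:512] == b"\x55\xaa" and saved != mbr,
        "sectors_5_to_12_in_use": any(body),
    }

def build_image(hidden: bool) -> bytes:
    """Constructed 16-sector image of cylinder 0, head 0 (not a real disk dump)."""
    img = bytearray(SECTOR * 16)
    original = bytearray(SECTOR)
    original[:8] = b"ORIGMBR\x00"                      # stands in for the real boot code
    original[510:512] = b"\x55\xaa"
    if not hidden:
        img[0:SECTOR] = original
        return bytes(img)
    replacement = bytearray(SECTOR)                   # the boot record found in sector 1 on an infected disk
    replacement[:8] = b"LOADER\x00\x00"
    replacement[510:512] = b"\x55\xaa"
    img[0:SECTOR] = replacement
    for s in range(5, 13):                            # body hidden in sectors 5..12
        off = chs_offset(0, 0, s)
        img[off:off + SECTOR] = b"\x90" * SECTOR
    off = chs_offset(0, 0, 13)                        # original boot record parked at sector 13
    img[off:off + SECTOR] = original
    return bytes(img)

if __name__ == "__main__":
    for name, flag in (("clean", False), ("infected-layout", True)):
        print(name, scan_track0(build_image(flag)))
```

Because the resident virus returns the original boot record for INT 13H reads, the image must be taken after booting from a clean disk or read from another machine; an image captured on the infected system while the virus is resident will look clean.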

The virus intercepts INT 21H to infect executable files and to perform several deceptive functions. For the file-search functions 11H, 12H, 4EH and 4FH it returns the correct file length and time; for function 57H (get/set file time) it returns the correct file time; for function 3FH (read file), if the file being read is infected, it returns the original content; for function 40H (write file), if the file being written is infected, the virus first restores the file and re-infects it when the file is later closed. As a result, nothing about an infected file looks unusual from within application software.

When INT 21H functions 3DH (open file), 3EH (close file), 43H (get/set file attributes), 56H (rename file) and 4BH (execute file) are called, the virus infects the file. The virus is appended to the end of the file and the program's entry pointer is redirected to the virus entry. For .COM files the first instruction of the file is changed to JMP XXXX, jumping to the virus entry; for ordinary .EXE files the entry pointer in the file header is pointed at the virus entry and the stack is pointed at the tail of the virus plus 200H.

The following is a detailed analysis of the virus's changes to Windows executables. Since material on the Windows executable format is scarce, a brief introduction to its structure comes first. A Windows file consists of a DOS part and a Windows part: the DOS part simply prints a message and exits, and the Windows part follows it in the file. The file header has two parts, an ordinary .EXE file header followed by the "NE" new-format executable header. The relevant fields are:

  Ordinary .EXE file header   18H  word     relocation table offset (must be greater than 0040H for Windows files)
                              3CH  dword    offset of the "NE" executable header within the program
  "NE" executable header      00H  2 bytes  "NE" signature
  (40H bytes long)            14H  word     program entry IP
                              16H  word     segment table record number of the program entry segment
                              18H  dword    initial program SS:SP
                              1CH  word     number of records in the segment table
                              22H  word     offset of the segment table within the program
                              32H  byte     unit in which segment sizes are counted (shift value)

Every segment in the program is described by a record in the segment table, which gives the segment's offset within the program, its size, its attributes and the amount of memory to allocate. When the program is executed, the system uses the record number of the entry segment to find that segment's location and size in the program, loads the code into memory, and begins execution at the entry IP. Each record in the segment table occupies 8 bytes, in the following format:

                              00H  word     offset of this segment within the program (multiplied by the size unit)
                              02H  word     length of this segment (in bytes)
                              04H  word     attributes of this segment
                              06H  word     amount of memory to allocate (in bytes)

The virus adds a segment table record describing the attributes of the virus code segment. In a Windows file the segment table generally follows the "NE" header immediately, and the segment table is itself immediately followed by other data with no spare bytes in between. The virus therefore moves the entire "NE" header and segment table forward by 8 bytes, writes the new segment table record into the 8 bytes this frees, and changes the record number of the program entry segment to point at the new record. The specific changes to the data are: the "NE" header offset at 003CH is reduced by 8; the entry segment record number at 16H of the "NE" header is set to the virus segment; the segment table record count at 1CH is increased by 1; and the offsets of the other related tables at 04H, 24H, 26H, 28H and 2AH of the "NE" header are increased by 8.
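The header walk described above (3CH to the "NE" header, 16H and 1CH, the segment table after the 40H-byte header, records scaled by the 32H shift value) can be turned into a small inspection tool. This is an added example, not code from the original article: it parses those fields and reports the layout traits an infection of this kind leaves behind (entry segment is the newest record, that segment sits at the tail of the file, and the "NE" header offset is 8 below a paragraph boundary; the last one assumes the linker originally paragraph-aligned the header). The toy executable images are constructed inline and contain no real code. One detail beyond the article's wording: the segment table offset at 22H is taken relative to the "NE" header.

```python
import struct

def parse_ne(data: bytes) -> dict:
    """Walk MZ header -> "NE" header -> segment table using the offsets from the article."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    ne = struct.unpack_from("<I", data, 0x3C)[0]                     # 3CH dword: "NE" header offset
    if data[ne:ne + 2] != b"NE":
        raise ValueError("no NE header at the offset stored in 3CH")
    entry_ip, entry_cs = struct.unpack_from("<HH", data, ne + 0x14)  # 14H entry IP, 16H entry segment record
    seg_count = struct.unpack_from("<H", data, ne + 0x1C)[0]         # 1CH number of segment records
    seg_table = struct.unpack_from("<H", data, ne + 0x22)[0]         # 22H segment table (relative to "NE")
    shift = data[ne + 0x32] or 9                                     # 32H size unit; 0 means 512-byte units
    segs = []
    for i in range(seg_count):                                       # 8-byte records, numbered from 1
        off, length, attr, alloc = struct.unpack_from("<HHHH", data, ne + seg_table + 8 * i)
        segs.append({"file_off": off << shift, "len": length or 0x10000, "attr": attr, "alloc": alloc})
    return {"ne_off": ne, "entry_cs": entry_cs, "entry_ip": entry_ip, "segs": segs}

def tpvo_layout_indicators(data: bytes) -> list:
    """Heuristics derived from the header changes the article lists; each hit is a reason string."""
    info = parse_ne(data)
    entry = info["segs"][info["entry_cs"] - 1]
    hits = []
    if info["entry_cs"] == len(info["segs"]):
        hits.append("entry segment is the last (newest) segment-table record")
    if entry["file_off"] + entry["len"] >= len(data):
        hits.append("entry segment occupies the tail of the file")
    if info["ne_off"] % 16 == 8:                                     # assumption: linker paragraph-aligned "NE"
        hits.append("\"NE\" header offset is a paragraph boundary minus 8")
    return hits

def build_sample(ne_off: int, segs: list, entry_cs: int) -> bytes:  # constructed toy NE image, no real code
    shift = 4                                                        # 16-byte size units
    img = bytearray(max(o + n for o, n in segs))
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, ne_off)
    img[ne_off:ne_off + 2] = b"NE"
    struct.pack_into("<HH", img, ne_off + 0x14, 0, entry_cs)
    struct.pack_into("<H", img, ne_off + 0x1C, len(segs))
    struct.pack_into("<H", img, ne_off + 0x22, 0x40)                 # table right after the 40H-byte header
    img[ne_off + 0x32] = shift
    for i, (o, n) in enumerate(segs):
        struct.pack_into("<HHHH", img, ne_off + 0x40 + 8 * i, o >> shift, n, 0, n)
    return bytes(img)

if __name__ == "__main__":
    print(tpvo_layout_indicators(build_sample(0x78, [(0x100, 0x40), (0x200, 0x40), (0x300, 0x40)], 3)))
```

A genuine program can legitimately enter through its last segment, so a single indicator is only a lead; all three together, plus the 3783-byte growth and the file date 100 years ahead, are what point at this virus.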

3. Virus source code: omitted.
