Blah.3385 - the memory resident stealth BAT-file and MBR infector
   
     _________________________________________________________________
   
   Blah.3385 is a dangerous memory-resident stealth multipartite virus. It
   hooks INT 13h and INT 21h and writes itself into the MBR of the hard
   drive and into the beginning of BAT-files. On the hard drive the virus
   occupies three sectors starting from the MBR; the fourth sector
   contains the original MBR. On infection of BAT-files the virus encodes
   itself with a BIN-to-ASCII algorithm and writes the result, together
   with several DOS command strings, to the beginning of the BAT-file
   (text between '[' and ']' is a comment):

 @echo [ binary data ] >|.com
 @echo [ binary data ] >>|.com
 @echo [ text data ] >>|.com
 @echo [ text data ] >>|.com
 [ repeated ... ]
 @echo [ text data ] >>|.com
 @if %0. == . |
 @
 @del .com
 @if %0. == . autoexec
 @%0

   [| represents ASCII char 186]
   
   The binary data contains the ASCII-to-BIN decoder; the text data
   contains the main virus body converted to ASCII text strings
   (à la UUencode/XXencode).
   
   On execution of such a BAT-file the virus creates the file |.COM,
   writes the decoder and the ASCII data into it, and executes that file.
   When executed, the virus (from the |.COM file) decodes itself from
   ASCII text into binary code, installs itself memory resident, hooks
   INT 13h and INT 21h, and returns control to the infected BAT-file. The
   rest of the virus code in the BAT-file deletes the |.COM file and then
   executes the host BAT-file again. The stealth routine of the already
   installed virus does not allow the virus BAT-code to be executed twice,
   so the original code of the infected BAT-file receives control.
   
   The virus pays special attention to AUTOEXEC.BAT because it is a
   special BAT-file: on the first execution of AUTOEXEC.BAT (during DOS
   loading) the "%0" parameter does not return the file name, whereas on
   any other execution of a BAT-file "%0" contains the name of the host
   file.
   
   While the decoded body of the virus executes, it checks system memory
   with an "Are you here?" call (INT 21h, AH=62h, DX=F904h) and passes
   control to the installation routine. That routine cuts a block out of
   system memory by decreasing the system memory size (the word at
   address 0000:0413h), copies the virus into that memory block, hooks
   INT 13h and INT 21h, and passes control to the MBR infection code.
   
   That code reads the MBR of the hard drive, checks the virus ID-stamp
   (the word 6540h at offset 010Ah), checks the partition table, and
   overwrites the first four sectors of the hard drive with the virus
   code; the last (fourth) sector contains the code of the original MBR.
   After infecting the hard drive MBR the virus returns control to the
   host BAT-file.
   
   On loading from an infected MBR the virus calls an installation
   routine that is practically the same as when loading from an infected
   file. The virus decreases the size of system memory, copies itself
   there, hooks INT 13h and returns control to the original MBR code. On
   INT 13h calls it checks the address of the INT 21h handler, and if it
   points into DOS the virus hooks INT 21h as well.
   
   The INT 21h virus handler intercepts five DOS functions:

 AH/AX (hex)     function
 ---------       --------
 11,12           FindFirst/Next FCB  (DIR command)
 3D00            Open file
 3F              Read from file
 62              Get PSP

   On FindFirst/Next calls the virus "decreases" the reported length of
   infected BAT-files. To tell infected files from uninfected ones the
   virus uses an ID stamp in the file's time and date stamp: infected
   files have a 62-second time stamp.
   
   On Get PSP calls with DX=F904h (the virus "Are you here?" call) it
   disables the virus INT 13h and INT 21h handlers and returns. I see no
   reason for that call, because the virus code cannot be executed twice:
   the INT 13h/21h stealth routines redirect access to the original
   bodies of BAT-files and the MBR.
   
   On Open File calls the virus hooks INT 24h to suppress the DOS error
   message on writing to write-protected disks, checks the file extension
   for "BAT", opens that file using the undocumented System File Table,
   checks whether the file is already infected, and infects it.
   
   On Read from File calls the virus checks whether the file is infected
   and substitutes the original (uninfected) form of the file for the
   infected one. That code is the virus' stealth routine.
   
   While checking whether the file is already infected (on Open File and
   Read from File calls) the virus reads the file header and compares the
   first 108 (6Ch) bytes with the virus code.
   
   During infection the virus moves the file body down by 3385 bytes and
   writes the 3385 bytes of virus code at the beginning of the file: the
   ASCII-to-BIN decoder, the virus code converted to ASCII, and the
   additional DOS commands described above.
   
   The INT 13h virus handler intercepts only two functions, Read and
   Write (AH=2,3), and only on accesses to the hard drive. On both calls
   the virus infects the MBR (if it is not infected yet) and performs the
   stealth routine.
   
   Last notes:
   
   The virus has a bug: the boot/MBR sector stamp 55AAh is placed at the
   wrong offset in the virus body (01FFh instead of 01FEh), which causes
   a system error message on loading from such an MBR.
   
   The virus contains the internal text string:

 Blah virus (DA/PS)

   
     _________________________________________________________________
   
   © Copyright 1995 Eugene V. Kaspersky
