RPS.b

                    - C.A.R.O. Analysis | RPS.b virus -


Name.............: RPS.b
Aliases..........: RPS2
Targets..........: MBR, FBR
Resident.........: IVT
Memory_Size......: 182 bytes
Storage_Size.....: 1S
Where............: At 0/0/1
Stealth..........: 13h/02
                   When the function reads the MBR of the first physical
                   HD, the virus, on return from the interrupt, fills the
                   buffer pointed to by ES:BX with 1BAh zero bytes.
Polymorphic......: None
Armouring........: None
Tunneling........: It hooks INT 13h at boot time
Infectivity......: 6
Obviousness......: None
Commonness.......: ITALY(3)
Commonness_Date..: 1995/02/10
Transient_Damage.: It disables the keyboard by masking IRQ 1
                   (programming the IMR of the 8259 chip).
T_Damage_Trigger.: See P_Damage_Trigger
Permanent_Damage.: It overwrites track 0 and a random portion of physical HDs
                   identified by ROM BIOS as 80h and 81h
P_Damage_Trigger.: INT 13h -> CX == 1 && DX == 80h && (AH == 3 || (AH == 2 &&
                   Internal_Counter == 0))
Side_Effects.....: The virus does not preserve the BPB of floppy boot
                   sectors.
Infection_Trigger: FBR infection: INT 13h -> AX == 0201h && CX == 1
                                             && DX == 0
                   MBR is infected booting from an infected floppy.
Msg_Displayed....: None
Msg_Not_Displayed: "RPS2"
Interrupts_Hooked: 13h/2, 13h/3
                   Virus code is installed in IVT, overwriting a range of
                   interrupt vectors [C0h..EDh].
Selfrec_In_Memory: None
Selfrec_On_Disk..: BootRecord[8].WORD = 6
Limitations......: CPU >= 80188
Comments.........: Very buggy code. When the virus infects the MBR, it
                   overwrites the sector with its own code. At bootstrap,
                   the virus attempts to identify the active partition by
                   scanning the Partition Table. In case of failure, it
                   performs a CALL FAR through DS:SI, which is intended
                   to point at the damage routine. In practice, at boot
                   time the virus does not set DS:SI properly.
                   The Selfrec_On_Disk is buggy too. The value written at
                   offset 8 of the Boot Record (infected MBR and FBR) is
                   600h, not 6.
                   There are several other bugs.
                   Since the FBR is overwritten, when the virus starts
                   from an infected floppy it attempts to boot from the
                   first physical HD, searching for and loading into
                   memory the DBR of the active partition.
Analysis_By......: Paolo Monti - I.C.A.R.O.
Documentation_By.: Paolo Monti - I.C.A.R.O.
Entry_Date.......: 1995/02/10
Last_Modified....: 1995/11/28
See_Also.........: None
End..............:
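As an added defensive example that is not part of this CARO record, the Python below inspects a 512-byte sector as returned by INT 13h/02 for the two on-disk traits described above: the self-recognition word at offset 8 (600h in practice, per the Comments field, rather than the documented 6) and the stealthed-read pattern of 1BAh leading zero bytes in front of an intact 55AAh signature. The sample sectors are constructed inline; their byte values are illustrative and are not the virus's code.

```python
# Added example, not from the CARO record: classify a raw sector buffer
# using the self-recognition marker and the stealth zero-fill described above.
import struct

SECTOR = 512
SELFREC_OFFSET = 8            # BootRecord[8].WORD
SELFREC_DOCUMENTED = 0x0006   # value the record documents
SELFREC_ACTUAL = 0x0600       # value actually written, per Comments
STEALTH_ZERO_LEN = 0x1BA      # bytes zeroed by the stealth routine
BOOT_SIG_OFFSET = 0x1FE       # 55AAh boot signature


def selfrec_marker(sector: bytes) -> int:
    """Little-endian word at offset 8 of the boot record."""
    return struct.unpack_from("<H", sector, SELFREC_OFFSET)[0]


def looks_stealth_read(sector: bytes) -> bool:
    """A genuine MBR carries boot code in its first bytes; 1BAh leading
    zeroes with a valid signature match the virus's stealthed read."""
    return (len(sector) == SECTOR
            and sector[:STEALTH_ZERO_LEN] == bytes(STEALTH_ZERO_LEN)
            and sector[BOOT_SIG_OFFSET:] == b"\x55\xaa")


def classify(sector: bytes) -> str:
    if len(sector) != SECTOR:
        return "invalid"
    if looks_stealth_read(sector):
        return "stealthed-read"      # INT 13h result was sanitised in memory
    marker = selfrec_marker(sector)
    if marker == SELFREC_ACTUAL:
        return "infected"            # marker the virus really writes
    if marker == SELFREC_DOCUMENTED:
        return "suspect-documented-marker"
    return "clean"


def make_sector(head: bytes) -> bytes:
    """Constructed sample: head bytes, zero padding, 55AAh signature."""
    return head + bytes(SECTOR - 2 - len(head)) + b"\x55\xaa"


# Constructed samples (illustrative bytes only).
CLEAN = make_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8b\xf4")
INFECTED = make_sector(b"\xeb\x06" + bytes(6) + struct.pack("<H", SELFREC_ACTUAL))
# What a stealthed read of INFECTED returns: first 1BAh bytes zeroed, rest intact.
STEALTHED = bytes(STEALTH_ZERO_LEN) + INFECTED[STEALTH_ZERO_LEN:]
```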

     
       _______________________________________________________________
     
     &copy; Copyright 1995 Paolo Monti
     
     GV291195
