WINSTART - the memory resident BAT worm
   
   
     _________________________________________________________________
   
   The WINSTART virus is named after the WINSTART.BAT file in which the
   body of the virus is placed. That BAT file consists of four text lines
   followed by binary data:


 @ECHO  OFF
 :s%r#
 COPY %0.BAT C:\Q.COM>NUL
 C:\Q
 [ binary data ]

   When that file is executed, the virus copies itself (the BAT file) into
   a COM dropper and runs it. The dropper is placed in the root directory
   of drive C: under the name Q.COM. When executed, it installs itself
   into the High Memory Area, hooks INT 2Fh, creates WINSTART.BAT files on
   floppy drives, and copies the virus body into each newly created BAT
   file.
   
   Execution of BAT-File
   
   The installation routine of the WINSTART virus reuses the ideas
   introduced by the first memory resident BAT virus, BATMAN. Like BATMAN,
   WINSTART first receives control when it is started as a batch file. It
   converts itself into COM format with the commands listed in its text
   part:


 command                     action
 -------                     ------
 @ECHO  OFF                  disable the echoing
 :s%r#                       this is the label, it is not executed in batch
 COPY %0.BAT C:\Q.COM>NUL    copy the host file to C:\Q.COM
 C:\Q                        run newly created C:\Q.COM

   The next line contains the binary data, which begins with a 1Ah byte.
   That byte marks "end-of-file" for the batch interpreter, so the binary
   part is never executed in batch mode.
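   A defender can use exactly this layout as a signature. The following
   is an added example (not code from the original write-up): it checks
   whether a file starts with the four text lines quoted above, followed
   by the 1Ah byte and a non-empty binary tail, and scans a list of paths
   for such files.

```python
"""Detector for the WINSTART.BAT dropper layout (added example)."""
from pathlib import Path
from typing import Iterable, List

# The four text lines quoted in the write-up.  Runs of whitespace are
# normalised before comparing, so "@ECHO  OFF" and "@ECHO OFF" both match.
MARKER_LINES = (
    b"@ECHO  OFF",
    b":s%r#",
    b"COPY %0.BAT C:\\Q.COM>NUL",
    b"C:\\Q",
)
EOF_BYTE = 0x1A  # Ctrl-Z: COMMAND.COM stops reading the batch file here


def _normalise(line: bytes) -> bytes:
    """Collapse whitespace (including a trailing CR) to single spaces."""
    return b" ".join(line.split())


def looks_like_winstart(data: bytes) -> bool:
    """True if `data` has the WINSTART text header and a binary tail after 1Ah."""
    rest = data
    for expected in MARKER_LINES:
        line, _, rest = rest.partition(b"\n")
        if _normalise(line) != _normalise(expected):
            return False
    # The binary part must start with the end-of-file byte and not be empty.
    return len(rest) > 1 and rest[0] == EOF_BYTE


def scan_files(paths: Iterable[Path]) -> List[Path]:
    """Return the paths whose content matches the dropper layout."""
    hits = []
    for path in paths:
        try:
            if looks_like_winstart(path.read_bytes()):
                hits.append(path)
        except OSError:
            continue  # unreadable entry: skip it rather than abort the scan
    return hits


if __name__ == "__main__":
    # Constructed sample: the text header plus a placeholder binary tail.
    sample = b"\r\n".join(MARKER_LINES) + b"\r\n\x1a" + bytes(range(16))
    clean = b"@ECHO OFF\r\nDIR\r\n"
    print("sample:", looks_like_winstart(sample), "clean:", looks_like_winstart(clean))
```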
   
   Execution of the COM-File
   
   The Q.COM file is a copy of the source BAT file, but it now receives
   control as a COM file. The processor executes the text strings as
   "do-nothing" instructions such as:

 INC     AX          ;  '@'
 INC     BP          ;  'E'
 INC     BX          ;  'C'
 DEC     AX          ;  'H'
 DEC     DI          ;  'O'
 AND     [BX+SI],AH  ;  '  '

   This dummy code ends at the "label" string (the second line of the BAT
   file), which the processor executes as the instructions:

 JNC    Install      ;  's%'
 JC     Install      ;  'r#'

   Whichever way the carry flag is set, one of these jumps passes control
   to the binary part of the virus, which installs the memory resident
   portion of WINSTART.
   
   Installation into the system memory
   
   First, the virus makes an "Are you here?" call: INT 2Fh with
   AX=B700h. The memory resident portion of the virus answers with the
   value FFh in the AL register. This call is exactly the one the DOS
   utility APPEND makes on installation, so the two may confuse each
   other. That suggests the simplest way to protect oneself against this
   virus: it is only necessary to install the APPEND utility.
   
   If no copy of WINSTART is already resident, the virus allocates a
   block of the High Memory Area (HMA) with INT 2Fh function AX=4A02h.
   It requests only 173 bytes, and such a small hole is enough for the
   virus to install itself in memory. It copies part of its code (168
   bytes) into the allocated block and stores the INT 2Fh address there
   as well (168+4=172 bytes in total). The copied code contains only the
   virus INT 2Fh handler and the infection routine; the installation
   routine is not part of the TSR portion. The address of the INT 2Fh
   vector is taken from an undocumented DOS area (that address is new for
   me, I've never seen it before!). DOS 6.0+ uses that address when its
   internal INT 2Fh routines pass control from one part of the code to
   another.
   
   Then the virus performs the last part of the installation routine;
   this code is also executed when there is no HMA and the virus has not
   installed itself in memory. It renames C:\Q.COM to C:\WINSTART.BAT and
   then deletes C:\Q.COM. The reason for the delete is that if
   WINSTART.BAT already exists, the rename fails and Q.COM is left
   behind. After deleting, the virus sets the attributes of
   C:\WINSTART.BAT to "read-only" and terminates with an INT 20h call.
   
   The result of the installation routine is as follows: the virus hooks
   INT 2Fh, keeps its INT 2Fh handler in the HMA block, and leaves the
   C:\WINSTART.BAT file with the copy of the virus.
   
   INT 2Fh Handler
   
   The virus intercepts two INT 2Fh functions. The first is the "Are you
   here?" call (or APPEND installation check) AX=B700h. In that case the
   virus immediately returns the value FFh in the AL register.
   
   The second is the internal installation check AX=AE00h of the
   COMMAND.COM processor. This call is made whenever a new copy of
   COMMAND.COM starts (for example, when any DOS application is run from
   a file shell such as XTREE or Norton Commander). In this case the
   virus passes control to its infection routine.
   
   The infection routine drops a copy of the virus on the current drive
   only when two conditions hold:
    1. the current drive is A: or B:
    2. it has 50% or less free disk space (i.e. there are files
       occupying 50% or more of that disk, so the new file may be "hidden"
       among the other file names in a DIR listing)
       
   In that case the virus hooks INT 24h to suppress the DOS error message
   when writing to a write-protected disk, creates a new WINSTART.BAT
   file on the current (A: or B:) drive, and copies C:\WINSTART.BAT into
   it. While copying, the virus uses the INT 18h address in the Interrupt
   Table (addresses 0000:0060-0063) as its read-write buffer. That
   interrupt is not used during a DOS session on any IBM-PC machine (this
   trick saves the virus four bytes of memory!), but it may cause trouble
   on non-IBM-PC clones.
   
   After copying, the virus sets the date and time stamp of the
   destination file to the same values as the source file, closes both
   files, and returns control to the original INT 2Fh address. The
   infection is complete.
   
   
     _________________________________________________________________
   
   © Copyright 1995 Eugene V. Kaspersky
