     VVM virus -- the shortest stealth virus for PC.
     ===============================================

     Igor G. Muttik

     Low Temperature Physics Laboratory,
     Physics Department,
     Moscow State University, 117234, Russia

     Phones: +7 095 9391147
             +7 095 3396238
     Email: MIG@lt.phys.msu.su


     KEYWORDS
     --------

     Virus, EXE-header, resident, stealth.


     ABSTRACT
     --------
                             
     The virus called VVM is described. The virus is
     205 bytes long and resident. It is the shortest
     stealth virus found so far. It infects EXE headers
     at the disk-access level. The size of an infected
     file is not changed. The virus conflicts with disk
     caching programs.


     INTRODUCTION
     ------------

     Many new viruses have appeared during the last years.
The number of viruses is constantly growing, but all of
them fall into four groups: file, boot, companion and
cluster. Combining the properties of these viral types
gives new virus families. We have already faced
multipartite viruses, which combine the properties of
file infectors and boot sector infectors. Companion
viruses appeared, which are very simple in their idea:
they use the DOS quirk that executable COM and EXE files
are distinguished by their contents, not by their names.
The VVM virus uses the same DOS peculiarity: it accesses
the disk at a low level (like boot sector viruses), but
infects executable files. VVM can be regarded as a
representative of a family of header infectors.


     HISTORY OF DISCOVERY
     --------------------

     The first signals about the new virus were received on
15-16 December 1993, when some computers were infected in
the Physics Department of Moscow State University. It was
clear that the virus was new, because testing with the
latest versions of scanners (F-Prot and Scan were used)
did not indicate an infection.
     The virus was extracted from the infected executable
files, disassembled and analyzed on 17 December. The
analysis itself took only 1-2 hours, because the virus is
simple enough (its size is only 205 bytes and it is not
encrypted). The virus had only one string at the bottom of
the viral code: "(C)VVM". It is easy to understand why I
called the virus VVM. The virus was made available for
analysis to many CARO members on 19-20 December.


     GENERAL DESCRIPTION AND INFECTION STRATEGY
     ------------------------------------------

     The behavior of this particular virus is uncommon. It
intercepts low-level disk access (read and write) and checks
whether the currently accessed sector "looks like" an EXE
header. If this is the case, the VVM virus infects this
sector in the hope that it will later be loaded as a part of
the EXE file to which it belongs. The layout of the infected
header is shown in Fig.1.
     VVM infects only those EXE files whose size is less
than 65024 bytes (the virus takes the EXE file size from the
EXE header). An infected EXE file becomes a COM file, because
its header no longer has the 'MZ' signature at the beginning.
This signature is overwritten with a jump to the viral code,
located at the bottom of the sector. The header is now part
of an executable COM file, namely its beginning. (When
speaking about COM and EXE I always mean the internal
contents, i.e. the absence or presence of a header.) I would
like to emphasize that the virus does not check whether such
an "EXE-header looking" sector actually belongs to any
executable file.
     Obviously, there is no change in the size of a victim
file when it is infected.
     The virus receives control when the user starts a file
with a modified header. The virus sets a new low-level disk
service handler and invokes the original program. Such a
sequence is a remarkable idea from the technical point of
view (already found in some other viruses): the virus, being
a stealth virus, simply issues the EXEC function with the
infected program name as a parameter. Now, because all DOS
disk accesses go through the virus's stealth routine, DOS
will execute an "unchanged" file! We see that the stealth
routine of the VVM virus has two purposes: to ensure the
execution of the victim file and to hide the presence of the
viral code.
     VVM appears to be the shortest stealth virus known at
the present moment.
     After the invocation of the infected executable file,
the VVM virus makes itself resident. It simply uses DOS
interrupt 27h. The size of the memory block is 768 bytes
(decimal), or 300h (hex). The resident virus code now
examines all disk accesses and infects any sector that looks
like an EXE header.
     VVM has no direct destructive payload, but the computer
will not operate properly when VVM is active. For details
see the section "Errors and bugs".


     VIRUS LAYOUT AND STEALTH PROPERTIES
     -----------------------------------

     The virus code size is 205 bytes (decimal) or 0CDh
(hex), not including the initial jump to the viral code. You
see that the virus takes only 40% of a standard 512-byte EXE
header.
     The first three bytes of an infected EXE header
(sector) are always occupied by a jump to the virus code
(see Fig.1). It is always 0E9h, 30h, 01h (jmp 233h, when the
sector is loaded at address 100h as a COM file). The viral
code is written to the end of the sector/header (233h-2FFh,
when the sector starts at offset 100h) if it is free
(zero-filled). The VVM virus will not infect this
sector/header if any byte at these locations is non-zero.
     That gives a simple idea for file inoculation: put any
non-zero byte after the relocation table. Or simply compress
the file with the PKLITE or LZEXE utility; after compression
the virus will not infect the file any more (the zone
133h-1FFh will be non-zero).
     Unfortunately most EXE headers of MS-DOS utilities (in
versions 3.0-6.2) are infectable, because the zone at
133h-1FFh is usually zero-filled.
     You see that an infected file is really a COM file, but
if the virus is already resident its stealth routine will
hide the changes in the EXE header and the file will "look
like" a pure EXE. The stealth routine of the VVM virus
restores the initial two bytes ('MZ') and fills the whole
viral code zone with zeroes. Only one modification of the
initial file remains visible: the byte at offset 2 in the
header. The virus puts 01h here (the high byte of the JMP to
the viral code) and does not restore this byte (it was lost
on infection). In the original EXE header this lost byte is
the low half of the word designating the number of pages in
the file (each page is 512 bytes). Fortunately (for VVM) DOS
usually ignores this field.
     This "hole" in the stealth routine of VVM makes it easy
to detect the presence of the virus with any integrity
checker.
     I think it would have been easy for the VVM author to
preserve the mentioned byte at offset 2, but that would make
VVM file-specific. The current version of the VVM stealth
routine is independent of the contents of the file. Probably
the author of VVM preferred to lose some stealth properties,
but he obtained an advantage in size and, consequently, in
infection capability.


     VIRUS INTERNAL STRUCTURE
     ------------------------

     The block diagram of the VVM virus is given in Fig.2.
     When VVM receives control it first resets the disk
through DOS function 0Dh, so DOS closes all files. Then VVM
gets and sets the low-level disk handler routine, using DOS
service Int 2Fh (AH=13h). This routine seems to have been
prepared especially for VVM! It performs two functions in
one call: it gets the old routine pointer (dword) and sets
the new disk service handler (dword). This DOS service helps
VVM to make its code compact and effective.
     The virus shrinks its memory block to give space for a
child process: it prepares to start (EXEC) the infected
program. After that it scans the environment to locate the
real name (ASCIIZ) of the started executable (this works
only for DOS 3.0 or higher, so VVM will not execute the
original infected program on DOS versions prior to 3.0). The
virus creates an EXEC parameter block and starts the
program. The new viral disk service routine is already
working, so DOS will have no problems executing the infected
file (it will see the "uninfected" version, because the
stealth routine is active now).
     When terminating, the infected program transfers
control to the parent process, i.e. to the VVM virus. Now
VVM makes itself resident (the resident size is 768 bytes,
not including the environment). The method used is the usual
one: Int 27h. The resident viral code monitors disk
reads/writes to infect new EXE headers and to hide the
presence of the viral code.


     INFECTION CONDITIONS
     --------------------

     A sector will be infected if the following conditions
are met (this sector may or may not belong to a file):
     1. It starts with 'MZ' = 4D5Ah (not 5A4D!)
     2. The word at offset 4 in this sector is less than 7Fh
(for an EXE file this means the size is less than 65024
bytes)
     3. The space at 133h-1FFh is zero (in an EXE header
that means a relocation table at this address range is not
present).

     PECULIARITIES OF VVM VIRUS
     --------------------------

     I think the VVM virus can be regarded as an uncommon
virus because it infects all "header-like" sectors, which
may be located outside executable files, in the hope that an
'MZ' signature with high probability means an EXE header.
Moreover, the virus does not use any DOS services to infect
a file: the infection routine is written at the sector level
and is not file-specific. The executable file code is not
modified in any way. The virus infects only the header; it
can really be called an "EXE-header/sector" infector. We see
that the infection strategy is specific to the properties of
the MS-DOS EXE header. Moreover, the virus uses the DOS
quirk that EXE and COM files are processed identically and
a discrepancy between the filename and the file contents is
not reported.
     The VVM virus has some portions of code similar to the
known BootEXE virus. The author of both viruses is probably
the same person.


     TECHNOLOGY TO REMOVE
     --------------------

     The sequence of steps which can remove the VVM virus is
the following. First, you should check that the virus is not
active (i.e., not present in memory). Curing with the virus
active in memory is senseless.
     To deactivate the virus you should reboot from a
"clean" system disk. The other way is to disable the
in-memory copy of the virus. The virus is not encrypted, and
it is visible with the DOS MEM/c command. You can get the
code segment of the virus (called vir_cs below) from MEM/c,
or you can scan memory for the following scan string:
B4,13,BA,75,02,8B,DA,CD,2F (this string can also be used to
locate infected files on disk, because the virus is not
encrypted). To disable the driver, you can change the code
at vir_cs:275h (put here: jmp dword cs:[2e7h]). When you
have got rid of the memory copy of the virus, you are ready
for the next step.
     Scan all drives for EXE files which have the sequence
0E9h, 30h, 01h at the very beginning (i.e. such files are
COM files named as EXE). For example, you can use the F-PROT
or TBAV heuristic scan; they both warn about this
discrepancy. When such a file is found, check for
reliability that the viral code is present at the address
range 133h-1FFh (the file start is assumed to be at offset
zero). To disinfect the file, substitute 'MZ' for 0E9h, 030h
and (for reliability) calculate and correct the byte at
offset 2 and fill the virus zone with zeroes (to prevent
future false alarms).
     If you need to restore a file urgently, you can
substitute only the starting 0E9h, 030h with 'MZ'. That is
sufficient to cure the file, but you may get a false alarm
later, because the inactive viral code remains unchanged
(but now, if you cure all infected files, it will never
receive control).
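The infection conditions listed above and the file-level checks and repair of this section, put into working code as an added example (written for this edition, not code from the original article): it tests a header sector against the three conditions, recognizes an infected header by the 0E9h, 30h, 01h jump plus the scan string, shows what the resident stealth routine presents to a reader (with the offset-2 "hole" still visible), and repairs the header. The constructed sample image and the recomputation of offset 2 from the file length via the standard MZ "bytes on last page" word are assumptions of the example.

```python
import struct

# Layout constants from the article (file offsets; sector start at 0)
ZONE_START, ZONE_END = 0x133, 0x200            # viral code zone 133h-1FFh
VVM_JMP = bytes([0xE9, 0x30, 0x01])            # jmp 233h written over 'MZ'
VVM_SCAN = bytes([0xB4, 0x13, 0xBA, 0x75, 0x02, 0x8B, 0xDA, 0xCD, 0x2F])

def is_infectable(sector: bytes) -> bool:
    """The three infection conditions: 'MZ', word at 4 below 7Fh, zone zero."""
    if len(sector) < 512 or sector[:2] != b"MZ":
        return False
    pages = struct.unpack_from("<H", sector, 4)[0]
    return pages < 0x7F and not any(sector[ZONE_START:ZONE_END])

def is_infected(sector: bytes) -> bool:
    """E9 30 01 at the start and the scan string inside the viral zone."""
    return sector[:3] == VVM_JMP and VVM_SCAN in sector[ZONE_START:ZONE_END]

def stealth_view(sector: bytes) -> bytes:
    """What the resident virus shows a reader of an infected sector: 'MZ'
    restored and the zone zeroed, but the 01h at offset 2 is left as is."""
    return (b"MZ" + sector[2:ZONE_START] + bytes(ZONE_END - ZONE_START)
            + sector[ZONE_END:])

def disinfect(image: bytes) -> bytes:
    """Restore 'MZ', recompute offset 2 from the file length (standard MZ
    'bytes on last page' word at offset 2; an assumption) and zero the zone."""
    if not is_infected(image):
        return image
    fixed = bytearray(image)
    fixed[0:2] = b"MZ"
    fixed[2] = (len(image) % 512) & 0xFF
    fixed[ZONE_START:ZONE_END] = bytes(ZONE_END - ZONE_START)
    return bytes(fixed)

def make_samples(size: int = 1000):
    """Constructed clean EXE image and the same image after VVM infection."""
    clean = bytearray(size)
    clean[0:2] = b"MZ"
    struct.pack_into("<HH", clean, 2, size % 512, -(-size // 512))
    infected = bytearray(clean)
    infected[0:3] = VVM_JMP                       # jump overwrites 'MZ' and offset 2
    infected[ZONE_START:ZONE_START + len(VVM_SCAN)] = VVM_SCAN
    infected[ZONE_END - 6:ZONE_END] = b"(C)VVM"   # string at the zone bottom
    return bytes(clean), bytes(infected)
```

Comparing stealth_view(infected) with the clean image reproduces the single-byte difference at offset 2 that an integrity checker catches even while the virus is resident.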


     ERRORS AND BUGS
     ---------------

     The VVM virus conflicts with any disk-cache utility.
The origin of the problem is the following. When an infected
file is read, it goes through the cache and the file image
is stored somewhere in cache memory. When the virus receives
control it sets the stealth routine and invokes the original
file via an EXEC call. DOS tries to reload the file, but the
request comes to the cache. It takes the copy from cache
memory and the virus receives control for the second time.
The process repeats like a recursive procedure. When all
free memory has been filled with the virus copies, DOS
reports "Memory allocation error. Cannot load COMMAND,
system halted". This message typically appears after a long
delay, because the invocation of multiple copies of the file
takes time. That is the time taken to fill all free memory
by the recursion.
     Some users reported "lost clusters" being generated on
infected computers. The origin of this problem is not yet
clear.


     CONCLUSION
     ----------

     Many features of the VVM virus show that it was written
by a talented programmer. The virus is clear and laconic. We
see that the VVM virus is more than simple; it is primitive.
Any programmer can easily modify VVM and I think that many
subvariants of this virus may appear in the future.


     ACKNOWLEDGEMENTS
     ----------------

     I would like to thank Dmitry Gryaznov and Vesselin
Bontchev for fruitful discussions of this article.


     FIGURES
     -------

Fig.1. Infected EXE header layout.

     00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    +-----------------------------------------------+
000 |E9 30 01+jmp-+                                 |
010 |--------+                                      |
020 |             |                                 |
030 |                                               |
040 |             |                                 |
050 |                                               |
060 |  +- --  -- -+                                 |
070 |                                               |
080 |  |                                            |
090 |                  Unchanged area of            |
0A0 |  |                                            |
0B0 |                  EXE header sector            |
0C0 |  |                                            |
0D0 |                      (3-132h)                 |
0E0 |  |                                            |
0F0 |                  (size=304 bytes)             |
100 |  |                                            |
110 |                                               |
120 |  |     +--------------------------------------|
130 |  +-  ->|                                      |
140 |--------+                                      |
150 |                                               |
160 |                    133h-1FFh                  |
170 |                                               |
180 |                                               |
190 |             Viral code zone (205 bytes)       |
1A0 |                                               |
1B0 |                                               |
1C0 |                                               |
1D0 |                                               |
1E0 |                                               |
1F0 |      00 00 00 00 00 00 00 00 (  C  )  V  V  M |
    +-----------------------------------------------+
     00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F


Fig.2. Block diagram of the viral program
       (not including the resident disk
       I/O handler routine).

   +--------------------------+
   |    Jmp to viral code     |
   |    (0E9h, 030h, 01h)     |
   +--------------------------+
   +--------------------------+
   | Disk reset (close files, |
   |    flush file buffers)   |
   +--------------------------+
   +--------------------------+
   |   Shrink owning memory   |
   |    blocks to minimum     |
   +--------------------------+
   +--------------------------+
   | Get disk driver routine. |
   | Set new disk service     |
   +--------------------------+
   +--------------------------+
   | Search for infected EXE  |
   | filename in environment  |
   +--------------------------+
   +--------------------------+
   |  Build EXEC parm block   |
   +--------------------------+
   +--------------------------+
   |     Execute original     |
   |   (infected) EXE file    |
   +--------------------------+
   +--------------------------+
   |    Terminate and stay    |
   | resident (size=30h para) |
   +--------------------------+
