| Alias: | |
| Strain: | |
| detected when: | July 1993 |
| where: | Germany |
| Classification: | File virus (EXE infector),memory resident,stealth |
| Length: | 1.Length (Byte) on media: 756-771 Bytes 2.Length (Byte) in RAM: 832 Bytes |
Preconditions | |
| Operating System(s): | MSDOS |
| Version/Release: | |
| Computer model(s): | IBM PCs and Compatibles |
| Caroname: | Gnat |
Attributes | |
| Easy identification: | "0103h"in bytes 20-21 of infected files (see Self- Identification in files). |
Type of Infection: | File infection: After virus became memory resident, EXE and ZM files are infected upon Trigger conditions (see below) by appending virus code. Self-Identification in files: Virus tests if (file[0014h] = 03h) AND (file[0015h] = 01h) {EXE-IP = 0103h} System infection: Upon execution of an infected file, virus makes itself memory resident (using TWIXT method). Self-Identification in memory: Virus tests if memw[0000h:0086h] > 0350h {SEG(INT 21) > 0350h} |
| Infection Technique: | |
| Infection Trigger: | If (Exec OR Load w/o Exec) AND (memw[0000h:004Eh] <= 0300h){SEG(INT 13)<=0300h} AND (file[4] >= 1) {Length>=512} AND (file[4] = ((Length SHR 9)+(1; IF Length MOD 512 = 0))) |
| Storage Media affected: | |
| Interrupts hooked: | INT 1C, INT 21/4B00, INT 21/4B02, INT 24 (while in INT 21 ISR). |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent Damage: --- Transient Damage: Virus mirrors screen horizontally and vertically. |
| Damage Trigger: | Permanent Damage: --- Transient Damage: If (Date = October 11) AND (BIOS_timer_low = 0FFFFh) AND at least one new infection at this day. |
| Particularities: | 1) Virus is encrypted,with variable key stored in- side decryption routine (form of polymorphism) en/decryption key is low byte of new CS value in EXE-file-header. 2) Virus contains encrypted string: "GNAT 1.0". 3) Stealth methods: virus sets file r/w for in- fection and restores original file attribu- tes, date and time after infection; hooks interrupts by direct memory access; while running the INT 21h ISR, virus temporarily stores the INT 21 vector saved on infection back to IVT; uses slightly self modifying code; no TSR-call, just jumps to original program at virus' end. |
| Similarities: | --- |
Agents | |
| Countermeasures: | |
| Standard means: | Delete infected files and replace with clean ones |
Acknowledgements | |
| Location: | Virus Test Center, University of Rostock, Germany |
| Classification by: | Dirk Haratz (dharatz@informatik.uni-rostock.de) |
| Documentation by: | Dirk Haratz Klaus Brunnstein (CVC entry) |
| Date: | 24-July-1993 |
| Information Source: | Reverse analysis of virus code |
(c) 1996 Virus-Test-Center, University of Hamburg