Strain:PREDATOR strain
detected when:
Classification:COM and EXE infector, Master-boot record (HD) infector, DBR
Length:6 kilobyte(s)


Operating System(s):MS-DOS
Version/Release:All models KNOWN
Computer model(s):PC's


Easy identification:

Type of Infection:

Appending, uses DOS file length to position virus. Bootsector infection. Virus stored in additional Track. Selfrec in memory: INT_13; AX=50FD -> AX=FD50 Selfrec on disk: FILEDATE.LOWBYTE >200 (FILES) MBR or FBR starts withFA BF 14 7C B8 32 00

Infection Technique:
Infection Trigger:(OPEN or EXEC or EXTENDED OPEN) and (MZ or ZM or .COM)and (not(filename_with(PROT,SCAN,CLEA,VSAF,CPAV,NAV. ,DECO)))and (LengthCOM > 1000) and (LengthCOM < 62088)and (LengthEXEheader = LengthEXEfile)
Storage Media affected:Harddisks, Disketts
Interrupts hooked:21/11 21/12 21/4E 21/4F 21/3D 21/4B 21/6C 13/02 13/50FD24 {24 only when needed}
Oligo/Polymorphism:the virus uses variable encryption with a variable decryptor, but the decryptor can be detected with a wildcard string.
Encoding Method:
Damage:Transient: - Permanent: -
Damage Trigger:Transient: - Permanent: -
Particularities:The virus resides at the top of memory, reducing the BIOS memory size at 0000:0413. Bug in FindFirst/next using FBC could cause odd behaviourin some programs (not checked). Unexpected reboots whilebooting from an infected floppy. Not displayed text: "Predator virus #2 (c) 1993 Priest - Phalcon/Skism","THE PREDATOR"; Encrypted,"Here comes the Predator!"; Encrypted{as the virus is encrypted, in fact we could considerthat the first message is also encrypted, but in someinstances the virus isn't encrypted} The author's handle is Priest, and his affiliation isPhalcon/Skism. It seems to be written in late 1993.The virus attempts not to infect anti virus, by not infectingfiles containing the strings PROT, SCAN, CLEA, VSAF, CPAV, NAV.or DECO. Those are: F-prot, Scan, Clean, Vsafe, Cpav, and Nav.I don't know what DECO means.A poor error handling when booting from diskette may causereboots. The virus calls int 18 in case of error, whichcauses reboots in most systems.It uses tunnelling to hide its activities while infectingfiles or MBR/FBR.If the DOS code for int 21 begins with 0EA (jmp far) or0CC (breakpoint), it doesn't tunnells it.It hooks interrupt 21 by patching its code with a jump far tothe virus code. The virus int 21 handler fixes the code,and re-patches it after ending, tracing execution withint 1. When the execution of the first instructions ofint 21 is completed, it re-patches it and stops tracing.The decryptor is only variable in key and in encryptionmethod. The encryption method is selected by randomfrom a table.When loading the virus from boot sector, it hooks theint 13h not using tunnelling, and waits for DOS to loadto hook int 21, also not using tunnelling. It detectsDOS loading by watching int 21 vector in interrupt vectortable. When it changes to a offset > 0800h it hooksthe interrupt.It is fully stealth hiding itself from MBR/FBR, but itonly hides file length and file date modificationswhen in files, and only to FindFirst/Next calls.There is a bug in the FCB stealth, so it would returna corrupted FCB instead a fixed FCB.It checks for a file to be a EXE if it begins with MZ or ZM.It checks .COM file by checking it file extension.The virus uses a lot of self-modification in order to enableor disable some routines.It contains the following bytes that are never referenced. Itseems like a never used routine:BC 9B 9C MOV SP,09C9B97 XCHG AX,DI9D POPF9F LAHF8C 9B 9C E0 MOV W[BP+DI+0E09C],DS8C 91 E0 BF MOV W[BX+DI+0BFE0],SSAE SCASBBD AA D2 MOV BP,0D2AAD2 D2 RCL DL,CLE0 RETF


Standard means:


Location:Virus Test Center, University Hamburg, FRG
Classification by:Fernando Bonsembiante
Documentation by:Fernando Bonsembiante
Information Source:Caroentry (autom.converter by S.Freitag)

(c) 1996 Virus-Test-Center, University of Hamburg