| Alias: | Uruguvau8 |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM and EXE infector, resident |
| Length: | 12816 {3210H=321 paragraph(s)} |
| Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | All models |
| Computer model(s): | PC's |
| Caroname: | Uruguay-#8 |
| Attributes | |
| Easy identification: | |
| Type of Infection: | The virus appends itself to the files. Self-recognition in memory: INT_21; AX=3032; DX=1234 -> AX=5678 |
| Infection Technique: | |
| Infection Trigger: | (Exec or ((Open or OpenCreate) and (*.COM or *.EXE))) and (Size>200h and Size= |
| Storage Media affected: | |
| Interrupts hooked: | 01, 08 {used during warm reboot}, 09 {to check whether Alt-Ctrl-Del is pressed}, 13, 21/4B00, 21/3D, 21/6C, 24, 2A {only to restore control over INT_21 if lost} |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | The virus uses variable encryption with a variable decryptor. The virus hides the entry point. |
| Encoding Method: | |
| Damage: | Transient: the virus shows on screen the first message from MSG_DISPLAYED, using BIOS service INT_10/0E. The printout is delayed and takes a few seconds. It is accompanied by random musical tones, calculated from the ASCII codes of the printed characters. Permanent: - |
| Damage Trigger: | Transient: (ExecInfected and (byte[0:46C]=0)) or WarmReboot Permanent: - |
| Particularities: | The virus resides above the last MCB. The virus uses armouring. Displayed text: "Uruguay-#8 Virus Programmed in Montevideo (URUGUAY). 03/93. This is a research virus - DO NOT DISTRIBUTE."; encrypted: "Uruguay-#8 installed (seg=9CDF)" {This message is always displayed when the virus goes resident. The number in the message represents the real segment where the virus is located.} |
| | Infected EXE files are turned into COM files and the virus code is appended in encrypted form to the end of the file. The file starts with the virus head. The size of the head is 63h bytes; it transfers control to the virus tail (the decryptor of the virus body and the encrypted virus body, both attached to the end of the infected file). Uruguay-#8 uses three types of control transfer from head to tail: 1. E9 offset; 2. PUSH offset, RET; 3. MOV reg,offset, JMP reg. |
| | When an infected program receives control, the virus copies itself to the segment at the top of usable conventional memory. The memory available to DOS is shrunk. If the computer has 640K, you can easily calculate the code segment of the virus (MEMORY_SIZE=321 para, CS=A000-321=9CDF; you will have 9CDE if UMB is used, because the top paragraph will be BFFF, not A000). After decryption of the body the virus restores the start of the infected file (63h bytes) and, if the file was EXE, performs the needed relocations itself. Then the code is moved down in memory, because the EXE header is no longer needed. |
| | Uruguay-#8 intercepts DOS INT_21 by rewriting the start of the DOS service routine in the DOS segment with a FAR JMP to viral code. The DOS segment is determined using INT_2F/1203. The virus marks infected files by modifying the time stamp (INT_21/57). The year of creation is orig_file_year+100. Uruguay-#8 marks infected files by modifying the seconds field of the time stamp (INT_21/57, CX & 1F). The selected seconds value is random and machine-specific (calculated from the BIOS contents of the computer). Files having this number in the seconds field are never infected. An infected file from another computer may be infected a second time. Such a file will with very high probability hang the computer. |
| | Files infected with Uruguay-#8 usually have many FF bytes at the end of the infected file (that is part of video memory at [A000:0]: when the virus appends itself to the victim file, the virus write operation overlaps from DOS memory into video memory). Uruguay-#8 uses the initial values of the processor registers as set by the DOS EXEC call (AX=0000, BX=0000, CX=00FF, DI=FFFE, SI=100) in the viral decryption routine. |
| | Uruguay-#8 survives a warm reboot via Alt-Ctrl-Del. It hooks INT_08 and INT_09, restores some low-level interrupts, disables A20 usage, sets text video mode, resets the interrupt controller and keyboard and finally calls INT_19. |
| | Uruguay-#8 does not infect any file starting with "SC" or "F-", nor any file having the letter "V" in the filename. These versions seem to check additionally for "AI", but there is a bug and the comparison does not work. These checks probably mean "SCAN", "F-PROT", "VIRUSCAN", "-V", etc. The check for "AIDSTEST" does not work. Current versions of SCAN, F-PROT and most other antivirus programs (*V*.*) are EXE files far beyond the 64k limit, so these checks seem odd. |
| | Uruguay-#8 has an internal random number generator, extensively used in the polymorphic engine. It accepts one parameter (AL) and returns BH=0, BL=[1;AL]. The random number generator uses the computer BIOS and the current timer [0:46C] contents to calculate its output (several XOR, SUB and ADD). It uses static variables to operate. The random number generator is located at the very top addresses of the virus code. For comparison of Uruguay viruses see the following table: |

| Virus | Date | Code size, bytes | MEMORY_SIZE, para | Infectable file size | File growth | Head size | Stealth | Warm reboot | Memory slices |
|---|---|---|---|---|---|---|---|---|---|
| #1 | 03/92 | 938 | 129 | >200,<=F400 | ~94F | 3 | - | - | 0 |
| #2 | 04/92 | 8F6 | 120 | >200,<=EC00 | ~91E | 3 | - | - | 0 |
| #3 | 06/92 | 996 | 140 | >200,<=F400 | | | | | |

| Similarities: | Uruguay-#1, Uruguay-#2, Uruguay-#3, Uruguay-#4, Uruguay-#5, Uruguay-#6, Uruguay-#7 {There is information that Uruguay-#9 also appeared} |
| Agents | |
| Countermeasures: | |
| Standard means: | |
| Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Igor G. Muttik |
| Documentation by: | Igor G. Muttik |
| Date: | 1994-01-31 |
| Information Source: | Caro entry (automatic converter by S. Freitag) |
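
The entry describes two file-marking traces of Uruguay-#8 that a defender can check offline: a creation year pushed 100 years ahead and a seconds field set to a machine-specific value (both via INT_21/57), plus the run of FF bytes left at the end of infected files. The following is an added example, not part of the catalog entry or the Virus Test Center's own tools; the function names, the 50-year margin and the 16-byte FF threshold are this example's assumptions, and the sample file image and timestamp are constructed.

```python
# Added example (not from the catalog entry): decode FAT directory timestamps
# and apply the Uruguay-#8 file-marking heuristics the entry describes.
# Function names, thresholds and the sample data are assumptions.

def decode_fat_date(date_word: int):
    """FAT packed date: bits 15..9 = year-1980, 8..5 = month, 4..0 = day."""
    return 1980 + ((date_word >> 9) & 0x7F), (date_word >> 5) & 0x0F, date_word & 0x1F

def decode_fat_time(time_word: int):
    """FAT packed time: bits 15..11 = hours, 10..5 = minutes, 4..0 = seconds/2.
    Bits 4..0 are the field the virus overwrites (CX & 1F via INT 21h/57h)."""
    return (time_word >> 11) & 0x1F, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2

def encode_fat_date(year: int, month: int, day: int) -> int:
    return ((year - 1980) << 9) | (month << 5) | day

def trailing_ff_run(data: bytes) -> int:
    """Number of 0xFF bytes at the very end of the file image."""
    n = 0
    for b in reversed(data):
        if b != 0xFF:
            break
        n += 1
    return n

def uruguay8_indicators(data: bytes, date_word: int, time_word: int,
                        current_year: int, min_ff_run: int = 16) -> list:
    """Names of the catalog-derived heuristics that fire for one file."""
    hits = []
    year, _, _ = decode_fat_date(date_word)
    # orig_file_year+100 lands far in the future; 50 years is a generous margin.
    if year - current_year >= 50:
        hits.append("year_stamp_century_ahead")
    if trailing_ff_run(data) >= min_ff_run:
        hits.append("ff_run_at_end")
    return hits

def seconds_marker(time_word: int) -> int:
    """2-second-granular seconds value. Because the virus never infects a file
    already carrying the machine's marker, every infected file on one machine
    shares the same value; a cluster of COM/EXE files with one odd value is a lead."""
    return decode_fat_time(time_word)[2]

# Constructed sample: a COM-like image with a JMP-style head and an FF tail,
# stamped 15 March 2093 12:30:14 (a 1993 file marked +100 years).
SAMPLE_IMAGE = b"\xe9\x10\x00" + b"A" * 300 + b"\xff" * 40
SAMPLE_DATE = encode_fat_date(2093, 3, 15)
SAMPLE_TIME = (12 << 11) | (30 << 5) | 7

if __name__ == "__main__":
    print(uruguay8_indicators(SAMPLE_IMAGE, SAMPLE_DATE, SAMPLE_TIME, 1993))
```
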
(c) 1996 Virus-Test-Center, University of Hamburg