Apparition Family

The Apparition family is a dangerous memory-resident polymorphic parasitic virus. The TSR virus code is encrypted both in memory and in files: before passing control to an encrypted routine, the virus decrypts it and afterwards re-encrypts it with a randomly selected key. The virus runs only on 386+ processors. It uses anti-debugging tricks in most of its routines, some of which rely on 386+ processor features.

When executed, the virus decrypts its code through several decryption loops and installs itself in memory. During installation it hooks INT 1, 6, 0Dh and 34h and performs several quite complex anti-debugging tricks. It scans system memory for some program (an anti-virus monitor?) and patches it. It then releases the interrupt vectors it hooked earlier, allocates a memory block for its TSR copy, copies itself there, hooks INT 6, 9, 10h, 1Ch, 21h, 2Fh and 77h, and stays memory resident. Before returning control to the host program, the virus searches the current directory for COM and EXE files and infects them.

The INT 10h hook is not used in any way. INT 77h serves only to detect a copy of the virus already installed in memory. INT 2Fh is used to detect the MS-Windows call AX=1605h; in that case the virus removes itself from system memory.

The virus intercepts several INT 21h functions. On the Keep call (AH=31h) it merges its code into the program that is staying memory resident. On the Execute call (AH=4B00h) it infects the file being executed. On the ChangeDir call it searches for COM and EXE files and infects them. When a file is executed the virus also checks the file name; for LOGIN.EXE it captures and saves every key pressed while LOGIN.EXE runs, and writes these keys to the file C:\RUSSIAN.FNT when LOGIN.EXE terminates (INT 21h, AH=4Ch). The keys are captured through the INT 9 hook.
The virus writes itself to the end of COM and EXE files shorter than 55K. It does not infect COMMAND.COM, *HIEW.EXE or *EB.EXE. While infecting an EXE file the virus converts it to COM format. While infecting a file it scans the file's code for the C/Pascal subroutine "header" 55 8B EC (PUSH BP / MOV BP,SP) and overwrites these bytes with FFFFh. If such a routine later takes control, the processor raises INT 6 (Unknown Opcode), the virus's INT 6 handler takes control and restores the original bytes. As a result, such files cannot be disinfected, but they do run under an infected DOS-only system. Under QEMM and similar V86 control programs or memory managers, this exception falls through to the control program, bypassing the real-mode INT 6 vector entirely. In QEMM's case it reports that the program attempted to execute an invalid instruction, complete with register and code dumps, and then offers the option to terminate or reboot. Problems can also arise if the byte sequence 55 8B EC occurs elsewhere in the code, or in data, without being the above instructions.

To prevent its TSR code from being disinfected (deactivated), the virus calculates CRC sums of several routines (the infection routine and the INT 9 and INT 21h handlers) and, on each INT 1Ch call, recalculates and checks these sums. To protect its INT 1Ch handler from deactivation, the virus keeps a "backup" copy of the INT 1Ch code and compares it with the live handler on each INT 9 call. Under a debugger, or if the virus code has been patched (deactivated), the virus erases the CMOS, beeps through the PC speaker and halts the computer.

While installing memory resident the virus checks the processor type, and if the installed processor is not a 386+, it displays the message: "386 or later processor missing. Please replace processor, then press any keyall". The virus may also display: "Warning : This file is infected by Apparition !"
The virus also contains the following text strings:

Here I am, can you see me Passing through, on my way To a place I'd been to only in my dreams …before
*.COM
*.EXE
C:\RUSSIAN.FNT
****************
THE APPARITION
THE APPARITION II
Multi Layer Coder v 2.00. Jul '96
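The description above gives a handful of file-level indicators an analyst can check for: an .EXE that has lost its MZ header (the virus converts infected EXEs to COM format), the plaintext strings listed, and FF FF bytes where a 55 8B EC prologue used to be. The following triage helper is an added example, not code from the original description; the sample file images in it are constructed, and the marker strings and byte values are taken from the text above.

```python
# Added triage example based on the Apparition description (not the page's own code).
# It reports the indicators the text describes; it does not disinfect anything, since
# the text explains that patched prologues make infected files non-disinfectable.

MARKERS = (                     # plaintext strings quoted in the description
    b"THE APPARITION",
    b"Multi Layer Coder v 2.00",
    b"C:\\RUSSIAN.FNT",
    b"Warning : This file is infected by Apparition !",
)
PROLOGUE = b"\x55\x8b\xec"      # PUSH BP / MOV BP,SP, the C/Pascal "header" it patches
PATCHED = b"\xff\xff"           # what the virus writes there; raises INT 6 when executed
TARGET_EXTS = ("COM", "EXE")    # the only file types the description says it infects


def triage(filename: str, image: bytes) -> dict:
    """Return indicators for one file image; 'suspicious' is the summary verdict."""
    ext = filename.rsplit(".", 1)[-1].upper()
    result = {
        "is_target_type": ext in TARGET_EXTS,
        # An .EXE without the MZ/ZM signature has been converted to COM format,
        # which the description says happens to every infected EXE.
        "exe_without_mz": ext == "EXE" and image[:2] not in (b"MZ", b"ZM"),
        # Plaintext markers. The virus body is encrypted on disk, so an empty list
        # does not clear the file; a hit is strong evidence.
        "markers": [m.decode() for m in MARKERS if m in image],
        # FF FF runs where prologues used to be. Legitimate data also contains FF FF,
        # so these two counts are informational only.
        "ffff_count": image.count(PATCHED),
        "prologue_count": image.count(PROLOGUE),
    }
    result["suspicious"] = result["exe_without_mz"] or bool(result["markers"])
    return result


if __name__ == "__main__":
    # Constructed sample images, not real files.
    clean_exe = b"MZ" + b"\x00" * 30
    infected_exe = b"\xe9\x00\x00" + PATCHED + b"THE APPARITION"
    for name, img in (("HELLO.EXE", clean_exe), ("HELLO.EXE", infected_exe)):
        print(name, triage(name, img))
```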
