Details

ArjVirus

This is a dangerous non-memory-resident virus. It searches for archive files and infects them. Fortunately, it targets only one archive format: the archives must be in the ARJ standard, that is, produced by the ARJ.EXE compressor. ARJ.EXE is an archiver program that compresses and stores one or more files (including subdirectories) in one or several archive files (in slang, “arjive”). This software is copyrighted (c) 1990-1993 by Robert K Jung.

This virus, which is more a worm than a standard DOS virus, is 5000 bytes long. It updates these archives with a copy of itself.

On execution, the infector searches for files with the ARJ extension using the “*.arj” mask (files with the ARJ extension are created by the ARJ.EXE utility and contain the compressed files). It searches for ARJ files in the current directory and all parent directories. If an ARJ archive is found, the virus creates a temporary file with a randomly selected name and the COM extension. The name consists of four letters from ‘A’ to ‘V’; the ‘V’ limitation is because this virus uses the 0Fh limit for the letter number, the 15th (0Fh) letter is ‘V’. The resulting names look like BHPL.COM, NLJJ.COM, OKPD.COM, etc.

Then the virus writes itself (5000 bytes) into this COM file and, to hide itself, appends garbage bytes of randomly selected length to the file. The virus checks that the length of this garbage does not exceed the maximum length of an executable COM file. The resulting worm files are therefore longer than 5000 bytes; 5000 bytes is the length of the worm’s body, which is stored in the file on every infection.

Then the virus inserts that file into the archive that was found. It does this the easiest way: it makes the ARJ.EXE utility do the work. One of the ARJ.EXE switches is the “a” character, which adds file(s) to an ARJ archive. The virus uses this option: it executes ARJ.EXE with the “a” switch by using the standard C function. The string that is executed looks like: c:\ /c arj a .com where is the name with extension of the ARJ archive that was found, is the randomly selected name, four bytes long, described above. The “/c” switch causes COMMAND.COM to execute the specified program (ARJ.EXE) and exit immediately. When this command runs, ARJ.EXE compresses the worm and adds it to the archive that was found. Then the virus deletes the temporary file and searches for the next ARJ file. If there are no archive files in the current directory, the virus moves to the parent one. If the current directory is the disk root directory, the virus returns to DOS.

One of the features of this infector is duplicate infection. When it infects an archive, the virus does not check whether it is already present there, and how could it? Checking the inside of an archive is not an easy task, and I see that the author of this virus did not set it (duplicate infection) as an objective. He realized the new idea in the easiest way, nothing more.

The virus generates random names for the worm files. Sometimes it can generate a name that is already present in the ARJ file being infected. As a result, that file will be overwritten by the virus and its contents will be lost. Of course, the probability of the worm file being executed grows in that case.

To hide its spreading, the virus hooks INT 10h, the video interrupt. It points it to an IRET instruction, which disables the standard output to the screen. This feature hides the virus, but if errors occur while the virus is active, the ARJ.EXE program or DOS will display an error message (for example, “Write protect error writing drive A:”) and wait for an answer. But the virus has disabled the output, so the user will see only a blank screen. It looks as if the computer has hung.

By the way, the virtual DOS machine under MS-Windows switches to full-screen text mode on a write protect error, and it is impossible to switch to another task.

Last note: this virus contains the short internal text string: *.arj .. /c arj a c:\
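
A defender-side triage check built from the indicators described above, added here as an example and not part of the original description: it walks the headers of an ARJ archive and flags members named with four letters ‘A’ to ‘V’ plus .COM whose original size exceeds the 5000-byte worm body. The header layout is my reading of the public ARJ format; the COM size bound, the function names and the sample archive are assumptions constructed for illustration.

```python
import re
import struct

ARJ_MAGIC = b"\x60\xea"
WORM_BODY = 5000      # page: length of the worm body
COM_MAX = 0xFFFF      # assumption: generous upper bound for a COM file
NAME_RE = re.compile(r"^[A-V]{4}\.COM$", re.I)   # page: four letters 'A'..'V'

def arj_members(data):
    """Yield (name, original_size) for every file header in an ARJ image."""
    pos, main_header = 0, True
    while pos + 4 <= len(data) and data[pos:pos + 2] == ARJ_MAGIC:
        (hdr_len,) = struct.unpack_from("<H", data, pos + 2)
        if hdr_len == 0:                       # end-of-archive marker
            return
        hdr = data[pos + 4:pos + 4 + hdr_len]
        if len(hdr) < hdr_len or not 30 <= hdr[0] <= hdr_len:
            raise ValueError("truncated or malformed ARJ header")
        comp_size, orig_size = struct.unpack_from("<II", hdr, 12)
        name = hdr[hdr[0]:].split(b"\0", 1)[0].decode("cp437")
        pos += 4 + hdr_len + 4                 # header plus its CRC32
        while True:                            # skip extended headers
            (ext_len,) = struct.unpack_from("<H", data, pos)
            pos += 2
            if ext_len == 0:
                break
            pos += ext_len + 4
        if not main_header:                    # only file headers carry data
            yield name, orig_size
            pos += comp_size
        main_header = False

def suspicious_members(data):
    """Members matching the page's indicators: name pattern and size."""
    return [(n, s) for n, s in arj_members(data)
            if NAME_RE.match(re.split(r"[\\/]", n)[-1])
            and WORM_BODY < s <= COM_MAX]

def _hdr(name, comp=0, orig=0):
    """Constructed test data: one ARJ header, CRC fields zeroed."""
    body = struct.pack("<8B4I3H", 30, 6, 1, 0, 0, 0, 0, 0,
                       0, comp, orig, 0, 0, 0, 0)
    body += name.encode() + b"\0\0"            # filename, empty comment
    return ARJ_MAGIC + struct.pack("<H", len(body)) + body + b"\0" * 6

# Constructed sample archive: main header, three members, end marker.
SAMPLE = (_hdr("SAMPLE.ARJ") + _hdr("README.TXT", 3, 120) + b"xyz"
          + _hdr("BHPL.COM", 4, 7321) + b"wxyz"
          + _hdr("EDIT.COM", 2, 413) + b"ab" + ARJ_MAGIC + b"\0\0")

if __name__ == "__main__":
    print(suspicious_members(SAMPLE))
```

A match is only a lead: legitimate four-letter COM programs larger than 5000 bytes fit the same pattern, so confirm with a content scan of the extracted member.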
