F-Secure Virus Descriptions : Fichv 2.1
This encrypted virus contains the text
***FICHV 2.1 vous a eu*****.....
When it activates, it overwrites the first 6 sectors of track 0, head 1 of
the current drive. A slightly different version 2.0 is also known, but it
is only 896 bytes long.
All but the first 107 bytes of the virus are encrypted with XOR B8h. The
key is taken from one of the virus's own code bytes, and the decryption
routine is written to look as though the address it reads the key from is
incremented after each byte; in reality the key is a constant.
When an infected file is run, the vectors for INT 01h (single-step trap)
and INT 03h (breakpoint) are saved and a routine that decrypts a single
byte is installed as the handler for both. The first byte is decrypted via
INT 3 and the rest of the virus through repeated INT 1 traps. The first
thing done in the encrypted area is to restore the original vectors.
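The decryption described above is, stripped of the INT 1/INT 3 trick, a plain XOR of every byte past the 107-byte cleartext stub with the constant B8h. The following C is an added example, not code from the original description: it builds a constructed sample (filler bytes plus the marker text at a chosen offset, encrypted the same way), shows that a raw byte scan for the text fails, and recovers it after decrypting. The sample layout, the 40-byte offset and the function names are assumptions for illustration; only the 107-byte prefix, the key and the marker text come from the description.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FICHV_CLEAR_PREFIX 107   /* bytes left unencrypted, per the description */
#define FICHV_XOR_KEY      0xB8  /* constant key, despite the decoy pointer arithmetic */

/* Marker text from the description (without the leading/trailing asterisks). */
static const char FICHV_MARKER[] = "FICHV 2.1 vous a eu";

/* Decrypt a captured body in place: the first `prefix` bytes are the cleartext
 * decryptor stub and are left alone, everything after is XORed with `key`.
 * The real virus does this one byte per INT 1 trap; a loop is equivalent.
 * Returns the number of bytes decrypted. */
size_t fichv_decrypt(uint8_t *buf, size_t len, size_t prefix, uint8_t key) {
    if (len <= prefix) return 0;
    for (size_t i = prefix; i < len; i++) buf[i] ^= key;
    return len - prefix;
}

/* Search a buffer for the marker text. Returns its offset or -1. */
long fichv_find_marker(const uint8_t *buf, size_t len) {
    size_t mlen = strlen(FICHV_MARKER);
    for (size_t i = 0; i + mlen <= len; i++)
        if (memcmp(buf + i, FICHV_MARKER, mlen) == 0) return (long)i;
    return -1;
}

/* Constructed test data (assumption, not a real sample): 107 NOP-filler bytes,
 * then a body with the marker 40 bytes in, encrypted like the virus does it. */
size_t fichv_make_sample(uint8_t *out, size_t cap) {
    size_t body_off = FICHV_CLEAR_PREFIX + 40;
    size_t total = body_off + strlen(FICHV_MARKER) + 16;
    if (cap < total) return 0;
    memset(out, 0x90, total);
    memcpy(out + body_off, FICHV_MARKER, strlen(FICHV_MARKER));
    for (size_t i = FICHV_CLEAR_PREFIX; i < total; i++) out[i] ^= FICHV_XOR_KEY;
    return total;
}

/* Returns the marker offset found in the sample, scanning either the raw
 * bytes (decrypt_first == 0) or after decryption; -2 if the sample failed. */
long fichv_demo(int decrypt_first) {
    uint8_t sample[256];
    size_t n = fichv_make_sample(sample, sizeof sample);
    if (n == 0) return -2;
    if (decrypt_first) fichv_decrypt(sample, n, FICHV_CLEAR_PREFIX, FICHV_XOR_KEY);
    return fichv_find_marker(sample, n);
}

int main(void) {
    printf("marker in raw sample: %ld, after XOR %02X: %ld\n",
           fichv_demo(0), FICHV_XOR_KEY, fichv_demo(1));
    return 0;
}
```

The point for a scanner writer is that a string signature on the marker only works on the decrypted body; a static signature for this family has to cover the 107 cleartext bytes of the stub, or decrypt first.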
The virus fetches the INT 21h vector. If the first byte of the segment the
vector points into is 'F', the virus considers itself already installed. If
it is already installed, if the current program name matches "*COMMAND.*",
or if an error occurs during installation, the PSP is copied to 6000:0000h
and the original program is run.
During installation the old INT 21h vector is stored in the virus code and
the current program name is fetched from the program's environment. The
program's memory block is shrunk to the size of the virus and the INT 21h
handler is installed (the first byte of its segment is set to 'F'). The
host program is then executed from disk with interception disabled, and the
virus terminates and stays resident with INT 21h/AH=31h. The return value
passed in AL is not the host program's return value but the return value of
the load/exec call. Interrupt vectors are read and set through DOS calls
rather than by writing the interrupt vector table directly.
The INT 21h handler intercepts DOS functions 4Bh (load/execute program) and
3Dh (open file). Interception is disabled by passing BP=00FFh. While an
intercepted call is handled, the DTA is saved and temporarily switched to
CS:0080h.
Infection only takes place if more than 3000 bytes are free on the current
drive. A suitable file matching "*.com" in the current directory is
selected for infection. It must be at least 1500 bytes long and its
timestamp must not have a seconds field of 62, the value the virus uses to
flag files it has already infected.
A dummy critical error handler (INT 24h) is installed each time a file is
to be infected. The old handler is never restored, so crashes are likely
some time after infected files have been run.
Date and time are preserved, except the seconds field is set to 62.
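The seconds-field marker works because a DOS packed time word stores seconds divided by two in its low 5 bits, so DOS itself only ever writes 0 to 29 there (0 to 58 seconds); a value of 31 reads back as 62 seconds and therefore never collides with a legitimately stamped file. The C below is an added example, not code from the description or from the virus: it decodes and marks DOS time words and then applies the file-selection rules given above (free space over 3000 bytes, *.com, at least 1500 bytes, not already marked) to a constructed directory listing. The directory entries, sizes and time values are invented for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* DOS packed time word: bits 15-11 hours, 10-5 minutes, 4-0 seconds/2. */
#define DOS_TIME_SEC_MASK 0x001Fu
#define FICHV_SEC_MARK    62      /* seconds value the virus uses as its marker */
#define FICHV_MIN_FREE    3000    /* bytes that must be free on the drive */
#define FICHV_MIN_SIZE    1500    /* minimum host size */

unsigned dos_time_hours(uint16_t t)   { return (t >> 11) & 0x1F; }
unsigned dos_time_minutes(uint16_t t) { return (t >> 5) & 0x3F; }
unsigned dos_time_seconds(uint16_t t) { return (t & DOS_TIME_SEC_MASK) * 2; }

uint16_t dos_time_pack(unsigned h, unsigned m, unsigned s) {
    return (uint16_t)(((h & 0x1F) << 11) | ((m & 0x3F) << 5) | ((s / 2) & 0x1F));
}

/* Keep hours and minutes, force the 5-bit seconds field to 31 (= 62 s). */
uint16_t fichv_mark_time(uint16_t t) {
    return (uint16_t)((t & ~DOS_TIME_SEC_MASK) | (FICHV_SEC_MARK / 2));
}

/* The check the virus makes before infecting, and a scanner can make to spot
 * infected files: a 62-second timestamp is never produced by DOS itself. */
int fichv_is_marked(uint16_t t) {
    return dos_time_seconds(t) == FICHV_SEC_MARK;
}

struct dir_entry { const char *name; uint32_t size; uint16_t time; };

static int has_com_ext(const char *name) {
    size_t n = strlen(name);
    if (n < 4 || name[n - 4] != '.') return 0;
    return tolower((unsigned char)name[n - 3]) == 'c' &&
           tolower((unsigned char)name[n - 2]) == 'o' &&
           tolower((unsigned char)name[n - 1]) == 'm';
}

/* Index of the first entry the virus would infect, or -1, following the
 * selection rules in the description. */
int fichv_pick_target(const struct dir_entry *d, int count, uint32_t free_bytes) {
    if (free_bytes <= FICHV_MIN_FREE) return -1;
    for (int i = 0; i < count; i++) {
        if (!has_com_ext(d[i].name)) continue;
        if (d[i].size < FICHV_MIN_SIZE) continue;
        if (fichv_is_marked(d[i].time)) continue;   /* already carries the 62 s flag */
        return i;
    }
    return -1;
}

/* Constructed sample directory (assumption, not a real listing). 0x8A21 is
 * 17:17:02; 0x8A3F is the same time with the seconds field forced to 62. */
static const struct dir_entry SAMPLE_DIR[] = {
    { "README.TXT", 4096, 0x8A21 },   /* wrong extension */
    { "TINY.COM",    800, 0x8A21 },   /* below 1500 bytes */
    { "DONE.COM",   3000, 0x8A3F },   /* already marked */
    { "HOST.COM",   5000, 0x8A21 },   /* the one that gets infected */
};
#define SAMPLE_DIR_COUNT 4

int fichv_demo_pick(uint32_t free_bytes) {
    return fichv_pick_target(SAMPLE_DIR, SAMPLE_DIR_COUNT, free_bytes);
}

int main(void) {
    int idx = fichv_demo_pick(65536);
    printf("target: %s\n", idx < 0 ? "(none)" : SAMPLE_DIR[idx].name);
    printf("marked time 0x%04X -> %u:%02u:%02u\n", fichv_mark_time(0x8A21),
           dos_time_hours(0x8A3F), dos_time_minutes(0x8A3F), dos_time_seconds(0x8A3F));
    return 0;
}
```

A directory listing that shows files stamped with an impossible :62 seconds value is the cheapest manual check for this family; conversely, touching the seconds field of a clean file to 62 inoculates it against this virus, at the cost of a slightly wrong timestamp.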
Whenever the infection routine needs a buffer, it uses 6000:0000h without
checking whether another program is using that memory. For instance, the
virus is copied to this area to be encrypted.
Infection is done by prepending the virus code to the start of the file.
When the infection routine exits, it checks whether the byte at CS:0000 is
'G' to decide how to leave. If the virus is installed, it simply tidies up
and returns to DOS. If it is not installed, the PSP is copied to 6000:0000h
and, if the month is March, the damage routine is invoked. Otherwise a copy
routine is copied to 6000:0010h and jumped to; it copies the first
virus_size bytes of the host file back to the beginning of the program and
jumps indirectly to the program's start.
The damage routine copies the text '****FICHV 2.1 vous a eu*' 85 times in
succession into the buffer at 6000:0000h (85 x 24 = 2040 bytes, less than
the 3072 bytes of six 512-byte sectors, so the tail of each written span
carries whatever else was in the buffer). The string in the virus body has
four more '*' at the end that were probably meant to be included; the
author must have miscounted. The text means "FICHV 2.1 got you". The buffer
is written to the first 6 sectors of the first 256 cylinders of the current
drive, heads 0 and 1. This loops forever unless the INT 13h write-sector
call returns an error, in which case the virus exits into the host program
just as it would had the damage not been done.
Another variant is 897 bytes long and infects EXE files rather than COM
files. An earlier version of the virus is also known.