FreePadania
FreePadania
Type File virus
Creator b0z0/iKx
Date Discovered 1998
Place of Origin Italy
Source Language Assembly
Platform MS Windows
File Type(s) .exe
Infection Length 2,730 bytes
Reported Costs

FreePadania is a 16-bit Windows virus that infects New Executables (NE), a common executable format for early versions of Windows and OS/2. IT was coded by b0z0 of iKx. It's most distinguishing feature is the ability to infect files in the middle rather than the more common method of prepending or appending.

Behavior

When executed, FreePadania checks to make sure the file is not already infected. It also checks that the file is a New Executable. It will skip any files not meeting these standards. On finding a suitable file, it adds its code to the middle of the file. It also makes changes to the NE header so the code will not be treated as junk. The virus then returns control to its host.

In the body of the virus, the following text can be found:

Free_Padania
b0z0/iKx

Origin and Name

FreePadania was coded by b0z0 of the iKx group. It appeard in their 3rd issue in May of 1998. It gets its name from the Padania region of Italy, where an independence movement is active. This is also the region it came from. The coder b0z0 himself has coded at least two other viruses with this theme, including a Word macro virus and another .exe infector. Another virus with this name was coded by Australian coder Qark of VLAD.

Midfile Infection

Midfile infectors are still a very rare type of virus. b0z0 defines a "real" midfile inector as one that both places its body in the middle of the file as well as taking control from the middle, rather than placing a jump instruction at the beginning to point to the virus body in the middle. The latter is easier to implement, but also easier to detect. Past midfile infectors in the past included Nexiv_Der, Sailor_Moon, and The_Bugger.

A real midfile infector is much more difficult to code and therefore much rarer. There were a few .com infectors that placed a CALL in an infected file that passes control to the virus from a random point in the file. Such viruses had to execute the host step-by-step to ensure there is a valid instruction starting there as well as that the files are not self-modifying among other things. The CALL is dependent on the actual program. The virus may not always execute, but to detect the virus, the file must be run with all possible paths of execution explored.

Sources

b0z0/iKx. Mid-Infection on relocations. 1998

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License