| Gilgamesh | |
|---|---|
| Type | File virus |
| Creator | Qark |
| Date Discovered | 1996.02 |
| Place of Origin | Australia |
| Source Language | Assembly |
| Platform | DOS |
| File Type(s) | .com, .exe |
| Infection Length | 3,001 bytes |
Gilgamesh is a tunnelling, polymorphic, memory-resident retro virus infecting MS-DOS .COM and .EXE files. Polymorphism is achieved with the VIP (VLAD Infinite Polymorphy) engine. Gilgamesh contains some anti-heuristic and anti-debugging constructs, and also attempts to avoid infecting 'bait' files. It was coded by Qark in Australia in February 1996 and appeared in Issue 6 of VLAD magazine.
Behavior
Tunneling
The first thing an infected file does when executed is issue INT 21h with AX=5253h. This one call serves four purposes: it is the virus's residency check; it retrieves the MS-DOS 'List of Lists' (used later to tunnel INT 21h); it leaves IP on the stack so the virus can compute its 'delta offset'; and it doubles as an anti-debugging trick, since the IP on the stack will be overwritten if the virus is being traced.
Gilgamesh uses an unusual tunnelling method. The virus retrieves the INT 21h vector from the IVT (Interrupt Vector Table) and scans the first 1,000 bytes of the handler for 0EAh (JMP FAR) or 9Ah (CALL FAR). If either opcode is found, Gilgamesh moves on to the destination of the JMP/CALL and repeats the 1,000-byte scan there. This continues until the virus reaches the MS-DOS data segment (returned by INT 21h AH=52h) or until no JMP/CALL is found. Because Gilgamesh scans byte-by-byte rather than decoding instructions, a 0EAh or 9Ah byte that is really part of an operand can be mistaken for an opcode, so the method is sometimes unreliable.
Residency and Infection
After this the virus goes memory-resident, using Qark's usual method: if the host's MCB is the last in the chain, it is reduced, along with the 'top of memory' field in the host PSP, and INT 21h is hooked directly.
.COM files are infected in a fairly standard manner. When infecting .EXE files the virus checks for overlays and for 'New Executables' (NE files), and requires that the 'maxmem' field of the header be 0FFFFh. Several checks are made before a victim is infected. Gilgamesh will not infect files created on the current date, or files containing numerical digits in their names; both rules exist to avoid bait files. Gilgamesh also will not infect files whose names begin with: "SC" (scan, scandisk), "TB" (all programs in the ThunderByte Anti-Virus suite), "F-" (F-Prot), "GU" (Dr Solomon's 'Guard'), "AV" (AVP and others), "DV" (dv.exe, dv.com), "CH" (chk*) and "PR" (progman, the Windows Program Manager). INT 21h AH=60h is used to obtain a canonical, fully upper-case path for the victim.
Gilgamesh checks for a .COM or .EXE extension, but differentiates the file formats by checking for the MZ marker. When infecting files Gilgamesh deletes the checksum databases belonging to ThunderByte Anti-Virus, Central Point Anti-Virus, Microsoft Anti-Virus, AVP (Anti-Virus Pro) and Invircible, as well as "chklist.tav" and "smartchk.cps". The full list of checksum databases deleted is: 'ANTI-VIR.DAT', 'CHKLIST.CPS', 'CHKLIST.MS', 'CHKLIST.TAV', 'SMARTCHK.CPS', 'AVP.CRC' and 'IVB.NTZ'. The INT 21h handler of Gilgamesh is quite standard: it performs the residency check and infects files on open and execute calls.
Gilgamesh includes the text string:
=Gilgamesh= by Qark - A VLAD Australia Production
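The details above give an analyst three cheap indicators to work with: the identifying text string, the MZ-versus-extension distinction the virus itself relies on, and the list of checksum databases that disappear after an infection. The following Python script is an added example (not code from the page, from Qark or from VLAD) that turns those into a simple triage scan, and also encodes the page's name-based bait-file rules so that a lab can tell which goat files the virus would never have touched. The sample files it writes are constructed stand-ins, not real infected binaries; the checksum-database baseline it compares against is likewise a constructed assumption.

```python
import tempfile
from pathlib import Path

# Identifying text the page says Gilgamesh carries; used here as a plain signature.
GILGAMESH_MARKER = b"=Gilgamesh= by Qark - A VLAD Australia Production"

# Checksum databases the page lists as deleted by the virus on infection.
CHECKSUM_DATABASES = [
    "ANTI-VIR.DAT", "CHKLIST.CPS", "CHKLIST.MS", "CHKLIST.TAV",
    "SMARTCHK.CPS", "AVP.CRC", "IVB.NTZ",
]

# File-name prefixes the page says the virus refuses to infect.
SKIPPED_PREFIXES = ("SC", "TB", "F-", "GU", "AV", "DV", "CH", "PR")


def executable_format(data: bytes) -> str:
    """Classify by the MZ marker, as the virus does, not by the extension."""
    return "EXE" if data[:2] == b"MZ" else "COM"


def skipped_by_name_rules(filename: str) -> bool:
    """True if the page's name-based rules mean Gilgamesh would never infect
    this file (digits in the name, or a blacklisted prefix). The page's
    'created on the current date' rule needs timestamps and is not modelled."""
    name = filename.upper()
    return any(ch.isdigit() for ch in name) or name.startswith(SKIPPED_PREFIXES)


def scan_file(path: Path) -> dict:
    data = path.read_bytes()
    fmt = executable_format(data)
    ext = path.suffix.upper().lstrip(".")
    return {
        "name": path.name,
        "format": fmt,
        # A .COM carrying an MZ header (or the reverse) deserves a second look.
        "extension_mismatch": ext != fmt,
        "marker_found": GILGAMESH_MARKER in data,
        "never_infected_by_name": skipped_by_name_rules(path.name),
    }


def deleted_checksum_databases(directory: Path, baseline: list[str]) -> list[str]:
    """Checksum databases a clean baseline recorded that are now missing."""
    present = {p.name.upper() for p in directory.iterdir() if p.is_file()}
    return [db for db in baseline
            if db.upper() in CHECKSUM_DATABASES and db.upper() not in present]


def scan_directory(directory: Path, baseline: list[str]) -> dict:
    files = [scan_file(p) for p in sorted(directory.iterdir())
             if p.suffix.upper() in (".COM", ".EXE")]
    return {
        "infected": [f["name"] for f in files if f["marker_found"]],
        "mismatched": [f["name"] for f in files if f["extension_mismatch"]],
        "files": files,
        "deleted_databases": deleted_checksum_databases(directory, baseline),
    }


def build_sample_directory(directory: Path) -> list[str]:
    """Write constructed sample files (hypothetical, not real infected code)
    and return the constructed baseline of databases that 'existed' before."""
    # Tiny clean .COM: mov ax,4C00h / int 21h (exit to DOS).
    (directory / "CLEAN.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21")
    # Stand-in for an infected .EXE: MZ header, padding, then the text string.
    (directory / "HOST.EXE").write_bytes(
        b"MZ" + b"\x00" * 62 + b"\x90" * 100 + GILGAMESH_MARKER)
    # An MZ file renamed to .COM, to show content-based classification.
    (directory / "RENAMED.COM").write_bytes(b"MZ" + b"\x00" * 62 + b"\xc3")
    # Only one of the baseline databases survives.
    (directory / "CHKLIST.MS").write_bytes(b"constructed checksum database\n")
    return ["CHKLIST.MS", "CHKLIST.TAV", "ANTI-VIR.DAT"]


def demo_report() -> dict:
    """Build the constructed sample directory in a temp dir and scan it."""
    directory = Path(tempfile.mkdtemp())
    baseline = build_sample_directory(directory)
    return scan_directory(directory, baseline)


if __name__ == "__main__":
    import json
    print(json.dumps(demo_report(), indent=2))
```

Against the constructed directory the report flags HOST.EXE by the text string, RENAMED.COM for carrying an MZ header under a .COM extension, and CHKLIST.TAV and ANTI-VIR.DAT as databases that vanished relative to the baseline. The name-rule helper explains a common lab puzzle: a goat file called TEST1.COM or SCAN.EXE is never a valid test of this virus, because its own filters discard it before infection is attempted.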
Name
"Gilgamesh" is the name of an ancient semi-legendary Sumerian king and the main character in an epic poem. Qark's reason for giving it this name is not entirely clear.
Sources
Original research by JPanic aka @JPanicVX