Goodbye
Goodbye
Type File virus
Creator Qark
Date Discovered 1996.10
Place of Origin Australia
Source Language Assembly
Platform DOS
File Type(s) .com, .exe
Infection Length bytes

Goodbye is a memory-resident infector of MS-DOS .COM and .EXE files. It was coded by Qark of VLAD and appeared in Issue 7 of VLAD magazine in October 1996. It was intended to be Qark's last virus, a farewell to the VX scene, but was followed by two subsequent viruses. An interesting feature of Goodbye is the use of CRC16 algorithm to perform compares and to mark infected files. Goodbye begins with a strange sequence of SUB/MOV/DEC/DIV/ADD/XCHG instructions. The purpose of this code is unknown.

Behavior

When an infected file is run this sequence of instructions is executed, the virus checks if it is already memory-resident and goes resident if not, and then control is passed on back to the host. When going memory-resident Goodbye uses a slightly different method of allocating memory then most of the other viruses by Qark. Goodbye still reduces the size of the host MCB and "top of memory" field of the host PSP if the host is in the last MCB. However, after this Goodbye modifies the host MCB so it is no longer last in the chain, and creates its own MCB with owner field of 0008h (COMMAND.COM/ System). This stops the UMB (Upper Memory Block) MCB from disappearing leaving UMB memory inaccessible to MS-DOS.

After this INT 21h is hooked directly. The INT 21h handler handles the already-resident check and infects files on open, execute, and chmod calls. Files are not infected on 'extended open' but the infection code still has a check for this. When infecting files Goodbye uses INT 21h AH=60h to normalize, complete and upper-case the filename.

Goodbye checks for .COM or .EXE extension using CRC16 of the last 4 bytes of the filename, but differentiates between file formats by checking for 'MZ'/'ZM' marker (also done with CRC16). Goodbye also avoids infecting files: tbscan.exe, avp.exe, f-prot.exe, scan.exe, dv.exe and progman.exe. These filename checks are done with CRC16 as well .COM and .EXE files are infected in the standard manner, although Goodbye uses an interesting infection marker.

In .COM files, Goodbye stores the CRC16 of the 3-byte JMP to the virus immediately after the JMP instruction - this gives the first 5 bytes a CRC16 of 0 (zero). The virus does similar with .EXE files: Goodbye sets the 'checksum' field (+12h) of the MZ header to the 18 bytes preceding it to give the first 20 bytes of the MZ header a CRC16 of zero as well When infecting .EXE files Goodbye avoids infecting NewEXE files and files with the MZ 'maxmem' not equal to 0FFFFh. Goodbye calculates CRC16s a byte at a time using an 8-bit lookup table, generated at virus start-up Goodbye included the text strings:

Goodbye everyone!
Viruses were fun, but I've got other things I'd like to do
Qark/VLAD

Other viruses

There are no known variants of Goodbye. It was supposed to be Qark's last virus, however for different reasons with each, he coded two subsequent ones, Padania and Memorial.

Sources

Original research by JPanic aka @JPanicVX

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License