Good times | |
---|---|
Type | File virus |
Creator | Qark |
Date Discovered | 1995.04 |
Place of Origin | Australia |
Source Language | Assembly |
Platform | DOS |
File Type(s) | .com, .exe |
Infection Length | 1131 bytes |
Good Times is a polymorphic, memory-resident infector of MS-DOS .COM and .EXE files. The source code of Good Times includes a small portion of the 'Good Times' hoax email, which caused a great deal of panic and confusion in the mid-1990s. It was coded by Qark of VLAD and appeared in Issue 4 of VLAD magazine in April 1995. Among its features are the use of the polymorphic engine RHINCE, coded by VLAD member Rhincewind, and anti-heuristic structures.
Behavior
Good Times used fairly standard methods of infecting .COM and .EXE files, with one exception: when infecting .COM files, the virus follows any JMP NEAR (E9h), JMP SHORT (EBh) and CALL (E8h) instructions in an attempt to place the jump to the virus further inside the file. Only these three instructions are followed.
When infecting .EXE files, Good Times avoids overlay files, .EXE files whose 'maxmem' field is not 0FFFFh, and Windows executables. .EXE files are marked as infected by setting offset 12h (checksum value) of the MZ header to 'BV' (VB). This causes the virus to avoid infecting files that have been generically disinfected by the 'Virus Buster' anti-virus.
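A header triage for the .EXE marker described above, as an added example that is not part of the original research or the virus source. Only the checksum offset (12h), the marker value and the 'maxmem' condition come from the page; the other offsets are the standard MZ layout, and the overlay and Windows-executable tests are conventional checks assumed here.

```python
import struct

# The page writes the marker as 'BV' (VB); the on-disk byte order is not stated, so accept both.
MARKERS = (b"BV", b"VB")

def triage_mz(data: bytes) -> dict:
    """Report the MZ header facts the page ties to Good Times; {} if not an MZ file."""
    if len(data) < 0x1C or data[:2] != b"MZ":
        return {}
    last_page, pages = struct.unpack_from("<HH", data, 0x02)
    (maxmem,) = struct.unpack_from("<H", data, 0x0C)
    (reloc_off,) = struct.unpack_from("<H", data, 0x18)
    # Load image size from the page count; 0 in last_page means the last page is full.
    image = pages * 512 - ((512 - last_page) if last_page else 0)
    windows = False
    if reloc_off >= 0x40 and len(data) >= 0x40:  # conventional new-executable test (assumed)
        (new_hdr,) = struct.unpack_from("<I", data, 0x3C)
        windows = data[new_hdr:new_hdr + 2] in (b"NE", b"PE")
    return {
        "marked": data[0x12:0x14] in MARKERS,   # checksum field at offset 12h
        "maxmem_ffff": maxmem == 0xFFFF,
        "overlay": len(data) > image,           # bytes beyond the load image
        "windows": windows,
    }

def sample_header(checksum=b"\x00\x00", maxmem=0xFFFF, extra=0) -> bytes:
    """Constructed 1024-byte MZ file (header fields only, no code), optional overlay."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<HH", hdr, 0x02, 0, 2)    # two full 512-byte pages
    struct.pack_into("<H", hdr, 0x08, 4)        # header size in paragraphs
    struct.pack_into("<H", hdr, 0x0C, maxmem)
    hdr[0x12:0x14] = checksum
    struct.pack_into("<H", hdr, 0x18, 0x1C)     # relocation table offset (old-style EXE)
    return bytes(hdr) + bytes(1024 - 0x40 + extra)

if __name__ == "__main__":
    for name, blob in [("clean", sample_header()), ("marked", sample_header(b"VB"))]:
        print(name, triage_mz(blob))
```

A set marker is a triage hint rather than proof of infection, since the page notes the same value is left by Virus Buster's generic disinfection.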
When an infected executable is run, Good Times checks whether it is already resident in memory, goes memory-resident if not, and then returns control to the host. To allocate memory, Good Times uses Qark's standard method: it reduces the size of the host's MCB, if it is the last in the chain, as well as the 'top of memory' field of the host PSP. The virus copies itself to this allocated block of memory and hooks INT 21h.
The Good Times INT 21h handler handles the virus's residency check and infects files on open, execute, rename and chmod calls. Only files with extensions beginning with 'c', 'C', 'e' or 'E' are infected. Good Times differentiates between .COM and .EXE files by checking for the presence of an MZ header. Good Times included the text string:
Good Times by Qark/VLAD
Origin and Name
Good Times was coded in Australia in 1995 by Qark of VLAD and appeared in the 4th issue of VLAD's magazine. "Good Times" was also the name of a hoax email of the 1990s warning of a virus that spread by email. There never was an actual email-capable virus named Good Times. Although there were some examples of email worms in the late 1980s, such as the Christmas Tree worm, there would not be an actual email virus until the Sharefun macro virus of 1997.
Sources
Original research by JPanic aka @JPanicVX