Hemlock was a polymorphic, full stealth and multipartite infector of the MBR, floppy boot sectors and MS-DOS .COM, .EXE and .SYS files. It was coded by Qark of VLAD and published in issue 3 of VLAD magazine in February of 1995.

Behavior

MBR Infection

When loading from an infected boot sector or MBR, the virus takes several actions. First the virus sets up its own stack. Next the virus allocates 8 kilobytes of memory by reducing the 16-bit WORD at 40h:13h (this is the amount of conventional memory available to the machine according to the BIOS).

Hemlock then attempts to read the 7 sectors containing the virus code to this newly allocated memory - the virus will go into an (infinite) loop until this read succeeds. Upon reading the virus, 3 variables are reset related to the hooking of INT 21h later on and INT 13h (BIOS Disk Services) and INT 09h (Keyboard IRQ Handler) are hooked directly in the IVT (Interrupt Vector Table). The entire IVT (Interrupt Vector Table) and the original video mode are also saved. This is done in an attempt to survive a warm reboot: When CTRL + ALT + DEL is pressed Hemlock restores the original video mode and IVT, makes sure the machine is not in protected mode and then issues an INT 19h (BIOS Boot Strap Loader).

The INT 13h hook provides 3 functions - boot sector infection, boot sector/MBR stealth and hooking INT 21h when MS-DOS is loaded. When attempting to read physical sector 1 of a disk (boot sector/MBR) if the disk is infected stealth action is taken, if the disk is uninfected the disk is infected. The boot sector/MBR stealth mechanism simply redirects reading of the infected boot sector to the sector containing the original uninfected sector.

When infecting disks the original boot sector/MBR is replaced with the virus boot loader that takes action as described above. In the case of MBR (hard drive) infection, the original MBR and virus body are saved in the 8 sectors starting from physical sector 3 - this space should be unused on a machine running MS-DOS.

When infecting a floppy disk boot sector the virus takes some strange actions. the virus calculates and allocates the last cylinder of the floppy using the BPB (BIOS Parameter Block). The virus body is saved to the last cylinder of the diskette but the original boot sector is placed at sector 14, cylinder 0, head 1. This leads to the same problem as BIOS Meningitis - floppy types other than 5.25 inch 1.2mb may be corrupted.

On infecting the MBR, the virus attempts to bypass anti-virus software by using 'tunneled' INT 13h and INT 15h vectors. The virus attempts to retrieve the original INT 15h address by checking a hard-coded value in the ROM BIOS: F000h:F859h. The virus searches segment F000h as well for 5-byte signature of most AMI-BIOS's INT 13h handler.

The INT 13h handler is additionally used to hook INT 21h when MS-DOS is loaded when boot from an infected disk - four conditions are used to decide when to hook INT 21h. The first condition to hook INT 21h is if any write attempt is made to disk. The second is if INT 13h is called with Hemlocks residency check - this will always come from a file since infected sectors are not re-executed due to the INT 13h stealth
mechanism. The third is if AUTOEXEC.BAT seems to be read - the virus checks for the read of a sector starting with '@EC' (case insensitive). The fourth method to check for MS-DOS loading is the read of the first MZ header - or the tenth if QEMM (Quarterdeck Expanded Memory Manager) is found to be present.

File Infection

When infecting .SYS, .COM and .EXE files the virus checks the extension (case insensitive) but differentiates .COM and .EXE files by checking for MZ marker. When run from an infected .SYS checks if the virus is already resident and if the MBR is is already infected and hits the MBR if not. The tunneled INT 13h and INT 15h vectors are used as described above.

Hemlock does not go memory resident from infected .SYS files. When run from an infected .COM or .EXE file Hemlock performs the same actions as with .SYS files and then installs itself memory resident. The virus allocates memory by ensuring the MCB (Memory Control Block) of the host file is the last block in the chain and then reduces its size by the amount required and adjusts the PSP 'top of memory' field (offset 02h). The virus copies itself to this newly allocated space and hooks INT 21h and INT 13h directly. The virus then returns to the host.

When infecting .EXE files Hemlock adjusts the 'maxmen' field of the MZ header to avoid some anti-virus programs self-check (specifically Thunder-Byte). Apart from this, .SYS, .COM and .EXE files are infected in a standard manner. The virus increases the date-stamp of infected files by 100 years as an infection marker.

Hemlocks INT 21h handler is used both for file infection and stealth. Files are infected on open, execute, chmod and rename calls. On 'open' calls special 'stealth' action is taken too: Hemlock retrieves the SFT
(System File Table) entry for the infected file and reduces the file length field to the uninfected size to stop programs reading past the original end of file and into the virus body.

On 'execute' calls special action is taken too. If the program to be executed is a known archiver (PKZIP, ARJ or LHA) stealth is disabled to allow the virus to spread - infecting files to be added to the archive. The same action is taken in the case of disk checking programs (CHKDSK, NDD, SCANDISK) - this is done to stop these programs reporting file system corruption because space allocated on disk does not correspond to the reported length of the file.

When 'TBSCAN' is run Hemlock appends "co nm" to the command line. This stops TBSCAN from scanning memory and detecting the virus. When WIN is run (MS-Windows) Hemlock appends "/d:f" to the command line. This disables 32-bit disk access, allowing Hemlocks INT 13h handler to stay active. On 'read' calls Hemlock checks if the read attempt is in the first 24 bytes of the file and is it is redirects the read to the original file header making the file appear uninfected.

On FCB/ASCII FindFirst/FindNext calls Hemlock implements 'size stealth' substituting the infected length of the file with the uninfected length and also hides the viruses date-stamp marker. On an attempt to retrieve the date-stamp of an infected file, the date-stamp marker is also removed. Hemlock attempts to disable anti-virus and other software from single-step tunnelling through its INT 21h and INT 13h handlers by disabling the Trace Flag. Hemlock is polymorphic in all file infections.

Hemlock includes the text string:

Hemlock by [qark/VLAD]

Variants

There is one variant of Hemlock. The only difference is that the text contained in the virus body is "Hemlock".

Name and Background

The Hemlock source code contains the comment: "Hemlock is the poison that killed Socrates and the way I figure it, what's good for one Greek philosopher is good enough for another." This seems to be a reference to 'Aristotle', the VX BBS sysop who developed a reputation for self-aggrandizement and unethical behavior. The final straw came when without permission, he released the source code of the Nuke Encryption Device (NED, a polymorphic engine) to several people, including Priest, a coder he would turn in to the Secret Service shortly after.

Sources

Original research by JPanic aka @JPanicVX

Qark. VLAD Issue 3, Hemlock source code

Rock Steady. NuKE Info-Journal #8, Screwing People Over, The Aristotle Style. 1994.04