Horsa
Horsa
Type File virus
Creator Qark
Date Discovered 1995.08
Place of Origin Australia
Source Language Assembly
Platform DOS
File Type(s) .com
Infection Length bytes

Horsa is a direct-action infecter of the first uninfected MS-DOS .COM file in the current directory. It was coded in Australia by Qark of VLAD and appeared in Issue 5 of VLAD magazine in August 1995. What makes Horsa unusual is the use of direct sector reads and writes (INT 25h/INT 26h) when working with files and directories instead of using the usual INT 21h calls. This allowed it to bypass many anti-virus programs.

Behavior

When an infected .COM file is run Horsa restored the first 3 bytes of the host program, saved the DS register Issue and then realigned CS:IP so that the virus is realigned to cs:0. This avoided the uses of delta offset operations through out the virus and also meant that Horsa be aligned on a paragraph (16-byte) boundary when appended to a victim .COM file.

Once realigned Horsa sets the DTA (Disk Transfer Area) to the heap of the virus and used an INT 21h AH=4Eh/AH=4Fh (ASCII FindFirst/FindNext) to find the first uninfected .COM file. Horsa marked files as infected by setting the low byte of the victims time-stamp so that the low 5-bits were 10h. After this FindFirst/FindNext loop, only INT 25h (logical sector read) and INT 26h (logical sector write) are used to manipulate files and directories.

Horsa uses the ASCII FindFirst/Next entry to obtain the drive, first cluster and cluster count of the victim file. Next Horsa obtains the DPB (Disk Parameter Block) of the drive using INT 21h AH=32h. This provides Horsa with all the information it needs on the logical drive. Horsa determines whether the drive is FAT12 or FAT16 by looking at the total number of clusters of the drive: If there are 0FF8h or more clusters the drive is FAT16, otherwise it is FAT12. Horsa obtains the cluster containing the directory
entry for the victim file. That is used to update the victims size and mark the time-stamp as infected.

A special case routine is used if the victim is in the root directory. Horsa reads the first cluster of the victim and stores the first 3 bytes in the virus body. Horsa appends the virus to the end of the .COM file (on a 16-byte boundary) allocating clusters and updating the FAT (File Allocation Table) as needed. Horsa then patches the first three bytes of the file with a JMP to the appended virus and re-writes the first cluster.

On exiting Horsa flushes the MS-DOS buffers (INT 21h AH=0Dh), restores the original address of the DTA, restores the segment registers to their original values and returns control to the host.

Horsa has some short comings as noted by Qark in the virus source code. Firstly, Horsa does not handle the case when a FAT12 entry spans 2 sectors so 1 in 256 infections on a FAT12 drive will fail. Secondly, no buffering is used. This can make infection quite slow especially on floppy disks. Lastly, infecting only the first uninfected .COM file causes the virus to propagate quite slowly.

Sources

Original research by JPanic aka @JPanicVX

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License