|Type||Boot sector virus|
|Place of Origin||United States|
|Infection Length||1 boot sector|
Incubus is a virus by the American virus coder Priest. It is a master boot record infector that infects floppy disk boot sectors. Incubus is encrypted and uses an interesting method of loading itself into memory. The virus is named after a spirit that impregnates women in their sleep.
Rather than replacing the original boot sector with the virus code and storing the original sector else where on disk, Incubus copies a small 26-byte 'loader' stub over the original code of the sector, saved the original 26-bytes of the sector in the virus body and wrote the full virus else where on the disk. Infected sectors begin with a two byte JMP $+3C (0EBh 3Ch) which passes control to the loader stub at 0:7C3Eh (boot sectors are loaded at 0:7C00h). The small size and position of this stub meant that it sits after the BPB (BIOS Parameter Block) on floppy disks and before the partition table on the MBR.
In floppy disk infections, the full virus body is stored in the last sector of the disk. This is calculated using the 'NumSectors', 'SectorsPerTrack' and 'NumberOfHeads' fields of the BPB. For MBR infections, The main body of the virus is stored in the last sector of the first cylinder of the hard disk (this is unused under MS-DOS). The last sector of the cylinder is calculated by taking the last cylinder/sector field (+06h) of the first partition entry (+1BEh) and then clearing all but the lower 6-bits (sector only). The 26-byte virus loader setup the machine stack and then loaded the virus from the appropriate sector to 0:7E00h (immediately after the original boot sector).
The majority of the code used by Incubus before memory-residency is encrypted - in all 202 bytes. This encrypted portion of the code includes a copy of the 26-byte loader, the original code of the infected boot sector that was patched, the code to infect the MBR and the code to go memory-resident. Incubus uses 300 bytes of the virus that are not encrypted to calculate the encryption key. This unencrypted code includes the INT 40h handler, encryption/decryption routine and the routine to calculate the key, and the routines to patch the sector with the loader and to calculate the last sector of the floppy. Incubus also stores a 'random' 16-bit value in this decrypted code taken from 0:46Ch (BIOS timer ticks) to make the key more random. Before patching a sector with the loader Incubus compares 17 bytes of the sector with the first 17 bytes of the loader to check if it is already infected. When Incubus is loaded to 0:7E00h and executed it immediately sets the DS register and decrypts itself.
The virus next restores the original bytes patched with the JMP and the loader of the boot sector at 0:7C00h. The image of the sector is now its original. Incubus allocates 1kb of memory for itself by reducing the word at 0:413h (BIOS size of conventional memory), copies itself to this newly allocated memory and hooks INT 40h (BIOS Floppy Disk Services). Other strains of Incubus may hook INT 13h (BIOS Disk Services). Incubus will now jump to the new copy of the virus at the top of memory and proceed to infect the MBR. The original MBR code is saved and patched with the JMP/loader and the virus is written to the last sector of the first cylinder.
After infecting the MBR, control is returned back to the original (restored) boot sector at 0:7C00h. The INT 40h (or INT 13h) handler is used solely to infect floppy disks. Floppy boot sectors are infected when a read attempt of exactly one sector is made from the boot sector (head 0, cylinder 0, sector 1). On infecting a floppy, the original code is saved in the virus body, the boot sector is patched and written and the virus is saved in the last sector of the disk. Incubus includes the (encrypted) text string:
Incubus PRiEST - Phalcon/Skism
Incubus has at least two variants. Incubus.B and .C contain a text string "Incubus virus - Little Loc", an alternate name for Priest. They are functionally similar to Incubus.A.
Aside from its interesting infection method, Incubus does not seem to have had any other impact. It is unknown if it appeared in the wild and with no dangerous payload, it could not have caused any damage.
An Incubus is a male spirit that impregnates women in their sleep. The word originates from a Latin word meaning burden or weight, probably because the women could feel the spirit as an oppressive weight on their chests. An incubus was typically a spirit whose insatiable lust for sex caused them to fall from grace. The name was also used for an unsuccessful brand of women's shoes, which became a public relations nightmare for the manufacturer. Priest's reasoning for naming the virus Incubus is uncertain.
Original Research by JPanic aka @JPanicVX
Occultopedia, Incubus, demon lover.