Megastealth | |
---|---|
Type | Multipartite virus |
Creator | Qark |
Date Discovered | 1995.02 |
Place of Origin | Australia |
Source Language | Assembly |
Platform | DOS |
File Type(s) | .com |
Infection Length | bytes |
Megastealth is a memory resident stealth multipartite infecter of MS-DOS .COM files, floppy boot sectors and the Master Boot Record. The main feature of this virus is 'hardware' level stealth. It was coded by Qark of VLAD and appeared in Issue 3 of VLAD magazine in February of 1995.
Behavior
When loading from an infected sector 'Megastealth' sets up the stack and then allocates 2 kilobytes of memory. Like 'Hemlock' and 'BIOS Meningitis' memory is allocated by reducing the 16-bit value at 40h:13h (amount of conventional memory installed) by 2. Megastealth then reads in two sectors containing the virus body and hooks INT 13h, clears a flag to mark if INT 21h has been hooked and if the virus is a 80286+ (AT) hooks INT 76h (IDE Controller IRQ). Megastealth the issues an INT 19h (BIOS Bootstrap Loader) to continue with the boot process.
The INT 76h handler is used to implement stealth of the MBR at the hardware level. When the IRQ occurs, Megastealth checks if it is a read from physical sector 1 (the MBR) by querying values of the IDE Controller (ports 1F0h - 1F7h). If it is a read of the MBR, Megastealth reads in data of original read attempt from the IDE data port and then sends values and command to the IDE controller to read in physical sector 4 (the original uninfected MBR). This algorithm means that even when using the original ROM BIOS INT 13h handler, the MBR is stealthed while INT 76h handler is in place.
Megastealth disables the INT 76h handler while infecting a disk. Megastealth's INT 13h handler serves three
purposes: to infect boot sectors, to stealth boot sectors and to hook INT 21h when booting from an infected disk. The INT 13h handler function is very similar to that of Hemlock. When reading the boot sector/MBR of a disk, if the disk is infected, the read is stealthed. If the disk is not infected the disk is infected.
Megastealth shares the same peculiarity with 'Hemlock': the track to store the virus body on when infected is calculated using the BIOS Parameter Block, but the last sector of the root directory used to store the original uninfected sector is hard-coded, leading to corruption of all floppies other than 5.25 in 1.2mb ones. Megastealths INT 13h hooks INT 21h on loading from an infected disk when the first 'MZ' header is read
in.
When executed from an infected .COM file, Megastealth first checks if it is already present in memory and goes resident if not. Memory is allocated in the same manner as 'Hemlock': if the host MCB is the last in the chain, it and the 'Top Of Memory' field of the host PSP (Program Segment Prefix) are reduced in size, and the virus copies itself to the newly created space. Megastealth then hooks INT 13h, issues a read of the MBR (to infect MBR by INT 13h handler) and then hooks INT 21h. After this Megastealth restores and returns control to the host.
INT 76h is not hooked when loading from an infected .COM file. The INT 21h handler is used primarily for one purpose: infecting .COM files. .COM files are infected on open, execute, chmod and rename calls. The INT 21h handler also seems to have a debugging feature: on each INT 21h call the handler displays a '"' (double quote) character in the corner of the screen if the VGA controller is in a text mode.
Megastealth includes the text string:
[MegaStealth] by qark/VLAD
Sources
Original research by JPanic aka @JPanicVX