|Place of Origin||Australia|
|File Type(s)||.com, .exe|
|Infection Length||3,566 bytes|
Padania is a memory-resident and direct-action polymorphic stealth infector of MS-DOS .COM and .EXE files. It uses anti-heuristic and retro (anti-anti-virus) code. It was coded by Qark of VLAD and appeared in Issue 7 of VLAD magazine in October 1996.
When an infected file is executed, it immediately calls INT 21h AH=52h (Get List of Lists); the word just below the returned ES:BX pointer holds the segment of the first MCB (Memory Control Block), and the virus walks the MCB chain from there. The walk serves three purposes. First, Padania checks for MCBs whose owner-name field begins with 'TB' (ThunderByte Anti-Virus) or 'NE' (Nemesis) and immediately returns control to the host if either anti-virus is found. Second, it checks whether Padania is already resident: if the owner name of the last MCB in the chain begins with 'DO' (DOS), Padania is already resident and control returns to the host. Note that the 'DOS' owner name is not something MS-DOS itself uses (MS-DOS marks system MCBs by setting the owner PSP field to 0008h); it is simply the name Padania chooses for its own MCB. Third, the last MCB is the one used to go memory-resident.
When going resident, Padania allocates memory by reducing the size of the last MCB and lowering the 'top of memory' field (offset 02h) in its owner's PSP, marks that MCB as no longer the last in the chain, and creates a new MCB for itself in the space freed above it. Carving memory this way rather than allocating through DOS leaves UMBs (Upper Memory Blocks) accessible. The new MCB is marked as the last in the chain, given an owner PSP field of 0008h (system) and the name 'DOS'. Padania then copies itself to the newly allocated memory, passes control to the new copy and hooks INT 21h directly (by writing the interrupt vector rather than calling DOS Set Interrupt Vector). Once resident, it immediately issues an INT 21h AX=4B00h (EXEC) call; this stops some memory-resident anti-virus monitors from warning that the INT 21h vector has changed.
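The MCB walk and the residency carve-out described above, as an added example in C that is not part of the original analysis or of the virus's own code. It runs against a small constructed image of conventional memory: the `mem` array, the chain laid out by `build_chain` starting at segment 0100h, and the names 'MOUSE' and 'HOST' are assumptions for the example. On real DOS the first MCB segment is the word at ES:BX-2 after INT 21h AH=52h; everything after that point (the type/owner/size/name layout of an MCB, the 'Z' last-block marker, the top-of-memory word at PSP offset 02h) is the documented DOS behaviour the page relies on.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DOS Memory Control Block: one 16-byte paragraph just below the memory it
 * describes (documented DOS 4+ layout). The name field is what Padania reads. */
#pragma pack(push, 1)
typedef struct {
    uint8_t  type;        /* 'M' = another block follows, 'Z' = last block */
    uint16_t owner;       /* owner PSP segment; 0000h = free, 0008h = system */
    uint16_t paras;       /* block size in paragraphs, excluding the MCB itself */
    uint8_t  reserved[3];
    char     name[8];     /* owner program name (DOS 4+) */
} mcb_t;
#pragma pack(pop)

/* Simulated conventional memory (constructed for this example): segment s
 * lives at mem[s * 16], so MCB arithmetic works exactly as on a real machine. */
#define PARAS 4096                      /* 64 KB of simulated memory */
static uint8_t mem[PARAS * 16];
static mcb_t *mcb_at(uint16_t seg) { return (mcb_t *)&mem[(size_t)seg * 16]; }

enum walk_result { WALK_CLEAN, WALK_AV_PRESENT, WALK_ALREADY_RESIDENT, WALK_BROKEN };

/* Walk the chain from the first MCB, applying Padania's three checks.
 * On WALK_CLEAN, *last receives the segment of the last ('Z') MCB. */
enum walk_result walk_chain(uint16_t first, uint16_t *last)
{
    uint16_t seg = first;
    for (int hops = 0; hops < PARAS; hops++) {
        mcb_t *m = mcb_at(seg);
        if (m->type != 'M' && m->type != 'Z') return WALK_BROKEN;
        /* 1: a ThunderByte (TB*) or Nemesis (NE*) block is resident: give up */
        if (memcmp(m->name, "TB", 2) == 0 || memcmp(m->name, "NE", 2) == 0)
            return WALK_AV_PRESENT;
        if (m->type == 'Z') {
            /* 2: the last block is already named 'DOS': the virus is resident */
            if (memcmp(m->name, "DO", 2) == 0) return WALK_ALREADY_RESIDENT;
            *last = seg;                          /* 3: the block to carve from */
            return WALK_CLEAN;
        }
        seg = (uint16_t)(seg + 1 + m->paras);     /* next MCB follows the data */
        if (seg >= PARAS) return WALK_BROKEN;
    }
    return WALK_BROKEN;
}

/* Top-of-memory word at PSP offset 02h: first segment the program does not own. */
uint16_t psp_top(uint16_t psp)
{
    return (uint16_t)(mem[(size_t)psp * 16 + 2] | mem[(size_t)psp * 16 + 3] << 8);
}

/* Carve `need` paragraphs off the top of the last block as the page describes:
 * shrink it, mark it 'M', lower its owner's top-of-memory word, and build a new
 * 'Z' block above it owned by the system (0008h) and named "DOS".
 * Returns the new block's MCB segment, or 0 if the block is too small. */
uint16_t go_resident(uint16_t last, uint16_t need)
{
    mcb_t *m = mcb_at(last);
    if (m->paras < need + 1u) return 0;           /* +1 for the new MCB itself */
    m->paras = (uint16_t)(m->paras - need - 1);
    m->type = 'M';
    uint16_t newseg = (uint16_t)(last + 1 + m->paras);
    if (m->owner != 0 && m->owner != 0x0008) {    /* a real PSP: fix its top */
        mem[(size_t)m->owner * 16 + 2] = (uint8_t)(newseg & 0xFF);
        mem[(size_t)m->owner * 16 + 3] = (uint8_t)(newseg >> 8);
    }
    mcb_t *v = mcb_at(newseg);
    memset(v, 0, sizeof *v);
    v->type = 'Z';
    v->owner = 0x0008;
    v->paras = need;
    memcpy(v->name, "DOS", 3);
    return newseg;
}

/* Constructed chain: a system block, one TSR with the given name, and the
 * running host as the last block, with the host PSP's top-of-memory set. */
uint16_t build_chain(const char *tsr_name)
{
    memset(mem, 0, sizeof mem);
    uint16_t seg = 0x100;
    mcb_t *m = mcb_at(seg);
    m->type = 'M'; m->owner = 0x0008; m->paras = 0x0F; memcpy(m->name, "SD", 2);
    seg = (uint16_t)(seg + 1 + m->paras);
    m = mcb_at(seg);
    m->type = 'M'; m->owner = (uint16_t)(seg + 1); m->paras = 0x40;
    size_t n = strlen(tsr_name); if (n > 8) n = 8; memcpy(m->name, tsr_name, n);
    seg = (uint16_t)(seg + 1 + m->paras);
    m = mcb_at(seg);
    m->type = 'Z'; m->owner = (uint16_t)(seg + 1);
    m->paras = (uint16_t)(PARAS - 1 - seg); memcpy(m->name, "HOST", 4);
    mem[(size_t)m->owner * 16 + 2] = (uint8_t)(PARAS & 0xFF);
    mem[(size_t)m->owner * 16 + 3] = (uint8_t)(PARAS >> 8);
    return 0x100;
}

int main(void)
{
    uint16_t last = 0, first = build_chain("MOUSE");
    if (walk_chain(first, &last) != WALK_CLEAN) return 1;
    uint16_t v = go_resident(last, (3566 + 15) / 16);   /* virus length in paragraphs */
    printf("virus MCB at %04Xh, host top of memory now %04Xh, re-walk=%d\n",
           v, psp_top((uint16_t)(last + 1)), walk_chain(first, &last));
    return 0;
}
```

A second walk after `go_resident` returns the already-resident verdict, which is exactly the property a scanner can turn around: a chain whose last block is system-owned yet carries a name DOS never writes is worth flagging.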
Padania then infects every .COM file in the current directory, unless the current directory is on a floppy disk. This direct-action infection is achieved by an ASCII FindFirst/FindNext (INT 21h AH=4Eh/4Fh) loop that calls INT 21h AX=4300h (Get File Attributes, the 'chmod' function) on each file; the now-resident copy of the virus intercepts those calls and infects the files. Control is then returned to the host.
Stealth and Retroviral
Padania's INT 21h handler starts with a code stub very similar to that of the MS-DOS INT 21h handler, so that a casual look at where the hooked vector points appears legitimate. The handler serves three purposes: infection, stealth and retro abilities. Files are infected on open, execute, chmod and delete calls. Infected files are marked by setting the 'seconds' value of the victim's time-stamp to 62 (the DOS time word stores seconds/2 in its low 5 bits, so the raw field value is 31, outside the 0-29 range DOS itself ever writes).
Stealth is implemented on handle read (INT 21h AH=3Fh) and handle lseek (INT 21h AH=42h) calls, on ASCII and FCB FindFirst/FindNext calls (INT 21h AH=4Eh/4Fh and AH=11h/12h), and on Get File Date/Time calls (AX=5700h). For read calls, if the read begins within the first 28 bytes of the infected file (the modified header) the original uninfected header is substituted; if the read would run past the original end of the file into the virus body, it is cut short at the original end. For lseek calls, a seek relative to the end of the file (origin = 02h) is modified to be relative to the end of the original file rather than the end of the infected file. For FindFirst/FindNext calls the size field of the returned entry is corrected to the original file size.
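The read and lseek stealth described above, as an added example in C that is not part of the original analysis or of the virus's own code. It models one open handle on an infected file with a constructed 100-byte host and the page's constants (28-byte header, 3,566-byte body); the in-memory layout, including the assumption that the saved original header sits at the start of the appended body and that the overwritten header is a JMP into it, is the example's own. `raw_read` is the unhooked view, and `stealth_delta` is the check a scanner makes: the true length minus the length the hooked lseek reports.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN   28      /* bytes of the host header Padania overwrites */
#define VIRUS_LEN 3566    /* bytes appended to the host */

/* One open handle on an infected file, as tracked by the resident virus. */
typedef struct {
    const uint8_t *disk;          /* the infected image actually on disk */
    size_t len;                   /* infected length */
    size_t orig_len;              /* len - VIRUS_LEN */
    uint8_t orig_hdr[HDR_LEN];    /* saved original header (assumed kept in the body) */
    size_t pos;                   /* DOS file pointer for this handle */
} infected_file_t;

/* What the caller sees through Padania's INT 21h AH=3Fh (read) hook. */
size_t stealth_read(infected_file_t *f, uint8_t *buf, size_t n)
{
    if (f->pos >= f->orig_len) return 0;                      /* past original EOF */
    if (f->pos + n > f->orig_len) n = f->orig_len - f->pos;   /* cut at original EOF */
    memcpy(buf, f->disk + f->pos, n);
    if (f->pos < HDR_LEN) {                                   /* read starts in header */
        size_t k = HDR_LEN - f->pos;
        if (k > n) k = n;
        memcpy(buf, f->orig_hdr + f->pos, k);                 /* substitute original */
    }
    f->pos += n;
    return n;
}

/* INT 21h AH=42h (lseek) hook: origin 02h is taken from the original end. */
long stealth_lseek(infected_file_t *f, long off, int origin)
{
    long base;
    switch (origin) {
    case 0: base = 0; break;
    case 1: base = (long)f->pos; break;
    case 2: base = (long)f->orig_len; break;                  /* not f->len */
    default: return -1;
    }
    if (base + off < 0) return -1;
    f->pos = (size_t)(base + off);
    return (long)f->pos;
}

/* The unhooked view: what a clean-booted scanner or a raw sector read returns. */
size_t raw_read(const infected_file_t *f, size_t pos, uint8_t *buf, size_t n)
{
    if (pos >= f->len) return 0;
    if (pos + n > f->len) n = f->len - pos;
    memcpy(buf, f->disk + pos, n);
    return n;
}

/* Detection check: true length minus the length the hooked lseek reports.
 * A positive value is a stealth virus giving itself away. */
long stealth_delta(infected_file_t *f)
{
    size_t saved = f->pos;
    long reported = stealth_lseek(f, 0, 2);
    f->pos = saved;
    return (long)f->len - reported;
}

/* Constructed sample: a 100-byte host whose first 28 bytes become a JMP into
 * the appended body; the original header is stored at the body's start. */
uint8_t sample_original[100];
static uint8_t sample_disk[100 + VIRUS_LEN];

void make_sample(infected_file_t *f)
{
    for (int i = 0; i < 100; i++) sample_original[i] = (uint8_t)(0x40 + i);
    memcpy(sample_disk, sample_original, 100);
    sample_disk[0] = 0xE9;                          /* JMP rel16 to offset 100 */
    sample_disk[1] = (uint8_t)((100 - 3) & 0xFF);
    sample_disk[2] = (uint8_t)((100 - 3) >> 8);
    memset(sample_disk + 3, 0x90, HDR_LEN - 3);     /* rest of the 28 bytes clobbered */
    memset(sample_disk + 100, 'V', VIRUS_LEN);
    memcpy(sample_disk + 100, sample_original, HDR_LEN);  /* saved header (assumed layout) */
    f->disk = sample_disk; f->len = sizeof sample_disk;
    f->orig_len = f->len - VIRUS_LEN;
    memcpy(f->orig_hdr, sample_disk + 100, HDR_LEN);
    f->pos = 0;
}

int main(void)
{
    infected_file_t f; uint8_t buf[64];
    make_sample(&f);
    size_t n = stealth_read(&f, buf, sizeof buf);
    printf("stealth read: %zu bytes, header intact: %s\n", n,
           memcmp(buf, sample_original, HDR_LEN) == 0 ? "yes" : "no");
    printf("stealth EOF %ld, raw length %zu, delta %ld\n",
           stealth_lseek(&f, 0, 2), f.len, stealth_delta(&f));
    return 0;
}
```

Because every DOS call goes through the hook, a program that only uses INT 21h cannot tell it is reading an infected file; the delta only becomes visible when the raw length (from a clean boot, a sector-level read, or the disk's allocation chain as CHKDSK sees it) is compared against what the hooked calls report.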
Padania also has a retro-routine on execution (INT 21h AX=4B00h). If the file to be executed is a known anti-virus file (TBSCAN, TBSETUP, AVP, F-PROT, SCAN or AVSCAN), arguments are added to the command line to disable scanning of memory.
Padania takes some care over when its stealth routines apply. The virus fetches the name of the currently running program (the caller of the intercepted INT 21h) from the name field of that program's MCB, locating the MCB from the PSP segment returned by INT 21h AH=51h (Get Current PSP). FCB FindFirst/FindNext stealth is only applied when the current process matches "??MM", i.e. COMMAND.COM (the third and fourth characters of 'COMMAND'). This hides the infection from the 'dir' command while leaving CHKDSK.EXE, which uses the same FCB calls, seeing the true sizes, so it does not report allocation errors.
For several archiving, backup and communications programs, read and lseek stealth is disabled, putting the virus in 'fast-infection' mode: the archiver or backup tool then reads and stores the infected image rather than a cleaned copy. Programs checked for by name prefix include: 'PK' (PKZIP), 'AR' (ARJ), 'UU' (UUENCODE), 'BA' (BACKUP), 'LH' (LHA), 'RA' (RAR), 'MO' (MODEM), 'SP' (SPEEDISK), 'DE' (DEFRAG), 'CP' and 'MS' (Central Point Backup and MS Backup).
When infecting files, Padania checks for a .CO? or .EX? extension. It does not infect filenames beginning with: 'AV' (several anti-virus utilities), 'TB' (the ThunderByte Anti-Virus suite), 'IV' (Invircible), 'PR' (Windows PROGMAN.EXE) and '-V' (the old name for AVP). .EXE files with a New EXE header, or whose MZ 'maxmem' field is not 0FFFFh, are not infected. Padania is polymorphic in all infections; the polymorphic decryptors are padded to a fixed length of 85 bytes, which gives the stealth routines fixed offsets to work with. Padania includes the following text string:
Padania Virus by Qark/VLAD This virus is dedicated to all the people in Padania (Northern Italy) who seek separation from Southern Italy and to their party Lega Nord. Questo virus e' dedicato agli abitanti della Padania, in cerca dell' indipendenza dal sud italia, ed al loro movimento Lega Nord
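The target-selection rules and the 62-second infection marker described in the two sections above, as an added example in C that is not part of the original analysis or of the virus's own code. The name and extension rules, the exclusion prefixes and the 'maxmem' check follow the page; the test used here for "a New EXE header is present" (a relocation-table offset at 18h of 40h or more, the conventional signal that an NE/LE/PE header follows the MZ stub) is an assumption about how the virus detects it, and `sample_mz` builds constructed headers for the checks.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* DOS time word: bits 15-11 hour, 10-5 minute, 4-0 seconds/2 (0-29 legal). */
int dos_time_seconds(uint16_t t) { return (t & 0x1F) * 2; }

/* Padania's infection marker: a raw seconds field of 31, i.e. "62 seconds". */
bool has_padania_marker(uint16_t dos_time) { return dos_time_seconds(dos_time) == 62; }
uint16_t set_padania_marker(uint16_t dos_time) { return (uint16_t)((dos_time & ~0x1Fu) | 31); }

/* Name rules: extension .CO? or .EX?, and none of the excluded prefixes.
 * Matching is case-insensitive on the 8.3 name, which DOS stores upper-case. */
bool name_is_candidate(const char *name)
{
    static const char *const skip[] = { "AV", "TB", "IV", "PR", "-V" };
    char up[13] = {0};
    for (size_t i = 0; i < 12 && name[i]; i++) up[i] = (char)toupper((unsigned char)name[i]);
    const char *dot = strrchr(up, '.');
    if (!dot || strlen(dot) != 4) return false;               /* exactly 3 ext chars */
    if (strncmp(dot, ".CO", 3) != 0 && strncmp(dot, ".EX", 3) != 0) return false;
    for (size_t i = 0; i < sizeof skip / sizeof skip[0]; i++)
        if (strncmp(up, skip[i], 2) == 0) return false;
    return true;
}

/* MZ header rules: reject a maxmem field other than FFFFh, and reject a
 * new-format executable. The "new header present" test (e_lfarlc >= 40h) is
 * the conventional one and an assumption about the virus's own check. */
bool exe_header_is_candidate(const uint8_t *hdr, size_t n)
{
    if (hdr == NULL || n < 0x1C) return false;
    bool mz = (hdr[0] == 'M' && hdr[1] == 'Z') || (hdr[0] == 'Z' && hdr[1] == 'M');
    if (!mz) return false;
    uint16_t maxmem = (uint16_t)(hdr[0x0C] | hdr[0x0D] << 8);
    uint16_t lfarlc = (uint16_t)(hdr[0x18] | hdr[0x19] << 8);
    if (maxmem != 0xFFFF) return false;
    if (lfarlc >= 0x40) return false;                          /* NE/LE/PE follows */
    return true;
}

enum verdict { INFECT, SKIP_NAME, SKIP_MARKED, SKIP_HEADER };

/* Combined decision for one directory entry plus, for .EX? files, its header. */
enum verdict decide(const char *name, uint16_t dos_time, const uint8_t *hdr, size_t n)
{
    if (!name_is_candidate(name)) return SKIP_NAME;
    if (has_padania_marker(dos_time)) return SKIP_MARKED;     /* already infected */
    const char *dot = strrchr(name, '.');
    if (dot && toupper((unsigned char)dot[1]) == 'E' && !exe_header_is_candidate(hdr, n))
        return SKIP_HEADER;
    return INFECT;
}

/* Constructed 28-byte MZ header with the given maxmem and relocation offset. */
void sample_mz(uint8_t *hdr, uint16_t maxmem, uint16_t lfarlc)
{
    memset(hdr, 0, 0x1C);
    hdr[0] = 'M'; hdr[1] = 'Z';
    hdr[0x0C] = (uint8_t)(maxmem & 0xFF); hdr[0x0D] = (uint8_t)(maxmem >> 8);
    hdr[0x18] = (uint8_t)(lfarlc & 0xFF); hdr[0x19] = (uint8_t)(lfarlc >> 8);
}
```

The same `has_padania_marker` test is the cheapest scanner-side indicator: a directory full of files whose time-stamps all carry an impossible seconds value of 62 is a strong hint that a marker-based virus has been through, even before any signature match.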
Background and Name
Padania is a region of northern Italy, typically defined as the Po river valley, though the name is sometimes stretched to include regions as far south as Tuscany and Umbria. In recent years many people of the region have been dissatisfied with the Italian government, believing they are taxed too heavily for what they receive in return and that Rome is out of touch with their needs, and have called for independence or a degree of autonomy. Lega Nord (the Northern League), mentioned in the virus, is the most popular party advocating for the people of Padania.
Padania has been a relatively popular subject among virus writers: there are five other virus families named Padania, as well as Padanian Warrior by b0z0 of iKx, which was actually written in Padania.
Original research by JPanic aka @JPanicVX