Ph33r
Ph33r
Type File virus
Creator Qark
Date Discovered 1995.08
Place of Origin Australia
Source Language Assembly
Platform DOS/MS Windows
File Type(s) .com, .exe
Infection Length 1,332 bytes
Reported Costs

Ph33r (pronounced "fear") is a memory-resident MS-DOS/Win16 infecter of MS-DOS .COM and .EXE files, and Win16 NE (NewEXE) files. Ph33r is the first cross-platform infector running under both MS-DOS and Windows. MS-DOS .COM and .EXE files are infected in the standard manner, Win16 NE executables are infected using the same infection scheme as Winsurfer an earlier virus by Qark.

Table of Contents

Behavior

When run from a MS-DOS .COM or .EXE file Ph33r goes memory-resident in the standard way: If host MCB is the last in the chain then the size of the MCB and 'top of memory' field in the host PSP are reduced to allocate memory, and INT 21h is hooked directly. When run from an infected Win16 file, Ph33r uses a different method of residency: Rather than direct-action infection of the windows shell to stay resident, INT 31h calls are used. Ph33r uses INT 31h to allocate a block of linear memory, align a selector to it, and set its size and protection attributes. This means that Ph33r can go resident off any infected file. INT 31h calls are then also used to hook INT 21h.

When run from an MS-DOS .COM or .EXE, Ph33r takes two unusual actions. First a call is made to INT
16h to disable MSAV (Microsoft Anti-Virus). Secondly the virus attempts to find the original INT 21h vector by taking advantage of internal MS-DOS structures: Ph33r gets the MS-DOS data segment by retrieving the "List of Lists" (INT 21h AH=52h).

The virus then checks for a "NOP, NOP, CALL NEAR" sequence (90h, 90h, E8h) at offset 109Eh of the MS-DOS data segment. If these are found the virus assumes the INT 21h vector to be at offset 10A0h of the same segment. This is a check for the A20 line enable code when MS-DOS is loaded in "high memory". However the hard-coded values mean it may only work with certain versions of MS-DOS.

The infection code used INT 21h file I/O calls and is shared by both the MS-DOS and Win16 INT 21h handler - this reduces the size of the virus. Ph33r still however uses a different INT 21h handler under MS-DOS and Win16. The two INT 21h handlers only have a small difference: The Win16 handler does not infect on INT 21h AH=6Ch (extended open), as this is generally not called under windows. The MS-DOS handler does not infect on INT 21h AH=3Dh (open) as Qark notes that this causes Windows to crash on loading. Other than this, both INT 21h handlers handle Ph33r's residency checks and infect on open (either 3Dh or 6Ch), execute, rename and chmod.

Ph33r checks the extension of the victim file and only infects if it is .CO? (.COM), .EX? (.EXE) or .DL? (.DLL). The virus still examines MZ and NE headers to decide inner format of the victim file. Ph33r does not infect files with names ending in 'AN' (*SCAN, *CLEAN), 'AV' (*AV), 'DV' (DV.EXE, DV.COM) and 'OT' (F-PROT). This is to avoid self-checking anti-virus files. Ph33r also does not infect files ending in '86' (Win386/Win286.EXE - part of the Win16 kernel) as this causes windows to crash. All these checks are not case sensitive.

Ph33r includes the text strings:

=Ph33r=
Qark/VLAD

Effects

Qark himself never released the virus, but it appeared in the wild a month after its source code was published in VLAD magazine. Ph33r was dropped by the Nuclear Word macro virus. It was reported to be wild in Belgium in early 1996 and was considered widespread about that time, so probably found many other place.

Sources

Original research by JPanic aka @JPanicVX

F-Secure Antivirus, Ph33r.

Vesselin Bontchev. Virus-L Digest, Volume 9 : Issue 13, "Re: Can a computer get a virus from the internet?" 1996.02.03

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License