Predator

Type: Multipartite virus
Creator: Priest
Date Discovered: 1993
Place of Origin: United States
Source Language: Assembly
Platform: DOS
File Type(s): .com, .exe (later variants)
Infection Length: 1,055 bytes

Predator is a family of memory-resident, stealth, encrypted viruses originally coded by Priest. The original Predator was a .com file infector, but its later variants were multipartite viruses capable of infecting the master boot record in addition to .exe files. It appeared in the 11th issue of 40Hex.

Behavior

When a Predator-infected file is run, the virus decrypts itself and then passes control to the decrypted virus body, which immediately restores the stack pointer (SP register) to its original value. Predator then issues an INT 21h call to check whether it is already memory-resident. If it is, Predator immediately returns control to the original host.

Otherwise, Predator goes memory-resident. Predator first checks whether the MCB (Memory Control Block) of the host is the last in the chain; if it is not, control is returned to the host. Predator then goes resident by reducing the size of this MCB as well as the 16-bit WORD at 0:413h (the BIOS count of conventional memory in KB) to allocate memory for itself. The virus then copies itself to this newly allocated memory and jumps to it to continue execution.

Predator then hooks INT 21h (MS-DOS API) and INT 13h (BIOS Disk Services). INT 21h/AH=35h (Get Interrupt Vector) is used to retrieve the original interrupt vectors, and INT 21h/AH=25h (Set Interrupt Vector) is then used to hook these interrupts. Predator then sets the 'count down' variable for the payload to a random value and returns control to the host. The INT 21h handler is used to infect files, implement the stealth routines and provide Predator's residency check. The INT 13h handler is used solely for Predator's destructive payload.

The INT 21h handler infects files on Open, Extended Open and Execute calls. Stealth routines are provided on the FCB and ASCII FindFirst/FindNext calls and on the FCB Open call. Stealth is implemented the same way on all of these calls: the reported file size is reduced to the original file size, and Predator's 'infection marker' in the date-stamp field is removed. When infecting files, Predator checks for the '.COM' extension (upper-case only) as well as the absence of the 'MZ' marker. Predator is encrypted in all file infections. Infected files are marked as infected by adding 100 years to their date-stamp.

Predator includes the text string:

Predator virus  (c) Mar. 93  Priest

Payload

Predator also contains a dangerous payload. The destructive payload in the INT 13h handler randomly inverts one bit on sector reads. On INT 13h/AH=02h (Read Sectors), Predator performs the read and then subtracts the number of sectors read from the payload's 'count down' variable. When this variable becomes less than or equal to zero the payload is triggered: a random 16-bit WORD in the read buffer is chosen, a random bit in this word is complemented, and the 'count down' variable is reset to a new random value.

Variants

Priest himself coded at least two different variants of Predator. His name can be found in variants 1055 (A and B), 1063, 1070.B, 1137, 1148, 1195 and 2144. Some of these may actually have been modified by someone else without removing Priest's text strings.

Predator 2

Predator 2 is a more complex semi-polymorphic stealth multipartite infector of MS-DOS .com and .exe files, floppy boot sectors and the MBR. Like many of Priest's viruses, Predator 2 tunnels interrupts 13h and 21h on execution of an infected file, in an attempt to bypass anti-virus software. On execution of an infected file, Predator 2 infects the MBR and then goes memory-resident. Upon booting from an infected MBR/boot sector, the virus also goes memory-resident.

Once resident, the virus hooks INT 21h to infect files and INT 13h to infect floppy boot sectors. These interrupts are also used for Predator 2's stealth routines. When going resident under MS-DOS, rather than placing a hook in the INT 21h vector chain, Predator 2 patches the tunnelled INT 21h handler address with a 0EAh (JMP FAR) instruction pointing to the virus handler.

When infecting files, Predator 2 checks the file name against several anti-virus programs and does not infect them. These names are stored backwards in a single string, "TORPNACSAELCFASVVAPC.VANOCED", which reads as PROT, SCAN, CLEA*, VSAF, CPAV, NAV and DECO respectively. Predator 2 includes the text strings:
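To show how an analyst recovers that exclusion list from the reversed string, here is an added example (my own code, not from the page or the virus): the string is reversed as a whole and then cut into fixed-width four-character names, with '.' used to pad the three-letter NAV to the same width. The four-character width and the '.' padding are my reading of the string as quoted above.

```python
def decode_reversed_names(blob: str, width: int = 4, pad: str = ".") -> list[str]:
    """Undo the 'stored backwards' layout: reverse the whole string, cut it into
    fixed-width names, and strip the pad character used to fill short names."""
    forward = blob[::-1]
    if len(forward) % width:
        raise ValueError("string length is not a multiple of the name width")
    return [forward[i:i + width].rstrip(pad) for i in range(0, len(forward), width)]

# The exclusion list exactly as quoted on this page for Predator 2.
PREDATOR2_LIST = "TORPNACSAELCFASVVAPC.VANOCED"

if __name__ == "__main__":
    print(decode_reversed_names(PREDATOR2_LIST))
    # ['DECO', 'NAV', 'CPAV', 'VSAF', 'CLEA', 'SCAN', 'PROT']
```

The decoded list comes out in the reverse of the page's order because the page reads the original string front to back; the set of names is the same.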

Predator virus #2  (c) 1993  Priest - Phalcon/Skism
THE PREDATOR

Wookie

These variants contain the text:

Predator virus
(c) Mar. 93
In memory of all those who were killed... Wookies ain't the only ones that drop!  Priest

These variants are 1,195, 1,148, 1,137 and 1,063 bytes long. They appear to be very similar to Predator 2, with the ability to infect both .com and .exe files as well as boot sectors.

Sources

Original research by JPanic, aka JPanicVX.

ESET Threat Encyclopedia, "Predator".

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License