Spaces
Type: File virus
Creator:
Date Discovered: 28-DEC-1999
Place of Origin:
Source Language:
Platform: MS Windows
File Type(s): .exe
Infection Length: 1,245 bytes
Reported Costs:

Spaces, also known as Busm or Twospaces, is a parasitic, memory-resident Windows virus that infects portable executables on Win9x systems. It has a potentially dangerous payload that can render a system unbootable.

Behavior

When a file infected with Spaces is run, it first checks for itself in memory, which it determines by the presence of the hex code 0x20 0x20 (two spaces) in the .exe header. If it doesn't find another instance of Spaces running, it continues and goes memory resident.

It installs itself as a device driver, jumping from application level (Ring 3) to system kernel level (Ring 0) and installing itself as a VxD driver by patching the protected mode Interrupt Descriptor Table. It then allocates a block of system memory, copies its code there, intercepts Windows Installable File System API calls, returns to Ring 3 and jumps to the host program's code.

The virus hooks file opening and infects portable executables as they are run by the user or system. It appends itself to the end of the file. It can be manually identified with the text "ERL" found in the body.

Payload

On the first of June, Spaces corrupts the master boot record of the hard drive and turns off the computer. It is able to bypass any BIOS antivirus protections by writing directly to the hard drive's controller ports. The routine contains a bug that produces a "General Protection Fault" error in some configurations, so it may not go through with the payload.

It erases the MBR loader code and patches the Disk Partition Table so that there is only one partition listed, pointing to the MBR sector so it loops back to itself. Systems that try to load become trapped in an infinite loop searching for the last disk partition. Recovery from this can be a difficult procedure if there were no backups.
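
As an added example (not part of the original write-up or of any vendor tool), the Python below checks a saved copy of sector 0 for the damage described above: a blank loader area and a lone partition entry that starts at the MBR sector itself. The partition type 0x05, the zero-filled loader and both sample sectors are constructed assumptions; the page does not give the exact bytes Spaces writes.

```python
import struct

TABLE_OFFSET = 446  # four 16-byte partition entries follow the loader code

def parse_entries(mbr):
    """Decode the non-empty partition entries of one 512-byte MBR sector."""
    if len(mbr) != 512:
        raise ValueError("expected exactly one 512-byte sector")
    entries = []
    for slot in range(4):
        raw = mbr[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * slot + 16]
        _status, chs, ptype, _chs_end, lba, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0:  # type 0 marks an unused slot
            continue
        head, sec, cyl_low = chs
        entries.append({"slot": slot, "type": ptype, "lba": lba, "sectors": count,
                        "chs": (((sec & 0xC0) << 2) | cyl_low, head, sec & 0x3F)})
    return entries

def self_referencing(entry):
    """True when the entry starts at the MBR sector itself (LBA 0 or CHS 0/0/1)."""
    return entry["lba"] == 0 or entry["chs"] == (0, 0, 1)

def assess(mbr):
    """Return findings that match the damage described for the payload."""
    entries, findings = parse_entries(mbr), []
    if len(set(mbr[:TABLE_OFFSET])) == 1:  # assumption: erased = one repeated byte
        findings.append("loader code area is blank")
    loops = [e for e in entries if self_referencing(e)]
    for e in loops:
        findings.append(f"slot {e['slot']} type {e['type']:#04x} starts at the MBR sector")
    if len(entries) == 1 and loops:
        findings.append("only entry points back at the MBR sector")
    return findings

def make_mbr(loader_byte, entry):
    """Build a constructed test sector (not real disk data)."""
    loader = bytes(loader_byte(i) for i in range(TABLE_OFFSET))
    return loader + entry + bytes(48) + b"\x55\xaa"

# Constructed samples: a FAT32 entry starting at LBA 63, and a damaged table.
HEALTHY = make_mbr(lambda i: (i * 7 + 1) % 256, struct.pack(
    "<B3sB3sII", 0x80, bytes([1, 1, 0]), 0x0B, bytes([254, 63, 100]), 63, 1_000_000))
DAMAGED = make_mbr(lambda i: 0, struct.pack(
    "<B3sB3sII", 0x00, bytes([0, 1, 0]), 0x05, bytes([0, 1, 0]), 0, 1))

if __name__ == "__main__":
    for name, sector in (("healthy", HEALTHY), ("damaged", DAMAGED)):
        print(name, assess(sector) or "no findings")
```

Run it against a 512-byte image of sector 0 taken from forensic media rather than against a live disk.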

Variants

There are a few variants of Spaces weighing in at 1445 and 1633 bytes. Their behavior is little different from the original, though some of the identifying texts contained in the virus bodies can be different.

Effects

Spaces was widespread around the globe, mostly in Asia, North and South America, and some parts of Europe and Australia. It last appeared in the wild as late as November of 2008.

Name and Origin

The virus got its name from the spaces it uses to detect its own copy in memory. Some variants contain "BUSM" or "PUSM". Researchers noted some similarities between Spaces and CIH. It seems unlikely to be the work of Chen Ing Hau; more likely, CIH was used as a template.
