Type: Multipartite virus
Date Discovered: 1991.01
Place of Origin: Moscow, Soviet Union
Source Language:
Platform: DOS
File Type(s): .com, .exe
Infection Length: 2,616-2,648 bytes
Reported Costs:

Starship is a multipartite virus from the Soviet Union. For its time, its infection method was unique and it remains a curiosity. The virus also has an interesting payload.


When a .com or .exe file infected with Starship is executed, it infects the master boot record. At this stage it does not become memory resident and does not infect any other .com or .exe files. It modifies three bytes of partition table data and places its code in 6 consecutive sectors of the last track. It keeps a counter of the number of times the computer has been booted, initialising it with a random number from 0 to 20 hexadecimal (32 in decimal).

When the system is booted, Starship installs itself in video memory, where it is decrypted. The text ">STARSHIP_1<" can be found when it is in memory. It uses the 4th text video page, so it will not work on monochrome screens. While in video memory, it intercepts interrupts to protect itself from being overwritten on the hard disk and waits for the first program to terminate. When the first program has terminated, it moves itself to main memory, where it takes up 2,688 bytes.

It infects .com and .exe files on drives A: and B: (on DOS, these are usually the drive letters for the 3 and 5.25 inch floppy disks) when the files are created or modified. It waits for the file to be closed before appending its code to it. The increase in size of an infected file will be between 2616 and 2648 bytes, the exact increase determined by the virus's random number generator.

Starship releases a payload when the boot counter reaches 80. It may take a few hours, depending on disk activity. The computer plays tones and displays colored pixels. Each of these corresponds to one disk access.
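The traits described above (three changed bytes of partition table data, file growth of 2,616 to 2,648 bytes, and the ">STARSHIP_1<" text visible in memory) can be turned into simple triage checks. The following is an added example, not code from the original page; the function names, the sample data and the use of the standard MBR partition table offsets 446 to 509 are assumptions.

```python
MARKER = b">STARSHIP_1<"          # text the page says is visible once decrypted in memory
GROWTH = range(2616, 2649)        # infection length stated on the page, inclusive
PT_START, PT_END = 446, 510       # standard MBR partition table: four 16-byte entries


def grown_files(baseline, current):
    """Return .com/.exe names whose size grew by an amount in the Starship range."""
    hits = []
    for name, new_size in sorted(current.items()):
        if not name.lower().endswith((".com", ".exe")):
            continue
        old_size = baseline.get(name)
        if old_size is not None and (new_size - old_size) in GROWTH:
            hits.append(name)
    return hits


def partition_table_diffs(known_good_mbr, current_mbr):
    """Return offsets inside the partition table where two 512-byte MBRs differ."""
    if len(known_good_mbr) != 512 or len(current_mbr) != 512:
        raise ValueError("an MBR sector is exactly 512 bytes")
    return [i for i in range(PT_START, PT_END)
            if known_good_mbr[i] != current_mbr[i]]


def marker_offsets(memory_image):
    """Return every offset of the plaintext marker in a memory image."""
    offsets, pos = [], memory_image.find(MARKER)
    while pos != -1:
        offsets.append(pos)
        pos = memory_image.find(MARKER, pos + 1)
    return offsets


# Constructed sample data, not taken from a real infection.
BASELINE = {"EDIT.COM": 4000, "GAME.EXE": 30000, "NOTES.TXT": 100}
CURRENT = {"EDIT.COM": 6630, "GAME.EXE": 30000, "NOTES.TXT": 2730}
GOOD_MBR = bytes(446) + bytes([0x80, 1, 1, 0, 6, 15, 63, 200]) + bytes(56) + b"\x55\xaa"
BAD_MBR = bytearray(GOOD_MBR)
for off in (447, 448, 449):       # three changed bytes, offsets chosen arbitrarily
    BAD_MBR[off] ^= 0xFF

if __name__ == "__main__":
    print(grown_files(BASELINE, CURRENT))
    print(partition_table_diffs(GOOD_MBR, bytes(BAD_MBR)))
    print(marker_offsets(bytes(100) + MARKER + bytes(20)))
```

A size delta in that range is only a lead, since a legitimate change can grow a file by the same amount. The marker search applies to memory images, because the page describes the code as being decrypted once it is installed in video memory.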


The virus became relatively common in the Soviet Union and later Russia.


