Vlad (virus)
Vlad
Type: File virus
Creator: Qark
Date Discovered: 1994.11
Place of Origin: Australia
Source Language: Assembly
Platform: DOS
File Type(s): .com, .exe
Infection Length: 1,221 bytes

VLAD is a memory-resident, polymorphic and size-stealthing infector of MS-DOS .COM and .EXE files, including COMMAND.COM. It was coded by Qark of the VLAD group (after which it is named) and appeared in Issue 2 of their magazine in November 1994. It has many similarities to the Republic virus and may have been a model for that virus.

Behavior

VLAD goes memory resident by reducing the size of the host's MCB (Memory Control Block) if it is the last MCB in the chain, and moving itself into the newly freed space. The virus also lowers the 16-bit WORD at offset 2 of the PSP (the Top of Memory field). The virus then hooks the INT 21h vector directly.

VLAD is mildly polymorphic; the engine seems to be named 'VIP 0.1' (VLAD Infinite Polymorphy) by the author. VLAD uses a CPU prefetch trick similar to the one used in the above-mentioned viruses. VLAD also has some stealth features: on FCB and ASCII FindFirst/FindNext calls, the virus corrects the returned size field of an infected file to the original file size.

The virus uses an interesting infection marker: the lower five bits of the low-order byte of the infected file's time-stamp are set equal to the lower five bits of the high-order byte of that same time-stamp.
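As an added example (not from the original page or from the virus's own code), the marker described above can be checked from a file's 16-bit DOS time word; function names and the sample directory entries below are constructed for this illustration.

```python
"""Check DOS directory time-stamps for the VLAD infection marker:
low 5 bits of the low-order byte == low 5 bits of the high-order byte.
Function names and sample entries are this example's own (constructed)."""


def dos_time_word(hours: int, minutes: int, seconds: int) -> int:
    """Pack a time into the DOS layout: bits 15-11 hours,
    bits 10-5 minutes, bits 4-0 seconds/2."""
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def dos_time_fields(time_word: int) -> tuple[int, int, int]:
    """Unpack a 16-bit DOS time word into (hours, minutes, seconds)."""
    hours = (time_word >> 11) & 0x1F
    minutes = (time_word >> 5) & 0x3F
    seconds = (time_word & 0x1F) * 2
    return hours, minutes, seconds


def has_vlad_marker(time_word: int) -> bool:
    """True when the two-second field (bits 0-4) equals bits 8-12 of the
    word, i.e. the low 5 bits of both bytes match."""
    low_byte = time_word & 0xFF
    high_byte = (time_word >> 8) & 0xFF
    return (low_byte & 0x1F) == (high_byte & 0x1F)


def marked_time_word(time_word: int) -> int:
    """Test fixture: the same time word with the marker applied, so the
    detector can be validated against a known-marked value."""
    high_byte = (time_word >> 8) & 0xFF
    return (time_word & ~0x1F) | (high_byte & 0x1F)


def marker_chance_rate() -> float:
    """Fraction of all possible time words carrying the marker by chance
    (1/32), which is why this is a triage hint, not a verdict on its own."""
    hits = sum(1 for w in range(0x10000) if has_vlad_marker(w))
    return hits / 0x10000


# Constructed directory entries: (file name, DOS time word).
SAMPLE_ENTRIES = [
    ("HELLO.COM", dos_time_word(12, 34, 56)),  # 0x645C: low5 bytes 28 vs 4
    ("EDIT.EXE", dos_time_word(12, 34, 8)),    # 0x6444: low5 bytes 4 vs 4
    ("NOTES.TXT", dos_time_word(9, 15, 0)),    # 0x49E0: low5 bytes 0 vs 9
]


def flag_marked(entries: list[tuple[str, int]]) -> list[str]:
    """Return the names of entries whose time-stamp carries the marker."""
    return [name for name, tw in entries if has_vlad_marker(tw)]
```

Because an unrelated file's seconds field coincides with the marker 1 time in 32, a hit should only prioritise a file for a signature scan, never stand alone.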

Like other viruses by Qark, VLAD checks for a .COM or .EXE file extension. This virus uses INT 21h AH=60h (MS-DOS Get Qualified Filename), which among other things converts the filename to upper-case. Thus this virus is not limited to files with upper-case extensions, as some of Qark's earlier viruses were. VLAD uses INT 2Fh (MS-DOS Multiplex) calls to get the SFT (System File Table) entry for the victim file. The virus uses this system structure to bypass some operating system calls, including lseek, chmod and setting/getting the file date/time stamps. Use of the SFT also allows it to infect read-only files without modifying the file's attributes.

VLAD attempts to delete the anti-virus checksum databases used by the Thunderbyte, Central Point and Microsoft anti-virus products. These database files are 'ANTI-VIR.DAT', 'MSAV.CHK', 'CHKLIST.CPS' and 'CHKLIST.MS'. When memory-resident, VLAD infects files on execute, open, chmod and rename calls. The virus avoids infecting files whose names begin with 'SCAN', 'TB', 'F-PR' and 'DV.E', as these files may be self-checking.

VLAD includes the text strings:

[VLAD virus]
by VLAD!
[VIP v0.01]

Sources

Original research by JPanic aka JPanicVX

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License