Viral Rewind: Virus.DOS.SSR (Stainless Steel Rat)

Back on MS-DOS 6.2, we're looking at one of the larger and more complex DOS viruses, known as "Stainless Steel Rat". It goes by "Revenge" or "SSR" depending on the antivirus firm and its definitions. It starts off as a fairly large file by DOS standards, at nearly 22 kilobytes in size. This is because SSR is a fully encrypted virus that uses four distinct decryption engines in its operations. When run, SSR decrypts itself and loads into memory, taking its code and engines with it and leaving behind a non-functional program (despite the size increase). It must infect a .COM or .EXE file to spread/operate; if the machine is restarted or powered off before this happens, SSR will not have infected anything. When a program does become infected, the size increase will be quite noticeable and overall system performance will be severely diminished.
Being encrypted, SSR hides itself within memory, moving itself about and making MEM.EXE unable to show the space it is consuming. Debugging the system just shows # signs in the memory spaces, including three text strings referring to three of the decryption engines used by SSR. If any files on the system use the extensions .bas, .pas or .ico, any attempt to access those files will result in SSR deleting them (the user will get a "bad command or file name", "file not found" or similar error upon trying to access them).
Payloads:
1 - SSR looks for filenames with "ID" in the 2nd and 3rd places (the Russian anti-virus AIDSTEST for example) and when run will print out the following message in Russian:
"It isn't time for Mr. Lozinsky to retire!" Then it will hang the system.
2 - SSR can act as an anti-virus/anti-anti-virus by monitoring whether another virus it is familiar with (examples including OneHalf, Jerusalem and Flushot) attempts to run while SSR is loaded in memory. If so, SSR halts the machine with a repeating red gradient accompanied by an audible alert and text that reads:
"!!! ALARM WARNING DANGER APPROACHING !!!
Hacker-f*cker TSR sh*t or Any Virus Detected !!!
Anyone who want to f*ck Revenge is Naivnij Man
With best wishes & thanks to DialogScn
Emulation engine will have problems with this ZHOM
In future versions we will add:
1. Protected Mode Decryptor (VMME)
2. Adinf table Hacker-cracker
3. Destroy Files/Disks/CMOS/Printer/CDROM
4. Disk encryption and BUGs,GLUKs and SHITs !
Dis is only BEGIN... Win95 and her lamers must die!
Searching... SEEK & DESTROY
There can be only one ..."
3 - When SSR is run, it begins a timer and after 23 minutes will initiate a screen distortion payload. Depending on the CPU speed, this will result in shaking, distorting, flashing or other artifacts on the display.
4 - When SSR is run, it begins a timer, and after 15 minutes, if the number of infected files run reaches 50, it will display a graphical payload (provided 23 minutes haven't elapsed; otherwise it will run the screen distortion payload) stating:
"This is REVENGE of Stainless Steel Rat". Pressing the escape key drops this out to a text prompt reading:
"Revenge virus v 1.01 released at 20.04.96
Copyright (c) 1996-97 2 Rats Techno Soft
Written by
Stainless Steel Rat"
5 - One payload not demoed involves attempting to perform a trace on INT ABh, the handler SSR makes use of in memory operations. If it detects that interrupt is being traced, it will print out the following message in Russian:
"For long time he traced INT's... Now I am a sad terminal!" It will then attempt to corrupt the CMOS checksum (usually causing a POST error on the next boot) and hang the system.