The Blah virus is a memory-resident, stealth, multipartite partition table/ batch file virus. What follows is the raw source file. After the source file is a batch file infected with Blah which demonstrates the workings of the virus. To install the virus, simply run this batch file. Or you can assemble the source, run the output file, and then execute a batch file. Be cautious when running this virus, however, since it immediately infects the partition table and your hard drive will become unavailable should you boot from diskette. You have been warned! The Blah virus The world's only stealth, multipartite PT/BAT infector Written by Dark Angel at the end of 1994 This virus is "mostly stealth" and "mostly harmless". It infects the partition table on hd0 as well as batch files. To install the virus, simply assemble this source to a COM file and run the output. The virus will then reside on the partition table of the first hard drive of the computer. The partition table portion of the virus loads itself into the slack space between the partition table and the first disk partition. The virus assumes the first disk partition is the one closest to the partition table, which is reasonable. It only infects the partition table on the first physical hard drive, since that will always be loaded anyway. The original partition table is stored following the virus code in the aforementioned slack space. Since the partition table infector does not copy the partition table itself into its code, several effects result. First, the system will not recognise the hard drive if it is booted from a floppy. This can be considered a useful side-effect, since it prevents disinfection via a clean boot. Additionally, when modifying the virus, one must take care to keep the word 0AA55 at offset 01FE in the file, or else the BIOS will not recognise the partition table as a valid one. If you edit a batch file while the virus is in memory, the batch file will become infected by the virus, but will load into memory as if it were uninfected. When you save the file, it will remain uninfected. However, once you run the batch file, it will again become infected. This virus adds 3004 bytes to batch files. However, this file will assemble to 1148 bytes, since an encoded form of this file is written to batch files. The virus prepends its own code to the batch files that it infects. This code consists of lines which 1. create an executable file 2. run this executable file 3. delete the executable file and 4. reruns the batch file. The code which creates the executable file is simply a bunch of ECHO statements which are redirected into a file. These characters, when run, will run the code you see below. The bytes following the ECHO consist of code which reassembles and runs the code below and the data of the virus, which is encoded in a special printable text-only format. The virus removes this file after it has executed it in order to cover its traces. Finally, the virus runs the batch file again. This is to allow the stealth to work properly. The stealth works by bumping up all read requests on infected files by an amount equal to the size of the virus prepended text. The stealth is designed to not take effect until after the third file open it sees. Since DOS opens batch files each time it needs to execute the next command, this is the equivalent of waiting until after two statements have executed. This leaves enough time to remove the temporary file and reexecute the batch file. Now the stealth kicks in and DOS doesn't even see the virus code in the batch file. The virus hides the filelength increase on directory searches (in .BAT files only, of course). It also hides itself from reads (with handle calls only). It infects when a .BAT file is opened. It stamps files with a 62 second mark, but that is for the findfirst/findnext routine only. The checks for previous infection do not make any assumptions based on the file creation time. The virus also prevents overwriting of itself in the partition table. It also redirects attempts to view absolute sector 0. However, it does not try to stop reads to other parts of the disk that are infected, i.e. the sectors immediately following the first. The source code to the decoder (the raw text is included in the virus) can be found at the end. Anyway, this virus was written mostly because I felt like doing something lame. I think I succeeded, with only a modest effort. Dark Angel, Phalcon/Skism, 31 December 1994 Happy New Year's!