drsolly@ibmpcug.co.uk (Alan Solomon) (07/13/89)
DENZUK

DENZUK is a boot sector virus. It replaces the original boot sector with its own. This looks very like a normal boot sector, as it has the usual messages "Non-System disk or disk error", "Replace and strike any key when ready" and "Disk Boot failure". It also has the references to IBMBIO.COM and IBMDOS.COM. If your system files are called IO.SYS and MSDOS.SYS, DENZUK doesn't realize this, but it does mean that the boot sector looks normal.

When the boot sector runs, it loads in the rest of the virus, which is located on track 40 (normal 360k diskettes have tracks numbered 0 to 39), head 0, sectors 33 to 41 (normal tracks have sectors numbered from 1). Putting the virus in this place means that some disk-searching utilities won't find it there. It also means that if you Diskcopy the infected diskette, most of the virus fails to copy. This gives us one simple way to clean up an infection; DENZUK could almost be called a copy-protected virus! If you Diskcopy an infected diskette, the DENZUK boot sector is copied, but not the rest of DENZUK. If you use COPY or XCOPY to copy the files off the diskette instead, then the infected boot sector is left behind as well. Of course, you must boot from a known clean diskette before you start.

When DENZUK runs the code that it has loaded in from track 40, it replaces two of the PC's interrupts, $13 (diskette) and 9 (keyboard). A new interrupt is installed, $6F, which is the old interrupt $13; DENZUK uses this as a short way to call the original routine.

The new interrupt 9 looks for two keystrokes. On seeing a Ctrl-Alt-Del, it calls a routine that displays its logo (if it is running on anything apart from a mono monitor), and then reboots. The other keystroke is Ctrl-Alt-F5, which just triggers a reboot. This is a convenient test to see if you are infected, as on a PC that is not running DENZUK, Ctrl-Alt-F5 does nothing. All other keystrokes are passed on to the original interrupt 9 routine.

The DENZUK logo is a graphic, with the words "DEN ZUK" in large red letters. The pixels making up these letters come in from each side until they merge, making the words; there is also a symbol to the side that looks rather like a stylised globe.

Interrupt $13 is used to infect more diskettes. Every time interrupt $13 is called, provided it is referencing one of the two floppy drives (DENZUK will not infect a hard disk), and provided the call is a read, write, verify or format, DENZUK decrements its infection counter (which is initially set to eight). When the counter reaches zero, this triggers the infection process, and the counter is set back to two.

The infection process works like this. First it reads the sector at cylinder 0, head 0, sector 1. It looks for two bytes that are found in DENZUK, and if it finds them, it doesn't infect. If they are absent, it looks for two other bytes which we surmise belong to an old version of DENZUK; if it finds those, it calls the "Find Denzuk Boot" routine, which reads the original boot sector from track 40, head 0, sector 33, where the old version stored it. Thus, DENZUK will update you if it finds that you are running an out-of-date version of the virus. If DENZUK finds the Brain (or Ashar) virus on the boot sector (which it does by looking for the $1234 signature of Brain) then it upgrades you from Brain to DENZUK. First, though, it has to go and find the boot sector from where Brain has put it; Brain has three bytes in the sector at cylinder 0, head 0, sector 1 that tell you where the original boot sector is, and DENZUK decodes these and reads the boot sector. Whether the diskette was clean, old-DENZUK or Brain, DENZUK now has the original boot sector. It formats track 40, head 0, and writes its nine sectors there. If this write is successful (some diskette drives may not allow writing beyond track 39) then it replaces the sector at cylinder 0, head 0, sector 1 with its own version of the boot sector. The infection process is now complete.
It then scans through the directory to see if there is a volume label there. Brain, you may recall, puts " (c) Brain" as a volume label on the diskette. DENZUK overwrites that with its own label, which is "Y.C.1.E.R.P", where the '.' is character $F9. DENZUK assumes that it is looking at a 360k diskette, but makes no attempt to ensure that this is the case. This directory scan starts at sector 0, 0, 6, and scans through seven sectors; just right for a 360k diskette. The meaning of this volume label is obscure.

There is also a generation counter, which keeps track of how many generations have passed; if this is less than three, then DENZUK refrains from its visible signs: the logo is not displayed on reboot, and the volume label is not changed. The specimen that we had was generation $14. This feature is probably to give it a chance to spread a bit before detection becomes easy.

DENZUK puts the BRAIN signature on the boot sector; this would stop Brain from infecting a DENZUK-infected diskette. So in a population of Brain-infected diskettes, DENZUK would tend to be the virus that would get the upper hand.

There are a couple of text messages in the virus, which are not displayed. These are, at the beginning:

    "Welcome to the C l u b - --The HackerS-- Hackin' All The Time "

and at the end:

    "The HackerS"

It might be thought that DENZUK is actually a helpful virus, in that it kills Brain. This is not so. Consider what will happen if DENZUK infects a diskette with more than 40 tracks: track 40 would be overwritten, and data could be lost as a result. Even worse, DENZUK assumes that all diskettes are 360 kb diskettes, so when it infects them, it puts a 360 kb diskette boot sector on top of the old boot sector. This tells DOS that the diskette has 2+2 FAT sectors and 7 directory sectors, which is not the case.
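As an added illustration (this is not code from Dr Solomon's post or his toolkit), here is a Python check over a raw diskette image that uses the two facts above: the 360k-style boot sector DENZUK writes whatever the real diskette size, and the volume label it writes into sectors 6 to 12 of cylinder 0, head 0. The BPB field layout is the standard FAT boot sector layout, and the sample image is constructed, not a captured specimen.

```python
import struct

SECTOR = 512
# The volume label DENZUK writes: "Y.C.1.E.R.P" with each '.' being byte $F9 (from the post).
DENZUK_LABEL = b"Y\xf9C\xf91\xf9E\xf9R\xf9P"
ATTR_VOLUME_LABEL = 0x08
BPB_FORMAT = "<HBHBHHBHHH"   # standard FAT BIOS Parameter Block fields at boot offset 11

def parse_bpb(boot):
    """Return the geometry a boot sector claims for its diskette."""
    (bps, spc, reserved, fats, root_entries, total, media,
     spf, spt, heads) = struct.unpack_from(BPB_FORMAT, boot, 11)
    return dict(bytes_per_sector=bps, sectors_per_cluster=spc, reserved=reserved,
                fats=fats, root_entries=root_entries, total_sectors=total,
                media=media, sectors_per_fat=spf, sectors_per_track=spt, heads=heads)

def find_denzuk_label(image):
    """DENZUK scans cylinder 0, head 0, sectors 6..12 (the 360k root directory)
    whatever the real geometry is, so look there, not where the BPB puts the root."""
    start = 5 * SECTOR                      # sectors are 1-based: sector 6 is LBA 5
    area = image[start:start + 7 * SECTOR]
    for off in range(0, len(area), 32):     # 32-byte directory entries
        entry = area[off:off + 32]
        if entry[11] == ATTR_VOLUME_LABEL and entry[:11] == DENZUK_LABEL:
            return start + off
    return None

def inspect_image(image):
    """Findings for one raw diskette image: a BPB that disagrees with the image
    size (the 1.2 MB failure case in the post) and/or the DENZUK volume label."""
    bpb = parse_bpb(image[:SECTOR])
    claimed = bpb["total_sectors"] * bpb["bytes_per_sector"]
    findings = []
    if claimed != len(image):
        findings.append(f"BPB claims {claimed} bytes, image is {len(image)}")
    label_off = find_denzuk_label(image)
    if label_off is not None:
        findings.append(f"DENZUK volume label at offset {label_off}")
    return findings

def build_sample(image_sectors=2400):
    """Constructed sample (not a real capture): an image of image_sectors sectors
    carrying a 360k-style boot sector and the DENZUK label at sector 6."""
    image = bytearray(image_sectors * SECTOR)
    # 360k BPB: 512 B/sector, 2 sectors/cluster, 1 reserved, 2 FATs x 2 sectors,
    # 112 root entries, 720 sectors, media $FD, 9 sectors/track, 2 heads
    struct.pack_into(BPB_FORMAT, image, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2)
    image[5 * SECTOR:5 * SECTOR + 32] = DENZUK_LABEL + bytes([ATTR_VOLUME_LABEL]) + bytes(20)
    return bytes(image)
```

On a 1.2 MB image the size mismatch fires alongside the label; on a genuine 360k image only the label does, which is why a scanner should read the physical sectors the virus uses rather than trusting the BPB.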
So DOS is not able to read the diskette properly, and interprets the directory as part of the FAT, and (depending on what diskette it is) can get the cluster size wrong, and might ignore some of the sectors on each track. In other words, DENZUK infecting a 5 1/4 inch 1.2 MB diskette leaves it unreadable, although putting a correct boot sector back in place will rescue most of the data (track 40, head 0 is gone for ever). Diskettes of other capacities (other than 360 kb) will also have problems.

Our specimen of DENZUK came from an academic institution in the UK, which prefers to remain unnamed. It is the only reported instance of DENZUK in the UK so far, apart from lab specimens. We have added tools for dealing with DENZUK to our Anti Virus Toolkit. If you need more information about this virus, or any of the others, please contact me at the address below.

Dr Alan Solomon                 Day voice: +44 494 791900
S&S Anti Virus Group            Eve voice: +44 494 724201
Water Meadow                    Fax:       +44 494 791602
Germain Street,                 BBS:       +44 494 724946
Chesham,                        Fido node: 254/29
Bucks, HP5 1LP                  Usenet:    drsolly@ibmpcug.co.uk
England                         Gold:      83:JNL246
                                CIX, CONNECT: drsolly