Virus Name: DE'BUGER
Aliases: THE BUGGER
V Status: New, Research Viron
Discovery: January, 1995
Symptoms: Full Stealth - CMOS Checksum Error if Debugged - Fails to work
on 8086 or 8088 processors
Origin: USA
Eff Length: 427 Bytes
Type Code: OReE - Extended HMA Memory Resident Overwriting .EXE Infector
Detection Method: None
Removal Instructions: See Below
General Comments:
The DE'BUGER virus is an HMA memory resident, overwriting, direct action
infector. The virus is a 100% stealth virus with no detectable
symptoms: no file length increase; overwritten .EXE files execute
properly; no interrupts are directly hooked; no change in file date or
time; no change in available memory; INT 12 is not moved; no cross-
linked files reported by CHKDSK; when resident the virus cleans programs
on the fly; VSAFE.COM does not detect it; Windows 3.1's built-in warning
about a possible virus does not detect DE'BUGER.
The DE'BUGER is a variation of the MUMZI! virus. DE'BUGER was
completely rewritten so that the scan string used for MUMZI! can not
be used to detect it.
The DE'BUGER virus has an interesting payload: none, until you debug
it. The virus appears to do nothing. It gets an interrupt vector, sets
it, sets it back, then terminates, and nothing else. If a person
attempts to debug the virus, the virus will appear to do the above, but
in actuality the virus will quickly determine that it is being debugged
(after the seventh instruction) and will blow the CMOS CRC, so setup
will need to be run again. The person stepping through the virus will
never see the computer execute the instruction that blows the CMOS CRC.
An expert knowledge of DEBUG and machine language (not assembly
language) is necessary to handle this virus.
The DE'BUGER virus will only load if DOS=HIGH is set in the CONFIG.SYS
file. The first time an infected .EXE file is executed, the virus goes
memory resident in the HMA (High Memory Area). The hooking of INT 13
is accomplished using a tunnelling technique, so memory-mapping
utilities will not show the hook as belonging to the virus in memory.
It then reloads the infected .EXE file, cleans it on the fly, then
executes it. The DE'BUGER virus will work with DOS 5, DOS 6+ and
NOVELL DOS 7.
If the DE'BUGER virus is unable to install in the HMA or to clean the
infected .EXE on the fly, the virus reopens the infected .EXE file
read-only, modifies the system file table entry to allow writes,
removes itself, and then writes the cleaned code back to the .EXE file.
It then reloads the clean .EXE file and executes it. The virus cannot
clean itself on the fly if the disk is compressed with DRVSPACE,
DBLSPACE or STACKER, so in that case it cleans the infected .EXE file
and writes it back.
It will infect an .EXE if it is executed, opened for any reason or
even copied. When an uninfected .EXE is copied, both the source and
destination .EXE files are infected.
The DE'BUGER virus overwrites the .EXE header if the file meets certain
criteria: the .EXE file must be less than 57k; the file does not have
an extended .EXE header; the file is not SETVER.EXE; and the .EXE
header must be all zeros from offset 85 to offset 512, as this is where
the DE'BUGER virus writes its code. The DE'BUGER virus then changes
the .EXE header so that the file runs as a .COM file. Files that are
READONLY can also be infected.
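The entry lists no detection method, but the criteria above can be turned into a triage check: an added example, not part of the original entry, that classifies each .EXE on a volume as not eligible, at risk (clean but meets every criterion), or suspect (MZ signature gone and code sitting where the header should be zero). It assumes "57k" means 57 * 1024 bytes, that "changes the .EXE header to a .COM file" means the MZ signature is no longer present, and that an "extended header" is an NE/PE/LE/LX new-format header; the sample files are constructed here.

```python
import os
import struct
# Infection preconditions as the entry states them; numeric readings are assumptions.
MAX_SIZE = 57 * 1024          # assumption: "less than 57k" = 57 * 1024 bytes
ZERO_AREA = slice(85, 512)    # entry: header must be zero from offset 85 to 512
NEW_FORMAT = (b"NE", b"PE", b"LE", b"LX")   # assumption: what "extended header" means

def classify_exe(name: str, data: bytes) -> str:
    """'not-eligible': the virus skips it; 'at-risk': meets every criterion;
    'suspect': MZ signature gone and code sits where the header should be zero."""
    if name.upper() == "SETVER.EXE" or len(data) >= MAX_SIZE or len(data) < 0x40:
        return "not-eligible"
    code_in_header = any(data[ZERO_AREA])
    if data[:2] not in (b"MZ", b"ZM"):
        # assumption: "changes the .EXE header to a .COM file" = no MZ signature
        return "suspect" if code_in_header else "not-eligible"
    e_lfarlc, = struct.unpack_from("<H", data, 0x18)
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfarlc >= 0x40 and data[e_lfanew:e_lfanew + 2] in NEW_FORMAT:
        return "not-eligible"  # extended (NE/PE/LE/LX) header
    return "not-eligible" if code_in_header else "at-risk"

def mz_sample(body=b"", at=0x1C, lfanew=0, sig=b"MZ") -> bytes:
    """Constructed sample: zeroed 512-byte MZ header, `body` placed at `at`."""
    hdr = bytearray(512)
    hdr[:2] = sig
    struct.pack_into("<H", hdr, 0x18, at)       # e_lfarlc: relocation table offset
    struct.pack_into("<I", hdr, 0x3C, lfanew)   # e_lfanew: new-format header offset
    hdr[at:at + len(body)] = body
    return bytes(hdr) + b"\xC3" * 32            # a few code bytes after the header

SAMPLES = {  # constructed inputs, not files from the entry
    "CLEAN.EXE": mz_sample(),                                    # meets all criteria
    "SETVER.EXE": mz_sample(),                                   # exempt by name
    "BIG.EXE": mz_sample() + bytes(MAX_SIZE),                    # too large
    "RELOC.EXE": mz_sample(b"\x01\x00\x02\x00" * 20),            # relocs run past 85
    "WIN.EXE": mz_sample(b"PE\0\0", at=0x40, lfanew=0x40),       # extended header
    "ODD.EXE": mz_sample(b"\xCD\x21" * 4, at=85, sig=b"\0\0"),   # signature gone
}

def classify_samples() -> dict:
    return {name: classify_exe(name, data) for name, data in SAMPLES.items()}

def scan_directory(directory: str) -> dict:
    out = {}  # classify every *.EXE below directory, e.g. a mounted DOS volume
    for root, _dirs, files in os.walk(directory):
        for fname in (f for f in files if f.upper().endswith(".EXE")):
            with open(os.path.join(root, fname), "rb") as fh:
                out[os.path.join(root, fname)] = classify_exe(fname, fh.read())
    return out
```

Files reported as at-risk are the ones the removal procedure below must cover; suspect files are candidates to examine before deciding that the entry's stated "Detection Method: None" holds on a given system.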
To remove the virus from your system, change DOS=HIGH to DOS=LOW in
your CONFIG.SYS file. Reboot the system. Then run each .EXE file
less than 57k. The virus will remove itself from each .EXE program
when it is executed. Or, leave DOS=HIGH in your CONFIG.SYS; execute
an infected .EXE file, then use a tape backup unit to copy all your
files. The files on the tape have had the virus removed from them.
Change DOS=HIGH to DOS=LOW in your CONFIG.SYS file. Reboot the
system. Restore all the files from tape back to your system.