

Natas -- Fated to be?

Computer viruses, like people, differ greatly in the renown they enjoy. A few, such as Michelangelo, have become household names, even 'virus superstars'; the majority, however, eke out a miserable existence in virus specialists' collections. The reason for these varying degrees of fame is not entirely clear; perhaps it is just fate?

Natas is arguably a 'superstar' of a virus, with an unlimited target infection area. Thousands of computers have been hit by it, and there are still an unknown number of infected PCs about, notwithstanding the fact that practically all popular anti-virus scanners have been updated to detect it.

Installation

When a Natas-infected file is executed, control passes to the end of the file where the polymorphic decryption routine is located. This code decrypts the body of the virus and passes control to the installation routine.

Natas has features which prevent its code from being traced or debugged: the first of these is executed when the installation routine receives control. The virus calls the already-loaded TSR copy and, at the same time, issues an 'Are you there?' call (Int 21h: AH=30h, BX=F99Ah).

Due to the virus' Int 01h handler (see below), it is not possible to trace through the memory-resident routines. Control returns to the host program if the TSR copy is loaded, or if the version of DOS present is under 3.0.

When tracing is in progress, the virus does not make the 'Are you there?' call, to prevent this from happening. Instead it decreases the size of conventional memory as held by the BIOS (at address 0000:0413), truncates the last Memory Control Block (MCB) and copies itself into the freed space.

Installation continues with a tunnelling routine. The virus hooks Int 01h (the Single Step Interrupt), tracing interrupt vectors 13h, 15h, 21h and 40h to calculate their original addresses. The virus' Int 01h handler is complex, analysing the traced code and simulating a 'no tracing' state if the traced code checks (or appears to check) the trace flag. Using these tracing results, the virus hooks Int 13h and Int 21h by storing five bytes of both interrupt handlers and overwriting the entry point of each with a FAR JMP to the virus.

Finally, before returning to the host program, the Master Boot Sector (MBS) is infected. The virus saves nine sectors of its body and the original MBS (in encrypted form) in the sectors before the first disk partition (as a rule these sectors are free) and overwrites 29h bytes of the MBS with the virus' loader code.

One interesting feature of this virus is that the loader code will be placed in different offsets according to the contents of each boot sector. The virus compares the first byte of the boot sector with the JMP NEAR (E9h) and the JMP SHORT (EBh) opcodes and writes the loader's code into the area to which the JMP instruction points. If there is no JMP, the virus simply overwrites the beginning of the boot sector.
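As an added example (not code from the article), the following scanner applies the JMP-following rule just described, together with the loader bytes listed under 'Hex Pattern in MBS and on floppies' in the summary at the end of this article, to check a boot sector for the Natas loader. The sample sectors are constructed, not real disk images.

```python
import struct

# Loader bytes from the article's "Hex Pattern in MBS and on floppies" entry.
NATAS_LOADER = bytes.fromhex("E80000BF40008EDF836DD3068B45D3B10AD3C88EC0B80902")
# The virus' own self-recognition check: E8 ?? 00 BF (None = wildcard byte).
NATAS_ID = (0xE8, None, 0x00, 0xBF)

def loader_offset(sector: bytes) -> int:
    """Where Natas writes its loader: the target of a leading JMP NEAR (E9h)
    or JMP SHORT (EBh), otherwise the start of the sector."""
    if sector[0] == 0xE9:                       # JMP NEAR rel16: target = 3 + rel
        return (3 + struct.unpack_from("<h", sector, 1)[0]) & 0xFFFF
    if sector[0] == 0xEB:                       # JMP SHORT rel8: target = 2 + rel
        return (2 + struct.unpack_from("<b", sector, 1)[0]) & 0xFFFF
    return 0

def match_at(sector: bytes, off: int, pattern) -> bool:
    """True if pattern (bytes, or a tuple with None wildcards) occurs at off."""
    if off + len(pattern) > len(sector):
        return False
    return all(p is None or sector[off + i] == p for i, p in enumerate(pattern))

def scan_sector(sector: bytes) -> dict:
    """Apply the virus' self-recognition test and the full loader signature."""
    off = loader_offset(sector)
    return {"offset": off,
            "id_bytes": match_at(sector, off, NATAS_ID),
            "signature": match_at(sector, off, NATAS_LOADER)}

def build_sector(prefix: bytes, loader_at=None) -> bytes:
    """Constructed 512-byte sample sector (not a real disk image)."""
    sec = bytearray(512)
    sec[:len(prefix)] = prefix
    if loader_at is not None:
        sec[loader_at:loader_at + len(NATAS_LOADER)] = NATAS_LOADER
    sec[510:] = b"\x55\xAA"
    return bytes(sec)

# Constructed samples: a floppy boot sector begins "EB 3C 90" (JMP SHORT to 3Eh,
# past the BPB); an MBS usually has no leading JMP, so the loader lands at 0.
FLOPPY_CLEAN = build_sector(b"\xEB\x3C\x90")
FLOPPY_INFECTED = build_sector(b"\xEB\x3C\x90", loader_at=0x3E)
MBS_CLEAN = build_sector(b"\xFA\x33\xC0")
MBS_INFECTED = build_sector(b"", loader_at=0)

if __name__ == "__main__":
    for name, sec in [("floppy clean", FLOPPY_CLEAN), ("floppy infected", FLOPPY_INFECTED),
                      ("MBS clean", MBS_CLEAN), ("MBS infected", MBS_INFECTED)]:
        print(name, scan_sector(sec))
```

Run it against a sector read from a suspect disk (after a clean boot, since the resident Int 13h handler returns the original sector on reads) to apply the same check to real data.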

When loading from an infected MBS or floppy boot sector, the virus decreases the size of conventional memory as held by the BIOS, reads its own saved body from disk, hooks Int 13h, decrypts itself, and passes control to the original MBS or boot sector. Natas will infect the MBS on loading from an infected floppy, and on execution of an infected file.

Int 13h Handler

The virus uses the Int 13h handler for three purposes: hooking Int 21h, infecting floppies, and hiding itself on infected disks. Int 21h is hooked in a manner common to most multipartite viruses. On each Int 13h call, the virus checks the address of the Int 21h handler: when DOS installs itself, the Int 21h address changes, and the virus, detecting this at its next call to Int 13h, hooks Int 21h.

The virus intercepts only the Read function (AH=02) of Int 13h. It looks for its identification bytes when reading the infected boot sector (MBS of hard drive or floppy boot sector): if it is infected, the virus decrypts and returns the original code.

Natas will infect any clean floppy boot sector, using a routine similar to hard disk infection. Utilising the BIOS parameter block, the virus finds the last disk sectors, stores its code (nine sectors) there and overwrites the original boot sector code with the virus loader. The remainder of the routine is similar to hard disk infection.

Int 21h Handler

On each call to Int 21h, the virus locks the keyboard by using system ports, and hooks Int 24h. Hooking Int 24h permits the virus to disable the standard error message on writing to write-protected disks. Locking the keyboard is a slightly more subtle trick. Should the computer have any memory-resident behaviour blocker installed, a warning message will be displayed, and the software will wait for a keypress. Thus the virus will make it appear that the behaviour blocker has crashed the system.

Once infection is complete, Natas releases the keyboard lock and returns Int 24h to its original address before passing control to the original Int 21h handler. Natas is also capable of accessing Memory Control Blocks and the System File Table, which helps it hide its code in memory.

When resident, Natas intercepts several Int 21h subfunctions: 30h (Get_DOS_Version), 11h, 12h, 4Eh, and 4Fh (Find_First, Find_Next), 42h subfunction 02h (Seek_End), 57h subfunctions 00h and 01h (Get/Set_File_Time/Date), 3Fh (Read_File), 40h (Write_File), 4Bh (Load_and_Execute) and 3Eh (Close_File).

Several of the intercepted functions are used to provide comprehensive stealth functionality. The increase in the size of infected files is hidden when they are accessed using the DOS functions Find_First and Find_Next. Additionally, Natas is capable of hiding changes made in an infected file when it is loaded from disk. The virus detects when a write request is made to an already-infected file and disinfects it so the write can be completed without causing file corruption. When the write is completed, the file is reinfected.

Such features are standard in stealth viruses, and suffice for the virus to hide itself well within the system, but sometimes conflict with software such as disk checkers and file compression utilities.

This sort of difficulty is taken care of by the virus: using the Memory Control Block's fields, it checks which program is calling the intercepted Int 21h, disabling stealth routines if that program is CHKDSK*.* (CHKDSK.EXE), AR*.* (ARJ.EXE), LH*.* (LHA.EXE), PK*.* (PKZIP.EXE, PKLITE.EXE and other PKWare programs). It also searches for the strings BACK and MODEM in the program names, but I was unable to ascertain to which software these refer.

File infection takes place on calls to Close_File and Load_and_Execute. Natas checks the filename and the internal file structure to determine whether the file is in COM or EXE format. Secondly, the year field of the date stamp is checked to see if it has had 100 added to the value. This is used as a method of identifying infected files on disk, and prevents multiple infection. When resident, Natas also stealths this small change to the file date.
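As an added example (not code from the article), the following applies this self-recognition marker in the other direction: given FAT directory entries read under clean boot conditions, it flags files whose DOS date word carries the extra 100 years and recovers the original stamp. The directory listing is constructed.

```python
from datetime import date

YEAR_SHIFT, MONTH_SHIFT = 9, 5        # FAT date word layout: yyyyyyy mmmm ddddd
NATAS_MARK = 100 << YEAR_SHIFT        # "+100 years" as it appears in the word

def encode_date(d: date) -> int:
    """Pack a calendar date into the 16-bit DOS date word (year is 1980-based)."""
    return ((d.year - 1980) << YEAR_SHIFT) | (d.month << MONTH_SHIFT) | d.day

def decode_date(word: int) -> tuple:
    """Unpack a DOS date word into (year, month, day)."""
    return (1980 + ((word >> YEAR_SHIFT) & 0x7F),
            (word >> MONTH_SHIFT) & 0xF, word & 0x1F)

def natas_marked(word: int) -> bool:
    """Natas adds 100 to the 7-bit year field, so a DOS-era file whose stamp
    reads 2080 or later carries the marker. Assumes the original year was
    before 2008, otherwise the 7-bit field would have wrapped."""
    return ((word >> YEAR_SHIFT) & 0x7F) >= 100

def strip_marker(word: int) -> int:
    """Return the date word as it was before infection."""
    return word - NATAS_MARK if natas_marked(word) else word

def find_marked(entries) -> list:
    """entries: iterable of (filename, date_word) taken from a directory under
    clean boot conditions; when resident, the 57h/Find hooks hide the marker."""
    return [name for name, word in entries if natas_marked(word)]

# Constructed listing: EDIT.COM has the stamp Natas leaves behind (1994 + 100).
SAMPLE_DIR = [
    ("COMMAND.COM", encode_date(date(1994, 10, 17))),
    ("EDIT.COM", encode_date(date(1994, 10, 17)) + NATAS_MARK),
    ("README.TXT", encode_date(date(1993, 5, 1))),
]

if __name__ == "__main__":
    for name, word in SAMPLE_DIR:
        print(name, decode_date(word), "MARKED" if natas_marked(word) else "")
```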

The infection procedure is not new from a technical point of view: the virus writes itself at the end of the file and overwrites the file header with a JMP instruction to the virus code in COM files, or changes the entry address in EXE file header. The virus checks COM file length and EXE header fields, and does not infect very small or large COM files, or EXE files with internal overlay code. On infection, the virus encrypts itself with a polymorphic routine, which is new but not as complex as the MtE or the TPE polymorphic engine.

Trigger Routine and Last Notes

The trigger routine is extremely simple and destructive: it formats the entire hard drive. It executes if the virus detects a debugger, or with a one-in-512 chance on loading from an infected disk.

The virus contains two internal text strings. The first is 'Natas', which appears after the virus body has been decrypted, and the second is 'BACK MODEM'. The virus keeps the latter string in an encrypted form and decrypts it 'on-the-fly' when comparing it with the file names in the Int 21h handler.

As for variants of Natas, I know of four: 4744, 4746, 4774 and 4988 bytes long. They are very similar to the original (the length of which is 4744 bytes), but contain other internal text strings, including, for Natas.4774:
Time has come to pay (c)1994 NEVER-1
and for Natas.4988:
Yes I know my enemies.
They're the teachers who taught me to fight me
Compromise, conformity, assimilation, submission
Ignorance, hypocrisy, brutality, the elite
All of whitch are American dreams
(c) 1994 by Never-1(Belgium Most Hated)
Sandrine B.


Natas

Aliases:
None known.
Type:
Memory-resident, multipartite, polymorphic stealth virus.
Infection:
COM and EXE files, MBS of hard drive; boot sector of floppies.
Self-recognition on Disk:
Compares code at entry (where JMP points) or at sector beginning (if there is no JMP) with bytes E8?? 00BF.
Self-recognition in Files:
100 added to year field of date stamp.
Self-recognition in Memory:
'Are you there?' call with Int 21h (AH=30h, BX=F99Ah). Memory-resident handler returns zero in AX/BX registers.
Hex Pattern in files:
None possible.
Hex Pattern in MBS and on floppies:
E800 00BF 4000 8EDF 836D D306
8B45 D3B1 0AD3 C88E C0B8 0902
Hex Pattern in Memory:
FA2E 8C16 D512 2E89 26D7 120E
17BC D913 FBE8 65FB E421 0C02
E800 00BF 4000 8EDF 836D D306
8B45 D3B1 0AD3 C88E C0B8 0902
Intercepts:
Int 13h for floppy disk infection, stealth and Int 21h hooking, Int 21h for file infection and stealth.
Trigger:
Formats sectors of the hard drive.
Removal:
Under clean system conditions, identify and replace infected files, repair infected MBS with FDISK /MBR.



Virus Bulletin: Natas / webmaster@virusbtn.com © 1998 Virus Bulletin Ltd.