FANDOM


Virus.DOS.Diamond is a memory resident virus on DOS that is somewhat dangerous. The virus was written by Dark Avenger, it is named by the payload in some of the variants.

There are 28 variants in 5 versions, represented by the following:

  • Virus.DOS.Diamond.444
  • Virus.DOS.Diamond.568
  • Virus.DOS.Diamond.607
  • Virus.DOS.Diamond.891
  • Virus.DOS.Diamond.1013

There are an additional 3 variants which also belong to this family.

Behavior

When the virus is loaded into memory, it hooks INT 8 and 21h and infects executable that is run by writing itself to the end of the file.

Some executable may have the string "ZM" instead of "MZ" at the beginning in their code, the virus would still identify them as EXE files and set the string to "MZ" during infection.

The virus might corrupt some of the files during execution, causing a system hang or even crash when these programs are run.

Variants smaller than 978 bytes (and except 666 bytes) do not check whether its TSR code is already in memory so that it would install one more copy into when it infects a file, which would lead the system to eventually run out of memory.

When the virus infects a file, it also extracts 8 binary data from the host program and put it at the later part of its viral code, just before the internal text string. The data are extracted from the absolute positions:

Cell 0 1 2 3 4 5 6 7
Position in hex 10 11 0E 0F 14 15 16 17

For example, given the following binary (first 32 bytes):

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
-----------------------------------------------
E9 3D 1F 0C 01 CD 21 CD 20 90 90 59 52 6F 73 65
47 6F 61 74 20 32 2E 31 35 20 47 6F 61 74 20 46

The resulting string would become:

47 6F 73 65 20 32 2E 31

In ASCII:

Gose 2.1

This is used for identification, when the virus stays in memory, the infection size will be hidden from these infected files, if the string exists and matches. All variants feature this mechanism, but only stealthy variants make use of this.

Diamond.444 and 465

These variants set a multiplier starting at 1 after being loaded into memory, which adds up the upcoming infection size. The infection behaviors on these two types of executable are different.

The virus may infect the file more than once using a loop, before an infection it first calculates the file size after infection, by adding the current file size with its infection size. If it will be larger than or equal to 65,024 bytes (FE00h), it breaks the loop.

For any DOS executable matches this condition, the virus will forgive it and return to the host program (if uninfected). For any EXE file in the same case, a system hang may occur after infecting a file larger than this size.

The infection size increments by 1 every time after infecting a DOS executable, so that the sequence of the multiplier of the infection size will be "1, 2, 3, 4, 5, 6, ...". So the largest infection multiplier is 145 for Diamond.444 and 138 for Diamond.465, given that the host file is not smaller than the virus themselves.

For the case an EXE file is infected, the virus adds the summation of all counts of previous infections to itself, so that the EXE files that are infected after a few counts of infections will become very large. The sequence of the multiplier of the infection size is can be represented by the following formula:

Diamond444-465 infect exe

In this formula, s is the multiplier value to be found, while n is the number of infections.

Hence the sequence can be deduced as "1, 2, 5, 13, 34, 89", and the largest infection multiplier is 89 because the infection size of upcoming multipliers are much larger than 64KB.

If the user resets the system, the count of the multiplier will lost and restore to 1 when the virus is loaded into memory after reset.

On running an infected DOS executable would run the virus only without running the host program, while some infected EXE files can run both.

Diamond.485

After this variant has been loaded into memory, it infects any executable that is run. After infecting a file, the virus does not return to DOS and results a system hang.

It does not check whether a file has been infected and would reinfect it.

Diamond.568, 584, 594, 602, 606, 608, 609, 614 and 620

These variants do not infect a file more than once. Except Diamond.602, the virus does not return to DOS that would hang the system after infecting a file.

Diamond.606, 609 and 614 do not infect files smaller than themselves.

Diamond.607, 621...978, 1013...1110, Greemlin.1146 and RockSteady.666

These variants make use of the extracted 8-byte string to behave stealthy so that there is no file size change can be observed for infected files, and they do not infect files smaller than themselves.

Files infected by these variants might be malfunctioned.

Diamond.Lucifer.1086

This variant also make use of the extracted 8-byte string to behave stealthy when it is in memory. If the timestamp of a file to be infected by this variant is 12:00 AM, it removes the timestamp so that the infected file will have no last modified time.

Memory usage

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
Diamond.444 496
Diamond.465 512
Diamond.485 528
Diamond.568 608
Diamond.584 624
Diamond.594 640
Diamond.602 640
Diamond.606 656
Diamond.607 656
Diamond.608 656
Diamond.609 656
Diamond.614 656
Diamond.620 672
Diamond.621 672
Diamond.624 672
Diamond.626 672
Diamond.666.b 704
Diamond.891 928
Diamond.978 1,024
Diamond.994 1,120
Diamond.1013 1,056
Diamond.1014 1,056
Diamond.1024 (A and B) 1,072
Diamond.1050 1,296
Diamond.1063 1,120
Diamond.1096 1,136
Diamond.1110 1,152
Diamond.Greemlin.1146 1,184
Diamond.Lucifer.1086 1,136
Diamond.RockSteady.666 704

MD5 hash:

Variant Hash
Diamond.444 7722d86ecc694c19d5ecb183e1efe587
Diamond.465 deaeee27375e8b46f33ca06c8441030e
Diamond.485 33319669e8a35f3a13c3746721e38ae5
Diamond.568 3cf87b2a4bed4dc4a693220ec1f58d88
Diamond.584 4be8d19c1e08f29b9d7318160e1d1886
Diamond.594 158b32b09f2bd8126209241a2c913733
Diamond.602 620f9ad3a1ca979443e71a41aa9d36c4
Diamond.606 e4e0415f153bc6f7ff2e11860f945df8
Diamond.607 e71cf640e2a4219bb9afb18cc6ce9e80
Diamond.608 02f031aca70a4052a1fb6cd1f1bf7d8b
Diamond.609 18a23a340d4473bf0cd937a8276af9f6
Diamond.614 c3e72a56bd2e91d1ae67a91ef712c362
Diamond.620 d1a20329b7e3b462010bd274c947bd16
Diamond.621 e98ac807e0e541045bb3940af76bb5b9
Diamond.624 f5272d82fe6fe118b05d7b33342e984b
Diamond.626 4ea09bbc05370e11fd881ecf5e8a6f86
Diamond.666.b fe1980e97af53a67d65d073ccf862f6b
Diamond.891 fbd1becca56d4d6aba70d09ff1321a0b
Diamond.978 92b16c4d635f81094334913fc35a7303
Diamond.994 a16c9d763d51272f1d27237a8c5516c9
Diamond.1013 ed8bbb180829ee969f96aa35742b20e8
Diamond.1014 719c713664dedfa4dcb45fcf80b63aee
Diamond.1024.a 1bedd9e1c58ceded79d6cbbe92f0c53b
Diamond.1024.b d78c71bf475456c42a76cde2d18b5ede
Diamond.1050 fb2a0adddb7910121ad395d227de4772
Diamond.1063 577922e896fae33ae474cb0ae5c98050
Diamond.1096 0a57eb838fa562679bf57867301412b1
Diamond.1110 fb52c1f7bb08b248d018aff1bd0d8d0d
Diamond.Greemlin.1146 b7058038fbd240fa5cb2e9dbd98d56e2
Diamond.Lucifer.1086 fc82e53cdb8fba3068289faefd8c6773
Diamond.RockSteady.666 adf0633d00407242d76b1455cf5e34e5

Note: Binary modification on some variant samples is required in order to test their behaviors.

Payload

Diamond.444, 465, 485, 607, 614, 621, 624, 626

These variants do not manifest themselves at anyway.

Diamond.568, 584, 594, 602, 606, 608, 609 and 620

When the user issues an DIR command or attempts to copy a file, the virus would drive it to run invalid opcode, which may crash the system, a hard reset must be taken in order to reboot the computer.

Under DOS 7.1, the system might terminate such task without hanging on it.

Diamond.666.b and RockSteady.666

When an infected program is run on 13th of any month, the virus formats the first 10 cylinders in head 0 using INT 13h, and overwrites first 32 logical sectors in C: with garbage, after that the virus resets the system with INT 19h.

Diamond.891

This variant attempts to print a big diamond with diamond characters (ASCII 04h) in different color when the minute is 0 and the second is between 0 and 14 of the system time, but failed.

Diamond.978

This variant attempts to format the hard drive on Tuesdays, but failed due to a programming error, and it formats the third floppy drive instead.

When the minute is 0 and the second is between 0 and 14 of the system time, the virus would attempt to print the big diamond, but due to the errors in code, it would never be displayed. Instead of this, if the user attempts to issue a command during this period, the system would hang by running the illegal instructions of the payload code in an endless loop.

Diamond.1013, 1014, 1024, 1050, 1063, 1096, 1110 and Lucifer.1086

Diamond1014

Diamond.1014 in action

These variants attempt to format the hard drive on Tuesdays, but failed due to a programming error, and it formats the third floppy drive instead.

When the minute is 0 and the second is between 0 and 13 of the system time, the virus prints a big diamond with diamond characters in different color, and then it would break up and start bouncing on the screen. There is no method to clear the diamond characters except resetting the system.

For Diamond.1013, it prints the diamond characters that would not move so that they can be cleared by typing CLS or some other commands.

When infections occurs during the payload, the virus also saves the current position of the diamond characters into the host file.

Diamond.Greemlin.1146

This variant also prints a big diamond with diamond characters, and would break up and start bouncing on the screen. Additionally, it slows down the system speed by 10%.

When an infected program is run on July 14th, it overwrites some sectors on floppy disks and the hard drive.

Variants

This family has 31 variants in total:

  • Virus.DOS.Diamond.444
  • Virus.DOS.Diamond.465
  • Virus.DOS.Diamond.485
  • Virus.DOS.Diamond.568
  • Virus.DOS.Diamond.584
  • Virus.DOS.Diamond.594
  • Virus.DOS.Diamond.602
  • Virus.DOS.Diamond.606
  • Virus.DOS.Diamond.607
  • Virus.DOS.Diamond.608
  • Virus.DOS.Diamond.609
  • Virus.DOS.Diamond.614
  • Virus.DOS.Diamond.620
  • Virus.DOS.Diamond.621
  • Virus.DOS.Diamond.624
  • Virus.DOS.Diamond.626
  • Virus.DOS.Diamond.666.b
  • Virus.DOS.Diamond.891
  • Virus.DOS.Diamond.978
  • Virus.DOS.Diamond.994
  • Virus.DOS.Diamond.1013
  • Virus.DOS.Diamond.1014
  • Virus.DOS.Diamond.1024 (A and B)
  • Virus.DOS.Diamond.1050
  • Virus.DOS.Diamond.1063
  • VIrus.DOS.Diamond.1096
  • Virus.DOS.Diamond.1110
  • Virus.DOS.Diamond.Greemlin.1146
  • Virus.DOS.Diamond.Lucifer.1086
  • Virus.DOS.Diamond.RockSteady.666

Other details

Ah (David) and Rocko are variants of Diamond.

Diamond.666.b and RockSteady.666 are later versions of Rocko.

There are illegal instructions in the TSR code of Diamond.994 which would lead the system to run into a deadlock after installing the virus to memory.

Some stealthy variants may detect other variants using the same technique. Assume file A contains Diamond.624 and file B contains Diamond.626, saying A+624 bytes and B+626 bytes respectively. If file B is executed, Diamond.626 becomes memory resident. Under the DIR command, B would show the original file size (i.e. B bytes), but the size of A will have 2 bytes smaller than that when uninfected.

Diamond.444 and 465 contain the internal text string:

9090909090

Diamond.485, 568...626, 891, 978, 994, 1013, 1024 and 1096 contain the internal text string:

7106286813

Diamond.666.b and RockSteady.666 contain the modified internal text string:

RocK STeaDY

Diamond.1050 contains the internal text string:

NEWDIAMOND

Diamond.1063 contains the internal text string:

DAMAGE!!!!

Diamond.1110 contains the internal text string:

Jump for joy!!!
DAMAGE-B!!

Diamond.Greemlin.1146 contains the internal text string:

greemlin

Diamond.Lucifer.1086 contains the internal text strings:

Lucifer (C) by C.J.
C.J.

References

  1. Source code of Diamond on VX Heaven
  2. List of variants of the Diamond virus on VX heaven
  3. Description of some of the variants of Diamond on Online VSUM
  4. Description of Diamond on F-Secure Labs

Videos

Virus.DOS06:44

Virus.DOS.Diamond

Diamond virus review by danooct1

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.