Fandom

Malware Wiki

Diamond

1,328pages on
this wiki
Add New Page
Comments0 Share

Virus.DOS.Diamond is a somewhat dangerous memory resident virus on DOS. The virus was written by Dark Avenger, it is named by the payload in some of the variants.

There are 28 variants in 5 versions, represented by the following:

  • Virus.DOS.Diamond.444
  • Virus.DOS.Diamond.568
  • Virus.DOS.Diamond.607
  • Virus.DOS.Diamond.891
  • Virus.DOS.Diamond.1013

There are additional 3 variants which also belong to this family.

Behavior

When the virus is loaded into memory, it hooks INT 8 and 21h and infects executable that is run by writing itself to the end of the file.

Some executable may have the string "ZM" instead of "MZ" at the beginning in their code, the virus would still identify them as EXE files and set the string to "MZ" during infection.

The virus might corrupt some of the files during execution, causing a system hang or even crash when these programs are run.

Variants smaller than 978 bytes (and except 666 bytes) do not check whether its TSR code is already in memory so that it would install one more copy into when it infects a file, which would lead the system to eventually run out of memory.

When the virus infects a file, it also extracts 8 binary data from the host program and put it at the later part of its viral code, just before the internal text string. The data are extracted from the absolute positions:

Cell 0 1 2 3 4 5 6 7
Position in hex 10 11 0E 0F 14 15 16 17

For example, given the following binary (first 32 bytes):

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
-----------------------------------------------
E9 3D 1F 0C 01 CD 21 CD 20 90 90 59 52 6F 73 65
47 6F 61 74 20 32 2E 31 35 20 47 6F 61 74 20 46

The resulting string would become:

47 6F 73 65 20 32 2E 31

In ASCII:

Gose 2.1

This is used for identification, when the virus stays in memory, the infection size will be hidden from these infected files, if the string exists and matches. All variants feature this mechanism, but only stealthy variants make use of this.

Diamond.444 and 465

These variants set a multiplier starting at 1 after being loaded into memory, which adds up the upcoming infection size. The infection behaviors on these two types of executable are different.

The virus may infect the file more than once using a loop, before an infection it first calculates the file size after infection, by adding the current file size with its infection size. If it will be larger than or equal to 65,024 bytes (FE00h), it breaks the loop.

For any DOS executable matches this condition, the virus will forgive it and return to the host program (if uninfected). For any EXE file in the same case, a system hang may occur after infecting a file larger than this size.

The infection size increments by 1 every time after infecting a DOS executable, so that the sequence of the multiplier of the infection size will be "1, 2, 3, 4, 5, 6, ...". So the largest infection multiplier is 145 for Diamond.444 and 138 for Diamond.465, given that the host file is not smaller than the virus themselves.

For the case an EXE file is infected, the virus adds the summation of all counts of previous infections to itself, so that the EXE files that are infected after a few counts of infections will become very large. The sequence of the multiplier of the infection size is "1, 2, 5, 13, 34, 89", and the largest infection multiplier is 89 because the infection size of upcoming multipliers are much larger than 64KB.

If the user resets the system, the count of the multiplier will lost and restore to 1 when the virus is loaded into memory after reset.

On running an infected DOS executable would run the virus only without running the host program, while some infected EXE files can run both.

Diamond.485

After this variant has been loaded into memory, it infects any executable that is run. After infecting a file, the virus does not return to DOS and results a system hang.

It does not check whether a file has been infected and would reinfect it.

Diamond.568, 584, 594, 602, 606, 608, 609, 614 and 620

These variants do not infect a file more than once. Except Diamond.602, the virus does not return to DOS that would hang the system after infecting a file.

Diamond.606, 609 and 614 do not infect files smaller than themselves.

Diamond.607, 621...978, 1013...1110, Greemlin.1146 and RockSteady.666

These variants make use of the extracted 8-byte string to behave stealthy so that there is no file size change can be observed for infected files, and they do not infect files smaller than themselves.

Files infected by these variants might be malfunctioned.

Diamond.Lucifer.1086

This variant also make use of the extracted 8-byte string to behave stealthy when it is in memory. If the timestamp of a file to be infected by this variant is 12:00 AM, it removes the timestamp so that the infected file will have no last modified time.

Memory usage

The following table shows the memory usage of the variants.

Variant Memory usage in bytes
Diamond.444 496
Diamond.465 512
Diamond.485 528
Diamond.568 608
Diamond.584 624
Diamond.594 640
Diamond.602 640
Diamond.606 656
Diamond.607 656
Diamond.608 656
Diamond.609 656
Diamond.614 656
Diamond.620 672
Diamond.621 672
Diamond.624 672
Diamond.626 672
Diamond.666.b 704
Diamond.891 928
Diamond.978 1,024
Diamond.994 1,120
Diamond.1013 1,056
Diamond.1014 1,056
Diamond.1024 (A and B) 1,072
Diamond.1050 1,296
Diamond.1063 1,120
Diamond.1096 1,136
Diamond.1110 1,152
Diamond.Greemlin.1146 1,184
Diamond.Lucifer.1086 1,136
Diamond.RockSteady.666 704

Payload

Diamond.444, 465, 485, 607, 614, 621, 624, 626

These variants do not manifest themselves at anyway.

Diamond.568, 584, 594, 602, 606, 608, 609 and 620

When the user issues an DIR command or attempts to copy a file, the virus would drive it to run invalid opcode, which may crash the system, a hard reset must be taken in order to reboot the computer.

Under DOS 7.1, the system might terminate such task without hanging on it.

Diamond.666.b and RockSteady.666

When an infected program is run on 13th of any month, the virus formats the first 10 cylinders in head 0 using INT 13h, and overwrites first 32 logical sectors in C: with garbage, after that the virus resets the system with INT 19h.

Diamond.891

This variant attempts to print a big diamond with diamond characters (ASCII 04h) in different color when the minute is 0 and the second is between 0 and 14 of the system time, but failed.

Diamond.978

This variant attempts to format the hard drive on Tuesdays, but failed due to a programming error, and it formats the third floppy drive instead.

When the minute is 0 and the second is between 0 and 14 of the system time, the virus would attempt to print the big diamond, but due to the errors in code, it would never be displayed. Instead of this, if the user attempts to issue a command during this period, the system would hang by running the illegal instructions of the payload code in an endless loop.

Diamond.1013, 1014, 1024, 1050, 1063, 1096, 1110 and Lucifer.1086

Diamond1014

Diamond.1014 in action

These variants attempt to format the hard drive on Tuesdays, but failed due to a programming error, and it formats the third floppy drive instead.

When the minute is 0 and the second is between 0 and 13 of the system time, the virus prints a big diamond with diamond characters in different color, and then it would break up and start bouncing on the screen. There is no method to clear the diamond characters except resetting the system.

For Diamond.1013, it prints the diamond characters that would not move so that they can be cleared by typing CLS or some other commands.

When infections occurs during the payload, the virus also saves the current position of the diamond characters into the host file.

Diamond.Greemlin.1146

This variant also prints a big diamond with diamond characters, and would break up and start bouncing on the screen. Additionally, it slows down the system speed by 10%.

When an infected program is run on July 14th, it overwrites some sectors on floppy disks and the hard drive.

Variants

This family has 31 variants in total:

  • Virus.DOS.Diamond.444
  • Virus.DOS.Diamond.465
  • Virus.DOS.Diamond.485
  • Virus.DOS.Diamond.568
  • Virus.DOS.Diamond.584
  • Virus.DOS.Diamond.594
  • Virus.DOS.Diamond.602
  • Virus.DOS.Diamond.606
  • Virus.DOS.Diamond.607
  • Virus.DOS.Diamond.608
  • Virus.DOS.Diamond.609
  • Virus.DOS.Diamond.614
  • Virus.DOS.Diamond.620
  • Virus.DOS.Diamond.621
  • Virus.DOS.Diamond.624
  • Virus.DOS.Diamond.626
  • Virus.DOS.Diamond.666.b
  • Virus.DOS.Diamond.891
  • Virus.DOS.Diamond.978
  • Virus.DOS.Diamond.994
  • Virus.DOS.Diamond.1013
  • Virus.DOS.Diamond.1014
  • Virus.DOS.Diamond.1024 (A and B)
  • Virus.DOS.Diamond.1050
  • Virus.DOS.Diamond.1063
  • VIrus.DOS.Diamond.1096
  • Virus.DOS.Diamond.1110
  • Virus.DOS.Diamond.Greemlin.1146
  • Virus.DOS.Diamond.Lucifer.1086
  • Virus.DOS.Diamond.RockSteady.666

Other details

Ah (David) and Rocko are variants of Diamond.

Diamond.666.b and RockSteady.666 are later versions of Rocko.

There are illegal instructions in the TSR code of Diamond.994 which would lead the system to run into a deadlock after installing the virus to memory.

Some stealthy variants may detect other variants using the same technique. Assume file A contains Diamond.624 and file B contains Diamond.626, saying A+624 bytes and B+626 bytes respectively. If file B is executed, Diamond.626 becomes memory resident. Under the DIR command, B would show the original file size (i.e. B bytes), but the size of A will have 2 bytes smaller than that when uninfected.

Diamond.444 and 465 contain the internal text string:

9090909090

Diamond.485, 568...626, 891, 978, 994, 1013, 1024 and 1096 contain the internal text string:

7106286813

Diamond.666.b and RockSteady.666 contain the modified internal text string:

RocK STeaDY

Diamond.1050 contains the internal text string:

NEWDIAMOND

Diamond.1063 contains the internal text string:

DAMAGE!!!!

Diamond.1110 contains the internal text string:

Jump for joy!!!
DAMAGE-B!!

Diamond.Greemlin.1146 contains the internal text string:

greemlin

Diamond.Lucifer.1086 contains the internal text strings:

Lucifer (C) by C.J.
C.J.

References

Source code of Diamond, The Diamond Virus 2.1 - Virus for MS-DOS written by Damage, Inc

Collection of Diamond, Virus collection (VX heaven)

Description of some of the variants of Diamond, Online VSUM - Diamond Virus

F-Secure Labs, Diamond Description

Videos

Virus.DOS06:44

Virus.DOS.Diamond

Diamond virus review by danooct1

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.