This virus was considered to be huge, as its infection size is almost 18 KB, much larger than typical DOS viruses.
The virus contains 4 decryptors in a nested form. In the main code with a size of 18,273 bytes, there are around 7,000 bytes of useless code and decryption routines, and the rest are the infection routine and 3 engines. The author refers to them as the Random Encryption Syntezator (RES), Stainless Steel Rat Mutation Engine (SSRME) and Metamorphic Mutation Engine (MME).
After the virus has been loaded into memory, the virus hooks INT 21h and it infects any executable file that is run, by writing itself to the end of the file, and also adds a jump to the polymorphic decryptor at the top of the file. This procedure takes some time, since the infection sequence may pass through decryption loop, garbage code and the installation routine, so a noticeable delay can be observed when a program is run. Not every file will be infected by this virus.
To avoid being traced, the virus modifies its own memory block so that it continues the chain of memory blocks and it creates another one at the same time. After that, the virus moves itself to the newly created memory block, then it sets the original memory block to null so that MEM shows no trace of the virus. Then, the virus encrypts the code of INT ABh handler in that new block of memory, and sets the original owner to null. Finally, it overwrites the memory block, which has been set to null with pound signs.
The virus modifies the body of INT 21h so that the DOS kernel calls INT ACh instead when a program executes, thus the virus will gain control.
The virus also fills with INT 1 and 3 instructions which pauses the debugger, one type of INT 3 instruction makes the program run insanely, the
CD 03, as it moves the instruction pointer to an undesired place.
The virus installs a handler at INT 6, locating at the offset 0EC5h, making the infected program execute invalid opcodes, causing the system to kill process or even crash.
The virus detects files having any of the following extensions, and deletes them if found through function call INT 21h/AH=41h:
BAS ICO PAS
When it is done, it returns a string to the function:
Ш И Т !
Translation (from Bulgarian, uncensored):
The memory usage of the TSR code of the virus is 51,296 bytes.
There are several payloads that are triggered in different conditions.
INT ABh tracing detection
The virus checks whether INT ABh is being traced, if yes, it prints the following message:
И долго он INT`ы трассировал... Теперь я грустный терминал!
Translation (from Russian):
For long time he traced INT's... Now I am a sad terminal!
It also corrupts the CMOS checksum, and hangs the system.
If a file's name containing the string "ID" at 2nd and 3rd position (probably AIDSTEST antivirus software), it prints the following message:
А не поpa ли г-нy Лoзинcкoмy нa пeнcию!
Translation (from Russian):
It isn't time for Mr. Lozinsky to retire!
Then, it hangs the system.
Any executables that matches this condition may also trigger this payload.
Virus and Antivirus detection
SSR can be said not only a virus, but an antivirus, and anti-antivirus.
The virus checks for some virus and resident antivirus programs via every INT 21h call, virus like Jerusalem, Sunday, Fingers, Tumen, OneHalf etc. would be detected by SSR, FLUSHOT program is also one of its target. Obviously, the virus would infect them if found.
When detected, it displays the following message at the center of the screen (uncensored):
!!! ALARM WARNING DANGER APPROACHING !!! Hacker-f*cker TSR sh*t or Any Virus Detected !!! Anyone who want to f*ck Revenge is Naivnij Man With best wishes & thanks to DialogScn Emulation engine will have problems with this ZHOM In future versions we will add: 1. Protected Mode Decryptor (VMME) 2. Adinf table Hacker-cracker 3. Destroy Files/Disks/CMOS/Printer/CDROM 4. Disk encryption and BUGs,GLUKs and SHITs ! Dis is only BEGIN... Win95 and her lamers must die! Searching... SEEK & DESTROY There can be only one ...
Plus cycling the background color from black to red, and outputs alarm sound through the PC speaker, and hangs the system.
After 23 minutes of the installation of the virus, it shakes the screen. At this moment the computer is still usable and the user may still do tasks at this moment.
Number of processed files tracking
The virus sets a counter on installation, it counts when a file is accessed. After 15 minutes of the installation of the virus, if the value of this counter is equal to 50, it displays a full screen message with graphical effect (see the screenshot at the top of this article).
When ESC key is pressed, it turns to another message claiming the author's copyright.
Revenge virus v 1.01 released at 20.04.96 Copyright (c) 1996-97 2 Rats Techno Soft Written by Stainless Steel Rat
And then it formats a random sector of the hard disk.
A hard reset must be taken in order to reboot the computer since the CPU is disabled and no longer accepts keyboard inputs after this payload.
If a file containing the original encrypted form of the virus is run, the virus decrypts itself, loads into memory and the size of the file increases, after that this file will become useless and it cannot be executed again. If the user resets the system before infecting any file, the virus will no longer spread.
The virus contains the following text string:
Hi Hacker! Welcome to Hell
Credits to user flightcpuboy in MalwareUp.
- MalwareUp II: Analysis of Virus.DOS.SSR