Virus.DOS.SSR.18273, also known as Stainless Steel Rat (SSR), is a memory-resident, heavily encrypted DOS virus believed to originate from Russia.

The virus is considered huge: its infection size is almost 18 KB, far larger than that of typical DOS viruses.

The virus contains four decryptors in nested form. Of the 18,273 bytes of main code, around 7,000 bytes are junk code and decryption routines; the rest is the infection routine and three engines, which the author calls the Random Encryption Syntezator (RES), the Stainless Steel Rat Mutation Engine (SSRME) and the Metamorphic Mutation Engine (MME).

Behavior

Once loaded into memory, the virus hooks INT 21h and infects executables as they are run, writing itself to the end of the file and adding a jump to the polymorphic decryptor at the top of the file. This takes some time, because the infection sequence may pass through the decryption loop, the garbage code and the installation routine, so a noticeable delay can be observed when a program is run. Not every file is infected.
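As an added illustration of the appending infection described above (not code from this article or from the analysis it credits), the following Python parses a DOS MZ header and measures how many bytes follow the image the header declares. The 18,273-byte appended length is the figure given on this page; the sample executable and the appended filler are constructed for the demo. Legitimate programs can also carry overlay data past the declared image, so a non-zero overlay is a hint to inspect, not proof of infection.

```python
import struct

# Infection length given in the article (the ".18273" in the virus name)
SSR_APPENDED_SIZE = 18273

def mz_declared_size(data: bytes):
    """Size of the load image declared by the MZ header, or None if not MZ."""
    if len(data) < 28 or data[:2] not in (b"MZ", b"ZM"):
        return None
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    # e_cp = number of 512-byte pages; e_cblp = bytes used in the last page (0 = full page)
    size = e_cp * 512
    if e_cblp:
        size -= 512 - e_cblp
    return size

def appended_overlay_bytes(data: bytes):
    """Bytes present in the file beyond what the header accounts for."""
    declared = mz_declared_size(data)
    if declared is None:
        return None
    return max(0, len(data) - declared)

def looks_like_ssr_appending(data: bytes) -> bool:
    """Heuristic: trailing data whose length equals the SSR infection size."""
    return appended_overlay_bytes(data) == SSR_APPENDED_SIZE

def build_mz(body_len: int) -> bytes:
    """Constructed minimal MZ executable (32-byte header + body) for the demo."""
    total = 32 + body_len
    header = struct.pack(
        "<2s13H",
        b"MZ", total % 512, (total + 511) // 512,
        0,          # e_crlc: no relocations
        2,          # e_cparhdr: header is 2 paragraphs (32 bytes)
        0, 0xFFFF,  # e_minalloc, e_maxalloc
        0, 0x100,   # initial SS:SP
        0,          # checksum (ignored by DOS)
        0, 0,       # initial IP:CS
        0x1C, 0,    # e_lfarlc, e_ovno
    )
    return header.ljust(32, b"\0") + bytes([0xC3]) * body_len  # body: RET filler

if __name__ == "__main__":
    clean = build_mz(1000)
    infected = clean + b"\x90" * SSR_APPENDED_SIZE  # constructed appended blob
    print(appended_overlay_bytes(clean), appended_overlay_bytes(infected))
```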

To avoid being traced, the virus modifies its own memory block so that the chain of memory blocks continues past it, and at the same time creates another block. It then moves itself into the new block and sets the owner of the original one to null, so that MEM shows no trace of the virus. Next it encrypts the code of its INT ABh handler in the new block and sets that block's owner to null as well. Finally it overwrites the memory block whose owner was set to null with pound signs.

The virus patches the body of the INT 21h handler so that the DOS kernel calls INT ACh instead when a program is executed, which hands control to the virus.

The virus also fills its code with INT 1 and INT 3 instructions, which pause a debugger. One form of INT 3, the two-byte CD 03, makes the program run wildly, because it moves the instruction pointer to an unintended place.

The virus installs an INT 6 (invalid opcode) handler located at offset 0EC5h and makes the infected program execute invalid opcodes, causing the system to kill the process or even crash.

The virus checks for files with any of the following extensions and deletes them if found, using function call INT 21h/AH=41h (Delete File):

BAS
ICO
PAS

When done, it returns the following string to the function's caller:

Ш И Т !

Translation (from Bulgarian, uncensored):

Sh*t!

Memory usage

The exact memory usage is 51,296 bytes.

Payload

Several payloads are triggered under different conditions.

INT ABh tracing detection

The virus checks whether INT ABh is being traced; if so, it prints the following message:

И долго он INT`ы трассировал...
Теперь я грустный терминал!

Translation (from Russian):

For a long time he traced INTs...
Now I am a sad terminal!

It also corrupts the CMOS checksum and hangs the system.

Filename detection

If a file name contains the string "ID" at its 2nd and 3rd positions (probably aimed at the AIDSTEST antivirus software), it prints the following message:

А не поpa ли г-нy Лoзинcкoмy нa пeнcию!

Translation (from Russian):

Isn't it time for Mr. Lozinsky to retire!

It then hangs the system. Any executable whose name matches this condition may trigger this payload.

Virus and antivirus detection

Screenshot: SSR gives a "Warning" when the Finger virus is run.

SSR can be described not only as a virus, but also as an antivirus and an anti-antivirus.

On every INT 21h call the virus checks for certain viruses and resident antivirus programs. Viruses such as Jerusalem, Sunday, Fingers, Tumen and OneHalf are detected by SSR, and the FLUSHOT program is also one of its targets. Naturally, the virus infects them if found.

When one is detected, it displays the following message at the center of the screen (uncensored):

!!! ALARM WARNING DANGER APPROACHING !!!
Hacker-f*cker TSR sh*t or Any Virus Detected !!!
Anyone who want to f*ck Revenge is Naivnij Man
With best wishes & thanks to DialogScn
Emulation engine will have problems with this ZHOM
In future versions we will add:
1. Protected Mode Decryptor (VMME)
2. Adinf table Hacker-cracker
3. Destroy Files/Disks/CMOS/Printer/CDROM
4. Disk encryption and BUGs,GLUKs and SHITs !
Dis is only BEGIN... Win95 and her lamers must die!
Searching... SEEK & DESTROY
There can be only one ...

It also cycles the background color from black to red, emits an alarm sound through the PC speaker and hangs the system.

Screen shaking

23 minutes after the virus is installed, it shakes the screen. The computer remains usable during this effect and the user can still work.

Number of processed files tracking

On installation the virus sets up a counter that is incremented whenever a file is accessed. 15 minutes after installation, if the counter equals 50, it displays a full-screen message with a graphical effect (see the screenshot at the top of this article).

Screenshot: copyright message of the virus.

When the ESC key is pressed, it switches to another message claiming the author's copyright:

Revenge virus v 1.01 released at 20.04.96
Copyright (c) 1996-97  2 Rats Techno Soft
Written by
Stainless Steel Rat

It then formats a random sector of the hard disk.

A hard reset is required to reboot the computer, because after this payload the CPU is disabled and no longer accepts keyboard input.

Other details

If a file containing the original encrypted form of the virus is run, the virus decrypts itself and loads into memory, and the file's size increases; after that the file becomes useless and cannot be executed again. If the user resets the system before any file has been infected, the virus will no longer spread.

The virus contains the following text string:

Hi Hacker! Welcome to Hell

References

Credits to user flightcpuboy at MalwareUp.

1. MalwareUp II: Analysis of Virus.DOS.SSR
