Win95.Punch.9262
================
This is the first known "memory resident" parasitic virus that infects
Win95 EXE files (PE executables). It seems that this one opens a new line of
Win95 parasitic infectors.
The virus infects the system in two steps. When an infected Win95 EXE file
is executed, the virus drops to disk a VxD file (the dropper) that contains
the virus code, and then registers this VxD in the SYSTEM.INI file. The
virus then returns to the host file and does not affect the system in any
other way until the next reboot. When Win95 loads the next time, it reads
the VxD files from disk and passes control to them. The virus code in the
VxD file receives control, hooks the system file access calls and from then
on infects Win95 EXE files as they are opened.
Fortunately, the virus has several lethal bugs and cannot replicate under a
standard environment without corrupting Win95 system files. An infected
system therefore does not work stably, and this virus has no chance of
being "in the wild". Unfortunately, these bugs may be easily fixed, and a
new version of this virus may bring many more problems for Win95 users.
The virus contains the text strings it uses to reach system resources and
functions:
KERNEL32
CreateFileA
WriteFile
ReadFile
SetFilePointer
CloseHandle
The virus also contains the strings it uses to locate the Win95 directory
and to create its files there:
c:\win95\system.ini
c:\windows\system.ini
c:\win95\system\vvfs.vxd
c:\windows\system\vvfs.vxd
The next text string is the name of the section the virus adds to the PE
section table:
QuantumG
The virus was named after the last string that appears in its code:
Beating You to the Punch in the '97 (almost)
Infected EXE File Run
---------------------
When an infected Win95 EXE file is executed, the virus gets control and
drops the VxD file. To do that the virus calls
GetLogicalDriveStringsA (KERNEL32 function #350) and
SetEnvironmentVariableA (KERNEL32 function #372), gets information about
system parameters and obtains pointers to the file access routines
CreateFileA, WriteFile, ReadFile, SetFilePointer and CloseHandle.
The virus then creates the VxD file C:\WIN95\SYSTEM\VVFS.VXD. If that call
fails (there is no such directory), the virus creates the file
C:\WINDOWS\SYSTEM\VVFS.VXD instead. If that call fails too (neither
directory exists on the disk), the virus returns to the host program.
Otherwise, the virus writes 9262 bytes of data and code to the newly created
file; these bytes form a complete VxD file (an LE EXE file).
To complete the infection the virus looks for C:\WIN95\SYSTEM.INI or
C:\WINDOWS\SYSTEM.INI, scans it for the first occurrence of the string
"ice=" (the tail of "device=") and inserts the string "vvfs.vxd," there:
Before infection: device=some.vxd
After infection: device=vvfs.vxd,some.vxd
The virus first checks that "device=" line for the string "vvfs", so it
does not insert its VxD name twice. It then closes the SYSTEM.INI file and
returns to the host program.
As a result of the infection there is a newly created VxD file in the Win95
SYSTEM subdirectory, and SYSTEM.INI has been modified so that Win95 will
load and execute this VxD at the next boot.
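The SYSTEM.INI edit described above is simple enough to model end to end. The following Python is an added example written for this page, not code from the virus or from the original description: punch_insert reproduces the described insertion on an in-memory string so that the infected form can be produced for testing, find_punch_entries audits a SYSTEM.INI for device= lines that load vvfs.vxd, and clean_system_ini removes the entry again. The sample [386Enh] section and the driver names *vpowerd and *vshare in it are constructed test data, not a capture from a real machine.

```python
"""Audit and clean the SYSTEM.INI persistence entry left by Win95.Punch.

Added example for this page, not code from the virus or the original
description.  punch_insert() reproduces the described edit on a string so
that realistic test input can be built; find_punch_entries() and
clean_system_ini() are the defender's side.
"""
import re

PUNCH_VXD = "vvfs.vxd"
# Proper device= key match for the audit.  The virus itself only looks for
# the bare substring "ice=", which would also hit any other key whose name
# ends in "ice"; the description names only "device=" as the intended target.
DEVICE_LINE = re.compile(r"^(\s*device\s*=\s*)(.*?)\s*$", re.IGNORECASE)

# Constructed [386Enh] sample; the driver names are placeholders, not a capture.
SAMPLE_INI = (
    "[boot]\r\n"
    "shell=Explorer.exe\r\n"
    "\r\n"
    "[386Enh]\r\n"
    "device=*vpowerd\r\n"
    "device=*vshare\r\n"
)


def punch_insert(text: str) -> str:
    """Mirror of the described edit: find the first "ice=", skip if that line
    already mentions "vvfs", otherwise prepend "vvfs.vxd," to the value.
    Pure string operation; nothing is written to disk."""
    idx = text.find("ice=")
    if idx < 0:
        return text                       # no device= line: nothing to hook
    line_end = text.find("\n", idx)
    if line_end < 0:
        line_end = len(text)
    if "vvfs" in text[idx:line_end]:
        return text                       # already registered, do not repeat
    return text[:idx + 4] + PUNCH_VXD + "," + text[idx + 4:]


def _is_punch_token(token: str) -> bool:
    """True if one comma-separated device= entry names vvfs.vxd (any path)."""
    return token.strip().lower().replace("/", "\\").split("\\")[-1] == PUNCH_VXD


def find_punch_entries(text: str):
    """Return (line_number, line) for every device= line loading vvfs.vxd."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        m = DEVICE_LINE.match(line)
        if m and any(_is_punch_token(t) for t in m.group(2).split(",")):
            hits.append((number, line))
    return hits


def clean_system_ini(text: str) -> str:
    """Strip vvfs.vxd from device= lines, dropping a line that held only it.
    Line endings and every other line are preserved byte for byte."""
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        m = DEVICE_LINE.match(body)
        if m:
            tokens = m.group(2).split(",")
            kept = [t for t in tokens if not _is_punch_token(t)]
            if len(kept) != len(tokens):
                if not kept:
                    continue              # the line existed only for the virus
                body = m.group(1) + ",".join(kept)
        out.append(body + eol)
    return "".join(out)


if __name__ == "__main__":
    infected = punch_insert(SAMPLE_INI)
    for number, line in find_punch_entries(infected):
        print(f"line {number}: {line}")
    assert clean_system_ini(infected) == SAMPLE_INI
```

The cleaner keeps the rest of the device= value, because the virus prepends its name to an existing line rather than adding a line of its own; deleting the whole line would also remove whatever legitimate VxD was there.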
Loading Win95 and IFS API Hook
------------------------------
When the dropped VxD file takes control, the virus checks the version of the
DOS IFS Manager (DOS Installable File System Manager), hooks the IFS API
calls and stays resident in Win95 memory as a VxD driver.
An IFS API hook is very similar to the way TSRs work in DOS, with some
differences. The hook interposes itself between the IFS Manager and the
File System Drivers: the hook handler gets control before the File System
Drivers are called and can do anything it wants with the request.
The virus hook handler intercepts only one function, file open (IFSFN_OPEN),
and infects files as the system opens them. Note that the hook is reached
whenever _any_ application opens a file, whether a Win95 program or a DOS
session under Win95, so files are infected even when they are opened from a
DOS window.
Infecting EXE files
-------------------
When the virus intercepts a file open call, it reads the file header and
checks it for the MZ (DOS EXE stub) and PE (Portable Executable) signatures.
It then reads the other fields from the PE header, creates a new section
named "QuantumG", writes itself (10185 bytes) to the end of the file (into
the new section) and then fixes up the PE header. The virus also patches the
resource section and the resource directory so that it can reach the
KERNEL32 functions it needs while dropping the VxD file.
To prevent duplicate infection the virus compares the name of the last
section in the section table with "QuantumG" and does not infect an EXE
file twice.
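The marker check above is also the cheapest detection a scanner can do. The following Python is an added example written for this page (not the virus's code and not from the original description): it walks the same headers the description says the virus reads (MZ stub, e_lfanew, the "PE\0\0" signature, the COFF header and the section table) and applies the virus's own re-infection test, a last section named "QuantumG". build_pe only constructs minimal test images with the section names given to it; nothing in the block is taken from a real binary.

```python
"""Detect the Win95.Punch infection marker in PE images.

Added example for this page; it walks MZ stub -> e_lfanew -> "PE\\0\\0" ->
COFF header -> section table and applies the virus's own re-infection test
(last section named "QuantumG").  build_pe() constructs test images only.
"""
import struct

MARKER = b"QuantumG"          # name of the section Punch appends
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def parse_sections(data: bytes):
    """Return [(name, virtual_size, virtual_address, raw_size, raw_ptr), ...]
    for a PE image, or None if the buffer is not a well-formed PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff_end = e_lfanew + 4 + COFF_HEADER_SIZE
    if coff_end > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = coff_end + opt_size
    sections = []
    for i in range(n_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            return None                       # truncated section table
        name = data[off:off + 8].rstrip(b"\0")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vsize, vaddr, rsize, rptr))
    return sections


def is_punch_infected(data: bytes) -> bool:
    """Punch's own duplicate-infection check: is the *last* section QuantumG?
    A QuantumG section anywhere else is deliberately not counted, so the
    verdict matches what the virus itself would decide."""
    sections = parse_sections(data)
    return bool(sections) and sections[-1][0] == MARKER


def punch_payload_span(data: bytes):
    """(file offset, size) of the appended section's raw data, or None when
    clean.  A cleaner should confirm the span ends at EOF before truncating."""
    if not is_punch_infected(data):
        return None
    _name, _vsize, _vaddr, rsize, rptr = parse_sections(data)[-1]
    return rptr, rsize


def build_pe(section_names, file_align=0x200, last_raw_size=0x200):
    """Constructed test image: minimal PE32 headers plus one file-aligned raw
    block per section.  Not a runnable program; the section names are the
    only meaningful content."""
    e_lfanew, opt_size = 0x40, 0xE0           # PE32 optional header size
    hdr_len = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size \
        + SECTION_HEADER_SIZE * len(section_names)
    hdr_len = -(-hdr_len // file_align) * file_align      # round up
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       opt_size, 0x010E)      # i386, executable, 32-bit
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, file_align)  # Section/FileAlignment
    table, body, raw_ptr = bytearray(), bytearray(), hdr_len
    for i, name in enumerate(section_names):
        rsize = last_raw_size if i == len(section_names) - 1 else file_align
        table += name.ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", rsize, 0x1000 * (i + 1), rsize,
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += bytes(rsize)
        raw_ptr += rsize
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return image + bytes(hdr_len - len(image)) + bytes(body)


if __name__ == "__main__":
    sample = build_pe([b".text", b".data", MARKER])
    print("infected:", is_punch_infected(sample), punch_payload_span(sample))
```

Because the description says the virus ignores the file extension, a scanner built on this should be pointed at every PE on the system (DLL, CPL, DRV and so on), not only at *.EXE, which is exactly how the trial below found its infected USER32.DLL.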
Infecting: Last Notes
---------------------
While infecting a file the virus does not preserve the file's time and date
stamp, so an infected file carries the current time and date. The virus
also does not check the file attributes, and as a result it fails to infect
Read-Only files; the Read-Only attribute is therefore a crude but effective
protection, as the trial below shows. The virus does not check the file name
extension and infects not only *.EXE files but also DLL, CPL, DRV and other
files that have the PE EXE internal format.
The virus writes a different number of bytes when infecting EXE files (10185
bytes) and when dropping the VxD (9262 bytes). This is caused by the
differences between the PE EXE and VxD formats: in the two file types the
virus must have different entry points. The virus solves that problem by
writing additional code (the extra 923 bytes) to the EXE file. That
additional code contains the routine that drops the VxD file, and it is
placed before the main virus code:
      VxD dropper (VVFS.VXD)              Infected EXE file
   ==========================          ==========================
   VxD DOS stub and LE header          host file header, data, code
   --------------------------          ==========================  <- entry point
   API hook and infection              VxD dropping routine,
   routines                            writes the rest to VxD
   --------------------------          --------------------------  <-+
   VxD dropping routine                VxD DOS stub and LE header     |
   --------------------------          --------------------------     |  copy of the
   Other data                          API hook and infection         |  whole VxD
   ==========================          routines                       |  dropper
                                       --------------------------     |
                                       VxD dropping routine           |
                                       (second copy)                  |
                                       --------------------------     |
                                       Other data                     |
                                       ==========================  <-+
The virus also increases the size of EXE files by varying amounts: it first
pads the file up to the section alignment and then writes its 10185 bytes to
the end of the file.
Trial
-----
This virus was tested in Windows95 4.00.950. The infected EXE file and the
next generation of the virus dropped the VxD file and modified the
SYSTEM.INI file without any problems or side effects.
The problems appeared while loading Win95 with the VxD dropper. The Win95
loading process was not completed; the system error message (blue screen)
appeared:
A fatal exception 0E has occurred at xxx:xxxxxx. The current application
will be terminated.
Then the system continued booting and the next message appeared: "A fatal
exception 0C ...", and the system locked up.
After rebooting in DOS mode I found that the virus had infected the
USER32.DLL file in the SYSTEM subdirectory. After replacing the infected
USER32.DLL with the original one I set this file to Read-Only and re-booted
the computer. This time the Win95 loading process completed, but it was
interrupted several times by the system message:
This program has performed an illegal operation
and will be shut down.
If the problem persists, contact the program
vendor.
I rebooted to DOS, searched for other infected files and found several:
EXPLORER.EXE in the Win95 directory and COMCTL32.DLL, MPREXE.EXE,
MPRSERV.DLL, MPR.DLL, MSPWL32.DLL, SHELL32.DLL in the SYSTEM subdirectory.
I restored the infected files and set the Read-Only attribute on all EXE and
DLL files. Win95 loading was interrupted by the "illegal operation" message
again: the virus had infected the files DESK.CPL and WINSPOOL.DRV (both are
of PE EXE format). When all executable system files in the Win95 directory
were marked Read-Only, Win95 loaded without any problems.
There were no problems infecting several applications such as WRITE.EXE,
but in some cases these applications caused an "illegal operation" message
while loading, and then worked correctly. Other problems appeared when I
tried to infect special short test files (goat files): they grew in size to
9Mb (!).
Conclusion
----------
I have not tested this virus in other Win95 releases, and maybe it works in
some specific Win95 release only, but several bugs in the virus that are
not release-specific are too lethal to allow the virus to spread outside
anti-virus research labs.
Even if an infected file were launched onto the Internet (as happened with
"Hare"), the "Punch" virus would disclose itself in a very short time because
it has too many serious bugs. But anyway, this is the first TSR Win95 virus,
and there is no chance that it is the last one.
Virus Description (C) Eugene V. Kaspersky 1996
Regards,
Keith Peer
--
---------------------------------------------------------
Central Command Inc. AntiViral Toolkit Pro
http://www.command-hq.com HS Anti-virus
info@command-hq.com sales@command-hq.com
Compuserve: 102404,3654 GO AVPRO
Ph: 330-273-2820 Fax: 330-220-4129 BBS: 330-220-4130
---------------------------------------------------------
* Silver Xpress V4.01 SW12662
--- InterEcho 1.19
---------------
* Origin: PC-Ohio PCBoard * Cleveland, OH * 216-381-3320 (1:157/200)