Class
Trojan-Banker
Platform
Win9x

Parent class: TrojWare

Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.

Class: Trojan-Banker

Trojan-Banker programs are designed to steal user account data relating to online banking systems, e-payment systems and plastic card systems. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.

Read more

Platform: Win9x

No platform description

Description

Technical Details

This virus is a multi-platform and polymorphic infector affecting both DOS and Win32 files. It was named after the text strings in its code:

[Win32.Libertine v1.07b]
Copyright 1998-xxxx by 
The virus can be found in three different forms:
  • infected Win32 PE files
  • infected DOS COM files
  • Win32 PE dropper (31672 bytes pure virus code)
Because of bugs the infected COM and EXE files cannot run under Windows NT, they are terminated with standard NT or DrWatson error message. Despite on this I name the virus Win32, not Win95 because the virus dropper can spread the virus on NT computers with no problems.

While infecting both Win32 and DOS files the virus writes its complete 32Kb code to the end of files and modifies file headers to pass control to the virus routine. The addresses of entry routines are different in all three cases of infection. The virus in both infected Win32 and DOS programs when takes control searches for Win32 dropper (the C:MYLENE.EXE file), executes it and returns control to the host program. If there are no dropper in root directory on the C: drive, the virus first creates and then executes it.

These dropper activation routines are quite short in infected files. In case of DOS COM files it is just about 200-bytes simply create-write-close-run routine. In case of Win32 files it is more sophisticated, but also quite silly and short.

So the virus in infected files just creates and runs the dropper - no more, and all infection and payload virus functions falls on the Win32 virus dropper.

Running the Dropper

When the dropper is executed the virus first of all performs some tricks to hide its presence in the system. To prevent access violation system messages the virus by using the SetErrorMode KERNEL32 function disables General Protection Fault error message. Windows then will just continue to execute application without any report about protection violation.

The virus then checks the system where it is run (Windows95/98 or Windows NT), and in case of Windows9x patches system undocumented process database and sets two flags in it - NukeProcess and ServiceProcess. These flags are set for at least two purposes: a) the process is not visible in the Ctrl-Alt-Del task list; b) the process is not terminated when the user logs off. To enable these flags the virus then re-executes its dropper with "sexy" ID argument.

Being executed under patched system environment the virus jumps to its other routines: anti-anti-virus routine, payload and infection.

Anti-anti-virus

To disable anti-virus protection the virus has only one anti-virus as a target, that is APVI - the AVP Inspector integrity checker (CRC scanner). The virus looks for AVPI file, opens it and scans for specific code. If such code is found, the virus replaces it with NOP instructions. Depending on different AVPI versions that caused different effects: either AVPI does not detect changes in system, or it immediately stops scanning and displays statistic dialog.

The virus gets the AVPI file name by using the system registry. It opens the HKEY_USERSDefaultSoftwareKasperskyLabAVPI key, gets Path to AVPI directory, opens the AVPICHCK.DLL, scans and patches it. To prevent duplicate patching the virus stores the "kcah" ("hack" written backward) ID to the file header at the offset 0030h.

The virus also terminates AVPI, if it is active. To do that the virus finds AVPI32 window, gets its thread ID, opens and terminates the process.

Infection

When the infection routine gets control the virus scans for all files all subdirectory trees on all installed hard drives starting from C:, if there is non-fixed disk in the sequence (CD-ROM, remote, or other) the virus terminates itself.

When a file is found the virus checks it for COM or EXE file name extension. The virus infects only such files and search for next file or subdirectory entry otherwise. If the file has executable extension, the virus with probability 7/8 depending on the system timer jumps to the infection routine, otherwise it continues searching as well as in case of non-executable name extension.

First of all the virus separates COM and EXE files by comparing their first two bytes with magic MZ stamp. In case of EXE file the virus then checks Portable Executable and virus ID stamps - double words "PE" at the top of the header and "I M!" in the PE CheckSum field. While adding its code to the end of Portable Executable files the virus creates a new section named _Mylene_, modifies Address of Entry Point and some other necessary fields. It then runs the polymorphic engine, encrypts its copy and writes it to the end of PE file into the newly created section.

In case of COM file the virus also writes itself to the end of the file, but also converts file format to EXE by adding EXE header to the top of the file. The virus does not infect DOS files twice - it checks internal file format and affects COM files only. Being infected they have EXE format and are bypassed by the virus infection routine. The virus does not infect as well files that have "ENUN" text string at the end of the files. This ID means that these COM files are protected by CRC, so the virus avoids to infect them. The virus also does not infect small and large COM files with length below 2K or above 60K.

Infected COM file execution

While infecting DOS COM files the virus converts them to EXE format, i.e. the infected COM files have EXE header: MZ magic stamp at the top and all necessary EXE header's fields. The careful investigation of the infected file header immediately shows hacker's origin of the program: several fields have values that cannot be found in ordinary programs. First of all the HeaderSize (Paragraphs in Header) fields keeps zero, i.e. that means that there are no bytes in EXE header (but there are at least two - 'M' and 'Z'). The second suspicious field is "CS at entry" with -100h (FFF0h) value stored in. Using both of these fields in the same EXE header forces DOS to load such EXE file as standard DOS COM file: the bytes from 0000 till 00FFh are occupied by Program's Segment Prefix, bytes from 0100h till the end of allocated memory are for file image, and very first byte of file is placed at the offset 0100h. In case of DOS COM files the file image cannot overlap a segment (64K), in case of DOS EXE files loadable image can be of any size that fills in one block of free memory.

By using the COM->EXE trick the virus is able to infect COM files of any size, after converting they do not loose their functionality ever if file size grows over 64K limitation while infecting. Remember virus size - without converting to EXE format the virus would not be able to infect COM files of size above than 32Kb. Another important effect of the trick is easy way to return control to host program - the virus does nothing but just restores first 4Fh bytes of file header and jumps to there.

So, the virus code is loaded into the memory starting from very first bytes ("MZ" stamp) till very last one, and control is passed to the address that is pointed by EXE header. In case of this virus the entry code is placed very near of file top - at the address 0020h. This routine by using 32-bits i386 instructions gets the offset of main virus code (this offset is stored at the address 001Ch in header), converts it to 16-bits segment:offset format and jumps to there. The entry routine also hooks INT 24h to prevent standard DOS error message while writing to write-protected volumes, I have no idea why virus' author placed it here but not in the main virus code.

When main virus code receives control it checks Windows presence. If there is no Windows run, or Windows version is less that 4.0 (Windows95), the virus restores original host program bytes at its top and returns control to there. If Windows is run, the virus creates the C:MYLENE.EXE file, writes Win32 dropper to there, closes the file and executes it. The dropper takes control and the virus returns on its infection level.

Infected PE file execution

When an infected PE file is executed, the virus polymorphic routine takes control, decrypts the virus code and jumps to the main routine. This routine is not the same as in case of COM file. It is 32-bits program that operates with Windows memory and resources, but the target of this routine is the same as in case of COM file: it creates and executes the virus dropper.

To access Windows function the virus has either to import them by using PE Import Table, or get their addresses by scanning Windows kernel. The virus selects second way: it pays attention for environment (Windows95/98 or Windows NT - the virus uses correct offsets in both cases), parses KERNEL32 imports and searches for CreateFileA, WriteFile, CloseHandle and WinExec functions. The virus procedure in infected PE files is quite simple and it does not need more but just these four entries. // Here is a bug in virus code that stops its spreading under WindowsNT.

The virus then in the similar way as in case of infected DOS COM file creates the C:MYLENE.EXE file, writes dropper's code to there, closes and executes this file. The dropper takes control, and this PE branch of virus algorithm returns back to the root.

Payload

Before calling anti-anti-virus and infection routines the virus calls the trigger routine. This routine is executed with a probability 1/8 depending on the system time counter and changes the Windows background picture (WallPaper). The virus simple creates the C:MYLENE.BMP file, writes an image of Mylene Farmer(?) to there, converts it to BMP format and declares as a Windows WallPaper image:

While doing that the virus accesses the installed JPEG viewer from the system registry:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftShared ToolsGraphics FiltersImportJPEG
The virus then loads corresponding library into the memory, gets the address and calls the ImportGr routine. The virus performs this converting only to decrease its size: the result BMP image is 160K file, so the virus keeps in its code the 16K JPEG variant of the same image. As a WallPaper image Windows95 accepts only BMP format, so the virus has to convert the JPEG source to BMP.

The result image is then saved to the same C:MYLENE.BMP file that is then registered as the Wallpaper image for Windows desktop:

HKEY_CURRENT_USERControl Paneldesktop
The only minor point in this converting is that I have everything necessary on my test computer, but the virus failed to upgrade my Wallpaper.

Direct Action but Memory Resident?

Before infecting each file the virus calls standard Windows API function Sleep and delays its activity for 3 seconds. This is the very (maybe the most) important block of virus code. Just one this call makes the virus to be labeled as "memory resident".

The result of this sleepy instruction the virus code may stay in the system memory for long time. Let there are 1000 COM and EXE files on the computer. The virus goes sleep for 3 seconds before infecting each of them, so it will stay in the memory for 50 minutes (3000 seconds).

The virus is memory resident: it stays in the system memory for long time, and other application may be run while the virus infection routine is active. Despite on this it is direct action virus (like nonmemory resident viruses are) - it search for files in subdirectory tree and infects them, and no events hooked.

Still virus-writers try to go the same conservative DOS way: they create Windows VxD hooking IFS API similar to DOS TSR hooking INT 21h. This is the most popular decision to create memory resident Windows viruses nowadays. Maybe the Libertine virus is the first virus with semi-resident feature, and in future we will se more viruses of such kind - that is much more easy to debug Windows application than Windows VxD or NT driver.

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Confirm changes?
Your message has been sent successfully.