Trojan-Banker.Win9x.Libertine

Class Trojan-Banker
Platform Win9x
Description

Technical Details


This virus is a multi-platform and polymorphic infector affecting both DOS
and Win32 files. It was named after the text strings in its code:


[Win32.Libertine v1.07b]
Copyright 1998-xxxx by

The virus can be found in three different forms:

  • infected Win32 PE files
  • infected DOS COM files
  • Win32 PE dropper (31672 bytes pure virus code)

Because of bugs the infected COM and EXE files cannot run under Windows NT,
they are terminated with standard NT or DrWatson error message. Despite on
this I name the virus Win32, not Win95 because the virus dropper can spread
the virus on NT computers with no problems.


While infecting both Win32 and DOS files the virus writes its complete 32Kb
code to the end of files and modifies file headers to pass control to the
virus routine. The addresses of entry routines are different in all three
cases of infection. The virus in both infected Win32 and DOS programs when
takes control searches for Win32 dropper (the C:MYLENE.EXE file), executes
it and returns control to the host program. If there are no dropper in root
directory on the C: drive, the virus first creates and then executes it.


These dropper activation routines are quite short in infected files. In
case of DOS COM files it is just about 200-bytes simply
create-write-close-run routine. In case of Win32 files it is more
sophisticated, but also quite silly and short.


So the virus in infected files just creates and runs the dropper – no more, and
all infection and payload virus functions falls on the Win32 virus dropper.

Running the Dropper


When the dropper is executed the virus first of all performs some tricks to
hide its presence in the system. To prevent access violation system
messages the virus by using the SetErrorMode KERNEL32 function disables
General Protection Fault error message. Windows then will just continue to
execute application without any report about protection violation.


The virus then checks the system where it is run (Windows95/98 or Windows
NT), and in case of Windows9x patches system undocumented process database
and sets two flags in it – NukeProcess and ServiceProcess. These flags are
set for at least two purposes: a) the process is not visible in the
Ctrl-Alt-Del task list; b) the process is not terminated when the user logs
off. To enable these flags the virus then re-executes its dropper with
“sexy” ID argument.


Being executed under patched system environment the virus jumps to its
other routines: anti-anti-virus routine, payload and infection.


Anti-anti-virus


To disable anti-virus protection the virus has only one anti-virus as a target, that is APVI – the AVP Inspector integrity checker (CRC scanner). The
virus looks for AVPI file, opens it and scans for specific code. If such
code is found, the virus replaces it with NOP instructions. Depending on
different AVPI versions that caused different effects: either AVPI does not
detect changes in system, or it immediately stops scanning and displays
statistic dialog.


The virus gets the AVPI file name by using the system registry. It opens the
HKEY_USERSDefaultSoftwareKasperskyLabAVPI key, gets Path to AVPI
directory, opens the AVPICHCK.DLL, scans and patches it. To prevent
duplicate patching the virus stores the “kcah” (“hack” written backward) ID
to the file header at the offset 0030h.


The virus also terminates AVPI, if it is active. To do that the virus finds
AVPI32 window, gets its thread ID, opens and terminates the process.


Infection


When the infection routine gets control the virus scans for all files all
subdirectory trees on all installed hard drives starting from C:, if there
is non-fixed disk in the sequence (CD-ROM, remote, or other) the virus
terminates itself.


When a file is found the virus checks it for COM or EXE file name
extension. The virus infects only such files and search for next file or
subdirectory entry otherwise. If the file has executable extension, the
virus with probability 7/8 depending on the system timer jumps to the
infection routine, otherwise it continues searching as well as in case of
non-executable name extension.


First of all the virus separates COM and EXE files by comparing their first
two bytes with magic MZ stamp. In case of EXE file the virus then checks
Portable Executable and virus ID stamps – double words “PE” at the top of
the header and “I M!” in the PE CheckSum field. While adding its code to
the end of Portable Executable files the virus creates a new section named
_Mylene_, modifies Address of Entry Point and some other necessary fields.
It then runs the polymorphic engine, encrypts its copy and writes it to the
end of PE file into the newly created section.


In case of COM file the virus also writes itself to the end of the file,
but also converts file format to EXE by adding EXE header to the top of the
file. The virus does not infect DOS files twice – it checks internal file
format and affects COM files only. Being infected they have EXE format and
are bypassed by the virus infection routine. The virus does not infect as
well files that have “ENUN” text string at the end of the files. This ID
means that these COM files are protected by CRC, so the virus avoids to
infect them. The virus also does not infect small and large COM files with
length below 2K or above 60K.


Infected COM file execution


While infecting DOS COM files the virus converts them to EXE format, i.e.
the infected COM files have EXE header: MZ magic stamp at the top and all necessary EXE header’s fields. The careful investigation of the infected file
header immediately shows hacker’s origin of the program: several fields
have values that cannot be found in ordinary programs. First of all the
HeaderSize (Paragraphs in Header) fields keeps zero, i.e. that means that
there are no bytes in EXE header (but there are at least two – ‘M’ and
‘Z’). The second suspicious field is “CS at entry” with -100h (FFF0h) value
stored in. Using both of these fields in the same EXE header forces DOS to
load such EXE file as standard DOS COM file: the bytes from 0000 till 00FFh
are occupied by Program’s Segment Prefix, bytes from 0100h till the end of
allocated memory are for file image, and very first byte of file is placed
at the offset 0100h. In case of DOS COM files the file image cannot overlap
a segment (64K), in case of DOS EXE files loadable image can be of any size
that fills in one block of free memory.


By using the COM->EXE trick the virus is able to infect COM files of any
size, after converting they do not loose their functionality ever if file
size grows over 64K limitation while infecting. Remember virus size –
without converting to EXE format the virus would not be able to infect COM
files of size above than 32Kb. Another important effect of the trick is
easy way to return control to host program – the virus does nothing but
just restores first 4Fh bytes of file header and jumps to there.


So, the virus code is loaded into the memory starting from very first bytes
(“MZ” stamp) till very last one, and control is passed to the address that
is pointed by EXE header. In case of this virus the entry code is placed
very near of file top – at the address 0020h. This routine by using 32-bits
i386 instructions gets the offset of main virus code (this offset is stored
at the address 001Ch in header), converts it to 16-bits segment:offset
format and jumps to there. The entry routine also hooks INT 24h to prevent
standard DOS error message while writing to write-protected volumes, I have
no idea why virus’ author placed it here but not in the main virus code.


When main virus code receives control it checks Windows presence. If there
is no Windows run, or Windows version is less that 4.0 (Windows95), the
virus restores original host program bytes at its top and returns control
to there. If Windows is run, the virus creates the C:MYLENE.EXE file,
writes Win32 dropper to there, closes the file and executes it. The dropper
takes control and the virus returns on its infection level.

Infected PE file execution


When an infected PE file is executed, the virus polymorphic routine takes
control, decrypts the virus code and jumps to the main routine. This
routine is not the same as in case of COM file. It is 32-bits program that
operates with Windows memory and resources, but the target of this routine
is the same as in case of COM file: it creates and executes the virus
dropper.


To access Windows function the virus has either to import them by using PE
Import Table, or get their addresses by scanning Windows kernel. The virus
selects second way: it pays attention for environment (Windows95/98 or
Windows NT – the virus uses correct offsets in both cases), parses KERNEL32
imports and searches for CreateFileA, WriteFile, CloseHandle and WinExec
functions. The virus procedure in infected PE files is quite simple and it
does not need more but just these four entries. // Here is a bug in virus
code that stops its spreading under WindowsNT.


The virus then in the similar way as in case of infected DOS COM file
creates the C:MYLENE.EXE file, writes dropper’s code to there, closes and
executes this file. The dropper takes control, and this PE branch of virus
algorithm returns back to the root.

Payload


Before calling anti-anti-virus and infection routines the virus calls the
trigger routine. This routine is executed with a probability 1/8 depending on
the system time counter and changes the Windows background picture
(WallPaper). The virus simple creates the C:MYLENE.BMP file, writes an
image of Mylene Farmer(?) to there, converts it to BMP format and declares
as a Windows WallPaper image:




While doing that the virus accesses the installed JPEG viewer from the
system registry:


HKEY_LOCAL_MACHINESOFTWAREMicrosoftShared ToolsGraphics FiltersImportJPEG

The virus then loads corresponding library into the memory, gets the
address and calls the ImportGr routine. The virus performs this converting
only to decrease its size: the result BMP image is 160K file, so the virus
keeps in its code the 16K JPEG variant of the same image. As a WallPaper
image Windows95 accepts only BMP format, so the virus has to convert the
JPEG source to BMP.


The result image is then saved to the same C:MYLENE.BMP file that is then
registered as the Wallpaper image for Windows desktop:


HKEY_CURRENT_USERControl Paneldesktop

The only minor point in this converting is that I have everything necessary
on my test computer, but the virus failed to upgrade my Wallpaper.


Direct Action but Memory Resident?


Before infecting each file the virus calls standard Windows API function
Sleep and delays its activity for 3 seconds. This is the very (maybe the
most) important block of virus code. Just one this call makes the virus to
be labeled as “memory resident”.


The result of this sleepy instruction the virus code may stay in the system
memory for long time. Let there are 1000 COM and EXE files on the computer.
The virus goes sleep for 3 seconds before infecting each of them, so it
will stay in the memory for 50 minutes (3000 seconds).


The virus is memory resident: it stays in the system memory for long time,
and other application may be run while the virus infection routine is
active. Despite on this it is direct action virus (like nonmemory resident
viruses are) – it search for files in subdirectory tree and infects them,
and no events hooked.


Still virus-writers try to go the same conservative DOS way: they create
Windows VxD hooking IFS API similar to DOS TSR hooking INT 21h. This is the
most popular decision to create memory resident Windows viruses nowadays.
Maybe the Libertine virus is the first virus with semi-resident feature,
and in future we will se more viruses of such kind – that is much more easy
to debug Windows application than Windows VxD or NT driver.