Class Trojan-Spy
Platform Win9x

Technical Details

While infecting a PE EXE file the virus parses its internal file format,
creates one more section at the end of the file and writes its encrypted
text to there. The virus section is continued by the virus’ Export table
that is used by virus to link its code with necessary Windows API functions
when an infected file is executed. Because the virus has its own Export
table, it modifies the pointer to it in the PE header. The virus also pays
special attention to original host file’s Export table. To save it the
virus moves necessary data from it to the file end and appends it to its
own Export table. As a result when Windows loads infected files, it
processes both virus and host Export tables.

To link its section with victim file body the virus modifies necessary
fields in the PE header. The virus does that very accurate, and as a result
in most of cases does not cause errors when infected files are loaded, ever
under WinNT.

The virus detects already infected files by a stamp that is saved in file
LastWrite date and time stamp. This ID value is not constant and depends on
other fields of file’s time&date (the virus Rol/Ror/Xor-es five of them to
caclulate the ID).

Trigger routines

While installing memory resident the virus calls three of its trigger
routines. First of them checks system environment and depending on it turns
the virus to the “debug mode”. The second one depending on the system
time’s seconds value displays the MessageBox:

The last one depending on the virus random counter (that depends on the
system date and time), in one case of sixteen, drops the OEMINFO.INI and
OEMLOGO.BMP files to the Windows system directory. The OEMLOGO.INI file
contains the following text strings in two sections:

Model=Very large life zone for Harrier

[Support Information]
line1=Today the virus is not the virus,
line2=but the part of operating system. . .
line3=(C) by 95-th Harrier from DarkLand
line5=The pretty LOGO picture was created
line6=by PolyGris and LionKing. Main idea
line7=and code of all versions was developed
line8=by me – TechnoRat

This BMP file and “General” sections are shown in “System Property” window
when MyComputer/Properties is selected. The virus “Support Information” is
displayed when corresponding button in the same “System Property” is

The virus “debug mode” is activated when the system environment contains a
specific string (“Variable=Value”, is set by “SET=” DOS instruction, for
instance). This string has 19 symbols and is detected by the virus by using
a silly CRC loop. This CRC loop “compresses” the string to four bytes, so
there are several millions “readable” variants of this string.

When virus debug mode is on, it displays the message box:

The virus then on each infection displays a MessageBox and informs requests
permission to infect a file, for example:

On “OK” the virus runs infection routine, on “Cancel” the virus displays
one more MessageBox and exits:

As it is mentioned above, the USER32 and GDI32 hooks are used by virus in
its trigger routine – the virus changes the texts that are displayed, or
outputs its own messages.

When an infected application calls to WinHelpA function on the 16th time,
the virus displays its own MessageBox instead of calling Windows function:

“95-th Harrier from DarkLand”
God will help! 😉

On any MessageBoxA call the virus checks system time and depending on it
replaces original text in MessageBox with one of six variants:

System malfunction!
VXDs rings overcrossed!
CPU mode thunking error!
CPU overclocked, cooler device emergency!
Help subsystem is damaged!
Attention! Bugs inside computer, use SoftIce.

On other hooked calls the virus scans the text for four variants of
substrings and replaces them with its own versions:

BILL GATES -> Gill Bates
HARRIER -> Oh! Guys! Is it about me?

Find out the statistics of the threats spreading in your region