Solutions for:
Home Products
Small Business
Medium Business
Enterprise
Vulnerabilities Threats
Home Threats Virus Multi

Virus.Multi.Cocaine

Class
Virus
Platform
Multi

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Virus

Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example: when infecting accessible disks, a virus penetrates a file located on a network resource a virus copies itself to a removable storage device or infects a file on a removable device a user sends an email with an infected attachment.

Read more

Platform: Multi

No platform description

Description

Technical Details

This is the parasitic Windows PE files and MS Word normal templates infector with email spreading ability, about 22Kb of length. The virus has three instances: in Windows PE EXE files, in Word NORMAL template and as attached file in email messages.

The virus code in infected PE EXE files is its main instance. When it is executed, the virus searches for PE EXE files in the current and Windows directories and infects them. The virus also drops infected NORMAL.DOT to MS Word directory from its PE EXE instance, as well as send infected emails. The virus instance in NORMAL template on each document closing drops and executes the infected PE EXE file, and is not able to infect other documents and templates. The virus code in emails appears as attached file that is infected PE EXE Windows executable file with random name, or infected NORMAL template.

The virus is per-process memory resident. This means that the virus copy may stay in memory for long time until infected application terminates. In case only "short-life" applications are infected, the virus code does not present in the system memory for long time. In case an application in permanent use is infected, the virus is active during long time, hooks Windows functions, infects PE EXE files that accessed and sends email messages.

The virus is polymorphic in PE files as well as in Word NORMAL template. The virus has two polymorphic engine in its EXE code: first of them generates polymorphic decryption loop in infected PE EXE files, second one makes virus macro program in infected NORMAL.DOT polymorphic too.

The virus has a payload routine that is executed when an infected file is run in four month it was infected. This routine displays the message boxes that have the header "W32/Wm.Cocaine" and the text that is randomly selected from seven variants:

Your life burn faster, obey your master...
Chop your breakfast on a mirror...
Veins that pump with fear, sucking darkest clear...
Taste me you will see, more is all you need...
I will occupy, I will help you die...
I will run through you, now I rule you too...
Master of Puppets, I'm pulling your strings...

The virus pays attention to anti-virus programs and tries to disable them. Each time an infected file is executed and virus installs its per-process resident copy it looks for anti-virus data files in the current directory and deletes them. The names of these files look like follows: KERNEL.AVC, SIGN.DEF, FIND.DRV, NOD32.000, DSAVIO32.DLL, SCAN.DAT, VIRSCAN.DAT (AVP, DSAV, NOD, SCAN and other anti-virus data files). The virus also locates and terminates old version of AVP Monitor on-access scanner.

The known virus version has bugs and cannot spread from Word macro instance to Windows executable. It also has a bug in PE EXE infection routine and corrupts some WinNT executable files.

The virus has "copyright" text:

(c) Vecna

Some virus routines (especially macro ones) are related to "Fabi" multi-platform virus, and some infected files may be detected by the name of this virus.

Technical details

The virus has quite large size for a program written in Assembler - about 22Kb, and has many routines that are quite interesting from technical point of view.

Infected EXE run

When an infected file takes control the polymorphic decryption loops are executed. They decrypt virus code layer-by-layer (the virus is encrypted by several loops - from two till five) and pass control to the virus installation routine. It is necessary to note that several virus blocks stays still encrypted. The virus decrypts and accesses them in case of need, and then encrypts back. These blocks are MS Word infection data and routine as well as PE EXE polymorphic engine.

The virus installation routine looks for necessary Windows API functions addresses that are used by the virus later. The list of these functions is quite long, this is caused by list of things the virus does to spread itself. The functions list the virus looks for is below:

Exported by     Functions list
-----------     --------------
KERNEL32.DLL:   GetProcAddress GetModuleHandleA CreateProcessA
                CreateFileA WinExec CloseHandle LoadLibraryA FreeLibrary
                CreateFileMappingA MapViewOfFile UnmapViewOfFile
                FindFirstFileA FindNextFileA FindClose SetEndOfFile
                VirtualAlloc VirtualFree GetSystemTime
                GetWindowsDirectoryA GetSystemDirectoryA
                GetCurrentDirectoryA SetFileAttributesA SetFileTime
                ExitProcess GetCurrentProcess WriteProcessMemory WriteFile
                DeleteFileA Sleep CreateThread GetFileSize SetFilePointer
USER32.DLL:     MessageBoxA FindWindowA PostMessageA
ADVAPI32:       RegSetValueExA RegCreateKeyExA RegOpenKeyExA
                RegQueryValueExA RegCloseKey
MAPI32.DLL:     MAPISendMail

The virus gets these functions' addresses by the standard Windows virus trick: it locates the image on KERNEL32.DLL in the Windows memory, scans its Export table and gets addresses of two functions: GetModuleHandle and GetProcAddress. By using these two functions the virus is then able easily locate all addresses of other necessary functions. The most interesting feature of this routine is the fact that this is the first virus that process not only Win95/98 and WinNT addresses while looking for KERNEL32.DLL image, but pays attention for Win2000 addresses also.

The virus then locates and infects the MS Word, then searches for PE EXE files and also infects them, then hooks a set of system events (files and emails access) that is used to locate and infect more files as well as spread virus copy to the Internet in attached emails.

Infecting MS Word

The very first infection routine that is activated by the virus is MS Word affecting routine, if it is installed in the system. First of all here the virus checks for C:ANCEV.SYS file presence.

The C:ANCEV.SYS file ("ANCEV"="VECNA" written backward) has a special purpose. This file is created when MS Word template infection routine completes. So, this file presence means that MS Word was located and NORMAL.DOT template was infected. In this case the virus while sending emails sends NORMAL.DOT template but not the infected EXE dropper.

So, the virus checks for this file at very top of MS Word infection routine. If it does not exist, the virus continues infection. If this file found, the virus randomly in one cases of ten continues infection, and in nine cases of ten leaves infection routine. Tha means that in one case of ten the MS Word NORMAL.DOT will be re-infected anyway.

The virus then disables Word VirusWarning protection by modifying the system registry keys where Word stores its settings:

SOFTWAREMicrosoftOffice8.0WordOptions, EnableMacroVirusProtection

The virus then gets Word templates directory also by reading system registry:

SOFTWAREMicrosoftOffice8.0CommonFileNewLocalTemplates

and deletes the NORMAL.DOT templates in there, and then creates a new NORMAL.DOT template file - infected one. The infected NORMAL.DOT contains a small macro inside. This macro has "AutoExec" Word auto-name, it will be automatically executed on next Word startup and will import the main virus macro from the C:COCAINE.SYS file.

The C:COCAINE.SYS file is created by the virus just after overwriting the NORMAL.DOT template. This SYS file is a text file that contains VBA program's source code. This source is extracted by the virus from its code, mixed with junk (polymorphic) VBA instructions and appended by infected PE EXE dropper converted to ASCII strings.

So, the MS Word infection routine does its work in two steps. First of all the virus replaces the original NORMAL.DOT with new one that contains the "AutoExec" macro program (loader) that imports complete virus code from the C:COCAINE.SYS file, and completes by that porting virus code from PE EXE file to MS Word template.

From Word to EXE

To drop PE EXE file from its Word template instance the virus uses the standard macro-viruses' trick. It creates two files: first of them is the C:COCAINE.SRC file with infected PE EXE file image converted to ASCII form, and second file is a DOS batch with random name. This batch file contains set of instructions that execute DOS DEBUG utility that converts ASCII dump back to binary PE EXE form, and executes it.

So the virus jumps to Windows out of infected Word template.

Infecting PE EXE files

When MS Word is affected, the virus goes to PE EXE files infection routine. The virus looks for PE EXE files in the current and Windows directories and infects them. The only files are infected that have .EXE or .SCR filename extensions.

The virus then looks for installed browser and mailer and infects them too. The virus locates them by system registry keys in HKEY_LOCAL_MACHINE storage:

SOFTWAREClasseshtmlfileshellopencommand
SOFTWAREClassesmailtoshellopencommand

The virus needs these files to be infected for activating its Internet infection routines. When these Internet accessing applications are infected, the virus copy is active in the memory for long time exactly at the moment a user is connected to the Internet. This is necessary to the virus to realize its Internet spreading ability.

PE EXE Infection mechanism

The virus checks several conditions before infecting the file. 1st: the file length has to be not divisible by 101 (it is virus protection to avoid multiple infection, the already infected PE EXE files have such length). 2nd: when the virus looks for EXE files in the current and Windows directories to infect them, the name of the file cannot contain 'V' letter or digits, here the virus avoids most popular anti-virus scanners and "goat files" infection.

If the first section has big enough size (more than 2304 bytes), the virus writes to there several blocks of junk code that passes the control block-by-block to the main virus decryption loops. There are eight blocks written to files when the virus infects them:

+------------+
|            |
|PE Header   | ---------------+
|------------|                |
|  +-----+<-+|                |
|  |Junk2|  ||                |
|  +-----+-+|| Entry Point    |
|+-----+   |||<---------------+
||Junk1|   |||
|+-----+----+|
|          | |
|+-----+<--+ |
||Junk3|     |
|+-----+----+|
|           V|
| . . .      |
|     +-----+|
|+----|Junk8||
||    +-----+|
|V           |
|------------|
|Virus code  |
|            |
+------------+

In this case the virus does not modify program's entry point address, but it needs to restore all overwritten blocks of host file before return control to original entry procedure.

If the first section is short, the control goes directly to virus code. In this case the virus modifies program's entry address to get control when infected files are executed.

The virus code itself is encrypted by several (from two till five) polymorphic loops. The polymorphic engine in the virus is quite strong, and produces about 2Kb of polymorphic loops.

The virus also patches the Import section to get functions GetProcAddress, GetModuleHandle, CreateProcessA, WinExec and MAPISendMail when infection executable is run.

After all the virus writes its encrypted code to the end of last file section, and increases section size by patching PE header.

Intercepting Events

When the Word and PE EXE direct infection routines are complete, the virus hooks several Windows functions and stays in the Windows memory as a part of host program. The virus hooks two file access function WinExec and CreateProcessA, if they are imported by the host program from the KERNEL32.DLL. When these functions get control (a program is executed) the virus gets the program's file name, gets its directory, searches and infects PE EXE files in this directory.

Sending Emails

The virus per-process resident code also runs email infection thread, hooks MAPISendMail that is exported from MAPI32.DLL, "connect" and "recv" from WSOCK32.DLL and GetProcAddress from KERNEL32.DLL.

The first hook is used by the virus to send its copy to the Internet. When the virus intercepts this event it looks for attached data in the message. If there is no attach, the virus appends to the message infected NORMAL.DOT or infected PE EXE file (the latter is created on the disk in the C:ENIACOC.SYS file).

The "GetProcAddress", "connect" and "recv" hooks are used by the virus to realize second method of infected Emails sending. When a message arrives, the virus scans its header for "mailto:" field, gets the address from there and stores it in its own database.

The infection thread when takes control looks for email address caught by "connect" and "recv" hookers, calculates its CRC and compares with its "already infected addresses" database that is stored in the BRSCBC.DAT file in the Windows system directory. If this address was not sent yet, the virus adds it to its BRSCBC.DAT database, creates a message with NORMAL template or infected PE EXE file, and sends it by using MAPISendMail function. The subject field for the message is randomly selected from variants:

Kewl page!
Improvement to your page
Your page r0x0r!
You must see this...
Secret stuff!

By using the BRSCBC.DAT database the virus avoids duplicate sendings, but on each infected program run the virus depending on its random counter deletes this file, and clears "do-not-send" database by that.

The "GetProcAddress" that is also hooked by virus TSR copy is used only to intercept "connect" and "recv" WSOCK32.DLL functions, if an application does not import these routines "by default", but activates them in case of need. To do that the "GetProcAddress" virus' hook intercepts accesses to "connect" and "recv" WSOCK32.DLL functions' addresses. If an application tries to get addresses of these routines to use Internet connections, the virus returns addresses of its own "connect" and "recv" hookers, and so intercepts Internet connection.

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Related articles
20 December 2024
Securelist
BellaCPP: Discovering a new BellaCiao variant written in C++
19 December 2024
Securelist
Attackers exploiting a patched FortiClient EMS vulnerability in the wild
19 December 2024
Securelist
Lazarus group evolves its infection chain with old and new malware
18 December 2024
Securelist
Analysis of Cyber Anarchy Squad attacks targeting Russian and Belarusian organizations
17 December 2024
Securelist
Download a banker to track your parcel
16 December 2024
Securelist
Dark web threats and dark market predictions for 2025
Found an inaccuracy in the description of this vulnerability?
If you found a new Threat or Vulnerability, please, let us know by email:
newvirus@kaspersky.com
Found a new Threat or Vulnerability?
If you found a new Threat or Vulnerability, please, let us know by email:
newvirus@kaspersky.com
Solutions for
Home Products
Small Business
Medium Business
Enterprise
Select language
Sorting
Threat
Confirm changes?
Your message has been sent successfully.