Virus.Multi.Cocaine

Technical Details

This is the parasitic Windows PE files and MS Word normal templates
infector with email spreading ability, about 22Kb of length. The virus has
three instances: in Windows PE EXE files, in Word NORMAL template and as
attached file in email messages.

The virus code in infected PE EXE files is its main instance. When it is
executed, the virus searches for PE EXE files in the current and Windows
directories and infects them. The virus also drops infected NORMAL.DOT to
MS Word directory from its PE EXE instance, as well as send infected
emails. The virus instance in NORMAL template on each document closing
drops and executes the infected PE EXE file, and is not able to infect
other documents and templates. The virus code in emails appears as attached
file that is infected PE EXE Windows executable file with random name, or
infected NORMAL template.

The virus is per-process memory resident. This means that the virus copy
may stay in memory for long time until infected application terminates. In
case only “short-life” applications are infected, the virus code does not
present in the system memory for long time. In case an application in
permanent use is infected, the virus is active during long time, hooks
Windows functions, infects PE EXE files that accessed and sends email
messages.

The virus is polymorphic in PE files as well as in Word NORMAL template.
The virus has two polymorphic engine in its EXE code: first of them
generates polymorphic decryption loop in infected PE EXE files, second one
makes virus macro program in infected NORMAL.DOT polymorphic too.

The virus has a payload routine that is executed when an infected file is
run in four month it was infected. This routine displays the message boxes
that have the header “W32/Wm.Cocaine” and the text that is randomly
selected from seven variants:

Your life burn faster, obey your master…

Chop your breakfast on a mirror…

Veins that pump with fear, sucking darkest clear…

Taste me you will see, more is all you need…

I will occupy, I will help you die…

I will run through you, now I rule you too…

Master of Puppets, I’m pulling your strings…

The virus pays attention to anti-virus programs and tries to disable them.
Each time an infected file is executed and virus installs its per-process
resident copy it looks for anti-virus data files in the current directory
and deletes them. The names of these files look like follows: KERNEL.AVC,
SIGN.DEF, FIND.DRV, NOD32.000, DSAVIO32.DLL, SCAN.DAT, VIRSCAN.DAT (AVP,
DSAV, NOD, SCAN and other anti-virus data files). The virus also locates
and terminates old version of AVP Monitor on-access scanner.

The known virus version has bugs and cannot spread from Word macro instance
to Windows executable. It also has a bug in PE EXE infection routine and
corrupts some WinNT executable files.

The virus has “copyright” text:

(c) Vecna

Some virus routines (especially macro ones) are related to “Fabi”
multi-platform virus, and some infected files may be detected by the name
of this virus.

Technical details

The virus has quite large size for a program written in Assembler – about
22Kb, and has many routines that are quite interesting from technical point
of view.

Infected EXE run

When an infected file takes control the polymorphic decryption loops are
executed. They decrypt virus code layer-by-layer (the virus is encrypted by
several loops – from two till five) and pass control to the virus
installation routine. It is necessary to note that several virus blocks
stays still encrypted. The virus decrypts and accesses them in case of
need, and then encrypts back. These blocks are MS Word infection data and
routine as well as PE EXE polymorphic engine.

The virus installation routine looks for necessary Windows API functions
addresses that are used by the virus later. The list of these functions is
quite long, this is caused by list of things the virus does to spread
itself. The functions list the virus looks for is below:

Exported by     Functions list

———–     ————–

KERNEL32.DLL:   GetProcAddress GetModuleHandleA CreateProcessA

                CreateFileA WinExec CloseHandle LoadLibraryA FreeLibrary

                CreateFileMappingA MapViewOfFile UnmapViewOfFile

                FindFirstFileA FindNextFileA FindClose SetEndOfFile

                VirtualAlloc VirtualFree GetSystemTime

                GetWindowsDirectoryA GetSystemDirectoryA

                GetCurrentDirectoryA SetFileAttributesA SetFileTime

                ExitProcess GetCurrentProcess WriteProcessMemory WriteFile

                DeleteFileA Sleep CreateThread GetFileSize SetFilePointer

USER32.DLL:     MessageBoxA FindWindowA PostMessageA

ADVAPI32:       RegSetValueExA RegCreateKeyExA RegOpenKeyExA

                RegQueryValueExA RegCloseKey

MAPI32.DLL:     MAPISendMail

The virus gets these functions’ addresses by the standard Windows virus
trick: it locates the image on KERNEL32.DLL in the Windows memory, scans
its Export table and gets addresses of two functions: GetModuleHandle and
GetProcAddress. By using these two functions the virus is then able easily
locate all addresses of other necessary functions. The most interesting
feature of this routine is the fact that this is the first virus that
process not only Win95/98 and WinNT addresses while looking for
KERNEL32.DLL image, but pays attention for Win2000 addresses also.

The virus then locates and infects the MS Word, then searches for PE EXE
files and also infects them, then hooks a set of system events (files and
emails access) that is used to locate and infect more files as well as
spread virus copy to the Internet in attached emails.

Infecting MS Word

The very first infection routine that is activated by the virus is MS Word
affecting routine, if it is installed in the system. First of all here the
virus checks for C:ANCEV.SYS file presence.

The C:ANCEV.SYS file (“ANCEV”=”VECNA” written backward) has a special
purpose. This file is created when MS Word template infection routine
completes. So, this file presence means that MS Word was located and
NORMAL.DOT template was infected. In this case the virus while sending
emails sends NORMAL.DOT template but not the infected EXE dropper.

So, the virus checks for this file at very top of MS Word infection
routine. If it does not exist, the virus continues infection. If this file
found, the virus randomly in one cases of ten continues infection, and in
nine cases of ten leaves infection routine. Tha means that in one case of
ten the MS Word NORMAL.DOT will be re-infected anyway.

The virus then disables Word VirusWarning protection by modifying the
system registry keys where Word stores its settings:

SOFTWAREMicrosoftOffice8.0WordOptions, EnableMacroVirusProtection

The virus then gets Word templates directory also by reading system registry:

SOFTWAREMicrosoftOffice8.0CommonFileNewLocalTemplates

and deletes the NORMAL.DOT templates in there, and then creates a new
NORMAL.DOT template file – infected one. The infected NORMAL.DOT contains a
small macro inside. This macro has “AutoExec” Word auto-name, it will be
automatically executed on next Word startup and will import the main virus
macro from the C:COCAINE.SYS file.

The C:COCAINE.SYS file is created by the virus just after overwriting the
NORMAL.DOT template. This SYS file is a text file that contains VBA
program’s source code. This source is extracted by the virus from its code,
mixed with junk (polymorphic) VBA instructions and appended by infected PE
EXE dropper converted to ASCII strings.

So, the MS Word infection routine does its work in two steps. First of all
the virus replaces the original NORMAL.DOT with new one that contains the
“AutoExec” macro program (loader) that imports complete virus code from the
C:COCAINE.SYS file, and completes by that porting virus code from PE EXE
file to MS Word template.

From Word to EXE

To drop PE EXE file from its Word template instance the virus uses the
standard macro-viruses’ trick. It creates two files: first of them is the
C:COCAINE.SRC file with infected PE EXE file image converted to ASCII
form, and second file is a DOS batch with random name. This batch file
contains set of instructions that execute DOS DEBUG utility that converts
ASCII dump back to binary PE EXE form, and executes it.

So the virus jumps to Windows out of infected Word template.

Infecting PE EXE files

When MS Word is affected, the virus goes to PE EXE files infection routine.
The virus looks for PE EXE files in the current and Windows directories and
infects them. The only files are infected that have .EXE or .SCR filename
extensions.

The virus then looks for installed browser and mailer and infects them too.
The virus locates them by system registry keys in HKEY_LOCAL_MACHINE
storage:

SOFTWAREClasseshtmlfileshellopencommand

SOFTWAREClassesmailtoshellopencommand

The virus needs these files to be infected for activating its Internet
infection routines. When these Internet accessing applications are
infected, the virus copy is active in the memory for long time exactly at
the moment a user is connected to the Internet. This is necessary to the
virus to realize its Internet spreading ability.

PE EXE Infection mechanism

The virus checks several conditions before infecting the file. 1st: the
file length has to be not divisible by 101 (it is virus protection to avoid
multiple infection, the already infected PE EXE files have such length).
2nd: when the virus looks for EXE files in the current and Windows
directories to infect them, the name of the file cannot contain ‘V’ letter
or digits, here the virus avoids most popular anti-virus scanners and “goat
files” infection.

If the first section has big enough size (more than 2304 bytes), the virus
writes to there several blocks of junk code that passes the control
block-by-block to the main virus decryption loops. There are eight blocks
written to files when the virus infects them:

+————+

|            |

|PE Header   | —————+

|————|                |

|  +—–+<-+|                |
|  |Junk2|  ||                |
|  +-----+-+|| Entry Point    |
|+-----+   |||<---------------+
||Junk1|   |||
|+-----+----+|
|          | |
|+-----+<--+ |
||Junk3|     |
|+-----+----+|
|           V|
| . . .      |
|     +-----+|
|+----|Junk8||
||    +-----+|
|V           |
|------------|
|Virus code  |
|            |
+------------+

In this case the virus does not modify program’s entry point address, but
it needs to restore all overwritten blocks of host file before return
control to original entry procedure.

If the first section is short, the control goes directly to virus code. In
this case the virus modifies program’s entry address to get control when
infected files are executed.

The virus code itself is encrypted by several (from two till five)
polymorphic loops. The polymorphic engine in the virus is quite strong, and
produces about 2Kb of polymorphic loops.

The virus also patches the Import section to get functions GetProcAddress,
GetModuleHandle, CreateProcessA, WinExec and MAPISendMail when infection
executable is run.

After all the virus writes its encrypted code to the end of last file
section, and increases section size by patching PE header.

Intercepting Events

When the Word and PE EXE direct infection routines are complete, the virus
hooks several Windows functions and stays in the Windows memory as a part
of host program. The virus hooks two file access function WinExec and
CreateProcessA, if they are imported by the host program from the
KERNEL32.DLL. When these functions get control (a program is executed) the
virus gets the program’s file name, gets its directory, searches and
infects PE EXE files in this directory.

Sending Emails

The virus per-process resident code also runs email infection thread, hooks
MAPISendMail that is exported from MAPI32.DLL, “connect” and “recv” from
WSOCK32.DLL and GetProcAddress from KERNEL32.DLL.

The first hook is used by the virus to send its copy to the Internet. When
the virus intercepts this event it looks for attached data in the message.
If there is no attach, the virus appends to the message infected NORMAL.DOT
or infected PE EXE file (the latter is created on the disk in the
C:ENIACOC.SYS file).

The “GetProcAddress”, “connect” and “recv” hooks are used by the virus to
realize second method of infected Emails sending. When a message arrives,
the virus scans its header for “mailto:” field, gets the address from
there and stores it in its own database.

The infection thread when takes control looks for email address caught by
“connect” and “recv” hookers, calculates its CRC and compares with its
“already infected addresses” database that is stored in the BRSCBC.DAT file
in the Windows system directory. If this address was not sent yet, the
virus adds it to its BRSCBC.DAT database, creates a message with NORMAL
template or infected PE EXE file, and sends it by using MAPISendMail
function. The subject field for the message is randomly selected from
variants:

Kewl page!

Improvement to your page

Your page r0x0r!

You must see this…

Secret stuff!

By using the BRSCBC.DAT database the virus avoids duplicate sendings, but
on each infected program run the virus depending on its random counter
deletes this file, and clears “do-not-send” database by that.

The “GetProcAddress” that is also hooked by virus TSR copy is used only to
intercept “connect” and “recv” WSOCK32.DLL functions, if an application
does not import these routines “by default”, but activates them in case of
need. To do that the “GetProcAddress” virus’ hook intercepts accesses to
“connect” and “recv” WSOCK32.DLL functions’ addresses. If an application
tries to get addresses of these routines to use Internet connections, the
virus returns addresses of its own “connect” and “recv” hookers, and so
intercepts Internet connection.