Class: Virus
Platform: Multi

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Virus

Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example:
  • when infecting accessible disks, a virus penetrates a file located on a network resource
  • a virus copies itself to a removable storage device or infects a file on a removable device
  • a user sends an email with an infected attachment


Platform: Multi

No platform description

Description

Technical Details

This is a multi-platform virus infecting Win32 executable files (PE EXE) and MS Word documents and templates. As with every multi-platform virus, its code consists of several parts (components), each of which does its work in its native environment: as a Win32 application in MS Windows, or as a macro program in MS Word. When either of the two virus components starts in its environment, it not only infects objects in that environment but also spreads the virus code to the other one: from Windows EXE files to Word documents, and from Word documents to Windows EXE files.

The virus does not carry any destructive payload and does not manifest itself in any way. Infected EXE files contain the text:

(c) Vecna
Parecia inofensiva mas te dominou...

Infecting EXE -> EXE

When an infected EXE file is executed, the EXE virus component takes control. It checks the type of the installed operating system, and if it is Windows NT, the virus returns control to the host program and performs no other action. The virus runs its infection routine only under Windows 95/98. This routine searches for and infects all Win32 executable files in the current directory as well as in the WINDOWS and WINDOWS\SYSTEM directories. When infecting a file, the virus writes its code to the end of the last section, increases that section's size and modifies the necessary PE header fields.

Because of a bug, the virus corrupts EXE files whose last section is larger than 64Kb: it writes its code into the middle of the file, and the corrupted program becomes unusable and no longer runs.
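The appending infection described above leaves a recognisable shape in the PE header: the entry point is redirected into the last section, that section gains execute (and write) rights, and the infection marker text is present in the file. The following scanner is an added example written for this page, not code from Kaspersky or from the virus; it parses the DOS, COFF and section headers with the standard PE layouts, applies those heuristics, and flags files whose last section exceeds the 64Kb limit that the infection bug mishandles. The `build_sample_pe` helper constructs a minimal two-section header layout (not a runnable program) so the scanner can be exercised offline; the layout values and the `.data` section name are assumptions for the sample.

```python
import struct

# Text the page reports inside infected EXE files; used here as a signature.
MARKER = b"(c) Vecna"

SECTION_FMT = "<8sIIIIIIHHI"                  # IMAGE_SECTION_HEADER layout
SECTION_SIZE = struct.calcsize(SECTION_FMT)   # 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE file held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    table = opt + opt_size                                # section table follows it
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_FMT, data, table + i * SECTION_SIZE)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "rawsize": f[3],
                         "rawptr": f[4], "chars": f[9]})
    return entry_rva, sections


def scan_pe(data):
    """Heuristics for an infector that appends its code to the last section."""
    entry_rva, sections = parse_pe(data)
    last = sections[-1]
    findings = []
    span = max(last["vsize"], last["rawsize"])
    if len(sections) > 1 and last["va"] <= entry_rva < last["va"] + span:
        findings.append("entry point inside last section")
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section is writable and executable")
    if last["rawsize"] > 64 * 1024:
        findings.append("last section exceeds 64 KB (files the infector bug would corrupt)")
    if MARKER in data:
        findings.append("infection marker text present")
    end = last["rawptr"] + last["rawsize"]
    if end < len(data):
        findings.append("%d bytes past the end of the last section" % (len(data) - end))
    return findings


def build_sample_pe(infected=False):
    """Constructed two-section PE header layout: clean, or with a body appended
    to the last section the way the page describes. Not a runnable program."""
    file_align = 0x200
    text = b"\xC3" * file_align                          # .text: padding only
    body = (b"\x90" * 8 + MARKER + b"\x00") if infected else b""
    data_raw = b"\x00" * file_align + body               # appended to the last section
    data_chars = 0xC0000040 | (IMAGE_SCN_MEM_EXECUTE if infected else 0)
    entry = 0x2000 + file_align if infected else 0x1000  # redirected into the body
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, len(text), len(data_raw), 0,
                      entry, 0x1000, 0x2000)
    opt += b"\x00" * (224 - len(opt))
    sec_text = struct.pack(SECTION_FMT, b".text", len(text), 0x1000, len(text),
                           file_align, 0, 0, 0, 0, 0x60000020)
    sec_data = struct.pack(SECTION_FMT, b".data", len(data_raw), 0x2000, len(data_raw),
                           2 * file_align, 0, 0, 0, 0, data_chars)
    headers = dos + b"PE\0\0" + coff + opt + sec_text + sec_data
    headers += b"\x00" * (file_align - len(headers))
    return headers + text + data_raw


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe()), ("infected", build_sample_pe(True))):
        print(label, scan_pe(sample) or ["no findings"])
```

Any one of these findings also occurs in legitimate files (packers redirect the entry point, some linkers merge sections), so the combination, and the marker text in particular, is what gives the check its weight; on a real sample the same routine is run over the file bytes read from disk.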

Infecting Macro -> Macro, Macro -> EXE

In infected documents and templates the virus consists of a single macro, AutoClose. It installs itself into the Word global macro area when an infected document is opened, and infects other documents when they are closed. To copy its code from one document or template to another, the virus uses macro code editing instructions.

To run an infected Windows EXE file, the virus uses the standard approach. The binary data of the EXE file is stored in the virus macros as text strings: the binary EXE data is converted to an ASCII hexadecimal dump. The virus saves this data to disk, creates a temporary DOS BAT helper and, using this helper together with the DOS DEBUG utility, converts the hexadecimal dump back into binary EXE format and executes it. The EXE component of the virus then takes control, runs, and infects EXE files on the hard drive as described above.

The known version of the virus has a bug here and cannot create EXE files from the macro virus component. As a result, Windows EXE files remain uninfected.

Infecting EXE -> Macro

The routine that drops the macro component into Word from infected EXE files is activated right after the procedure that searches for and infects EXE files on disk has completed. This routine is more complex than the others described above and needs more temporary files to carry the virus code from the EXE to Word. The virus creates three main files here:

FABI.SYS   - "dummy" PE EXE file that gets infected by the EXE virus component
FABI.SRC   - the source virus macro code, plus the FABI.SYS binary data converted to hexadecimal ASCII strings
NORMAL.DOT - Word template with a small macro that completes the virus installation by importing the main virus code from FABI.SRC into NORMAL.DOT

To start spreading from EXE to Word, the virus creates a short PE EXE file, C:\FABI.SYS, and infects it. The virus then creates the C:\FABI.SRC file and writes the source code of its AutoClose macro program there. It then appends to this file the C:\FABI.SYS file data converted to hexadecimal ASCII lines. To complete this step the virus creates a specially prepared NORMAL.DOT file. The virus looks for a suitable place to drop this file in the directories:

C:\ARQUIV~1/MICROS~?/MODELOS
C:\ARCHIV~1/MICROS~?/MODELOS
C:\PROGRA~1/MICROS~?/TEMPLA~1

where '?' is counted from 1 to 9. The NORMAL.DOT file created in the first directory found contains a short macro, AutoExec, that is activated when MS Word starts. This macro just imports the virus macro source code from the C:\FABI.SRC file and completes the virus installation procedure: NORMAL.DOT is now infected with the complete virus code.
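Both macro-side stages described on this page (the AutoClose macro that rebuilds an EXE from a hexadecimal dump through a BAT helper and DEBUG, and the AutoExec bootstrap that imports macro source into NORMAL.DOT) leave traits that can be scored in macro source text. The analyzer below is an added example written for this page, not code from Kaspersky or from the virus; it assumes the macro source has already been exported from the document or template as plain text (for example with a macro extraction tool such as oletools' olevba), and the two embedded macros are constructed samples that imitate the described shape, not the virus's real code. The indicator names and score thresholds are the example's own choices.

```python
import re

# Auto-macros that run without user action; the page names AutoClose and AutoExec.
AUTO_MACROS = re.compile(r"\b(AutoExec|AutoOpen|AutoClose|AutoNew|AutoExit)\b")
# String literals made entirely of hex digits: a binary file carried as an ASCII dump.
HEX_LITERAL = re.compile(r'"([0-9A-Fa-f]{16,})"')
# Macro code editing calls used to copy macros between documents and templates.
MACRO_EDIT = re.compile(r"\b(MacroCopy|Organizer|AddFromString|AddFromFile)\b", re.I)
# DEBUG fed a script via redirection: the classic hex-dump-to-binary rebuild.
DEBUG_CALL = re.compile(r"\bDEBUG\b.*<", re.I)
BAT_OR_EXE = re.compile(r'\.(BAT|EXE)"', re.I)
SHELL_CALL = re.compile(r"\bShell\b", re.I)


def analyze_macro(source):
    """Score one macro's source text for the dropper traits described on the page."""
    hex_bytes = sum(len(h) // 2 for h in HEX_LITERAL.findall(source))
    report = {
        "auto_macro": sorted(set(AUTO_MACROS.findall(source))),
        "macro_editing": bool(MACRO_EDIT.search(source)),
        "hex_payload_bytes": hex_bytes,
        "debug_rebuild": bool(DEBUG_CALL.search(source)),
        "drops_and_runs": bool(SHELL_CALL.search(source) and BAT_OR_EXE.search(source)),
    }
    # Each independent trait adds one point; 32 bytes of hex is the (assumed) payload floor.
    score = (int(bool(report["auto_macro"])) + int(report["macro_editing"])
             + int(hex_bytes >= 32) + int(report["debug_rebuild"])
             + int(report["drops_and_runs"]))
    report["score"] = score
    report["verdict"] = ("likely dropper" if score >= 3
                         else "suspicious" if score >= 1 else "clean")
    return report


# Constructed WordBasic-style sample imitating the described dropper; not real virus code.
SAMPLE_DROPPER = '''\
Sub MAIN
REM constructed sample: copies itself to the global template and rebuilds an EXE
MacroCopy FileName$() + ":AutoClose", "Global:AutoClose"
Open "C:\\FABI.BAT" For Output As #1
Print #1, "DEBUG < C:\\FABI.HEX"
Close #1
h$ = "4D5A90000300000004000000FFFF0000B800000000000000"
h$ = h$ + "40000000000000000000000000000000"
Shell "C:\\FABI.BAT", 0
End Sub
'''

# Constructed benign macro for comparison.
SAMPLE_BENIGN = '''\
Sub MAIN
REM constructed benign macro: formats the selection and stamps a date
Bold 1
Insert "Reviewed on " + Date$()
End Sub
'''

if __name__ == "__main__":
    for name, src in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        print(name, analyze_macro(src))
```

The hex-literal count is the most robust of the indicators: a macro that legitimately automates Word rarely carries dozens of bytes of hexadecimal string constants, whereas the technique on this page cannot avoid them. Run the same function over each macro exported from NORMAL.DOT in the template directories listed above to catch the AutoExec bootstrap as well.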

