Virus.Multi.Fabi

Class Virus
Platform Multi
Description

Technical Details

This is a multi-platform virus infecting Win32 executable files (PE
EXE) and MS Word documents and templates. Like every multi-platform virus, its
code contains several parts (components), each of which does its work in its
native environment: as a Win32 application in MS Windows, or as a macro
program in MS Word. When either of the two virus components starts in its
environment, it not only infects objects in that environment but also
spreads the virus code to the other one: from Windows EXE files to Word
documents, and from Word documents to Windows EXE files.

The virus does not contain any destructive routines and does not manifest
itself in any way. The infected EXE files contain the text:

(c) Vecna
Parecia inofensiva mas te dominou…

Infecting EXE -> EXE

When an infected EXE file is executed, the EXE virus component takes
control. It checks the installed operating system type and, if it is Windows
NT, returns control to the host program without performing any other
action. The virus runs its infection routine only under Windows 95/98.
This routine searches for and infects all Win32 executable files in the
current directory as well as in the WINDOWS and WINDOWS\SYSTEM
directories. While infecting, the virus writes its code to the end of the
last section, increases that section's size and modifies the necessary PE
header fields.

Because of a bug, the virus corrupts EXE files whose last section is larger
than 64Kb: the virus writes its code into the middle of the file, and the
corrupted program is left unusable and no longer runs.
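The EXE-side behaviour described above (code appended to the last section, the "(c) Vecna" marker, and the 64Kb corruption case) can be checked with a small PE section-table scanner. This is an added example, not code from the original entry; the two test images it builds are constructed in-line, and the "entry point redirected into the last section" check is a general appending-infector heuristic assumed here, not a detail the entry states.

```python
import struct

MARKER = b"(c) Vecna"  # text the entry says every infected EXE carries

def build_pe(sections, entry_rva):
    """Constructed minimal PE32 image for testing (headers plus section data,
    not a runnable program). sections: list of (name, vsize, raw, chars)."""
    nsec = len(sections)
    hdr_end = 0x40 + 4 + 20 + 0xE0 + 40 * nsec
    raw_ptr = first_ptr = (hdr_end + 0x1FF) & ~0x1FF   # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    table, body, rva = b"", b"", 0x1000
    for name, vsize, raw, chars in sections:
        rawsz = (len(raw) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name, vsize, rva, rawsz, raw_ptr,
                             0, 0, 0, 0, chars)
        body += raw.ljust(rawsz, b"\0")
        raw_ptr += rawsz
        rva += (max(vsize, rawsz) + 0xFFF) & ~0xFFF      # 4Kb section alignment
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_ptr, b"\0") + body

def scan_pe(data):
    """Report indicators of a last-section appending infector such as Fabi."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    entry = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]  # AddressOfEntryPoint
    sec_off = pe_off + 24 + opt_size
    secs = [struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i) for i in range(nsec)]
    _, vsize, va, rawsz, rawptr, *_, chars = secs[-1]
    last = data[rawptr:rawptr + rawsz]
    return {
        # entry point moved into the last section (assumed appender heuristic)
        "entry_in_last_section": va <= entry < va + max(vsize, rawsz),
        "last_section_executable": bool(chars & 0x20000000),
        "marker_present": MARKER in last,
        "last_section_over_64k": rawsz > 0x10000,  # the case Fabi corrupts instead
    }

def demo():
    """Constructed clean image and its 'infected' twin: the last section grew by
    a code stub plus the marker, and the entry point now points into it."""
    text = (b".text", 0x200, b"\x90" * 0x200, 0x60000020)
    clean = build_pe([text, (b".data", 0x100, b"A" * 0x100, 0xC0000040)], 0x1000)
    body = b"A" * 0x100 + b"\xCC" * 16 + MARKER      # original data + appended body
    infected = build_pe([text, (b".data", len(body), body, 0xE0000040)], 0x2100)
    return scan_pe(clean), scan_pe(infected)
```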

Infecting Macro -> Macro, Macro -> EXE

In infected documents and templates the virus consists of one macro,
AutoClose. It installs itself into the Word global macro area when an
infected document is opened, and infects other documents when they are
closed. To copy its code from one document/template to another the virus
uses macro code editing instructions.

To run the infected Windows EXE file the virus uses the standard way. The
EXE file's binary data is stored in the virus macros as text strings: the
binary EXE data is converted to an ASCII hexadecimal dump. The virus saves
this data to disk, creates a temporary DOS BAT helper, and by using this
helper and the DOS DEBUG utility converts the hexadecimal dump back into
binary EXE format and executes it. The EXE component of the virus then
takes control and infects EXE files on the hard drive as described above.

The known version of the virus has a bug here and cannot create EXE files
from the macro virus component. As a result, Windows EXE files remain
uninfected.

Infecting EXE -> Macro

The routine that drops the macro component into Word from infected EXE
files is activated just after the search-and-infect procedure for disk EXE
files completes. This routine is more complex than the others described
above and needs more temporary files to carry the virus code from EXE to
Word. The virus creates three main files here:


FABI.SYS – “dummy” PE EXE file that gets infection by EXE virus component
FABI.SRC – the source virus macro code, plus FABI.SYS binary data
converted to hexadecimal ASCII strings
NORMAL.DOT – Word template with a small macro that completes virus
installation: imports main virus code from FABI.SRC to
NORMAL.DOT

To start spreading from EXE to Word the virus creates a short PE EXE file
C:\FABI.SYS and infects it. The virus then creates the C:\FABI.SRC file and
writes its AutoClose macro source code there. Then it appends to this file
the C:\FABI.SYS file data converted to hexadecimal ASCII lines. To complete
this step the virus creates a specially prepared NORMAL.DOT file. The virus
looks for a suitable place to drop this file in the directories:


C:\ARQUIV~1\MICROS~?\MODELOS
C:\ARCHIV~1\MICROS~?\MODELOS
C:\PROGRA~1\MICROS~?\TEMPLA~1

where '?' runs from 1 to 9. The NORMAL.DOT file created in the first
directory found contains a short AutoExec macro that is activated when MS
Word starts. This macro simply imports the virus macro source code from the
C:\FABI.SRC file and completes the virus installation procedure: NORMAL.DOT
is now infected with the complete virus code.