Virus.Multi.Moridin

Class Virus
Platform Multi
Description

Technical Details

This is a multi-platform virus infecting Win32 systems. The virus infects Win32 executable files, MS Word documents, and spreads via e-mail through IRC channels as well as infecting the local network. The virus also has Backdoor ability.

The virus is about 70K in size, and there are several other components embedded in it: Win32 EXE “helper” (additional application), Word template, Word macro component source, as well as several script programs:
VBS, mIRC, PIRCH and vIRC. The EXE virus routines are written in Assembler.

The virus can be found in several forms:

– infected PE EXE file
– EXE helper
– infected Word documents
– VBS script
– IRC sctiprs

While spreading via e-mail through the network and IRC channels, the worm names its copies as: CRACK.EXE, PACKED.EXE, SETUP.EXE, NETX.EXE, and INIT.EXE.

PE EXE Virus Component – Infected PE EXE Files

Infecting PE EXE files

While infecting a PE EXE file, the virus increases the size of the last file section, encrypts itself with a polymorphic routine and writes itself here. The polymorphic code is of average complexity.

To gain control when an infected file is run, the virus patches the file entry code with a short semi-polymorphic code that immediately passes control to a polymorphic decryption loop when an infected file is run.

Infected File Run

When an infected file is run, the virus polymorphic code gains control, decrypts the main virus code and transfers control here. The virus then creates four files in the Windows system directory:

ADVAPI33.EXE (note: “33” not “32”)
PACKED.EXE
MMSYSTEM.BIN
COMMDLG.VBS

the first three files contain the same code – a 60K virus helper (see below)- which is a PE EXE file and is executed as a typical Windows application. These files are used by other virus components to infect Word documents, as
well as spread the virus via IRC channels and e-mail (see below).

The PACKED.EXE and MMSYSTEM.BIN are then infected by the virus in the same way other EXE files are infected (see above). As a result, the size of these files is increased up to 130K (60K of helper plus 70K of complete virus code), and the code of the helper is duplicated here (the helper is
infected by a virus that has another helper embedded in it).

The COMMDLG.VBS file contains VBScript that spreads the virus on the Internet via e-mail messages.

System Registry Keys

The virus then modifies the system registry keys. It creates the following keys:

1. HKEY_CLASSES_ROOTexefileshellopencommand
default = “%SystemDir%MMSYSTEM.BIN” %1 %*”

2. HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
mmsystem = COMMDLG.VBS

3. HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionNetworkLanManASMODEUS$

Flags = 0x392 (914)
Parm1enc = 7c d1 15
Parm2enc = 00
Path = “C:”
Remark = “”
Type = 0

and deletes the following key:

4. HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPolicies
NoDriveAutorun

modifies the following keys:

5. HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesNetwork
DisablePwdCaching = 0

6. HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion
WinDrop = “%SystemDir%”

where %SystemDir% is the name of the Windows system directory.

The “1” causes the system to run the virus helper when each EXE file is run (see below). The “2” activates a VBS component that sends affected e-mail upon Windows startup. The “3” seems to be some virus ID stamp. The “4” enables AUTORUN.INF file auto-processing. The “5” allows a backdoor component to obtain system passwords (the virus code doesn’t contain a routine for that, but it can be downloaded and installed, see below). The “6” is another virus ID stamp that is used by the MS Word virus component to locate the exact directory where other virus components are located.

If the virus fails to install itself to the Windows system directory, it drops its files to the Windows temporary directory and creates/deletes/modifies exactly the same keys with the exception of “3”.

Infection, etc.

The virus then infects up to five EXE and up to five SRC files in the current directory. The virus uses the masks “GOAT*.EXE” and “GOAT*.SCR” to locate the files, so the virus is a “research” one and cannot infect files
with standard names. However, that virus “feature” may be easily fixed by the virus’ author, and the virus will infect PE EXE files of any name.

Despite the fact that this virus version infects GOAT* files only, it checks a file for an anti-virus name and skips infection. The virus detects anti-virus programs according to the first four characters of the name:

FSAV PAND INOC TBSC NAVS NAVD NAVX ADVA SCAN NOD3 DRWE SPID AMON AVP3 AVPM

The virus also does not infect WinZip self-extractors.

The virus deletes the following anti-virus data files:

CHKLIST.MS CHKLIST.DAT CHKLIST.CPS CHKLIST.TAV AGUARD.DAT AVGQT.DAT
ANTI-VIR.DAT SMARTCHK.MS SMARTCHK.CPS IVP.NTZ AVP.CRC

This virus component contains the texts:

-[W97-2K/Win32.Moridin 1.0] by Asmodeus iKX
Tia mi aven Moridin vadin
“The grave is no bar to my call”

Virus Helper Run

The virus helper is activated upon any EXE file run (caused by the System registry key “1”, see above). As a command line, the helper obtains the EXE file name expected to be executed and the command line. The helper pays attention to both the EXE file name and command line arguments.

When any one of mIRC, PIRCH or vIRC client is executed, the virus affects them. It makes a copy itself in the current directory with the name CRACK.EXE and creates a corresponding script file or files that send the infected CRACK.EXE file to a user. The file either enters the IRC channel (in the case of a vIRC client), or sends a text to the channel with the word “crack” in it (mIRC, PIRCH).

Script files created by the virus:

MIRC : SCRIPT.INI, SCRIPT.OLD
PIRC : EVENTS.INI
VIRC : DEFAULT.LIB

In case a user attempts to execute the REGEDIT.EXE or an anti-virus program, the virus simply terminates that request. The list of these file names is as follows:

REGE*, AVP3*, AVPM*, AVPC*, NOD3*, AMON*, SCAN*, SPID*, DRWE*

When a file is executed corresponding to one of the three “virus-file” names: CRAC*, PACK*, MMSY*, or a file with the name SETU*, the virus terminates the file and displays a fake error message:

WinZip Self-Extractor
WinZip Self-Extractor header corrupt.
Possible cause: bad disk or file transfer error

In the instance the command line contains a reference to a .DOC file, the virus appends its PACKED.EXE file to the end of file. This addition will be used later to spread the virus from the affected Word documents.

The virus helper also drops two more files for migrating to the MS Word environment:

NORMAL.DOT to MS Word templates directory
IMPMORI.DRV to Windows system directory

The NORMAL.DOT template contains a virus “loader” that obtains the complete virus macros from the IMPMORI.DRV file.

The virus helpers also disables the macro-virus protection in the system registry, as well as looks for anti-virus memory resident programs and terminates them:

AVP Monitor
Amon Antivirus Monitor
Norton AntiVirus Auto-Protect Trial Version
Norton AntiVirus Auto-Protect

HTML pages are also affected by the virus. In the instance that a .HTM file is found in the current directory, the virus copies itself here with the name SETUP.EXE and appends a “Download” link to the HTM file. Clicking on this link results in a standard “File Download” window.

Depending on the random counter, the virus helper also sets the volume label “W32Moridin” to the current drive.

Infecting a Network

The virus helper feature is not finished, as it also spreads the virus over the local network if there are shared drives for full access. The virus helper enumerates them and tries to affect them in two ways.

1. The virus copies itself here with the name NETX.EXE and creates the auto-executed file AUTORUN.INF here with a command that activates a virus copy in the NETX.EXE file.

2. The virus looks for the Windows directory on the drive. If there is a directory with a “Windows”-like name, the virus copies itself here with the name INIT.EXE and registers that copy in the WIN.INI file in the auto-run section.

Infecting Remote Machines

In addition to intranet infection, the virus also tries to infect the remote machines in one more way. The virus looks to see whether one of the below-listed Internet applications is run:

GetRight Monitor
Microsoft Outlook
ICQMsgAPI Window
WWW Links
PIRCH98
Sockets Window

In this case, the virus obtains the IP address of the host (the machine the infected computer is connected to), and then scans the host subnet (usually the C class subnet) for NetBus backdoor presence. If there is a machine infected by NetBus, the virus sends its copy here and forces NetBus to execute it.

Backdoor Routine

The virus helper also has its own Backdoor routine with just four commands implemented:

– opens and closes CD door
– downloads and spawns a file
– terminates itself (backdoor routine)
– displays a message, the message box headline contains the following text:

[W97-2K/Win32.Moridin 1.0] by Asmodeus iKX

Infected E-mail

The virus uses two mail systems to spread itself: MS Outlook and Pegasus. The first method is realized in the VBS virus component, and the second in the MS Word virus macro program.

MS Outlook

To spread itself via e-mail messages, the virus COMMDLG.VBS file connects to MS Outlook, obtains all addresses from the Address Book and sends its copy (the PACKED.EXE file) here attached to the message. The message has a randomly selected Subject, Body and Signature:

Subject: “Virus ALERT!”
Body: “There is a VBS-worm spreading over email, protect yourself!
Do not open any attachment called FREE-SEX.VBS”

Subject: “Utopia/Earth 2025 tutorials”
Body: “Hi everyone, check this game out! www.games.esite.com.
A couple of tutorials are attached to the message”

Subject: “This is how I look :)”
Body: “Here is some pictures of me, you like it? :)”

The Signature is selected from the following variants:

Regards,
Sincerely,
Have a nice day,

It is completed in the computer owner’s name and organization name. The virus obtains these data from thesystem registry.

The virus’ VBS file is run upon each Windows restart. To prevent duplicate sendings, the virus creates the registry key:

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentversionIkx
Moridin 1.0

and exits the e-mail spreading routine if this key already is present in the registry.

Pegasus

The macro component in the infected MS Word document looks for the Pegasus mail client installed in the system. The virus selects an address from the Pegasus database and sends an active document here. The message has one of the following texts:

Check this out!

BAAAAAAAM! You just got hit by an attachment, this is the attachment war! Hit someone, NOW!

Infecting MS Word

The virus affects MS Word being run from the NORMAL.DOT file (see above). A short macro program in here obtains the main virus macro from the IMPMORI.DRV file in the Windows system directory and transfers it to NORMAL.DOT.

The main virus macro contains three routines: sending a virus copy via e-mail using Pegasus (see above); infecting other MS Word documents; extracting and spawning a PE EXE component from the document.

MS Word documents are infected when they are opened by Word. The virus simply copies its code here and spawns ADVAPI33.EXE with the document file name in the command line, causing the appending of the EXE virus code to the end of the document.

To extract the EXE code from the Word document, the virus macro opens the document as a binary file, goes to the end of the file, reads the virus EXE component, saves it to a disk file with the name W32MORI.EXE to the Windows directory and executes this file. So, the EXE virus component gains control from the infected Word document.