This is a multi-platform virus infecting Win32 systems. The virus infects Win32 executable files, MS Word documents, and spreads via e-mail through IRC channels as well as infecting the local network. The virus also has Backdoor ability.
The virus is about 70K in size, and there are several other components embedded in it: Win32 EXE “helper” (additional application), Word template, Word macro component source, as well as several script programs:
The virus can be found in several forms:
While spreading via e-mail through the network and IRC channels, the worm names its copies as: CRACK.EXE, PACKED.EXE, SETUP.EXE, NETX.EXE, and INIT.EXE.
PE EXE Virus Component – Infected PE EXE Files
Infecting PE EXE files
While infecting a PE EXE file, the virus increases the size of the last file section, encrypts itself with a polymorphic routine and writes itself here. The polymorphic code is of average complexity.
To gain control when an infected file is run, the virus patches the file entry code with a short semi-polymorphic code that immediately passes control to a polymorphic decryption loop when an infected file is run.
Infected File Run
When an infected file is run, the virus polymorphic code gains control, decrypts the main virus code and transfers control here. The virus then creates four files in the Windows system directory:
the first three files contain the same code – a 60K virus helper (see below)- which is a PE EXE file and is executed as a typical Windows application. These files are used by other virus components to infect Word documents, as
The PACKED.EXE and MMSYSTEM.BIN are then infected by the virus in the same way other EXE files are infected (see above). As a result, the size of these files is increased up to 130K (60K of helper plus 70K of complete virus code), and the code of the helper is duplicated here (the helper is
The COMMDLG.VBS file contains VBScript that spreads the virus on the Internet via e-mail messages.
System Registry Keys
The virus then modifies the system registry keys. It creates the following keys:
and deletes the following key:
modifies the following keys:
where %SystemDir% is the name of the Windows system directory.
The “1” causes the system to run the virus helper when each EXE file is run (see below). The “2” activates a VBS component that sends affected e-mail upon Windows startup. The “3” seems to be some virus ID stamp. The “4” enables AUTORUN.INF file auto-processing. The “5” allows a backdoor component to obtain system passwords (the virus code doesn’t contain a routine for that, but it can be downloaded and installed, see below). The “6” is another virus ID stamp that is used by the MS Word virus component to locate the exact directory where other virus components are located.
If the virus fails to install itself to the Windows system directory, it drops its files to the Windows temporary directory and creates/deletes/modifies exactly the same keys with the exception of “3”.
The virus then infects up to five EXE and up to five SRC files in the current directory. The virus uses the masks “GOAT*.EXE” and “GOAT*.SCR” to locate the files, so the virus is a “research” one and cannot infect files
Despite the fact that this virus version infects GOAT* files only, it checks a file for an anti-virus name and skips infection. The virus detects anti-virus programs according to the first four characters of the name:
The virus also does not infect WinZip self-extractors.
The virus deletes the following anti-virus data files:
This virus component contains the texts:
Virus Helper Run
The virus helper is activated upon any EXE file run (caused by the System registry key “1”, see above). As a command line, the helper obtains the EXE file name expected to be executed and the command line. The helper pays attention to both the EXE file name and command line arguments.
When any one of mIRC, PIRCH or vIRC client is executed, the virus affects them. It makes a copy itself in the current directory with the name CRACK.EXE and creates a corresponding script file or files that send the infected CRACK.EXE file to a user. The file either enters the IRC channel (in the case of a vIRC client), or sends a text to the channel with the word “crack” in it (mIRC, PIRCH).
Script files created by the virus:
In case a user attempts to execute the REGEDIT.EXE or an anti-virus program, the virus simply terminates that request. The list of these file names is as follows:
When a file is executed corresponding to one of the three “virus-file” names: CRAC*, PACK*, MMSY*, or a file with the name SETU*, the virus terminates the file and displays a fake error message:
In the instance the command line contains a reference to a .DOC file, the virus appends its PACKED.EXE file to the end of file. This addition will be used later to spread the virus from the affected Word documents.
The virus helper also drops two more files for migrating to the MS Word environment:
The NORMAL.DOT template contains a virus “loader” that obtains the complete virus macros from the IMPMORI.DRV file.
The virus helpers also disables the macro-virus protection in the system registry, as well as looks for anti-virus memory resident programs and terminates them:
HTML pages are also affected by the virus. In the instance that a .HTM file is found in the current directory, the virus copies itself here with the name SETUP.EXE and appends a “Download” link to the HTM file. Clicking on this link results in a standard “File Download” window.
Depending on the random counter, the virus helper also sets the volume label “W32Moridin” to the current drive.
Infecting a Network
The virus helper feature is not finished, as it also spreads the virus over the local network if there are shared drives for full access. The virus helper enumerates them and tries to affect them in two ways.
1. The virus copies itself here with the name NETX.EXE and creates the auto-executed file AUTORUN.INF here with a command that activates a virus copy in the NETX.EXE file.
2. The virus looks for the Windows directory on the drive. If there is a directory with a “Windows”-like name, the virus copies itself here with the name INIT.EXE and registers that copy in the WIN.INI file in the auto-run section.
Infecting Remote Machines
In addition to intranet infection, the virus also tries to infect the remote machines in one more way. The virus looks to see whether one of the below-listed Internet applications is run:
In this case, the virus obtains the IP address of the host (the machine the infected computer is connected to), and then scans the host subnet (usually the C class subnet) for NetBus backdoor presence. If there is a machine infected by NetBus, the virus sends its copy here and forces NetBus to execute it.
The virus helper also has its own Backdoor routine with just four commands implemented:
The virus uses two mail systems to spread itself: MS Outlook and Pegasus. The first method is realized in the VBS virus component, and the second in the MS Word virus macro program.
To spread itself via e-mail messages, the virus COMMDLG.VBS file connects to MS Outlook, obtains all addresses from the Address Book and sends its copy (the PACKED.EXE file) here attached to the message. The message has a randomly selected Subject, Body and Signature:
The Signature is selected from the following variants:
It is completed in the computer owner’s name and organization name. The virus obtains these data from thesystem registry.
The virus’ VBS file is run upon each Windows restart. To prevent duplicate sendings, the virus creates the registry key:
and exits the e-mail spreading routine if this key already is present in the registry.
The macro component in the infected MS Word document looks for the Pegasus mail client installed in the system. The virus selects an address from the Pegasus database and sends an active document here. The message has one of the following texts:
Infecting MS Word
The virus affects MS Word being run from the NORMAL.DOT file (see above). A short macro program in here obtains the main virus macro from the IMPMORI.DRV file in the Windows system directory and transfers it to NORMAL.DOT.
The main virus macro contains three routines: sending a virus copy via e-mail using Pegasus (see above); infecting other MS Word documents; extracting and spawning a PE EXE component from the document.
MS Word documents are infected when they are opened by Word. The virus simply copies its code here and spawns ADVAPI33.EXE with the document file name in the command line, causing the appending of the EXE virus code to the end of the document.
To extract the EXE code from the Word document, the virus macro opens the document as a binary file, goes to the end of the file, reads the virus EXE component, saves it to a disk file with the name W32MORI.EXE to the Windows directory and executes this file. So, the EXE virus component gains control from the infected Word document.