Class
Virus
Platform
Multi

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Virus

Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example: when infecting accessible disks, a virus penetrates a file located on a network resource a virus copies itself to a removable storage device or infects a file on a removable device a user sends an email with an infected attachment.

Read more

Platform: Multi

No platform description

Description

Technical Details

This is a multipartite virus that infects both MS Word documents and Windows95 VxD drivers. The virus uses several steps in its infection way - starting from infected document or VxD it makes three steps to infect the files of the same format as its original host file: Word document -> PE EXE dropper -> VxD driver -> Word document and so on.

When an infected file is opened by Word, the virus drops its PE part to the disks and executes it. This dropper looks for Windows95 VxD drivers and infects them. Next time when Windows loads its drivers, the virus "stays resident", hooks system calls and infects documents that are opened.

+---------+     +---------+     +---------+      +---------+
|Infected | --> |PE EXE   | --> |+---------+ --> |+---------+  -->
|document |     |dropper  |     ||VxD      |     ||+---------+ -->
|         |     |         |     ||drivers  |     |||Documents| -->
|         |     |         |     ||         |     |||         |
|         |     |         |     ||         |     |||         |
+---------+     +---------+     +|         |     +||         |
+---------+      +|         |
+---------+

"Overlay" Way of Infection

In both VxD files and Word documents the virus uses a quite clever way to store its data and code. In both types of files the virus puts into the actual document/driver's body just a virus loader - a small program that loads and executes the main virus code. In infected Word documents this loader is a short macro written in Word Basic (as well as all other Word macro viruses), in VxD it is a small 32-bit program.

The main virus code is placed out of actual body of Word document and VxD - while infecting the virus just appends this main code to the end of the file and makes no necessary fixes to "link" it with data/code of host file. It looks like an overlay data/code - this code is not linked with host file structure in any way, and there are no references to this overlay from code and data in main file (except virus loader).

Infected Windows95 VxD:         Infected Word document:
+------------+                  +------------+
|Original    |                  |Original    |
|VxD code    |                  |document's  |
+------------+                  |data        |
|Virus loader| <- 32-bit        +------------+
+------------+    program       |Virus loader| <- macro program
|The rest of |                  +------------+ <- end of legal document data
|VxD code    |                  |Extra data  | <- virus main code/data
|and data    |                  |            |
|            |                  +------------+ <- end of disk file
|            |
+------------+ <- end of legal VxD code
|Extra data  | <- virus main code/data
|            |
+------------+ <- end of disk file
When Windows loads such VxD it pays no attention to extra data/code and does not load it into the memory. When Word is opening infected document it also does not load these extra data to the memory, moreover, it ever cuts these data while closing a document. The only way for the virus to access such overlay is to open infected document/VxD as a disk file, seek to the overlay and read it, and the virus does that.

While infecting different objects the virus increases their lengths by different numbers because of different structures of "overlay" data. The length of documents is increased by 17245 bytes, VxD drivers have plus 12288 bytes at their end after infection, the length of virus dropper RUNME.EXE is 16208 bytes.

Opening an Infected Document

The most widespread way of getting infection nowadays is not receiving infected programs, but infected documents. So, with 100:1 a user will get and open an infected document, not an infected VxD (does somebody exchanging VxDs, except programmers?).

In infected documents the virus macro loader is named AutoOpen - this is auto-macro and it is automatically executed by Word when the document is opened. This macro allocates a block of memory (HeapAlloc Word function), opens the host file (document), seeks to the overlay data (main virus code), reads it and drops to the newly created C:RUNME.EXE file (by CreateFileA, SetFilePointer, ReadFile, WriteFile, CloseHandle functions).

Then the virus macro executes the C:RUNME.EXE file (by Word "Shell" instruction), and the C:RUNME.EXE virus dropper takes control, locates and infects Windows drivers.

Infecting VxD Drivers

First at all, when the RUNME.EXE is executed, the virus code checks the Windows version and immediately exits, if Windows version is 3.xx or less (I wander, is that check really necessary - RUNME.EXE is 32-bit PE-program, so it is not able to run it under old Windowses).

The virus then locates Windows directory, jumps to SYSTEM subdirectory, look for and infects the set of VxD files, if they are there:

EISA.VXD, FILESEC.VXD, ISAPNP.VXD, LOGGER.VXD, LPT.VXD, LPTENUM.VXD,
MSMOUSE.VXD, MSSP.VXD, NWSERVER.VXD, NWSP.VXD, PARALINK.VXD, PCI.VXD,
SERENUM.VXD, SERIAL.VXD, SPAP.VXD, SPLITTER.VXD, UNIMODEM.VXD, VFD.VXD,
VGATEWAY.VXD, WSIPX.VXD, WSOCK.VXD
While infecting VxD files the virus parses and modifies their internal structures, writes its loading code into the middle of the file and appends its main code as extra data to the end of the file.

Windows VxD drivers have LE EXE internal file format (Linear Executable). This format is quite complex to understand - it is much more complex than DOS EXE file format, more complex than Windows NewEXE file format. It looks similar to Portable Executable (PE) format, but absolutely different.

It would take lots of pages to describe all details that the virus does while infecting VxDs. In short: it reads LE Entry Table and Object Tables, looks for VxD code section and patches it. LE files have section (pages) structure. If code/date do not cover section, the section is just filled with zero bytes up to its limit. The virus uses that feature, and just increases the length of actual code in section and appends to there its loader's code (214 bytes), if there is enough free space in section.

To prevent duplicate infection the virus only uses file's date and time stamp - it sets new date&time for files while infecting them, and checks it before infection. This date/time is January 4th 1997, 4:28am. If somebody changes this stamp for infected VxD files, the virus will infect them twice and more times.

The virus does not look for other VxD files than listed above, neither when RUNME.EXE dropper is active, nor at any time after. The virus also does not erase RUNME.EXE after infecting VxDs, so a user is able to run this file manually, if he likes this name.

Infecting Documents

When Windows95 is loading infected VxD, the virus loader (in similar way as the loader in infected documents) allocates block of memory, seeks to the end of host file to read its "overlay", read it as data and then executes as a program (vivat Windows95 kernel protection!). The virus installator takes control, hooks IFS API and intercepts OpenFile calls.

When any file is opened, the virus compares file name extension with ".DOC", reads the file header and checks it for OLE2 stamp, then parses internal OLE2 formats, creates at the end of document new macro named AutoOpen, writes its macro loader to there and appends as "overlay" its main code. The virus also converts the Microsoft documents to Template format - the same as ordinary Word macro viruses do.

The virus does not infect documents with file length that is not aligned to sector (after infecting documents stays not aligned) - this fact the virus uses to separate infected and not infected documents. The virus also does not infect documents with length above than 800Kb - the virus infection routine is just not able to parse formats of large documents (in such documents additional fields appear). The virus checks internal identificator in documents and infects them only if they have format of PanEuro Word 6/7.

The MS Word should cut virus overlay code at the end of document (but leave AutoOpen macro) while saving infected file, and in my experiments with Word 7.0 it did. Despite on this the documents with DOC file name extensions were immediately re-infected by virus. In case of non-DOC extension, the documents stays semi-infected - they have virus macro AutoOpen, but they do not have virus "overlay" data. As a result the virus is not able to spread itself when such documents are opened.

The virus infection algorithm is not bugs-free. In case a template already has macro(s), the virus corrupts documents internal structure, and these macro(s) stay invisible. Second, that is impossible to remove virus AutoOpen macro from infected documents by using Word environment (Tools/Macro/Delete or Organizer) - the Word fails to do that and crashes with standard Windows error message:

This program has performed illegal operation
and will be shut down.

Last Notes

Because of its way of VxD drivers infection the virus is not able to infect WindowsNT system, but while experimenting with virus under Windows95 there were no problems discovered (except troubles with Word templates, that was described above). The virus does not manifest itself in any way and does not cause any system error messages when running under Windows95.

It seems to me that VxD infection routine has a bug (the virus does not parse correctly LE Object Table), and the virus will corrupt "non-standard" VxD drivers, but all VxDs from virus' list are "virus-compatible" and running Windows95 with infected VxDs (ever twice infected) causes no problems. Maybe because of this possible bug the virus author did not include call to VxD infection on their opening, but Word documents only.

The virus has several text strings, some of them seems to be the traces of debug-mode version of the virus:

can not find DDB fixupp
can not infect this file
not valid vxd file
successfuly infected
infecting file
Other strings contain the names of Windows functions that are used while infecting VxD drivers:
KERNEL32.dll CreateFileA ExitProcess GetFileSize GetFileTime
GetProcessHeap GetVersion GetWindowsDirectoryA HeapAlloc ReadFile
SetFilePointer SetFileTime WriteFile lstrcatA lstrcpyA CloseHandle
The rest of visible text strings are virus author's comments in English and in some corrupted hacker-like style:
HZDS virus (the world 1st direct VxD infector and the 2nd Word 6/7 infector)
(c) Navrhar (DESIGNeR in english), Slovakia, 21-oct-97
Diz virus haz been written in Banska Bystrica city, Slovakia.
W l¢0m   0  h  HZD$ v¡  s g    ¡ gZ      !
G    Z: Vyv0j  ,      ,   s y &pount; m   & Ugly &pount; s  , MG&pount;,  ¡gh m     0k  .
$p ¢¡ l G    Z: Æ  h0  0� Æ   ¢hy.6 93 (¡ w       0    1s ,      h  h0 0
l0 gs  0 y0  -   �0       ly)
M  y � ¢ks g0 s  0  0: HZD$, Vl  0 M.(D¡¢   0 )
$p0 s0     y *-Z1   ( h    s  VX-æ¡    v  )
The translation for last block of text looks like follows:
Welcome to the HZDS virus greetings area !
Greetz: Vyvojar, Ender, Nasty Lamer & Ugly Luser, MGL,
Nightmare Joker,
Special Greets: Author of Anarchy.6093 (i wanted to be 1st, but the honor
belongs to you - unfortunately)
Many fucks goes to to: HZDS, V1ado M.(Dictator)
Sponsored by *-Zine (the best VX-zine ever)

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Confirm changes?
Your message has been sent successfully.