Virus.Multi.Navrhar

Class Virus
Platform Multi
Description

Technical Details


This is a multipartite virus that infects both MS Word documents and
Windows95 VxD drivers. The virus uses several steps in its infection way –
starting from infected document or VxD it makes three steps to infect the
files of the same format as its original host file: Word document -> PE EXE
dropper -> VxD driver -> Word document and so on.


When an infected file is opened by Word, the virus drops its PE part to the
disks and executes it. This dropper looks for Windows95 VxD drivers and
infects them. Next time when Windows loads its drivers, the virus “stays
resident”, hooks system calls and infects documents that are opened.


+———+ +———+ +———+ +———+
|Infected | –> |PE EXE | –> |+———+ –> |+———+ –>
|document | |dropper | ||VxD | ||+———+ –>
| | | | ||drivers | |||Documents| –>
| | | | || | ||| |
| | | | || | ||| |
+———+ +———+ +| | +|| |
+———+ +| |
+———+

“Overlay” Way of Infection


In both VxD files and Word documents the virus uses a quite clever way to
store its data and code. In both types of files the virus puts into the
actual document/driver’s body just a virus loader – a small program that
loads and executes the main virus code. In infected Word documents this
loader is a short macro written in Word Basic (as well as all other Word
macro viruses), in VxD it is a small 32-bit program.


The main virus code is placed out of actual body of Word document and VxD –
while infecting the virus just appends this main code to the end of the
file and makes no necessary fixes to “link” it with data/code of host file.
It looks like an overlay data/code – this code is not linked with host file
structure in any way, and there are no references to this overlay from code
and data in main file (except virus loader).


Infected Windows95 VxD: Infected Word document:
+————+ +————+
|Original | |Original |
|VxD code | |document’s |
+————+ |data |
|Virus loader| <- 32-bit +------------+ +------------+ program |Virus loader| <- macro program |The rest of | +------------+ <- end of legal document data |VxD code | |Extra data | <- virus main code/data |and data | | | | | +------------+ <- end of disk file | | +------------+ <- end of legal VxD code |Extra data | <- virus main code/data | | +------------+ <- end of disk file

When Windows loads such VxD it pays no attention to extra data/code and
does not load it into the memory. When Word is opening infected document it
also does not load these extra data to the memory, moreover, it ever cuts
these data while closing a document. The only way for the virus to access
such overlay is to open infected document/VxD as a disk file, seek to the
overlay and read it, and the virus does that.


While infecting different objects the virus increases their lengths by
different numbers because of different structures of “overlay” data. The
length of documents is increased by 17245 bytes, VxD drivers have plus
12288 bytes at their end after infection, the length of virus dropper
RUNME.EXE is 16208 bytes.

Opening an Infected Document


The most widespread way of getting infection nowadays is not receiving
infected programs, but infected documents. So, with 100:1 a user will get
and open an infected document, not an infected VxD (does somebody
exchanging VxDs, except programmers?).


In infected documents the virus macro loader is named AutoOpen – this is
auto-macro and it is automatically executed by Word when the document is
opened. This macro allocates a block of memory (HeapAlloc Word function),
opens the host file (document), seeks to the overlay data (main virus
code), reads it and drops to the newly created C:RUNME.EXE file
(by CreateFileA, SetFilePointer, ReadFile, WriteFile, CloseHandle
functions).


Then the virus macro executes the C:RUNME.EXE file (by Word “Shell”
instruction), and the C:RUNME.EXE virus dropper takes control, locates and
infects Windows drivers.

Infecting VxD Drivers


First at all, when the RUNME.EXE is executed, the virus code checks the
Windows version and immediately exits, if Windows version is 3.xx or less
(I wander, is that check really necessary – RUNME.EXE is 32-bit PE-program,
so it is not able to run it under old Windowses).


The virus then locates Windows directory, jumps to SYSTEM subdirectory,
look for and infects the set of VxD files, if they are there:


EISA.VXD, FILESEC.VXD, ISAPNP.VXD, LOGGER.VXD, LPT.VXD, LPTENUM.VXD,
MSMOUSE.VXD, MSSP.VXD, NWSERVER.VXD, NWSP.VXD, PARALINK.VXD, PCI.VXD,
SERENUM.VXD, SERIAL.VXD, SPAP.VXD, SPLITTER.VXD, UNIMODEM.VXD, VFD.VXD,
VGATEWAY.VXD, WSIPX.VXD, WSOCK.VXD

While infecting VxD files the virus parses and modifies their internal
structures, writes its loading code into the middle of the file and appends
its main code as extra data to the end of the file.


Windows VxD drivers have LE EXE internal file format (Linear Executable).
This format is quite complex to understand – it is much more complex than
DOS EXE file format, more complex than Windows NewEXE file format. It looks
similar to Portable Executable (PE) format, but absolutely different.


It would take lots of pages to describe all details that the virus does while
infecting VxDs. In short: it reads LE Entry Table and Object Tables, looks
for VxD code section and patches it. LE files have section (pages)
structure. If code/date do not cover section, the section is just filled
with zero bytes up to its limit. The virus uses that feature, and just
increases the length of actual code in section and appends to there its
loader’s code (214 bytes), if there is enough free space in section.


To prevent duplicate infection the virus only uses file’s date and time
stamp – it sets new date&time for files while infecting them, and checks it
before infection. This date/time is January 4th 1997, 4:28am. If somebody
changes this stamp for infected VxD files, the virus will infect them twice
and more times.


The virus does not look for other VxD files than listed above, neither
when RUNME.EXE dropper is active, nor at any time after. The virus also
does not erase RUNME.EXE after infecting VxDs, so a user is able to run
this file manually, if he likes this name.

Infecting Documents


When Windows95 is loading infected VxD, the virus loader (in similar way as
the loader in infected documents) allocates block of memory, seeks to the
end of host file to read its “overlay”, read it as data and then executes
as a program (vivat Windows95 kernel protection!). The virus installator
takes control, hooks IFS API and intercepts OpenFile calls.


When any file is opened, the virus compares file name extension with
“.DOC”, reads the file header and checks it for OLE2 stamp, then parses
internal OLE2 formats, creates at the end of document new macro named
AutoOpen, writes its macro loader to there and appends as “overlay” its
main code. The virus also converts the Microsoft documents to Template
format – the same as ordinary Word macro viruses do.


The virus does not infect documents with file length that is not aligned to
sector (after infecting documents stays not aligned) – this fact the virus
uses to separate infected and not infected documents. The virus also does
not infect documents with length above than 800Kb – the virus infection
routine is just not able to parse formats of large documents (in such
documents additional fields appear). The virus checks internal
identificator in documents and infects them only if they have format of
PanEuro Word 6/7.


The MS Word should cut virus overlay code at the end of document (but leave
AutoOpen macro) while saving infected file, and in my experiments with Word
7.0 it did. Despite on this the documents with DOC file name extensions
were immediately re-infected by virus. In case of non-DOC extension, the
documents stays semi-infected – they have virus macro AutoOpen, but they do
not have virus “overlay” data. As a result the virus is not able to spread
itself when such documents are opened.


The virus infection algorithm is not bugs-free. In case a template already
has macro(s), the virus corrupts documents internal structure, and these
macro(s) stay invisible. Second, that is impossible to remove virus
AutoOpen macro from infected documents by using Word environment
(Tools/Macro/Delete or Organizer) – the Word fails to do that and crashes
with standard Windows error message:


This program has performed illegal operation
and will be shut down.

Last Notes


Because of its way of VxD drivers infection the virus is not able to infect
WindowsNT system, but while experimenting with virus under Windows95 there
were no problems discovered (except troubles with Word templates, that was
described above). The virus does not manifest itself in any way and does
not cause any system error messages when running under Windows95.


It seems to me that VxD infection routine has a bug (the virus does not
parse correctly LE Object Table), and the virus will corrupt “non-standard”
VxD drivers, but all VxDs from virus’ list are “virus-compatible” and
running Windows95 with infected VxDs (ever twice infected) causes no
problems. Maybe because of this possible bug the virus author did not
include call to VxD infection on their opening, but Word documents only.


The virus has several text strings, some of them seems to be the traces of
debug-mode version of the virus:


can not find DDB fixupp
can not infect this file
not valid vxd file
successfuly infected
infecting file

Other strings contain the names of Windows functions that are used while
infecting VxD drivers:

KERNEL32.dll CreateFileA ExitProcess GetFileSize GetFileTime
GetProcessHeap GetVersion GetWindowsDirectoryA HeapAlloc ReadFile
SetFilePointer SetFileTime WriteFile lstrcatA lstrcpyA CloseHandle

The rest of visible text strings are virus author’s comments in English and
in some corrupted hacker-like style:

HZDS virus (the world 1st direct VxD infector and the 2nd Word 6/7 infector)
(c) Navrhar (DESIGNeR in english), Slovakia, 21-oct-97
Diz virus haz been written in Banska Bystrica city, Slovakia.
W l¢0m 0 h HZD$ v¡ s g ¡ gZ !
G Z: Vyv0j , , s y &pount; m & Ugly &pount; s , MG&pount;, ¡gh m 0k .
$p ¢¡ l G Z: Æ h0 0� Æ ¢hy.6 93 (¡ w 0 1s , h h0 0
l0 gs 0 y0 – �0 ly)
M y � ¢ks g0 s 0 0: HZD$, Vl 0 M.(D¡¢ 0 )
$p0 s0 y *-Z1 ( h s VX-æ¡ v )

The translation for last block of text looks like follows:

Welcome to the HZDS virus greetings area !
Greetz: Vyvojar, Ender, Nasty Lamer & Ugly Luser, MGL,
Nightmare Joker,
Special Greets: Author of Anarchy.6093 (i wanted to be 1st, but the honor
belongs to you – unfortunately)
Many fucks goes to to: HZDS, V1ado M.(Dictator)
Sponsored by *-Zine (the best VX-zine ever)