Virus.Win16.Gollum

Class Virus
Platform Win16
Description

Technical Details


This is a parasitic virus that “stays resident” under Windows and
Windows95, hooks disk file access and infects DOS EXE files. This is
multipartite virus, because it affects two different platforms – Windows
and DOS. The virus does not infect neither Portable Executable (PE) nor New
Executable (NE) Windows EXE files, but stays in Windows as a VxD driver to
intercept and infect DOS EXE files. So, the virus does not infect Windows
files, but Windows memory, and it does not infect DOS memory, but does
infect DOS EXE files.


When an infected DOS EXE file is executed, the virus only drops its VxD
(the GOLLUM.386 file), registers it in the Windows SYSTEM.INI file, returns
to the host program and does not perform any other action. When Windows is
starting, it loads this virus VxD, the virus takes control, hooks V86
interrupts chain and then infects DOS EXE files. The GOLLUM.386 dropper has
6592 bytes of length, while infecting it adds 7167 bytes to DOS EXE files.

Infected DOS EXE File


The virus in DOS EXE file is encrypted by NOT (XOR 0FFh) instruction. So,
when an infected file is executed, the virus takes control and decrypts
itself. The loop of decryption command contains a silly anti-debugging
trick, and one should be careful while analyzing the virus code.


The virus then looks for Windows SYSTEM.INI file. There are five names that
are used by virus:


C:WINDOWSSYSTEM.INI
C:WINSYSTEM.INI
C:WIN31SYSTEM.INI
C:WIN311SYSTEM.INI
C:WIN95SYSTEM.INI

If there are no such files, the virus does not drop its VxD and returns to
the host program. Otherwise it creates the GOLLUM.386 file (virus VxD) in
the Windows directory and inserts into the SYSTEM.INI file the command that
loads this VxD:

DEVICE=GOLLUM.386

This command is inserted into [386Enh] section – the virus searches for
string “[386” and writes that command to there:

SYSTEM.INI before and after infection
… …
[386Enh] [386Enh]
mouse=*vmd DEVICE=GOLLUM.386

mouse=*vmd


The virus does not drops its VxD twice – it scans the SYSTEM.INI file for
the string “GOLLU” and terminates infection routine if this string is
found.

Virus in VxD File


Virus VxD (the GOLLUM.386 file) has LE (Linear Executable) format. DOS EXE
stub in this file contains a short routine that switches to standard text
video mode and displays the text:

GoLLum!

The LE part of this file contains the installation routine that gets and
stores startup path (to use in infection routine), hooks INT 21h (V86
interrupt chain), INT 21h handler, infection routine and virus DOS EXE
code. The INT 21h virus handler intercepts three calls: Load and Execute
(4B00h), Terminate (4C00h) and Change Directory (3Bh).


When a file is executed, the virus only saves its name and returns control.
The infection routine gets control on Terminate call. At first the virus
checks the file name. It infects the files only on C: drive and does not
infect the files SCAN*.*, F-PR*.*, TB*.* (SCAN, F-PROT, ThunderByte-related
programs) as well as files with name that contains ‘V’ letter or digits.
The virus also does not infect the files with length less than 7167 bytes.


The virus then opens the file, reads and checks its header. The virus
checks the EXE stamp (MZ at file beginning) and NewExe flags, but fails and
in some cases infects NewExe files as DOS EXE. That may corrupt files. To
prevent duplicate infection the virus compares the CRC field (offset 12h in
EXE header) with two bytes – 52h 43h (ASCII “RC”).


The virus then infects the file in a standard way that is used by majority
of DOS viruses – it writes its code (DOS and VxD parts) to the end of the
file and modifies EXE header (entry point and stack initial values, module
size and identificator “RC”). To avoid code/data access violation while
writing VxD part the virus copies it from GOLLUM.386 in startup path that
was stored while installing virus VxD.


The infection routine is complete, and the virus closes the file as well as
restores file attributes and file date and time stamp.

Trigger Routines


While installing on June 4th the virus sends a system message with the text
that forces Windows to display this text as a system error message:

GoLLuM ViRuS by Griyo/29A
Deep down here by the dark water lived old Gollum, a small slimy
creature. I dont know where he came from, nor who or what he was. He
was a Gollum -as dark a darkness, except for two big round pale eyes
in his thin face.
J.R.R. ToLkieN … The HoBBit
Press any key to continue

On selecting a directory (INT 21h Change Directory call) the virus gets the
system timer and depending on its value (with probability 1/256) creates
the GOLLUM.EXE file in the current directory and copies its VxD GOLLUM.386
to there. When this EXE file is executed under DOS, the DOS stub routine
displays:

GoLLum!

To avoid detection by anti-virus integrity checkers the virus deletes their
databases: ANTI-VIR.DAT, CHKLIST.TAV, CHKLIST.MS, AVP.CRC, IVB.NTZ.


The virus also contains the strings:


GoLLuM ViRuS for Microsoft Windows by GriYo/29A
GPTrap_DDB