Virus.Win32.Etap

Class Virus
Platform Win32
Description

Technical Details

Etap is a very complex, highly polymorphic, parasitic Win32 virus that uses the entry-point obscuring technique. The virus infects Windows executable files (Win32 PE EXE). When run, the virus searches for these files and infects them.

Replication

The virus searches for Win32 PE executable files in the current directory and in the directories up to three levels above the current directory. It also searches for executable files on available network drives and on removable media. If a directory's name begins with "W", it infects the EXE files contained within. The virus doesn't infect files whose names begin with the following:

F-
PA
SC
DR
NO

'Etap' also spares files whose names contain the letter 'V', and skips further files depending on random counter values.

While infecting a file, the virus rebuilds and encrypts its body and writes it to one of the host file's sections. It then searches the host's code section for one of the 'calls' to the "ExitProcess" function and replaces it with a 'call' to the viral code.

Payload

Depending on the system date, and on whether the infected host file imports the Windows library User32.dll, the virus may display messages such as:

On May 14th:
"Free Palestine!"

or

On the 17th of March, June, September and December:
"Metaphor V1 by the Mental Driller/29a", or
"Metaphor 1b by the Mental Driller/29a"

The letters of the latter message may be selected at random.