Virus.Win32.HIV

Class Virus
Platform Win32
Description

Technical Details

This is a dangerous per-process memory-resident Win32 virus that infects PE EXE files (Windows applications) and MSI archives, “upgrades” itself from the Internet, and has e-mail spreading capabilities. The virus is encrypted and uses “Entry Point Obscuring” (EPO) technology to hide itself in infected files. It is about 6K in length.

The virus uses anti-debugging tricks and halts the machine if SoftICE or another debugger is detected in the system.

The virus also tries to disable Windows File Protection. To do that, it damages the system files responsible for file protection: it overwrites the DEFAULT.SFC file (under Win98) or SFCFILES.DLL (under Win2000) with empty data. This trick should work under Win98, but should not work under Win2000, where the system either blocks access to SFCFILES.DLL or immediately restores it from backup.

Infection

To infect *.EXE files, the virus looks for them in the current directory and writes itself to the end of the file. To gain control, the virus does not modify the program's entry point; instead it looks for standard subroutine prologue/epilogue code and patches an epilogue with a JMP_Virus instruction. As a result, the virus does not activate at the moment an infected file is run, but only when the patched routine is executed (when the corresponding branch gets control).

The virus then stays in memory as a component of the infected program, hooks several file-access functions, and infects EXE files that are accessed by the infected program. So the virus remains active in Windows memory until the infected application terminates.

In some cases, when run on an NTFS volume, the virus creates an additional NTFS stream (ADS) named “:HIV” (“filename.ext:HIV”) in infected files and writes the following “copyright” text there:

This cell has been infected by HIV virus, generation:

0xNNNNNNNN

where NNNNNNNN is the virus “generation” number.
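The “:HIV” stream is a convenient host-side indicator, because a legitimate file has no reason to carry it. The following scanner is an added example (not code from the original description and not the virus author's code): it opens `path:HIV` on NTFS, recognises the marker text quoted above and extracts the generation number. The stream reader is injectable, and the `SAMPLE_STREAMS` table is constructed sample data, so the logic can be exercised on a machine without an NTFS volume.

```python
import os
import re
from typing import Callable, Iterable, Iterator, Optional, Tuple

# Stream name and marker text as quoted in the description above.
STREAM_NAME = "HIV"
MARKER_RE = re.compile(
    r"This cell has been infected by HIV virus,\s*generation:\s*0x([0-9A-Fa-f]{1,8})"
)


def parse_hiv_marker(text: str) -> Optional[int]:
    """Return the generation number if `text` carries the HIV marker, else None."""
    match = MARKER_RE.search(text)
    if match is None:
        return None
    return int(match.group(1), 16)


def read_named_stream(path: str, stream: str = STREAM_NAME) -> Optional[str]:
    """Read up to 4 KiB of the alternate data stream `path:stream`.

    Only NTFS exposes streams through the `file:stream` syntax; on any other
    file system (or when the stream is absent) the open fails and we report
    'no stream' rather than an error.
    """
    try:
        with open(f"{path}:{stream}", "r", encoding="latin-1", errors="replace") as fh:
            return fh.read(4096)
    except OSError:
        return None


def scan_paths(paths: Iterable[str],
               reader: Callable[[str], Optional[str]] = read_named_stream
               ) -> Iterator[Tuple[str, int]]:
    """Yield (path, generation) for every file whose :HIV stream carries the marker.

    `reader` is injectable so the logic can be run against constructed data.
    """
    for path in paths:
        text = reader(path)
        if text is None:
            continue
        generation = parse_hiv_marker(text)
        if generation is not None:
            yield path, generation


def scan_tree(root: str, reader=read_named_stream) -> Iterator[Tuple[str, int]]:
    """Walk `root` and scan every regular file for the marker stream."""
    def all_files():
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                yield os.path.join(dirpath, name)
    yield from scan_paths(all_files(), reader)


# Constructed stand-in for the :HIV stream contents of three files; the two
# marked entries mimic the text quoted in the description (hypothetical paths).
SAMPLE_STREAMS = {
    r"C:\apps\tool.exe": "This cell has been infected by HIV virus, generation:\n\n0x0000002A",
    r"C:\apps\calc.exe": "This cell has been infected by HIV virus, generation: 0x000001FF",
    r"C:\apps\notes.txt": None,  # no :HIV stream
}


def demo_findings():
    """Run the scanner over the constructed sample data."""
    return list(scan_paths(SAMPLE_STREAMS.keys(), SAMPLE_STREAMS.get))


if __name__ == "__main__":
    for path, gen in demo_findings():
        print(f"{path}: HIV marker, generation {gen}")
```

On a live system call `scan_tree(r"C:\")` with the default reader; note that the description says the stream is written only “in some cases”, so a missing stream does not clear a file, it only means this particular indicator is absent.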

MSI archives

The virus also intercepts access to MSI archives, opens them, looks for PE EXE files inside and infects them by overwriting the program's entry routine with code that displays the following message when run:

[Win32.HiV] by Benny/29A
This cell has been infected by HIV virus, generation: 0xNNNNNNNN

where NNNNNNNN is the virus “generation” number.

HTML files infection

The virus also looks for *.HTML files in the current directory and replaces them with XML files, adding a .XML extension to the name:

Clean file: File.html

Infected file: File.html.xml

The virus then hides the infected XML files using a trick: it sets a registry value that stops Windows from showing the extension of XML files, and changes the XML file icon to the standard HTML file icon. As a result, infected HTML files (which are actually XML files after infection) are displayed by Explorer as standard HTML files in the file list. So an infected “File.html.xml” is shown as “File.html” with an HTML file icon.

The script program written by the virus into infected HTML files gains access to the Internet zone and opens the following file from there:

http://coderz.net/benny/viruses/press.txt

In reality, this is not a TXT file but an XML file that Internet Explorer processes as a standard Web page (despite the TXT extension). The script program in the PRESS.TXT file downloads an MSXMLP.EXE file from the same site and registers it in the auto-run Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HIV = c:\MSXMLP.EXE

The MSXMLP.EXE file hosted there is a standard Windows application containing a new virus version. So the virus author can “upgrade” the virus on infected machines, or install a Trojan.

Email spreading

The virus opens the WAB database (Windows Address Book), obtains e-mail addresses from there and sends messages that contain the following:

From: press@microsoft.com
Sent: 2010/06/06 22:00
Subject: XML presentation
Message:

Please check out this XML presentation and send us your opinion.
If you have any questions about XML presentation, write us.
Thank you,
The XML developement team, Microsoft Corp.

Attached file: press.txt

The attached PRESS.TXT file is the same XML script program the virus uses when infecting HTML files. So, when a user opens PRESS.TXT, a virus copy is downloaded to the computer and registered in the system registry.
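The message quoted above gives a mail gateway four things to match on: the sender address, the subject, the attachment name, and the fact that a “.txt” attachment actually begins with markup. The following filter is an added example (not from the original description) using only the Python standard library; `build_sample()` and `build_benign()` construct test messages shaped like the one quoted, they are not captured samples. The `From` line is whatever the virus puts in the header, not the real sender, so it is a weak indicator next to the markup-in-TXT check.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Header and attachment values quoted from the message in the description.
SENDER = "press@microsoft.com"
SUBJECT = "XML presentation"
ATTACHMENT = "press.txt"


def hiv_mail_indicators(raw: bytes) -> List[str]:
    """Return the HIV mail indicators present in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []
    if SENDER in (msg.get("From") or "").lower():
        hits.append(f"from:{SENDER}")
    if (msg.get("Subject") or "").strip().lower() == SUBJECT.lower():
        hits.append(f"subject:{SUBJECT}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT:
            hits.append(f"attachment:{ATTACHMENT}")
        if name.endswith(".txt"):
            body = part.get_content()
            if isinstance(body, bytes):
                body = body.decode("latin-1", errors="replace")
            head = body.lstrip()[:64].lower()
            # A .txt attachment that opens with markup is being used as an
            # HTML/XML page, which is the trick the description explains.
            if head.startswith(("<?xml", "<html", "<!doctype")):
                hits.append(f"attachment:{name} starts with markup")
    return hits


def build_sample(attach_markup: bool = True) -> bytes:
    """Construct a message shaped like the one quoted (constructed, not a capture)."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = SUBJECT
    msg.set_content(
        "Please check out this XML presentation and send us your opinion.\n"
        "Thank you,\n"
    )
    if attach_markup:
        # Harmless placeholder content; only its leading markup matters here.
        payload = '<?xml version="1.0"?>\n<html><body>constructed placeholder</body></html>\n'
        msg.add_attachment(payload, filename=ATTACHMENT)
    return msg.as_bytes()


def build_benign() -> bytes:
    """An ordinary message that should produce no indicators."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "lunch"
    msg.set_content("noon?\n")
    return msg.as_bytes()


if __name__ == "__main__":
    print(hiv_mail_indicators(build_sample()))
    print(hiv_mail_indicators(build_benign()))
```

Feed `hiv_mail_indicators()` the raw bytes of each message at the gateway; quarantining on the markup-in-TXT indicator alone catches the same script even if the sender or subject is changed.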

The virus saves that PRESS.TXT file in the root directory of drive C: C:\PRESS.TXT.

To send messages, the virus uses the MAPI library, so it does not depend on the mail system installed on the computer.

The known virus version has a bug in the mailing routine, and fails to send messages.