Virus.Win32.Parvo

Class Virus
Platform Win32
Description

Technical Details


This virus spreads under Win32 (Win95/98 and WinNT) and infects PE EXE
files (Portable Executable). The virus is quite large for a program
written in Assembler: about 15Kb. It is a polymorphic virus.



The most interesting feature of this virus is its ability to send infected
EXE files to the Internet by using standard Email protocols (see also other
viruses that send infected messages via Email:
“Win.RedTeam”,
“Macro.Word97.Antimarc”,
“Macro.Word.Innuendo”,
“Macro.Word.ShareFun”).


Depending on a random counter, the virus calls its second
Internet-accessing routine. This time the virus does not spread its
copies, but just looks for the DialUp database and sends it to the virus' author.


The virus code contains author’s “copyrights”:



– Parvo BioCoded by GriYo / 29A – Win32 Tech Support by Jacky Qwerty / 29A
– Thanks to Darkman / 29A and b0z0 / Ikx for their ideas and strategy
– Parvo is a research speciment, do not distribute
– c1999 29A Labs … We create life –


Many virus routines (infection, polymorphic) have the same features as
those of the “Win95.Marburg” virus. The virus writes itself to
the end of the last file section; it does not modify the PE entry address but
patches the original program’s entry code with a JMP_Virus instruction, or with a
block of junk code that at the end passes control to the virus code; etc.


When the virus takes control, the polymorphic decryption loop and an
additional light decryption routine restore the virus code and pass
control to the main virus routine.


The virus protects its code by using a CRC check. It calculates the CRC of
its code and exits if the CRC is not correct. It seems that this feature
is necessary for the virus because it sends infected files via the
Internet, so the CRC check prevents corrupted copies from executing.


The virus then scans the Windows kernel and looks for the file access,
search, and other API functions that it uses. While looking for API
functions the virus does not use their names, but checksums. To find the
necessary strings in the Windows kernel the virus just calculates their
CRCs one by one and compares the results with a table of pre-calculated
values that are saved in the virus code.


To infect files on the disk the virus looks for them in the current, Windows
and Windows system directories. The virus also affects files in the
directories that contain the installed Internet browser and Email reader.
The virus gets these directory names from the System Registry.


The virus does not infect all files that are found, but only files with
specific names: IEXPLORE.EXE, INSTALL.EXE, NETSCAPE.EXE, NOTEPAD.EXE,
SETUP.EXE, WINZIP32.EXE, and some others. To compare file names the virus
uses the same checksum method as when looking for API functions.
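The checksum matching described above, for both API names and host file names, is something an analyst can reverse with a wordlist. The following is an added example, not code from the virus or from the original description. It assumes CRC-32 as computed by zlib and case folding for file names (the description does not state the CRC variant); the wordlists and the table values are constructed for illustration.

```python
import zlib

def name_crc(name, fold_case=False):
    """CRC-32 (IEEE polynomial, as zlib computes it) over the ASCII name."""
    # Assumption: the description does not state the CRC variant or case folding.
    text = name.upper() if fold_case else name
    return zlib.crc32(text.encode("ascii")) & 0xFFFFFFFF

def resolve(table, candidates, fold_case=False):
    """Match checksums carved from a sample against a candidate wordlist.

    Returns (resolved, unresolved): checksum -> matching names, and the
    checksums no candidate explains. Names are kept in lists so that a
    collision between two candidates stays visible to the analyst.
    """
    index = {}
    for name in candidates:
        index.setdefault(name_crc(name, fold_case), []).append(name)
    resolved, unresolved = {}, []
    for value in table:
        if value in index:
            resolved[value] = index[value]
        else:
            unresolved.append(value)
    return resolved, unresolved

# Analyst wordlists (assumed): some kernel32 file and search exports, and the
# host file names listed in the description.
API_WORDLIST = ["CreateFileA", "FindFirstFileA", "FindNextFileA", "FindClose",
                "ReadFile", "WriteFile", "CloseHandle"]
FILE_WORDLIST = ["IEXPLORE.EXE", "INSTALL.EXE", "NETSCAPE.EXE", "NOTEPAD.EXE",
                 "SETUP.EXE", "WINZIP32.EXE"]

# Constructed stand-ins for tables carved from a sample; 0xDEADBEEF is a
# deliberately unknown entry.
API_TABLE = [name_crc("FindFirstFileA"), name_crc("CreateFileA"), 0xDEADBEEF]
FILE_TABLE = [name_crc("NOTEPAD.EXE", True), name_crc("SETUP.EXE", True)]

if __name__ == "__main__":
    for table, words, fold in ((API_TABLE, API_WORDLIST, False),
                               (FILE_TABLE, FILE_WORDLIST, True)):
        hits, misses = resolve(table, words, fold)
        for value, names in hits.items():
            print(f"{value:08X} -> {', '.join(names)}")
        for value in misses:
            print(f"{value:08X} -> unresolved, extend the wordlist")
```

Unresolved checksums mean the wordlist or the assumed checksum variant is incomplete, not that the table entry is unused.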


To return control to the host program the virus creates a copy of it with a
randomly selected name, disinfects the copy and executes it. The virus then
waits for the host file to exit, so the virus code stays in memory until the
host program terminates. Although the virus code may stay in memory for
a long time, the virus is not memory resident. It does not hook any system
events and does not intercept file opening/execution to infect files.


To send infected files to the Internet the virus connects to the Internet by
using standard Windows functions, gets a randomly selected Email address,
sends a hoax message to it and attaches the infected EXE dropper to the
message (see the text of the messages below). To get a victim Email address
the virus goes to several newsgroups, reads a randomly selected message and
looks for the FROM string in it. When this ID text is found, the virus uses
the address that follows it to send the infected message.


The infected file name is selected from three possible variants:
MSEFIXI.EXE, LSERIAL.EXE or HOTEENS.EXE. The messages (including headers)
are also selected from three variants:


Message 1 ————————————————————-


mail from: support@microsoft.com
from: support@microsoft.com
rcpt to: randomly selected address
to: randomly selected address
Subject: Present security risk using Microsoft Internet Explorer and
Outlook Express


A new and dangerous virus has hit the Internet.


DESCRIPTION:


When the email client receives a malicious mail or news message that
contains an attachment with a very long filename, it could cause the
email to execute arbitrary code automaticly on the client workstation,
thus infecting the machine.


Microsoft has been aware of this problem from the very beginning and
presents here a patch for the two of our products in which it exploits.


Outlook 98 on Windows® 95, Windows 98 and Microsoft Windows NT® 4.0
Outlook Express 4.0, 4.01 (including 4.01 with Service Pack 1) on
Windows 95, Windows 98 and Windows NT 4.0
Netscape Mail Clients


SOLUTION:


Customers using this products for Windows 95, Windows 98 or Windows NT
4.0 should execute the attached patch or download an updated patch
from:


http://www.microsoft.com/outlook/enhancements/outptch2.asp


Please patch your computer(s) as soon as possible and help us fight this
threat to the Internet.


Thank for your time.


Microsoft Support



Message 2 ————————————————————-


mail from:
from:
rcpt to: randomly selected address
to: randomly selected address
Subject: New and even larger serial number list out now!


Hi


Do you need a serial number for a unregistrated program of yours?


Do you feel like you have looked for it everywhere?


Even in the newest version of Phrozen Crews Oscar?


If you can answer -yes- to some of the above questions and are still
looking for a serial number, this might be the program you have been
waiting for.


We have collected serial numbers for many years and are now proud to
release the very first version of our serial number collection, which
contains more than 15.000 serial numbers.


Attached to this message is the very first version of our serial number
collection.


Yours,
Serial number collectors



Message 3 ————————————————————-


mail from:
from:
rcpt to: randomly selected address
to: randomly selected address
Subject: New and 100% free XXX site


Dear potential customer,


We have just opened a new erotic site with more than 10.000 .JPGs and more
than 1.000 .MPG/.VIV/.AVI/.MOV/etc.


We offer you the opportunity of a lifetime, we are giving away a months
access, without being charged, to our new site in exchange for your
opinion.


All you have to do is execute the attached advert, which will generate your
personal User ID, you dont even have to provide information as your
personal credit card number, etc.


And if you like our site, please tell all your friends about us.


http://www.hoteens.com/


HoTeens.com
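
The three attachment names and subject lines given above can be checked at a mail gateway or over an archived mailbox. The following is an added example, not part of the original description; the function names, the finding labels and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
DROPPER_NAMES = {"MSEFIXI.EXE", "LSERIAL.EXE", "HOTEENS.EXE"}
HOAX_SUBJECTS = {
    "present security risk using microsoft internet explorer and outlook express",
    "new and even larger serial number list out now!",
    "new and 100% free xxx site",
}

def scan_message(raw):
    """Return a list of findings for one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Collapse whitespace so a folded (multi-line) Subject header still matches.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject in HOAX_SUBJECTS:
        findings.append("subject")
    # Walk every MIME part; attachment names are compared case-insensitively.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.strip().upper() in DROPPER_NAMES:
            findings.append("attachment:" + filename.strip().upper())
    return findings

def build_sample(subject, filename):
    """Constructed test message; the attachment is placeholder bytes only."""
    m = EmailMessage()
    m["From"] = "support@microsoft.com"
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"constructed placeholder, not an executable",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    hoax = build_sample("Present security risk using Microsoft Internet "
                        "Explorer and Outlook Express", "msefixi.exe")
    print(scan_message(hoax))
    print(scan_message(build_sample("Quarterly report", "report.pdf")))
```

Exact-name matching only catches the variants listed here; a renamed attachment needs content scanning.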