Virus.Win32.RemEx

Class Virus
Platform Win32
Description

Technical Details

The virus is quite large in size – it is written in Microsoft Visual C++
and is about 125K. The original virus code occupies about 14K, GZIP
routines – 20K, C run-time libraries – 40K. Other data areas are occupied
by virus/C++ data, resources, etc.

The virus has quite an unusual structure: the infected files have code and
data segments, as well as three resources that contain compressed
executable files. The first resource contains the standard NT4 PSAPI.DLL
that is used by the virus to access processes in the system memory.

The second resource is the original virus code itself (including the same
compressed PSAPI.DLL in the resource). This copy of virus code is used as
the original data to install the virus into the system and to infect EXE
files.

The third resource is the host file that is extracted and decompressed,
when the virus needs to run the host program.

System Registry: while installing its SYS driver into the system the virus
uses the standard NT API calls. This causes the system to register the
virus driver in the system registry – the key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remote Explorer is
created.

Temporary files: while compressing/decompressing files the virus needs
temporary ones. It creates them in the Windows temporary directory with
the random names ~xxxdddd.TMP (where ‘x’ are letters and ‘d’ are digits).
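The two host-side artifacts named above (the "Remote Explorer" service key and the ~xxxdddd.TMP temporary-file names) can be turned into a simple checker. This is an added example written for this page, not code from the description or from the virus; it assumes that 'x' means an ASCII letter and 'd' a decimal digit, and that a directory listing and a list of registry key paths are supplied as plain strings.

```python
import re
import tempfile
from pathlib import Path

# Temporary-file naming pattern given in the description: ~xxxdddd.TMP,
# where 'x' is a letter and 'd' is a digit. Windows file names are
# case-insensitive, so the match ignores case. Treating 'x' as ASCII
# letters and 'd' as decimal digits is an assumption of this example.
TEMP_NAME_RE = re.compile(r"^~[A-Za-z]{3}[0-9]{4}\.TMP$", re.IGNORECASE)

# Service key the description says is created when the driver is installed.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remote Explorer"


def is_remex_temp_name(name: str) -> bool:
    """True if a bare file name matches the ~xxxdddd.TMP pattern."""
    return TEMP_NAME_RE.fullmatch(name) is not None


def find_temp_artifacts(names):
    """Filter a list of file names (e.g. a listing of %TEMP%) to pattern matches."""
    return sorted(n for n in names if is_remex_temp_name(n))


def scan_temp_dir(directory=None):
    """Apply the pattern to the real temporary directory (or a given one)."""
    d = Path(directory or tempfile.gettempdir())
    return find_temp_artifacts(p.name for p in d.iterdir() if p.is_file())


def find_service_key(reg_paths):
    """Return registry key paths equal to the Remote Explorer service key."""
    wanted = SERVICE_KEY.lower()
    return [p for p in reg_paths if p.lower() == wanted]


def check_indicators(temp_names, reg_paths):
    """Combine both artifacts into one verdict. The temp-name pattern alone is
    weak (other programs create ~xxx####.TMP names too), so only the
    service key counts as a strong indicator here."""
    temp_hits = find_temp_artifacts(temp_names)
    key_hits = find_service_key(reg_paths)
    return {"temp_files": temp_hits, "service_key": key_hits,
            "suspicious": bool(key_hits)}


# Constructed sample data for a stand-alone run, not taken from a real system.
SAMPLE_TEMP = ["~abc1234.TMP", "~AbC0001.tmp", "~ab12345.TMP", "report.docx", "~abcd123.TMP"]
SAMPLE_REG = [r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip", SERVICE_KEY]

if __name__ == "__main__":
    print(check_indicators(SAMPLE_TEMP, SAMPLE_REG))
```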

Resume

The virus is the first native “memory resident” NT infector, so it might
look like some super-virus. Actually the virus was written by some
middle-level developer who had access to the NT Device Development Kit
documentation.

The virus does not hook any NT event, does not use any network protocols,
does not try to access the passwords, and does not spread its copy over the
global network. Moreover, the ordinary DOS parasitic viruses have the same
network spreading abilities as this virus has – they can also infect
files on remote shared drives, stay in the system memory, etc.

This is just a standard parasitic virus, but with NT service infection
ability. It is no more complex than some other already known Windows
viruses, and definitely no more complex than the well-known BO trojan
(BackOrifice).

This virus is not a shock at all – it is the long-awaited Windows NT service
virus.