This is a very dangerous Win32 virus-worm. The virus itself is Windows PE EXE
file about 23Kb in length (compressed by UPX, with a decompressed size about
52K), and written in Microsoft Visual C++. It spreads via the local network, and
infects Win32 EXE applications (PE EXE files) there. While infecting, the
virus moves a file beginning to the file end, then writes itself to the
beginning of the file. As a result, when an infected file is started, the virus
code takes control.
The virus uses Win9x specific calls, and can work on Win9x machines only.
Because of its network “nature,” the virus may infect files on NT machines, but
they can’t be run in there.
When an infected file is run, the virus obtains its code from an infected host file and
drops it to the Windows system directory with the DDRAW32.DLL name (this file is a Win32
PE application with a “pure” virus code). The virus then spawns this “pure code”
DLL file, disinfects a host file and spawns it, returning control to the host program.
If an error occurs above, the virus displays a “Fatal error” message.
When run, the DDRAW32.DLL virus file activates the main virus routines. There are
1. Registry routine. This one creates a Registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce = %SystemDir%DDRAW32.DLL
If a REGEDIT application is run, this routine temporarily removes this key, thus realizing the “stealth” mechanism.
2. Network infecting routine. This one sleeps for about four minutes, then it
enumerates network resources (shared drives), then infects files in there.
While infecting a shared drive, the virus first checks whether it is write-enabled. In the case where the drive is shared for full access, the worm starts the Win32 file-infecting routine on that drive. This routine scans all directories on the drive, and
infects PE EXE files there.
If a drive is mapped for limited access, the virus tries to login with the “guest”
name and with different passwords. It seems that the virus tries to guess
the true password, and then starts the infecting routine if log-in is
The virus also tries to gain access to a remote machine in four ways: to get access to
this machine “as-is”, then tries to get through hidden admin shares C$ , D$
3. This is a payload routine. The infected machines first store the run time and
date in the system registry (see below). Depending on the time interval from the first
run, they activate the payload routine that terminates active processes according to the following list:
Msgsrv32, Mprexe, Explorer, Taskmon, Internat, Systray, Mmtask, ddraw32
They then extract, from the virus code, the “Win95.CIH” virus to RUN.EXE file, and execute
it. The “Win95.CIH” destruction routine is patched so that it is immediately
executed. As a result, CIH’s Flash BIOS and FAT destruction routines are
4. Networking. This routine listens to all already-infected machines in the
network. At the same time, if the payload routine is activated, the virus-networking
routine sends a special “payload now” message to all other infected machines. As
a result, when any infected machine accesses the payload, all other machines
in the local network receive a “payload now” message, and start the payload. So, all
infected machines in the network are crashed at the same moment.
In addition to its Registry stealth routine, the virus also hides its DDRAW32.DLL
file. To do this, it hooks memory-process searching functions, and returns a “no
process” message in the case an infected process is being searched.
The virus alters the following registry keys:
The virus also contains the text string: