Worm.Bumeran Viruses Information

Name: Worm.Bumeran
Category: Viruses
Description:
Worm.Bumerang

This is a very dangerous Win32 virus-worm. The virus itself is a Windows PE EXE file about 23 KB in length (compressed with UPX; the decompressed size is about 52 KB), written in Microsoft Visual C++. It spreads via the local network and infects Win32 EXE applications (PE EXE files) found there. When infecting a file, the virus moves the beginning of the file to its end and then writes itself into the beginning of the file. As a result, when an infected file is started, the virus code takes control.
The virus uses Win9x-specific calls and can only run on Win9x machines. Because of its network "nature," the virus may infect files on NT machines, but infected files cannot run there.
Virus Routines
When an infected file is run, the virus extracts its code from the infected host file and drops it into the Windows system directory under the name DDRAW32.DLL (this file is a Win32 PE application containing "pure" virus code). The virus then spawns this "pure code" DLL file, disinfects the host file, spawns it, and returns control to the host program.
If any of these steps fails, the virus displays a "Fatal error" message.
When run, the DDRAW32.DLL virus file activates the main virus routines. There are four:
1. Registry routine. This one creates a Registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce = %SystemDir%\DDRAW32.DLL
If the REGEDIT application is running, this routine temporarily removes the key, which implements the "stealth" mechanism.
2. Network infecting routine. This one sleeps for about four minutes, then enumerates network resources (shared drives) and infects files on them. While infecting a shared drive, the virus first checks whether it is write-enabled. If the drive is shared for full access, the worm starts the Win32 file-infecting routine on that drive. This routine scans all directories on the drive and infects the PE EXE files it finds there.
If a drive is shared with limited access, the virus tries to log in with the "guest" name and a number of different passwords. It seems that the virus tries to guess the true password and starts the infecting routine if the log-in succeeds.
The virus also tries to gain access to a remote machine in four ways: first "as-is", then through the hidden administrative shares C$, D$ and E$.
3. Payload routine. An infected machine first stores the date and time of its first run in the system registry (see below). Depending on the time elapsed since that first run, it activates the payload routine, which terminates active processes from the following list:
Msgsrv32, Mprexe, Explorer, Taskmon, Internat, Systray, Mmtask, ddraw32
It then extracts the "Win95.CIH" virus from the virus code into a RUN.EXE file and executes it. The "Win95.CIH" destruction routine is patched so that it executes immediately. As a result, CIH's Flash BIOS and FAT destruction routines are activated at once.
4. Networking routine. This routine listens for messages from all already-infected machines in the network. At the same time, when the payload routine is activated, the networking routine sends a special "payload now" message to all other infected machines. As a result, when any infected machine triggers its payload, all other infected machines in the local network receive the "payload now" message and start their payload too, so every infected machine in the network is crashed at the same moment.
Stealth
In addition to its Registry stealth routine, the virus also hides its DDRAW32.DLL file. To do this, it hooks the process-enumeration functions and returns a "no process" result when the infected process is searched for.
Other
The virus alters the following registry keys and values:
HKLM\System\CurrentControlSet\Services\Class
Id
Go

HKLM\Enum\Network
Cnum
Inum

The virus also contains the text string:
Bumerang
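The Registry routine and the "Other" keys above give a defender concrete host indicators. The following added example (not part of the original description) parses a regedit-style .reg export and reports the RunServicesOnce autorun entry pointing at DDRAW32.DLL and the Id/Go and Cnum/Inum values the worm writes; the value name "ddraw" and the sample export are constructed for illustration.

```python
# Registry indicators for Worm.Bumerang taken from the description above,
# checked against a regedit-style .reg export. Added example, not the original
# page's; the value name "ddraw" and the sample export are constructed.
AUTORUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
DROPPED_FILE = "ddraw32.dll"  # dropped into %SystemDir% with the "pure" virus body
# Keys and values the worm writes to record its first run for the payload timer.
TIMER_KEYS = {
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class": {"id", "go"},
    r"HKEY_LOCAL_MACHINE\Enum\Network": {"cnum", "inum"},
}

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} (quotes stripped)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip().strip('"')] = data.strip().strip('"')
    return keys

def find_bumerang_indicators(text):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    keys = {k.lower(): {n.lower(): d for n, d in v.items()}
            for k, v in parse_reg_export(text).items()}
    for name, data in keys.get(AUTORUN_KEY.lower(), {}).items():
        if DROPPED_FILE in data.lower():
            findings.append(f"RunServicesOnce value '{name}' launches {data}")
    for key, wanted in TIMER_KEYS.items():
        hit = wanted & set(keys.get(key.lower(), {}))
        if hit:
            findings.append(f"{key} carries worm values {sorted(hit)}")
    return findings

# Constructed sample export resembling an infected Win9x host.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"ddraw"="C:\\WINDOWS\\SYSTEM\\DDRAW32.DLL"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class]
"Id"="1"
"Go"="0"
[HKEY_LOCAL_MACHINE\Enum\Network]
"Cnum"=dword:00000001
"Inum"=dword:00000000
"""
```

Because the Registry routine removes the RunServicesOnce key while REGEDIT is running, take the export from an offline copy of the hive or after a clean boot rather than from REGEDIT on the live, infected machine.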


