Todor.199 Viruses Information
Name: Todor.199
Category: Viruses
Description:
Details
Todor.1993
When an infected program is executed, control passes to the virus code. Most of the virus body is encrypted, so the virus first decrypts itself. The method is simple and is based on the most popular virus encryption instruction, XOR: the decryption routine XORs each successive word (2 bytes) of the virus body with a key, and the key is changed by a ROR operation before the next encrypted word.
Then the virus sets a new Disk Transfer Address and a new INT 24h (Fatal Error Handler) vector and starts infecting. The first file it tries to infect is the one named by the environment string "COMSPEC=". In most cases this string points to COMMAND.COM, so COMMAND.COM gets infected. The infector then searches the current directory for EXE files and then for COM files and tries to infect them; it does not infect a file twice. The search is done in the standard way, with the DOS FindFirst/FindNext ASCII functions (INT 21h, AH=4Eh/4Fh). It stops searching after the 8th file is found and infects only 5 files. In all, the infected files are COMMAND.COM plus 5 of the first 8 files of the current directory.
The Features
The virus hooks INT 24h (Fatal Error Handler) while it works, but that is not all it does to avoid DOS error messages when writing to files on write-protected disks. Before searching for files to infect, it also tries to create and delete a temporary file in the selected directory. If an error occurs during this file creation, the virus treats the disk as write-protected and does not infect files on it.
The virus stores, clears and restores the file attributes during infection. For 'good virus tone' it also needs to store and restore the file date and time. It does so, but it alters the seconds part of the file time: the infector sets the file seconds to 22. While searching for files the virus checks this value and does not infect files whose time has 22 seconds. It looks like a good indicator of infected files, but the standard DOS command DIR shows me all the information about the files except the seconds. Other DOS utilities which I have do not show this either, and only the Microsoft Windows File Manager displays the full and true information:
todor.exe ... x:xx:22pm
The virus checks the file header before infection. If the header contains the string "(C)Todor" at offset 32, the virus skips the file and does not infect it. But infected files do not contain that string. What is this? The virus author's protection against his own child? The infector also does not infect files that contain the string "LZ9" in the header at offset 28, i.e. all files compressed by the LZEXE packer.
The virus also checks the file length during infection. The length of an EXE file must equal the length of the EXE module as calculated from the EXE header fields, so the virus does not infect EXE files that contain internal overlay code or data. For COM files it checks that the length is greater than 11000 bytes.
Then the infector stores and modifies the beginning of the file. In EXE files it changes the header fields that hold the initial values of the CS, IP, SS and SP registers, so that the new EXE entry point points to the virus code. Into the beginning of COM files the virus writes several assembler instructions that pass control to the virus body when the infected file is executed: MOV SI,offset Virus / PUSH SI / RET. These are ordinary instructions, but their 10 bytes of opcodes are selected from 8 different variants, of which only 5 bytes are constant.
Another feature is the virus's destructive function. The virus checks the system date, and in every month from August onward (inclusive), on every day from the 15th onward (inclusive), it encrypts a randomly selected logical sector of the current logical drive. The encryption algorithm is not difficult, but the probability that this sector is a FAT sector or a root directory sector is very high. This makes the virus very dangerous, because it can destroy a lot of information by encrypting one sector. Owners of big logical disks (>32M) need not worry, though, because the virus uses the old INT 25h / INT 26h format for absolute disk reading/writing, and so can damage only disks smaller than 32M.
This virus also contains the following text strings, which are stored encrypted:
*.exe *.com COMSPEC=(C)TodorLZ9
The Self Encryption Routine
This virus uses a simple en/decryption method: each successive virus word is XORed with the key, and then the key is ROLed/RORed one time. The algorithm is ordinary, but the analysis of the assembler instructions that execute it is not, because this infector generates a polymorphic self-encryption routine. That routine can be divided into three blocks of code: the PUSH block, the register loading block and the encryption block.
The PUSH block PUSHes seven machine registers onto the stack: PUSH AX, BX, CX, DX, DI, DS, ES. However, these seven PUSH instructions (seven opcode bytes) are scattered among 'dummy' assembler instructions like NOP, CLC, STD etc. in random order. The virus must POP these registers in reverse order before returning control to the host program, and it does this by rearranging the POP instructions inside the virus code after decryption.
The register loading block loads the virus base offset into the SI register and copies the value of the CS register into ES and DS. These instructions are variable as well; they can appear in several forms. One of these forms contains a bug, which we will come to later.
The opcodes of the encryption block are variable too. The register that holds the key is selected from DX or BX, and the decryption instructions can be randomly rearranged.
In the last analysis, the number of variants of the decryption routine (not counting the possible keys) is about 2.3x10^15.
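As an added example (not code from the write-up or from the virus), the Python below models the word-wise XOR cipher described here and in the Details section, with the 16-bit key rotated one bit after every word, and shows the known-plaintext key recovery an analyst can use to decrypt a captured body from the strings quoted above. The sample key, the sample body and the ROR direction are constructed assumptions.

```python
# Added example, not the virus's own code: the Todor word-wise XOR cipher
# (16-bit key rotated one bit after every word) and analyst-side key recovery.
KNOWN_STRINGS = b"*.exe *.com COMSPEC=(C)TodorLZ9"   # plaintext strings quoted on the page

def ror16(x):
    return ((x >> 1) | (x << 15)) & 0xFFFF
def rol16(x):
    return ((x << 1) | (x >> 15)) & 0xFFFF

def xor_rotate(data, key, direction="ror"):
    """XOR each little-endian word with key, then rotate the key one bit.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    if len(data) % 2:
        raise ValueError("body must be a whole number of 16-bit words")
    step = ror16 if direction == "ror" else rol16
    out = bytearray()
    for i in range(0, len(data), 2):
        word = int.from_bytes(data[i:i + 2], "little")
        out += (word ^ key).to_bytes(2, "little")
        key = step(key)
    return bytes(out)

def recover_key(ciphertext, known, direction="ror"):
    """Known-plaintext recovery of the start key: one ciphertext word XOR one
    known word pins the running key, the next words confirm it, and undoing
    the rotations gives the key at offset 0. Returns (key, offset) or None."""
    step = ror16 if direction == "ror" else rol16
    unstep = rol16 if direction == "ror" else ror16
    for skew in (0, 1):                          # known text may begin mid-word
        kp = known[skew:]
        kp = kp[:len(kp) & ~1]                   # whole words only
        words = [int.from_bytes(kp[j:j + 2], "little") for j in range(0, len(kp), 2)]
        if not words:
            continue
        for p in range(0, len(ciphertext) - len(kp) + 1, 2):
            key = int.from_bytes(ciphertext[p:p + 2], "little") ^ words[0]
            run = key
            for j, w in enumerate(words):
                c = int.from_bytes(ciphertext[p + 2 * j:p + 2 * j + 2], "little")
                if c ^ run != w:
                    break
                run = step(run)
            else:                                # every known word matched
                for _ in range(p // 2):          # rewind the key schedule to offset 0
                    key = unstep(key)
                return key, p - skew
    return None

SAMPLE_KEY = 0x4A5C                                     # constructed key
SAMPLE_PLAIN = b"xx" * 5 + KNOWN_STRINGS + b"\x00" * 3   # constructed 44-byte body
SAMPLE_CIPHER = xor_rotate(SAMPLE_PLAIN, SAMPLE_KEY)
```

Because the key schedule is fixed once the start key is known, a single recovered word is enough to decrypt the whole body; the remaining known words only rule out chance matches.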
Bugs
Practically every program contains bugs. The virus is a program, and it can contain bugs too. I found several algorithmic and programming errors during analysis of the virus code.
The first striking bug was found in the COM file infection algorithm. The virus checks the COM file length before appending to the file, but it does this incorrectly. As a result the length of an infected COM file can exceed 64K, and running such a file can hang the computer. The virus code does contain instructions that check this condition, but they are never called! It looks as if the virus source code contains an error: the code and its label are present, but the label is never used.
The second bug is in the algorithm that generates the decryption routine. One variant of the decryption routine contains one superfluous POP instruction, so a file infected with it hangs on execution. This incorrect routine is generated with probability 1/6, so approximately every 6th infected file will hang the system.
Other bugs appear in other viruses as well; these are the 'standard virus errors'. One of them is the incorrect detection of COM and EXE files. The virus checks a file before infection by its name extension only, not by its internal format ('MZ' or 'ZM' at the beginning of an EXE file). As a result, COM files with the .EXE extension are infected as EXE, and EXE files with the .COM extension are infected as COM. Such files hang immediately when the host program takes control.
The last error that I found during analysis consists in the order of writing to the infected file. The virus modifies the file beginning first and then appends the decryption routine and the encrypted code to the file. If a write error occurs during this procedure, the file is irreparably destroyed. A 'good' virus appends its body to the file first and only then modifies the file beginning.
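As an added example (not the author's code), the Python below triages one file against the indicators this write-up describes: the 22-second time stamp, the "(C)Todor" and "LZ9" header strings and the file-length-equals-module-length rule from the Features section, and the extension-only format check from the Bugs section. The function names, report keys and sample files are this example's own constructions.

```python
# Added example, not the author's code: triage of one file against the
# Todor indicators described in the write-up. Names and samples are constructed.
import struct

INOCULATION_MARK = b"(C)Todor"   # at offset 32: the virus skips such files
LZEXE_MARK = b"LZ9"              # at offset 28: LZEXE-packed files are skipped
COM_MIN_SIZE = 11000             # COM files must be larger than this to be infected
MARKER_SECONDS = 22              # file-time seconds the virus stamps on victims

def exe_module_length(data):
    """Load-module length from the MZ header: e_cblp (bytes used in the last
    512-byte page) at offset 2 and e_cp (page count) at offset 4."""
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    return e_cp * 512 if e_cblp == 0 else (e_cp - 1) * 512 + e_cblp

def triage(name, data, mtime_seconds):
    """Return the Todor-related observations for one file as a dict."""
    ext = name.lower().rsplit(".", 1)[-1]
    is_mz = data[:2] in (b"MZ", b"ZM")
    report = {
        "marker_seconds": mtime_seconds == MARKER_SECONDS,
        "inoculated": data[32:40] == INOCULATION_MARK,
        "lzexe_packed": data[28:31] == LZEXE_MARK,
        # the virus trusts the extension only, so these files would be mis-infected
        "format_mismatch": ext in ("exe", "com") and (ext == "exe") != is_mz,
    }
    if ext == "exe" and is_mz and len(data) >= 6:
        # only EXEs whose file length equals the module length get infected
        report["exe_has_overlay"] = len(data) > exe_module_length(data)
    if ext == "com" and not is_mz:
        report["com_eligible"] = len(data) > COM_MIN_SIZE
    return report

def build_mz(pages, last_page_bytes, overlay=b""):
    """Constructed minimal MZ file: 64-byte header, zero-filled module, overlay."""
    header = b"MZ" + struct.pack("<HH", last_page_bytes, pages)
    header = header.ljust(64, b"\x00")
    module = pages * 512 if last_page_bytes == 0 else (pages - 1) * 512 + last_page_bytes
    return header + b"\x00" * (module - len(header)) + overlay

SAMPLE_CLEAN_EXE = build_mz(2, 100)                     # 612 bytes, no overlay
SAMPLE_OVERLAY_EXE = build_mz(2, 100, b"OVERLAY-DATA")  # module plus 12 overlay bytes
SAMPLE_INOCULATED = bytes(32) + INOCULATION_MARK        # "(C)Todor" at offset 32
```

The seconds value must come from the DOS/FAT directory entry (2-second resolution), which is why DIR-style listings that drop the seconds cannot show this marker.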