Details
Win32.Bolzano family
(This text was written with the help of Peter Szor)
These are benign, non-memory-resident parasitic Win32 viruses. They search for PE EXE files (Windows executable files) in a directory tree and write themselves to the end of the file by increasing the size of the last file section. Some virus versions have bugs and often corrupt files while infecting them.
Bolzano.4096.a,b,c,d,e,f
The "true" length of the viruses in this sub-family (the length of code and data) is about 2Kb, but while infecting files they increase the file length by 4096 bytes (1000h hexadecimal).
These virus versions search for files on the current drive only.
Starting from the "b" version, the "Bolzano" viruses open the NTLDR and WINNT\SYSTEM32\NTOSKRNL.EXE files (Windows NT system files), scan their code and patch the routines that are responsible for Windows NT access permissions and self-checking.
The virus patch in NTLDR disables the CRC check that NT performs when it loads the NTOSKRNL.EXE file, which is protected by a checksum. The NTOSKRNL routines are patched so that they always grant any user full access to the system, regardless of the user's access privileges. This allows the virus to infect any EXE file on the NT system, regardless of whether the current user has write access to these files.
Starting from the "b" version, the "Bolzano" viruses also delete all files in the Windows Internet (cookies) directory:
WINDOWS\Cookies\*.*
WINNT\Cookies\*.*
Bolzano.2664,2676,2716
In addition to what is described above, these viruses search for and infect files on all available drives in the system. They use the "Entry Point Obscuring" (EPO) method: while infecting, they do not modify the program's entry address. To receive control, they scan randomly selected offsets of the file's CODE section, look for CALL instructions and replace them with "CALL VirusEntry" code. As a result, the virus gains control only when the patched code path in the host file is actually executed.
The number of patched CALLs depends on the virus version and varies from 5 to 10 (in these variants) up to 64 (in later virus versions).
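As an added illustration (not part of this description and not the virus family's own code), the following Python script builds a constructed two-section PE32 image and runs two defender-side heuristics that correspond to the traits described above: the entry point landing in the last section (the plain appending infectors, whose last section grows by 1000h bytes) and a CALL in the code section whose target leaves that section (the EPO variants, which leave the entry point untouched). The sample bytes, the helper names (`build_sample_pe`, `parse_sections`, `scan_pe`) and the heuristics themselves are assumptions chosen for illustration; they are not signatures for this family.

```python
import struct

# IMAGE_SCN_CNT_CODE section characteristic flag (from the PE specification)
IMAGE_SCN_CNT_CODE = 0x00000020


def build_sample_pe(infected: bool) -> bytes:
    """Build a minimal PE32 image as constructed test data (not a real binary).
    Two sections: .text at RVA 0x1000 and .data at RVA 0x2000.  With
    infected=True the image mimics two traits described for this family:
    the last section grows by 0x1000 bytes and one CALL in .text is
    redirected into that section while the entry point stays at .text."""
    text_va, data_va, file_align = 0x1000, 0x2000, 0x200
    data_raw_size = 0x1200 if infected else 0x200

    # .text body: push ebp / mov ebp,esp / call rel32 / pop ebp / ret, int3 padding
    if infected:
        rel32 = (data_va + 0x10) - (text_va + 8)   # CALL target lands in .data
    else:
        rel32 = 0x10                               # CALL target at RVA 0x1018, inside .text
    text = b"\x55\x8b\xec\xe8" + struct.pack("<i", rel32) + b"\x5d\xc3"
    text = text.ljust(0x18, b"\xcc") + b"\xc3"     # a tiny callee at RVA 0x1018
    text = text.ljust(file_align, b"\xcc")

    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)       # i386, 2 sections
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, file_align, 0, 0,
                      text_va, text_va, data_va, 0x400000, 0x1000, file_align)
    opt = opt.ljust(224, b"\0")                                         # PE32 optional header
    sec_fmt = "<8sIIIIIIHHI"
    sec_text = struct.pack(sec_fmt, b".text", file_align, text_va, file_align,
                           0x200, 0, 0, 0, 0, 0x60000020)
    sec_data = struct.pack(sec_fmt, b".data", data_raw_size, data_va, data_raw_size,
                           0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + coff + opt + sec_text + sec_data).ljust(0x200, b"\0")
    return headers + text + (b"\0" * data_raw_size)


def parse_sections(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "va": f[2],
                         "size": max(f[1], f[3]), "raw_size": f[3],
                         "raw_ptr": f[4], "chars": f[9]})
    return entry, sections


def scan_pe(data: bytes) -> dict:
    """Two heuristics: entry point inside the last section (appending infector),
    and E8 CALLs in the code section whose target leaves that section (EPO)."""
    entry, sections = parse_sections(data)
    last = sections[-1]
    entry_in_last = last["va"] <= entry < last["va"] + last["size"]

    code = next(s for s in sections if s["chars"] & IMAGE_SCN_CNT_CODE)
    code_bytes = data[code["raw_ptr"]:code["raw_ptr"] + code["raw_size"]]
    suspicious = []
    for i in range(len(code_bytes) - 4):
        if code_bytes[i] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code_bytes, i + 1)[0]
        target = code["va"] + i + 5 + rel            # CALL rel32 is relative to the next instruction
        if not (code["va"] <= target < code["va"] + code["size"]):
            suspicious.append((code["va"] + i, target))
    return {"entry_in_last_section": entry_in_last,
            "last_section_raw_size": last["raw_size"],
            "calls_leaving_code_section": suspicious}


if __name__ == "__main__":
    for label in (False, True):
        print("infected" if label else "clean", scan_pe(build_sample_pe(label)))
```

The CALL heuristic here is a plain byte scan for the E8 opcode, which is enough for the constructed sample but produces false positives on real binaries, where E8 also occurs inside immediates and data; a production scanner disassembles along control flow instead, and weights the verdict with the section flags (for example an executable, writable last section) and the 1000h growth of the last section noted above.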
Bolzano.3100,3120,3164,3192
In addition to the above, these viruses encrypt themselves and use polymorphic code in the decryption loop.
Bolzano.3628,3904
In addition to the above, these viruses patch two more routines in the Windows NT system files. The new NTOSKRNL patch allows any application to write to any file regardless of access permissions. The second patched file is MSV1_0.DLL, where the virus patches the routine responsible for password validation. As a result of this patch, any text string is accepted as a valid password on an affected system.
Bolzano.5396
In addition to the above, this virus has a more complex polymorphic engine and checks file names before infecting, skipping any that match: _AVP*, ALER*, AMON*, AVP3*, AVPM*, N32S*, NAVA*, NAVL*, NAVR*, NAVW*, NOD3*, NPSS*, NSCH*, NSPL*, SCAN*, SMSS*
This virus also affects the mIRC client. To do that, it creates an infected dropper with a random name in the MIRC directory and overwrites the SCRIPT.INI file there. The new SCRIPT.INI contains a small routine that sends the infected dropper to users joining an infected channel.