Win98.Milennium - Virus Information

Name: Win98.Milennium
Category: Viruses

Description

This text was written by Adrian Marinescu, GeCAD Software
This is a non-dangerous, parasitic, direct-action, polymorphic Win98 virus. It relies on several Windows APIs (the fiber functions) that exist only in Windows 98 and in Windows NT 3.51 Service Pack 3 or later, so it does not run under Windows 95. Because of bugs in its infection routine it also fails under Windows NT and Windows 2000, which makes it effectively a Win98-specific virus.
The infection mechanism is an unusual one, and a very stable one under Win98. It makes the virus a fast infector, but on non-Win98 systems several infection-related bugs make its presence obvious.
When executed, the virus searches for PE executable files in the current directory and then in each parent directory up the tree. It infects a file in one of two ways: either it enlarges the last section of the file to hold the virus code, or it appends a new section named ".mdata".
After every 30th infected file, with a one-in-ten chance derived from the system timer, the virus displays the following message box:
+---------------------------------------------------+
| Win32.Milennium by Benny/29A |
|---------------------------------------------------|
| First multifiber virus is here, beware of me ;-) |
| Click OK if u wanna run this shit..' |
+---------------------------------------------------+

Technical details
When an infected file is executed, the polymorphic routine first decrypts the constant virus body. Next the virus unpacks the API names it needs, which are stored in a compressed form: each API name is split into its component words, and words that recur across names are kept once in a dictionary, so a name can be stored as a list of dictionary indices. For example, SetFileAttributes and GetFileAttributes are encoded like this:
Dictionary: Set, Get, File, Attributes
Encoding: 1, 3, 4, 2, 3, 4

Any word that is not in the dictionary is stored as is. After unpacking the API names, the virus resolves the addresses of all the APIs it uses. It then creates a thread and waits for it to finish.
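The dictionary scheme above is compact enough to reconstruct from the description. The following Python is an added illustration, not code from the virus or from the original write-up: it splits API names into words, builds a dictionary of recurring words, encodes each name as 1-based dictionary indices with any unlisted word kept as a literal, and decodes the result back. The function names (split_words, build_dictionary, encode, decode) and the word-splitting rule (a capital letter starts a new word) are assumptions made here; the page only gives the Set/Get/File/Attributes example, which is reproduced with its own dictionary order because that order does not follow from the description.

```python
import re
from collections import Counter

# Word boundary rule assumed here: a capital letter starts a new word,
# so 'GetModuleHandleA' -> ['Get', 'Module', 'Handle', 'A'].
WORD_RE = re.compile(r"[A-Z][a-z0-9]*|[a-z0-9]+")

# The page's worked example uses this dictionary, in this order.
PAGE_DICTIONARY = ["Set", "Get", "File", "Attributes"]


def split_words(api_name):
    """Split an API name into its component words."""
    return WORD_RE.findall(api_name)


def build_dictionary(api_names, min_count=2):
    """Collect the words that recur across the names, in first-seen order.

    With min_count=2 only repeated words enter the dictionary, matching the
    description; single-occurrence words are later stored as literals.
    """
    counts = Counter(w for n in api_names for w in split_words(n))
    dictionary = []
    for n in api_names:
        for w in split_words(n):
            if counts[w] >= min_count and w not in dictionary:
                dictionary.append(w)
    return dictionary


def encode(api_names, dictionary):
    """Encode each name as a token list: a 1-based index for a dictionary
    word, the literal word for anything not in the dictionary ('as is')."""
    index = {w: i + 1 for i, w in enumerate(dictionary)}
    return [[index.get(w, w) for w in split_words(n)] for n in api_names]


def decode(encoded, dictionary):
    """Rebuild the API names from token lists plus the dictionary."""
    return [
        "".join(dictionary[t - 1] if isinstance(t, int) else t for t in tokens)
        for tokens in encoded
    ]


def page_example():
    """Reproduce the page's example: SetFileAttributes, GetFileAttributes
    become 1,3,4 and 2,3,4 against the dictionary Set, Get, File, Attributes."""
    return encode(["SetFileAttributes", "GetFileAttributes"], PAGE_DICTIONARY)


if __name__ == "__main__":
    # Constructed sample: a handful of APIs a PE infector of this kind needs.
    names = ["SetFileAttributes", "GetFileAttributes", "CreateFileMappingA",
             "GetModuleHandleA", "ConvertThreadToFiber"]
    d = build_dictionary(names)
    enc = encode(names, d)
    print("dictionary:", d)
    for n, e in zip(names, enc):
        print(f"{n:24s} -> {e}")
    assert decode(enc, d) == names
```

Note that the literal words (Set, Create, Mapping, Module, ...) survive unchanged in the encoded form, which is why the API names of such a sample are still partly readable with a string dump even though no complete name is stored.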
The main thread and fibers
The thread converts itself to a fiber and splits the infection process across seven fibers:
Fiber 1 - gets the current directory and searches it for files of the following types: *.EXE, *.SCR, *.BAK, *.DAT, *.SFX. It then passes control to Fiber 3. When control returns, it deletes the file ANTIVIR.DAT from the current directory (if present) and moves to the parent directory.
Fiber 2 - checks whether the code is running under a debugger and, if so, sets the stack pointer to zero, which results in a crash under the debugger.
Fiber 3 - takes the next file from the search started in Fiber 1 and calls Fiber 4 to continue. When Fiber 4 completes, it calls Fiber 7 and waits for control to return. It then checks for more files in the current directory.
Fiber 4 - checks that the file size is less than 4 GB and then passes control to Fiber 5. When Fiber 5 completes, it checks that the file is an EXE, that the target processor is Intel and that the file is not a DLL. It also inspects the ImageBase: only files with ImageBase = 400000h are infected, which most applications satisfy. It then passes control to Fiber 6 and waits to receive it back.
Fiber 5 - opens the current file and creates a file-mapping object for it, which simplifies the infection process. Next it calls Fiber 6 and sleeps until control returns.
Fiber 6 - closes the current file, restores its original time and date and, if needed, grows the file to fit the virus code.
Fiber 7 - calls the main infection routine.
File infection routine
When infecting a file, the virus scans the host's import table for GetModuleHandleA or GetModuleHandleW; it uses one of these to locate the APIs it needs to spread. If the host imports neither, it is not infected. Next the virus adds its code: with a one-in-three chance it creates a new section named .mdata, otherwise it enlarges the last section. Finally it calls its polymorphic engine to generate an encrypted image of the virus body together with a decryptor for it, and writes the generated code into the host file.
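The target-selection checks of Fiber 4 and the .mdata section described in the infection routine are both plain PE header reads, so they can be reproduced for triage. The following Python is an added example, not code from the virus or from the original write-up: it builds a constructed, minimal PE32 image in memory (headers and section table only, no code) as test input, re-implements the Fiber 1 file-type filter and the Fiber 4 selection logic (Intel machine type, executable image, not a DLL, ImageBase = 400000h), and flags a section named .mdata as an infection indicator. build_pe, parse_pe, is_target_filename, is_milennium_target and infection_indicators are names chosen here. The GetModuleHandle import-table check is not implemented, and the "enlarge the last section" variant leaves no fixed marker in the section table, so a clean result from infection_indicators does not prove a file is clean.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C          # "target processor is Intel"
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002      # "file is an exe file"
IMAGE_FILE_DLL = 0x2000                   # "file is not a DLL"
PE32_MAGIC = 0x10B
OPTIONAL_HEADER_SIZE = 224                # size of a PE32 optional header
REQUIRED_IMAGE_BASE = 0x00400000          # only ImageBase = 400000h is infected
TARGET_EXTENSIONS = {".exe", ".scr", ".bak", ".dat", ".sfx"}   # Fiber 1's masks


def is_target_filename(name):
    """Fiber 1's file-type filter: does the name carry one of the searched extensions?"""
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in TARGET_EXTENSIONS


def build_pe(machine=IMAGE_FILE_MACHINE_I386,
             characteristics=IMAGE_FILE_EXECUTABLE_IMAGE,
             image_base=REQUIRED_IMAGE_BASE,
             section_names=(b".text", b".data")):
    """Constructed test data: a minimal PE32 image with a DOS header, NT headers
    and a section table, and no code. Not a runnable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0,
                       OPTIONAL_HEADER_SIZE, characteristics)
    # PE32 optional header: Magic, linker versions, six size/address fields, ImageBase.
    opt = struct.pack("<HBBIIIIIII", PE32_MAGIC, 0, 0, 0, 0, 0,
                      0x1000, 0x1000, 0x2000, image_base)
    opt += b"\0" * (OPTIONAL_HEADER_SIZE - len(opt))
    raw_start = e_lfanew + 4 + len(coff) + OPTIONAL_HEADER_SIZE + 40 * len(section_names)
    table = b""
    for i, name in enumerate(section_names):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000,
                             0x1000 * (i + 1), 0x200, raw_start + 0x200 * i,
                             0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + table


def parse_pe(data):
    """Read the few header fields the checks need from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", data, opt_off)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) optional headers are handled")
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_pointer": rawptr})
    return {"machine": machine, "characteristics": chars,
            "image_base": image_base, "sections": sections}


def is_milennium_target(data):
    """Fiber 4's selection logic. The size < 4 GB test is implicit for an
    in-memory object; the GetModuleHandle import check is not implemented."""
    pe = parse_pe(data)
    return (len(data) < 2 ** 32
            and pe["machine"] == IMAGE_FILE_MACHINE_I386
            and pe["characteristics"] & IMAGE_FILE_EXECUTABLE_IMAGE != 0
            and pe["characteristics"] & IMAGE_FILE_DLL == 0
            and pe["image_base"] == REQUIRED_IMAGE_BASE)


def infection_indicators(data):
    """Return the header-level indicators of a Milennium infection found in data.
    Only the new-section variant leaves a fixed marker (a section named .mdata)."""
    pe = parse_pe(data)
    hits = []
    if any(s["name"] == ".mdata" for s in pe["sections"]):
        hits.append("section named .mdata")
    return hits


if __name__ == "__main__":
    clean = build_pe()
    infected = build_pe(section_names=(b".text", b".data", b".mdata"))
    print("clean: target =", is_milennium_target(clean), infection_indicators(clean))
    print("infected:", infection_indicators(infected))
    print("dll: target =", is_milennium_target(
        build_pe(characteristics=IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)))
```

Run against real files, the interesting output is not the .mdata hit itself but the set of executables that pass is_milennium_target: that is the population an outbreak on a Win98 box would have touched, and the place to look for last-section growth when no .mdata marker is present.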



© 2006-2008 spyware32.com