Heathen Virus Information

Name: Heathen
Category: Viruses

Heathen

This is a multi-platform virus infecting Word documents and PE EXE files. It exists in three forms in different objects: as a macro in infected Word documents and templates, as a stand-alone Windows PE EXE file, and as a small "startup" code in an infected EXPLORER.EXE.
The virus code in the Windows executable file is a valid Win32 PE EXE file, but because of bugs the virus cannot replicate under Win98 or WinNT; it replicates only under Win95. It fails under WinNT because its macro instance uses two "Callback" functions with numbers that WinNT does not support. Under a standard Win98 installation it fails to infect EXPLORER.EXE because of an "unusual" Import table descriptor in that file.
When an infected document is opened in Word, the virus macro activates and drops the PE part of the virus into the Windows directory. The virus then modifies EXPLORER.EXE so that on the next reboot it loads and executes this PE component, which stays in memory until shutdown; during that time the virus scans local and remote drives for Word documents and templates and infects them.
The virus does not infect any Windows executable other than EXPLORER.EXE, but it does create additional infected files (its PE and DOC droppers) in the Windows directory. It does not infect documents the way usual macro viruses do (on opening and closing); instead it scans disks C: through Z: to locate and infect all documents and templates there.
The virus carries a dangerous payload: within half a year of infecting a computer it deletes the system registry files SYSTEM.DAT, USER.DAT, SYSTEM.DA0 and USER.DA0.
The virus has an encrypted "copyright" string:
WG07 "Heathen" Copyright (C) 1995-1999 by WoodGoblin

The Virus in Word Documents
The virus in infected Word documents consists of one macro, AutoOpen, and is activated when an infected document is opened. The macro contains a block of data: the PE virus code converted to ASCII strings by a UUE-like method. The virus reaches Windows API functions through standard VBA (Visual Basic for Applications) functions, allocates a block of Windows memory, converts the ASCII data back into a PE EXE file image and jumps to the Installation routine inside it. The macro then waits until the Installation routine completes, frees the allocated memory and exits.
The macro instance also disables Word's VirusProtection (Virus Warning) option. The virus appears to try to create a Windows ID object (mutex) to prevent duplicate installation, but fails because of a bug, so the Installation procedure runs every time an infected document is opened.
Installation into the System
When the macro instance extracts the PE component and jumps to it, the virus's Installation routine takes control. It creates two virus droppers in the Windows directory (an infected document and a PE EXE file) and patches EXPLORER.EXE. To do this the virus obtains a set of KERNEL32 and OLE32 functions: the KERNEL32 functions to access disk files, the OLE32 functions to access Word document streams, create them, and read and write their data.
First the virus creates the infected HEATHEN.VDO (its Word document component) in the Windows directory. It copies its host Word document to the Windows directory under the name HTMP.DOC (this file is deleted when installation completes), opens that file as an OLE2 storage (using OLE32.DLL functions), creates a new OLE2 document named HEATHEN.VDO, and moves the macro stream from the copy of the infected host document into the newly created document. During copying the virus again uses OLE32 functions: it opens the WordDocument stream in HTMP.DOC, reads the macros table from it, creates the WordDocument stream in HEATHEN.VDO, writes the macros table there, etc.
As a result an infected Word document (HEATHEN.VDO) containing only virus code is created in the Windows directory, and installation continues by creating the infected PE EXE file HEATHEN.VDL in the Windows directory. This file also contains only the virus code: the virus writes its in-memory image (the one created by the virus macro) to the file.
The virus then affects EXPLORER.EXE. It does not write its complete code into this file, only a 32-byte (20h) "startup" program that loads the virus image from the HEATHEN.VDL PE EXE file and runs it.
To load its main PE component the startup routine calls the LoadLibraryA Windows API through an address stored when EXPLORER.EXE was infected. To obtain this address the virus scans the EXPLORER.EXE Import table, looks for the LoadLibraryA function imported from KERNEL32, and saves its address in the startup code.
While infecting EXPLORER.EXE the virus uses several programming tricks.
The first is where the virus stores its startup code in EXPLORER.EXE. The startup program is written over the top of the Fixup (relocation) table, so the infected file does not grow. In the usual situation, when Windows starts up, EXPLORER.EXE is loaded without using the Fixup table, so the patch does not break the program.
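The same trick that keeps the file size unchanged is what makes the patch detectable: a PE relocation table is a chain of IMAGE_BASE_RELOCATION blocks with a rigid layout, so code written over its head breaks the chain. The following validator is an added example for this write-up, not code from the original description or from the virus. It walks a raw .reloc blob and reports the first malformed block; extracting that blob from a PE file (via the data directory) is assumed to be done by a separate PE parser and is not shown. The sample tables and the 32 stand-in bytes are constructed.

```python
import struct

# IMAGE_BASE_RELOCATION block header: DWORD VirtualAddress (page RVA),
# DWORD SizeOfBlock (header + entries), followed by WORD entries whose
# high 4 bits are the relocation type and low 12 bits the offset in the page.
RELOC_HDR = struct.Struct("<II")
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, ignored by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit fixup, the kind Win32 PE files use
IMAGE_REL_BASED_DIR64 = 10     # 64-bit fixup
KNOWN_TYPES = {IMAGE_REL_BASED_ABSOLUTE, IMAGE_REL_BASED_HIGHLOW, IMAGE_REL_BASED_DIR64}


def build_reloc_section(blocks):
    """Build a well-formed .reloc blob from [(page_rva, [(type, offset), ...])].
    Used here only to construct test data; a linker emits the same layout."""
    out = bytearray()
    for page_rva, entries in blocks:
        words = [(t << 12) | (off & 0xFFF) for t, off in entries]
        if len(words) % 2:            # keep every block 4-byte aligned
            words.append(IMAGE_REL_BASED_ABSOLUTE << 12)
        out += RELOC_HDR.pack(page_rva, RELOC_HDR.size + 2 * len(words))
        out += struct.pack("<%dH" % len(words), *words)
    return bytes(out)


def validate_reloc_blocks(data):
    """Walk the block chain and return (ok, reason, blocks_parsed).

    Every check is structural: a block header that has been overwritten
    with code will almost always fail the SizeOfBlock or alignment test.
    """
    pos, count = 0, 0
    while pos + RELOC_HDR.size <= len(data):
        page_rva, size = RELOC_HDR.unpack_from(data, pos)
        if page_rva == 0 and size == 0:
            break                                   # zero padding at section end
        if size < RELOC_HDR.size or size % 4 or pos + size > len(data):
            return False, "block %d at +%#x: bad SizeOfBlock %#x" % (count, pos, size), count
        if page_rva & 0xFFF:
            # Linker output is page-aligned; treat anything else as suspicious.
            return False, "block %d at +%#x: page RVA %#x not page-aligned" % (count, pos, page_rva), count
        n_entries = (size - RELOC_HDR.size) // 2
        for w in struct.unpack_from("<%dH" % n_entries, data, pos + RELOC_HDR.size):
            if (w >> 12) not in KNOWN_TYPES:
                return False, "block %d: unknown relocation type %d" % (count, w >> 12), count
        pos += size
        count += 1
    return True, "well-formed", count


# Constructed sample: a clean three-block table, and a copy whose first 32
# bytes (the patch size given in the text) are overwritten with arbitrary
# stand-in bytes; no real code is involved.
CLEAN_RELOC = build_reloc_section([
    (0x1000, [(IMAGE_REL_BASED_HIGHLOW, o) for o in (0x10, 0x20, 0x34)]),
    (0x2000, [(IMAGE_REL_BASED_HIGHLOW, 0x08)]),
    (0x3000, [(IMAGE_REL_BASED_HIGHLOW, o) for o in range(0x100, 0x118, 4)]),
])
STUB_STAND_IN = bytes(range(0x60, 0x80))
TAMPERED_RELOC = STUB_STAND_IN + CLEAN_RELOC[len(STUB_STAND_IN):]

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_RELOC), ("tampered", TAMPERED_RELOC)):
        print(name, validate_reloc_blocks(blob))
```

On the tampered copy the first header decodes to an impossible SizeOfBlock, so the walk stops at block 0; the clean table parses as three blocks. A stricter integrity check would compare the relocation table against a known-good copy of the file, but the structural walk alone catches the overwrite described above.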
The second trick is that the virus uses an undocumented Windows feature to load and execute a Windows PE application with LoadLibraryA instead of a valid DLL: HEATHEN.VDL is an application, not a standard DLL. The Microsoft documentation says only "do not use LoadLibrary to run .EXE file", yet the application is loaded and executed as a library with no side effects.
The third trick lets the virus modify the read-only EXPLORER.EXE: this application is running at the time and cannot be opened for writing. To get around this the virus copies EXPLORER.EXE to HEATHEN.VEX, infects the copy, and adds a [Rename] instruction to the WININIT.INI file, for instance:
[rename]
C:\WIN95\Explorer.exe=C:\WIN95\Heathen.vex

This trick makes Windows replace the original EXPLORER.EXE with the infected copy at the next Windows startup.
At this point the virus's installation into the system is complete.
Main Virus Thread
When the affected system starts next, Windows replaces the original EXPLORER.EXE with the infected one and runs it, and the virus's 32-byte startup routine takes control. It loads and executes the main virus code from HEATHEN.VDL, and the virus installs itself in memory as a hidden Windows application.
The virus application creates and registers its hidden class, named "HeathenWC", and starts an infection thread. This thread scans all drives from A: to Z: and stores their root directory names (C:, D:, E:, etc.). Then the virus collects the directory tree on these drives and stores it. Next comes infection: the virus looks for .DOC and .DOT files in these directories and copies its macro code from the HEATHEN.VDO file (here too the virus uses OLE32 functions, as it did when creating HEATHEN.VDO).
A very interesting feature of the infection routine was found here. If the directory search and infection process is interrupted by a Windows shutdown, the virus stores the list of not-yet-processed directories in a ScanData stream inside its HEATHEN.VDO document. At the next startup the virus does not process all drives from C: to Z: again, but first continues scanning directories from the point where it was interrupted.
This lets the virus reach all available drives. The thread has very low priority, and it is quite possible that it will not manage to process all drives in one Windows session; even if it is interrupted, all drives will eventually be scanned and infected over subsequent Windows sessions.
Another feature seems intended to protect the virus author from his own creation: if the system date is May 14th, the virus infects only Word documents whose names begin with the "_" character. It seems the author tested the virus on his own system on that date.
Payload
While installing its thread in Windows memory the virus opens HEATHEN.VDO and checks the creation date of its "WordDocument" stream (i.e. the day the virus installed itself on this system). 183 days (half a year) after installation the virus adds to the WININIT.INI file a set of commands that erase the system registry files at the next reboot:
[rename]
nul=System.dat
nul=User.dat
nul=System.da0
nul=User.da0

where the omitted path prefix is the Windows directory.
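Both the EXPLORER.EXE swap described under "Installation into the System" and the registry-erasing payload above go through the same mechanism, a [rename] section in WININIT.INI, which makes that file a useful thing to audit on a Win9x system. The following Python auditor is an added example for this write-up, not code from the original description; it parses the [rename] section and flags entries that would replace or delete a critical file at boot. The sample WININIT.INI content is constructed, and the C:\WIN95 paths in it are assumptions.

```python
import re

# Constructed sample WININIT.INI (not taken from any real machine). The
# [rename] section mirrors the two kinds of entry the write-up describes:
# a boot-time replacement of Explorer.exe and boot-time deletion of the
# registry files (a destination of "nul" makes the source file be deleted).
SAMPLE_WININIT_INI = """\
; constructed sample
[rename]
C:\\WIN95\\Explorer.exe=C:\\WIN95\\Heathen.vex
nul=C:\\WIN95\\System.dat
nul=C:\\WIN95\\User.dat
C:\\WIN95\\TEMP\\sys01.tmp=C:\\WIN95\\SYSTEM\\vendor.dll
[other]
foo=bar
"""

# Files whose boot-time replacement or deletion should never go unreviewed.
CRITICAL_FILES = {"explorer.exe", "system.dat", "user.dat", "system.da0", "user.da0"}


def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section.

    WININIT.INI entries read ``destination=source``: at the next boot the
    source file is moved over the destination; a destination of ``nul``
    means the source file is deleted instead.
    """
    entries = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            entries.append((dest.strip(), src.strip()))
    return entries


def basename(path):
    """Case-folded final path component (accepts either separator)."""
    return re.split(r"[\\/]", path)[-1].lower()


def audit_rename_entries(entries):
    """Flag entries that delete or replace a critical file. Returns a list of
    dicts holding the entry and the reason(s) it was flagged."""
    findings = []
    for dest, src in entries:
        reasons = []
        if dest.lower() == "nul":
            if basename(src) in CRITICAL_FILES:
                reasons.append("deletes critical file %s at boot" % src)
        elif basename(dest) in CRITICAL_FILES:
            reasons.append("replaces critical file %s with %s at boot" % (dest, src))
        if reasons:
            findings.append({"dest": dest, "src": src, "reasons": reasons})
    return findings


def audit_wininit(text):
    """Parse and audit a WININIT.INI file's contents in one step."""
    return audit_rename_entries(parse_rename_section(text))


if __name__ == "__main__":
    for f in audit_wininit(SAMPLE_WININIT_INI):
        print("%s=%s -> %s" % (f["dest"], f["src"], "; ".join(f["reasons"])))
```

The fourth entry in the sample (a temporary file renamed to a DLL) is deliberately left unflagged: it is the legitimate use of the mechanism by installers, and the point of the audit is to single out entries that touch the shell executable or the registry files.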