Details Anarchy.6093 This is a very dangerous memory resident multipartite virus infecting COM, EXE and Word 6/7 DOC files. This is the first known parasitic virus that infects both COM/EXE files and Word documents. The virus contains the text: JAN FAKOVSKIJ,USSR,1997 JANKA DYAGILEVA The virus infects executable COM and EXE files in a standard way – writes itself to the end of the file and modifies file header (entry point address, e.t.c.). While infecting DOC files the virus parses the OLE2 file structure, converts document to template, creates the macro area and writes to there the AUTOOPEN macro. In DOS executable files the virus is polymorphic one – the code of virus is encrypted and polymorphic decryption loop restores it before virus installation routine takes control. While installing memory resident the virus uses quite complex way to detect its TSR copy to prevent duplicate installation. The virus opens the file with name “JANKA DYAGILEVA”. If DOS returns error flag (there are no such file), the virus installs itself memory resident. If the virus is already installed, it emulates presence of that file, and next virus copies do not installs themselves memory resident. The virus also looks for “COMSPEC=” and “WinDir=” strings in environment area and infects COMMAND.COM or/and WIN.COM. If MS Windows is not active, the virus then allocates a block of system memory, copies itself to there and hooks INT 21h, 2Fh. If the virus is run under MS Windows, the virus checks specific addresses in XMS memory and looks for Virtual Memory Manager (VMM32.VXD). If its code presents there, the virus patches it to hook not only DOS INT 21h calls, but also Windows95 file access calls. Then the virus uses that hook to hide infected files. This routine is not bugs-free – the virus halted my Win95 test computer on testing, and replicated itself only under DOS. The virus then infects COM, EXE and DOC files that are executed (COM/EXE) and opened. The virus also hooks file creation and infects them on closing. The virus is stealth on reading from infected COM and EXE files and on FindFirst/Next DOS calls. On writing to infected COM and EXE files the virus disinfects them. The virus disables its stealth routines when archivers ARJ, ZIP, RAR and RAR20 are active, or anti-viruses AIDSTEST.EXE, WEB.EXE, DRWEB.EXE are run. This is one of the first known viruses that support not only standard DOS file names, but also long ones (extended DOS functions to access long-named files). When infected document is opened, the virus AUTOEXEC macro takes control. That macro creates a temporary EXE file with its code inside, and executes it. That file then looks for “COMSPEC=” and “WinDir=” strings in environment area, infects COMMAND.COM or/and WIN.COM and exits. The AUTOEXEC macro then deletes this EXE dropper and returns control to MS Word. On May 9, April 8, 30 the virus erases random selected hard drive sector with a text in Russian. On writing to disk file the virus scans data buffer for some data (the text in Russian “Lybertsy” and “B.Eltzyn”(?) and erases random selected disk sector, if there is any of these strings.

Leave a Reply

Your email address will not be published. Required fields are marked *