|
|
Virus Algorithm
Analysis
by
Lorz
To my mind the most suitable object for keeping and analyzing the virus is a file containing the virus body. In practice to analyze the file virus it is convenient to have several infected files of different, but not too large, size. Except that it is desirable to have infected files of all kinds (COM, EXE, SYS, BAT, NewEXE) that this virus can infect. If it is necessary to analyze the part of RAM, then with the help of some utilities, it is rather easy to simply mark the area where the virus is and copy it to disk. The most suitable form of keeping a boot virus is an image file of the infected disk. To create this file it is necessary to format a diskettes, infect it with virus, copy that diskettes image (all sectors, starting from 0 and off to the very last one) to file and, if necessary, to compress it.
The infected files or image files of infected diskettes should better be emailed to anti-virus programs developers, or at least with conventional mail on diskettes. However if this might take a lot of time, which, as we know, never waits, confident enough users may try to figure out the virus and create the anti-virus on their own.
While analyzing virus algorithm the following has to be found out:
In solving those problems one should not to without a disassembler or debugger (for example, AFD, AVPUTIL, SoftICE, TurboDebugger debuggers or Sourcer or IDA disassemblers).
Both debuggers and disassemblers have their strong sides and drawbacks - everybody chooses what's best for him. Small uncomplicated viruses may quickly be "cracked" by the standard DEBUG DOS command; but it is impossible to analyze highly sophisticated and bulky polymorphic Stealth viruses not having a disassembler. If it is necessary to find a fast method of restoring all infected files, it is sufficient to trace the beginning of virus using a debugger are to the point where the virus restores the loaded program before passing control to it (in fact this particular algorithm is most commonly used when curing viruses). If it is required to receive an detailed feature of virus operation, or a well documented listing, then hardly anything will help except for Sourcer or IDA disssemblers with their capability to restore cross references. Apart from that it is necessary to remember that first of all some viruses can successfully block the attempts to trace them, second of all while working with debugger there is some probability that virus might take control.
Analyzing a file virus it is necessary to find out, which files (COM, EXE, SYS) are targeted by virus, into which area(s) of file is the virus code saved - to the top, end or middle of file, how completely a file can be restored, in what place does the virus keep the information to restore.
Analyzing a boot virus, the main problem is to find out the address(es) of sector(s) in which the virus saves the original boot sector (if, of course, the virus saves it at all).
For a resident virus it is also needed to determine the code fragment, creating a resident copy of the virus, and to calculate possible addresses of entry points to the interrupt vectors intercepted by the virus. It is also necessary to determine, in what way and where in RAM does the virus reserve place for its resident copy: whether the virus records itself at fixed addresses in DOS and BIOS system areas, decreases memory size reserved for DOS (a WORD at [0000:0413]), creates a special MCB block for itself or uses some other method.
There are special cases, when analysis of the virus may turn out to be a problem too complicated for user to handle, for example the analysis of the polymorphic virus. In this case it is better to turn to an expert program code analyst.
To analyze macro viruses it is necessary to obtain the source texts of their macros. For not encrypted non-Stealth viruses this is achieved with the help of the menu item Tools/Macro. However if the virus encrypts its macros or uses Stealth technique, it is necessary to use special macro viewing utilities. Such utilities may be found among the products of virtually any anti-virus development company, but they are for internal use only and are not distributed outside the company.
An present-day there are known several shareware program for macro viewing. They are Perforin, LWM, HMVS, but so far not all of them support the Office97 formats.
Virus Incorporation to the Top of File
+--------+--------------------+ Incorporating into the top of file
| File | by first method
+--------+--------------------+
+-------------------------------+
V
+ - - - -+--------------------+---------+
| Free | File | |
+ - - - -+--------------------+---------+
+--------+--------------------+---------+- - +
|Virus | File | | |
+--------+--------------------+---------+- - +
+-----------------------------+ Incorporating into the top of file
| File | by second method
+-----------------------------+
| +----------+
+--------+ |
V V
+ - - - -+-------------------------------+
| Free | File |
+ - - - -+-------------------------------+
+--------+-------------------------------+- - +
|Virus | File | |
+--------+-------------------------------+- - +
Virus Incorporation to the End of File
DOS COM file DOS EXE file New EXE file
+----+----+ +---------+ +---------+
+--|JMP | | +----|Header | |DOS stub |
| +----+ | | +---------+ +---------+
| |Program | | |Program | |New EXE |
| |code and | | |code and | +----+header |
| |data | | |data | | +---------+
| +---------+ V | | | |Program |
| |Virus | Entry +---------+ | |code and |
+->| | address |Virus | | |data |
+---------+ --------->| | V | |
+---------+ Entry +---------+
address |Virus |
--------->| |
+---------+
Boot Virus
Not infected disk
0 1 2 . . . (sector No)
+-----+-----+-----+--- --+-----+-----+-----+-----+-----+---
|.....| | | | | | | | |
+-----+-----+-----+--- --+-----+-----+-----+-----+-----+---
|
+-- Boot sector or Master Boot Record
Infected disk (replaced boot/MBR)
0 1 2 . . .
+-----+-----+-----+--- --+-----+-----+-----+-----+-----+---
|88888| | | | |.....|88888|88888|88888|
+-----+-----+-----+--- --+-----+-----+-----+-----+-----+---
| | | | ... |
+-- Virus top | +---+-----+-----+
| +-- The rest of virus
|
+-- Original Boot or Master Boot Record
Infected disk (modified address of active boot sector)
0 1 2 . . .
+-----+-----+-----+--- --+-----+-----+-----+-----+---
|....8| | | | |88888|88888|88888|
+-----+-----+-----+--- --+-----+-----+-----+-----+---
| ^ | | ... |
+-- Modified -------+ +-----+-----+
Disk Partition Table +-- Main virus code
Boot Virus Operating Algorithm
Virtually all the boot viruses are memory resident. They infiltrate the computers memory after a boot up from an infected disk. In this process the system loader reads the contents of the first sector of the boot up disk, places the obtained information into memory and assets control to it (i.e. to the virus). After that the instructions of the virus start executing, and do the following:
- as a rule, lower the amount of free memory (a word at the 0040:0013 address), the virus copies is code to the freed space and reads its remainder from the disk (if any). Furthermore some viruses "wait" for the DOS to load and restore this word to its original value. As a result they become placed not outside DOS, but as separate blocks of DOS memory.
- intercept the necessary interrupt vectors (usually INT 13h), read the original boot sector into memory and pass control to it.
Letter on a boot virus behaves like a resident file virus: it intercepts the OS calls to disks and infects them, also depending on some circumstances undertakes destructive actions or creates video or sound effects.
There exist nonresident boot viruses - upon boot up they infected the MBR of hard disks and of diskettes is present in the drives. Then those viruses pass the control to the original loader and stop influencing the computers opera
Macro Virus
Not infected document The virus in document or sheet or sheet +----------------+ +----------------+ |File header | |File header | +----------------+ +----------------+ |System data | |System data | |(directory,FAT) | |(directory,FAT) | +----------------+ +----------------+ |Text | |Text | | | | | +----------------+ +----------------+ |Fonts | |Fonts | +----------------+ +----------------+ |Macros | |Macros | |(if present) | |(if present) | +----------------+ + - - - - - - - -| |Other data | |Virus macros | . . . +----------------+ | | |Other data | | | . . . +----------------+ +----------------+
Operating Algorithm of the Word Macro Viruses
most of the known Word viruses (versions 6,7 and Word97), when started, move their code (macros) to the global macros area of the document ("common" macros), using the commands of macro-copying such as MacroCopy, Organizer.Copy, or with the help of the macro editor - the virus calls its, creates a new macro, inserts its own code inside the macro, and then saves this macro with the code in the document.
On exit from Word to the global macros (including the macros of the virus) are automatically saved to a DOT file of the global macros (this file is usually called NORMAL.DOT). therefore with the next start of the Microsoft Word editor the virus becomes active at the moment when Word loads the global macros, that is immediately.
Then the virus re-defines (or already contains itself) one or several standard macros (for example, FileOpen, FileSave, FileSaveAs, FilePrint) and therefore intercepts the commands of file operations. When such commands are executed, the virus infects the file, which is being worked upon. To do this the virus converts the file to the Template format (making possible other changes in the file format, that is converting it to some other non-Template format) and then saves its macros, including the Auto-macro) to the file.
Therefore is the virus intercepts the macro called FileSaveAs, then every DOC file becomes infected, if it was saved through the macro, intercepted by virus. If the FileOpen macro becomes intercepted, then the virus records itself into the file while it is being read from disk.
The second way of virus incorporation into the system is used very seldom - it is based on the so- called "Add-in" files, which are the internal services of Microsoft Word. In this case NORMAL.DOT remains unchanged, and Microsoft Word when started loads the macros of the virus from file (or file), defined as Add-ins. This method virtually completely repeats the method of infection of global macros, excluding only the fact that the macros of the virus are saved not to the NORMAL.DOT to file, but to some other file.
Viruses may also incorporate into files, residing in the STARTUP directory, Word automatically loads template files from this directory, but no viruses of this kind are known so far.
The methods of incorporating, described above, are in some ways similar to the methods of DOS TSR viruses. Nonresident viruses are analogous to macro viruses, which do not move their code to the system resources area - to infect other document files they either look for them with the help of the built in file functions of Word, or scan the list of recently edited files (Recently used file list). Then such viruses open the document, infect it and then close it.
Operating Algorithm of the Excel Macro Viruses
Methods of propagation of the Excel viruses (including Excel97) as a whole are similar to the methods of the Word viruses. They differ in some macro copying commands (for example, Sheets.Copy) and in the absence of NORMAL.DOT - instead of this file the Excel viruses use the files from the STARTUP directory of Excel for their purposes.
One should mentioned that there are two possible options of placement of the macro virus code in the Excel spreadsheets. The vast majority of such viruses saves their code in the VBA format (Visual Basic for Applications), however there are viruses, saving their code in the old format of Excel version 4.0. Essentially such viruses are not different from VBA viruses, with the exception of the difference of format of placements of the virus code in the Excel spreadsheets.
In spite of the fact, that more advanced technology is used in the new versions of Excel (starting from version 5), the possibility of executing macros from the old versions of Excel has been supported to maintain compatibility. For this reason all the macros written in the format of Excel 4 may be run in all the subsequent versions, although Microsoft does not recommend using them and does not include the necessary documentation into the Excel package.
Operating Algorithm of the Viruses for Access
Because of Access being part of the Office97 pro software, the viruses for Access are the same macros written in Visual Basic, as are other viruses, infecting the Office97 applications. However in this case instead of auto macros there are automatic scripts in the system, which are called by the system doing different events (for example, Autoexec). These scripts can afterwards call different macro programs.
Therefore when infecting the Access databases the virus has to replace some auto script and copy its macros to the target database. Script infecting without the use of additional macros does not seem possible, because the scripting language is rather primitive and does not contain all the necessary functions.
To cure Access databases is more difficult, then to remove other macro viruses, because with Access it is necessary to disarm not only virus macros, but also auto scripts. Because scripts and macros to the most part of job in Access, incorrect deleting or deactivating of some elements may result in database unusability.
- LORZ l0rz@mailcity.com