English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Virus.Win16.Apparition.a

Detected Jul 24 1998 20:00 GMT
Released Jul 24 1998 20:00 GMT
Published Jan 12 2000 13:21 GMT

Technical Details

This is a memory resident parasitic (polymorphic?) Windows EXE files infector, 87438 bytes of length, written in Borland's Object Pascal for Windows. The virus installs itself into the system and periodically searches for EXE files and writes itself to the beginning of files.

The virus has a very unusual structure. The main part (about 60K) is the virus code (virus routines and Pascal runtime library), text strings, icon and other data used by the virus while installing and spreading. The next block (3.5K) contains a packed (with LZ method) MS Word template - Word macro virus. The third block (21K) contains packed (by LZ) virus source code (!!!). After unpacking, that 46K source helped a lot to complete virus analysis. And the last block (3K) contains resources file that is used when the virus runs Borland Pascal compiler (see below).

While infecting a file the virus moves the file down by 87438 bytes and then writes its code to the beginning of the file. To return control to the host file, the virus creates a temporary file, writes to this file clean host file code and executes it. This way to spread is usual for DOS viruses written in high level languages - Pascal or C.

The virus also scans the files for

DEC BP
DEC BP
assembler instruction (4D4Dh) while infecting them, and replaces this code with INT 83h call (CD83h). When active, the virus hooks INT 83h. The only code in virus INT 83h handler decreases BP register by two - the same as DEC BP, DEC BP commands do. I do not know what is the reason to do that, but patched in this way files will work under infected system only.

Before infecting the virus checks the file header and infects only EXE file that have NE (Windows) or PE (Windows95) internal format, so the virus infects both NewEXE Windows and Windows95 executable files. Under Windows 3.11 this virus works without any side effect, but I didn't try to run it under Windows95.

Installation

When an infected file runs, the virus allocates blocks of system memory and reads its code from infected file to these blocks (to use these data while infecting other files). It then drops to the Windows startup directory the 87438 bytes VIDACCEL.EXE file containing virus code and then registers this file in Windows WIN.INI file in [windows] section as "load by default" application - the string "load=VIDACCEL.EXE" appears, or "VIDACCEL.EXE" is appended to the end of "load=" string. As a result, Windows will load and execute the infected VIDACCEL.EXE on the next startup.

To stay "memory resident" the virus creates a hidden window that dispatches system events including timer calls and runs standard messages dispatching loop. On timer calls the virus, depending on its internal flags, searches for EXE files in subdirectory trees on all disks and infects them. To do all that the virus uses standard Pascal library calls only - no system programming at all.

In details, when the virus installs itself into the system, the Pascal runtime library creates and registers a window class (by system calls REGISTERCLASS, CREATEWINDOW and SHOWWINDOW) and sets HIDDEN parameter for this window. The virus then sets new Windows system timer (SETTIMER call), sets timer delay to 10 seconds and registers a handler (wmTimer) that gets control on timer events. To stay in memory the virus initializes the main messages dispatching loop (GETMESSAGE, TRANSLATEMESSAGE, DISPATCHMESSAGE) and stays within this loop up to termination request (wmClose) when Windows exits.

Timer Handler

When the virus timer handler gets control (once per 10 seconds), it launches its four routines in sequence - one routine is executed per one timer event. The first routine maps drives - it accesses all disks from C: till Z: and stores write-able ones. To do that the virus creates temporary file \WR.TST on a disk and deletes it. If this operation failed, the virus does not access files on this disk.

The second routine scans the directory tree on selected disk and searches for files. When an EXE file is found, the virus checks its length and date. If the file length is less than 300K and above than 16384 bytes, and the file date is not equal to 1234h (Feb 7, 1990), the virus saves the file name to infect it when infection routine (fourth one) will get control.

While searching files the virus pays special attention for several file names - OWINDOWS.TPW, BPC.EXE and NORMAL.DOT. If Pascal for Windows files are found (OWINDOWS.TPW and BPC.EXE), the virus stores their paths to use in its mutation engine (see below). When NORMAL.DOT file is found, the virus overwrites it with a silly Word macro virus that contains three macros: FileOpen, AutoOpen and WWUpdated. The first macro infects Word documents on opening, the second macro installs virus on Word startup, the last one is virus ID-macro.

Mutation

The third routine that is called by timer handler is the virus mutation engine. I could not make the virus to complete that routine, but it seems that the virus attempts to modify and recompile its source code! I never seen such way of polymorphism. The virus is not encrypted, but it attempts to rebuild itself, and that would be not possible to detect that virus by using a mask - in different samples there will be different offsets and pointers to data and code, and different version of Borland Pascal compiler will "mix" that code too.

To do that the virus unpacks and writes to disk its source code, processes it and inserts junk(?) do-nothing Pascal instructions into the text. The virus gets junk commands from strings:

Begin if then Repeat Until or True Until True End
While And False do While False do
Procedure Word Boolean Real Char integer string pointer wri
= <> > < and or xor
Then the virus creates temporary resources and PIF files (MAIN.RES and TMP~~TMP.PIF) and runs Borland Pascal compiler (by using PIF). As a result there is TMP$XTMP.EXE file containing virus code. The virus then appends to that file packed Word macro virus, compresses (LZ-method) and appends new source file, as well as last block with resources file (see virus structure above).

The result of this mutation engine is an EXE file with similar (but not the same) executable code and data, as well as with similar packed source code inside. The virus then renames the file to VIDACCEL.EXE (virus dropper) and moves it to Windows startup directory.

WIN.INI Section and Trigger Routines

While installing the virus creates a section in WIN.INI file, the name of section is [The Apparition]. This section describes several virus parameters. The virus creates, reads and modifies following parameters:

"Running NOW=" - "Yes" means that the virus is already active. When infected file is executed for next time, the virus checks that parameter and does not re-infect the system. While installing itself into the system, the virus sets it to "Yes", while exiting - to "No".

"BootInfected=" - "1" means that the VIDACCEL.EXE file is already dropped, and the virus will not re-drop it.

"DieMonth=" and "DieDay=" - they point to the trigger date. On this date the virus will search for all files (except WIN386.SWP and 386SPART.PAR) on all disks and delete them. The virus inits these strings while infecting the system - it sets them to current date increased by month.

"AtomID=" and "IDAtom=" parameters are used to perform system calls.

Following parameters are accessed by virus only for reading, that means that these strings may be entered only by user:

"Die=" - this parameter locks the trigger routine.

"NoRun=" - if this parameter is set to "1", the virus will not infect the system.

"NoInfect=" - if this parameter is set to "1", the virus will not infect the files.

"ShowDotsOn=1", "ShowDialog=666", "Logging=YES" - debug parameters.

If "Logging" is set, the virus creates the WINAPP.LOG file in Windows directory and writes following strings to there:

Started.               - when run
Loaded OK.             - allocating memory and reading virus code done
InfectBoot = start     - before dropping VIDACCEL.EXE
InfectBoot = done      - after dropping VIDACCEL.EXE
Running application    - before running host file
Application finished   - after running host file
Terminate requested            - when corresponding button is pressed, if
Paused                           virus windows is visible (see below)
Resumed
Remove from memory requested
!!! Destruction requested !!!
Executing PIF :                - while executing Borland Pascal via PIF
PM Failed : No compiler        - while executing mutation engine
PM started
PM is using temp dir
PM Failed : Out of diskspace
PM Failed : 1st compile failed
1st compile OK.
PM Failed : Source file too big
PM : Compression started,  bytes
PM : Compression completed,
PM : Constants updated
PM : 2nd compile failed
PM : I/O Error
PM : Linked OK
When "ShowDotsOn" is set, the virus displays MessageBoxes (header/message) to ask user about operation:
!!! VIRUS WARNING !!!
Do you really want to run program infected by virus ?
!!! WARNING !!!
Overwrite NORMAL.DOT, confirmed ?
!!! THE APPARITION WARNING !!!
Infect [filename] Confirmed ?
When "ShowDialog" is set to "666", the virus makes its window visible, and it appears on the screen:
+--------------------------------+
 -     THE  APPARITION      * 
+--------------------------------
 File   Help                    
+--------------------------------
     The Apparition for Windows 
      UltraGluk ALL-IN-ONE      
                                
 Status :                       
 Last   :                       
 Total  :                       
                                
 +------------+  +-----------+  
  Terminate       Pause     
 +------------+  +-----------+  
 +---------------------------+  
      !!! DESTRUCT !!!        
 +---------------------------+  
+--------------------------------+
"File" menu contains four items:

"Check" - the virus displays the MessageBox:

Double FUCK!!!
Press CTRL+ALT+DEL Twice to Install Printer!!!
"Infect" - the virus runs file browser to select the file. If the virus is infecting some other file, it displays:
Error!
Infection engine is busy.
If the file is already infected, the virus displays:
You MAZDAI!
File is already infected, I WANNA new file to infect!
Both "Remove" and "Teminate" (mistyping in virus code) remove virus from the system. In case of "Remove" the virus also displays the MessageBox:
WINAPP
About to remove from memory, confirmed?
"Help" menu contains one item - "About". When pressed, the virus displays MessageBox with the text inside:
About The Apparition
Win-Apparition
Written by Lord Asd
Last modified : 25 Dec '96
This beta version of The Apparition was tested only
under Win 3.10 and may work incorrectly under
other Win versions and OS/2 Warp

"Status :" string is followed with a string that indicates current virus status:

Completing task...
Wait...
Locked.
Upgraded OK.
Paused by operator.
Mapping drives...
Scanning tree (Level x)...
Spreading...
Idle.
PM : Loading...
PM : Unpack...
PM : Mutation...
PM : 1st compile
PM : FAILURE
PM : Compression...
PM : Updating...
PM : 2nd compile
PM : Linking...
"Last :" string is followed with latest infected file name. "Total :" string contains the number of files that were processed while scanning disk tree.

On "Terminate" button the virus removes itself from memory. On "Pause" button the virus paused its timer handler and replaces "Pause" button with "Resume". On "DESTRUCT" button the virus displays two MessageBoxes:

WARNING
Are you sure you want to delete all files from your disks?
!!! DANGER !!!
Destroy all data on all available devices, confirmed?
and then erases all files on all disks.

The virus also displays other MessageBoxes and contains more text strings. MessageBoxes are:

Warning
Destruction locked.
System error
System stack failure, error code 0xC6 at 0004:2F16
Error
Unexpected disk operation failure, error code 0x0x
Error
Out of memory.
Error
Unknown disk error.
!!! VIRUS WARNING !!!
This program is infected by The Apparition for Windows and will not start.
Text strings are:
APPARITION _PSEUDO_ICON MAIN_MENU ABOUTDLG UNTITLED WINAPP
COMMDLG KERNEL KERNEL GDI USER KEYBOARD KERNEL USER KEYBOARD
WINAPP.EXE
All files *.* Executable files (*.EXE) *.EXE Infect file EXE
ApparitionInstalled
hInstance=
*** PERMUTATION START HERE ***
*** PERMUTATION STOP HERE ***
Function Begin End
\TMP$XTMP.T01 \TMP$XTMP.T02 \TMP$XTMP.EXE \MAIN.RES
!!! CODE SIZE !!!
VSize=
cs_const=
!!! DECOMPRESSED SRC SIZE !!!
XSrcSize=
xss_const=
!!! COMPRESSED SRC SIZE !!!
CSrcSize=
css_const=
ApparitionInstalled
AboutDlg
Apparition
ApparitionInstalled
THE APPARITION
Running
THE APPARITION
KERNEL USER GDI KRNL386 KRNL286
MICROSOFT PIFEX
WINDOWS 286 3.0
WINDOWS 386 3.0
Portions Copyright (c) 1983,92 Borland
OW1 OW2
TurboWindow Error code = %d. Continue?
Application Error
(Inactive %s)
TPWinCrt
Runtime error 000 at 0000:0000.
Main_Menu Apparition THE APPARITION Times New Roman Terminate
Apparition Last None Pause Total
!!! DESTRUCT !!! Initializing... Status

Text added: Jan-06-1997


Bookmark and Share
Share
Virus

Viruses replicate on the resources of the local machine.

Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example:

  • when infecting accessible disks, a virus penetrates a file located on a network resource
  • a virus copies itself to a removable storage device or infects a file on a removable device
  • a user sends an email with an infected attachment.

Aliases

Virus.Win16.Apparition.a (Kaspersky Lab) is also known as:

  • Win16.Apparition.a (Kaspersky Lab)
  • Win.Apparition.a (Kaspersky Lab)
  • Virus: Apparition.a (McAfee)
  • Win/Apparit-A (Sophos)
  • WIN.APPARATI-1 (ClamAV)
  • Win/Apparition.a (Panda)
  • W16/Apparition.87438 (FPROT)
  • Virus:Win16/Apparition.87438 (MS(OneCare))
  • Win.Apparition (DrWeb)
  • a variant of Win.Apparition.89021 virus (Nod32)
  • Win16.Apparition.A (BitDef7)
  • Win16.Apparition.A (VirusBuster)
  • Win95:Apparition-C (AVAST)
  • Virus.Win16.Apparition.e (Ikarus)
  • Apparition (AVG)
  • A.EXE <<< WIN/APPARATI-1 (AVIRA)
  • WIN/APPARATI-1 (AVIRA)
  • Apparition.A (NAV)
  • Win/Apparition.A-D (Norman)
  • Apparition.a (NAI)
  • NE_APPARITION.A (PCCIL)
  • Win16.Apparition.a (Rising)
  • Virus.Win16.Apparition.a [AVP] (FSecure)
  • NE_APPARITION.A (TrendMicro)
  • Win16.Apparition.a (VirusBusterBeta)