| Detected  | Jul 24 1998 20:00 GMT |
| Released  | Jul 24 1998 20:00 GMT |
| Published | Jan 12 2000 13:21 GMT |
This is a memory-resident parasitic (polymorphic?) infector of Windows EXE files, 87438 bytes long, written in Borland's Object Pascal for Windows. The virus installs itself into the system, periodically searches for EXE files and writes itself to the beginning of each file it infects.
The virus has a very unusual structure. The main part (about 60K) is the virus code (virus routines and the Pascal runtime library), text strings, an icon and other data used by the virus while installing and spreading. The next block (3.5K) contains a packed (LZ method) MS Word template - a Word macro virus. The third block (21K) contains the packed (again by LZ) virus source code (!!!). Once unpacked, that 46K of source helped a lot in completing the analysis. The last block (3K) contains a resources file that is used when the virus runs the Borland Pascal compiler (see below).
While infecting a file the virus moves the file body down by 87438 bytes and then writes its own code to the beginning of the file. To return control to the host, the virus creates a temporary file, writes the clean host code to it and executes it. This method of infection is typical of DOS viruses written in high-level languages such as Pascal or C.
While infecting a file the virus also scans it for the DEC BP, DEC BP assembler instruction pair (4D4Dh) and replaces that code with an INT 83h call (CD83h). When active, the virus hooks INT 83h; the only code in its INT 83h handler decreases the BP register by two, exactly what the DEC BP, DEC BP instructions do. I do not know what the reason for this is, but files patched in this way will work only under an infected system.
Before infecting, the virus checks the file header and infects only EXE files that have the NE (Windows) or PE (Windows95) internal format, so it infects both NewEXE Windows and Windows95 executables. Under Windows 3.11 this virus works without any side effects, but I didn't try to run it under Windows95.
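The prepending layout described above (host moved down by exactly 87438 bytes, NE or PE header intact behind the virus body) is what a static scanner can key on. The following Python is an added example written for this page, not code from the original analysis or from the virus: it checks whether a complete NE/PE executable starts at offset 87438, slices the host back out, and counts INT 83h byte pairs (CD 83) in the recovered host, because the DEC BP, DEC BP patch means a stripped host may still not run cleanly. The sample host and the all-'V' virus body are constructed placeholders; the only page-derived constants are the 87438-byte length and the 1234h date mark.

```python
import struct

VIRUS_LEN = 87438            # size of the prepended virus body (from the analysis)
MARK_DATE = 0x1234           # DOS date word the virus leaves on infected files (from the analysis)
INT83 = b"\xcd\x83"          # INT 83h; the virus writes this over DEC BP, DEC BP (4D 4D)


def exe_kind(buf):
    """Return 'NE', 'PE' or None for a buffer that should begin with an MZ header.
    Both NE and PE executables keep the offset of the new header at 0x3C."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    new_hdr = struct.unpack_from("<I", buf, 0x3C)[0]
    if new_hdr + 4 > len(buf):
        return None
    sig = buf[new_hdr:new_hdr + 4]
    if sig[:2] == b"NE":
        return "NE"
    if sig == b"PE\0\0":
        return "PE"
    return None


def looks_prepended(buf):
    """True when a valid NE/PE executable starts exactly VIRUS_LEN bytes into the file,
    i.e. the file has the layout the virus produces (virus body, then the moved host)."""
    return len(buf) > VIRUS_LEN and exe_kind(buf[VIRUS_LEN:]) is not None


def strip_virus(buf):
    """Return the host executable that was moved down by the virus."""
    if not looks_prepended(buf):
        raise ValueError("no NE/PE host found at the expected offset")
    return buf[VIRUS_LEN:]


def count_int83(code):
    """Count CD 83 pairs. Legitimate code can contain these bytes, so this is an
    indicator for manual review, not something to rewrite back to 4D 4D blindly."""
    return code.count(INT83)


def is_marked_date(dos_date_word):
    """The virus skips files whose date word equals 1234h; a scanner can use the same mark."""
    return dos_date_word == MARK_DATE


def build_sample_host(kind="PE"):
    """Constructed minimal host: an MZ stub whose e_lfanew points at an NE or PE signature,
    followed by a few bytes of 'code' containing the DEC BP, DEC BP pair."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    sig = b"PE\0\0" if kind == "PE" else b"NE\x05\x00"
    return bytes(hdr) + sig + b"\x4d\x4d" + b"\x90" * 10


def build_sample_infected(kind="PE"):
    """Constructed infected file: placeholder virus body, then the host with the INT 83h patch."""
    host = build_sample_host(kind)
    patched = host.replace(b"\x4d\x4d", INT83)
    return b"V" * VIRUS_LEN + patched


if __name__ == "__main__":
    sample = build_sample_infected()
    print("prepended layout:", looks_prepended(sample))
    host = strip_virus(sample)
    print("host kind:", exe_kind(host), "INT 83h pairs:", count_int83(host))
```

The check deliberately requires a structurally valid header at the fixed offset rather than matching bytes of the virus body, since the page describes the body as regenerated by a compiler on each mutation and therefore not byte-stable.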
To stay "memory resident" the virus creates a hidden window that dispatches system events, including timer calls, and runs a standard message dispatching loop. On timer calls the virus, depending on its internal flags, searches for EXE files in the subdirectory trees of all disks and infects them. To do all this the virus uses standard Pascal library calls only - no system programming at all.
In detail, when the virus installs itself into the system, the Pascal runtime library creates and registers a window class (by the system calls REGISTERCLASS, CREATEWINDOW and SHOWWINDOW) and sets the HIDDEN attribute for this window. The virus then sets a new Windows system timer (SETTIMER call) with a 10-second delay and registers a handler (wmTimer) that gets control on timer events. To stay in memory the virus enters the main message dispatching loop (GETMESSAGE, TRANSLATEMESSAGE, DISPATCHMESSAGE) and stays in it until a termination request (wmClose) arrives when Windows exits.
The second routine scans the directory tree on the selected disk and searches for files. When an EXE file is found, the virus checks its length and date. If the file length is between 16384 bytes and 300K, and the file date is not equal to 1234h (Feb 7, 1990), the virus saves the file name in order to infect it when the infection routine (the fourth one) gets control.
While searching for files the virus pays special attention to several file names - OWINDOWS.TPW, BPC.EXE and NORMAL.DOT. If the Pascal for Windows files are found (OWINDOWS.TPW and BPC.EXE), the virus stores their paths for use in its mutation engine (see below). When the NORMAL.DOT file is found, the virus overwrites it with a silly Word macro virus that contains three macros: FileOpen, AutoOpen and WWUpdated. The first macro infects Word documents on opening, the second installs the virus on Word startup, and the last one is the virus ID macro.
To mutate itself, the virus unpacks its source code and writes it to disk, then processes the text and inserts junk(?) do-nothing Pascal instructions into it. The virus builds the junk commands from the strings:
Begin if then Repeat Until or True Until True End While And False do While False do Procedure Word Boolean Real Char integer string pointer wri = <> > < and or xor
Then the virus creates temporary resources and PIF files (MAIN.RES and TMP~~TMP.PIF) and runs the Borland Pascal compiler (via the PIF). The result is a TMP$XTMP.EXE file containing the virus code. The virus then appends the packed Word macro virus to that file, compresses (LZ method) and appends the new source file, and finally appends the last block with the resources file (see the virus structure above).
The result of this mutation engine is an EXE file with similar (but not identical) executable code and data, and with similar packed source code inside. The virus then renames the file to VIDACCEL.EXE (the virus dropper) and moves it to the Windows startup directory.
"Running NOW=" - "Yes" means that the virus is already active. When an infected file is executed the next time, the virus checks this parameter and does not re-infect the system. While installing itself into the system the virus sets it to "Yes", and on exit to "No".
"BootInfected=" - "1" means that the VIDACCEL.EXE file has already been dropped, and the virus will not drop it again.
"DieMonth=" and "DieDay=" - these point to the trigger date. On this date the virus will search for all files (except WIN386.SWP and 386SPART.PAR) on all disks and delete them. The virus initializes these strings while infecting the system, setting them to the current date plus one month.
"AtomID=" and "IDAtom=" parameters are used to perform system calls.
The following parameters are only read by the virus, which means that these strings can only be entered by the user:
"Die=" - this parameter locks the trigger routine.
"NoRun=" - if this parameter is set to "1", the virus will not infect the system.
"NoInfect=" - if this parameter is set to "1", the virus will not infect the files.
"ShowDotsOn=1", "ShowDialog=666", "Logging=YES" - debug parameters.
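For an investigator, the parameter block above is the quickest read on the state of an infected machine: whether the virus marks itself active, whether the dropper has already been written, and when the deletion payload is due. The Python below is an added example written for this page, not code from the analysis or the virus. It parses a constructed flag block with the keys the page lists and summarises them. The page does not name the file or section that holds these keys, so the "[WINAPP]" section header and the %WINDIR%\WINAPP.LOG path format are assumptions (the log file name itself is from the page); treating the mere presence of "Die=" as the lock is also an assumption.

```python
import configparser
from datetime import date

# Constructed sample of the virus's flag block. The keys are those listed in the
# analysis; the [WINAPP] section name is an assumption made for this example.
SAMPLE_INI = """\
[WINAPP]
Running NOW=No
BootInfected=1
DieMonth=8
DieDay=24
Die=
NoRun=0
NoInfect=0
Logging=YES
"""


def parse_flags(text, section="WINAPP"):
    """Parse the flag block into a dict, keeping key case and the space in 'Running NOW'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp[section])


def trigger_date(flags, today):
    """Payload date from DieMonth/DieDay. The virus stores the current date plus one month,
    so the year is taken as the current year. None if the values are absent or invalid."""
    try:
        return date(today.year, int(flags["DieMonth"]), int(flags["DieDay"]))
    except (KeyError, ValueError):
        return None


def assess(flags, today):
    """Summarise what the flags say about the infection state of this machine."""
    trig = trigger_date(flags, today)
    return {
        "active": flags.get("Running NOW", "").strip().lower() == "yes",
        "dropper_written": flags.get("BootInfected", "").strip() == "1",
        "trigger_date": trig.isoformat() if trig else None,
        "days_to_trigger": (trig - today).days if trig else None,
        # assumption: the presence of the "Die=" key is what locks the trigger routine
        "trigger_locked": "Die" in flags,
        "install_blocked": flags.get("NoRun", "").strip() == "1",
        "infection_blocked": flags.get("NoInfect", "").strip() == "1",
        "logging": flags.get("Logging", "").strip().upper() == "YES",
        # the virus writes WINAPP.LOG in the Windows directory when Logging=YES
        "log_path": r"%WINDIR%\WINAPP.LOG",
    }


def report(text, today_iso, section="WINAPP"):
    """Parse the text and assess it as of the given ISO date (e.g. '1998-07-24')."""
    return assess(parse_flags(text, section), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for key, value in report(SAMPLE_INI, "1998-07-24").items():
        print(f"{key:18} {value}")
```

A negative "days_to_trigger" means the stored date is already behind the current date; because the virus only ever sets the date a month ahead, that is worth noting during triage, since it suggests the machine was infected before the date rolled over.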
If "Logging" is set, the virus creates the WINAPP.LOG file in the Windows directory and writes the following strings to it:
Started. - when run
Loaded OK. - allocating memory and reading virus code done
InfectBoot = start - before dropping VIDACCEL.EXE
InfectBoot = done - after dropping VIDACCEL.EXE
Running application - before running host file
Application finished - after running host file
Terminate requested, Paused, Resumed, Remove from memory requested, !!! Destruction requested !!! - when the corresponding button is pressed, if the virus window is visible (see below)
Executing PIF : - while executing Borland Pascal via PIF
PM Failed : No compiler - while executing the mutation engine
PM started
PM is using temp dir
PM Failed : Out of diskspace
PM Failed : 1st compile failed
1st compile OK.
PM Failed : Source file too big
PM : Compression started, bytes
PM : Compression completed,
PM : Constants updated
PM : 2nd compile failed
PM : I/O Error
PM : Linked OK
When "ShowDotsOn" is set, the virus displays MessageBoxes (header/message) asking the user about the operation:
!!! VIRUS WARNING !!! / Do you really want to run program infected by virus ?
!!! WARNING !!! / Overwrite NORMAL.DOT, confirmed ?
!!! THE APPARITION WARNING !!! / Infect [filename] Confirmed ?
When "ShowDialog" is set to "666", the virus makes its window visible, and it appears on the screen:
+--------------------------------+
| - |      THE APPARITION    | * |
+--------------------------------+
| File  Help                     |
+--------------------------------+
|   The Apparition for Windows   |
|     UltraGluk ALL-IN-ONE       |
|                                |
| Status :                       |
| Last   :                       |
| Total  :                       |
|                                |
| +------------+ +-----------+   |
| | Terminate  | |   Pause   |   |
| +------------+ +-----------+   |
| +---------------------------+  |
| |     !!! DESTRUCT !!!      |  |
| +---------------------------+  |
+--------------------------------+
The "File" menu contains four items:
"Check" - the virus displays the MessageBox:
Double FUCK!!! Press CTRL+ALT+DEL Twice to Install Printer!!!
"Infect" - the virus runs a file browser to select a file. If the virus is busy infecting some other file, it displays:
Error! Infection engine is busy.
If the file is already infected, the virus displays:
You MAZDAI! File is already infected, I WANNA new file to infect!
Both "Remove" and "Teminate" (misspelled in the virus code) remove the virus from the system. In the case of "Remove" the virus also displays the MessageBox:
WINAPP / About to remove from memory, confirmed?
The "Help" menu contains one item - "About". When pressed, the virus displays a MessageBox with the following text:
About The Apparition Win-Apparition Written by Lord Asd Last modified : 25 Dec '96 This beta version of The Apparition was tested only under Win 3.10 and may work incorrectly under other Win versions and OS/2 Warp
The "Status :" string is followed by a string that indicates the current virus status:
Completing task...
Wait...
Locked.
Upgraded OK.
Paused by operator.
Mapping drives...
Scanning tree (Level x)...
Spreading...
Idle.
PM : Loading...
PM : Unpack...
PM : Mutation...
PM : 1st compile
PM : FAILURE
PM : Compression...
PM : Updating...
PM : 2nd compile
PM : Linking...
The "Last :" string is followed by the name of the most recently infected file. The "Total :" string contains the number of files processed while scanning the disk tree.
On the "Terminate" button the virus removes itself from memory. On the "Pause" button the virus pauses its timer handler and replaces the "Pause" button with "Resume". On the "DESTRUCT" button the virus displays two MessageBoxes:
WARNING / Are you sure you want to delete all files from your disks?
!!! DANGER !!! / Destroy all data on all available devices, confirmed?
and then erases all files on all disks.
The virus also displays other MessageBoxes and contains more text strings. MessageBoxes are:
Warning / Destruction locked.
System error / System stack failure, error code 0xC6 at 0004:2F16
Error / Unexpected disk operation failure, error code 0x0x
Error / Out of memory.
Error / Unknown disk error.
!!! VIRUS WARNING !!! / This program is infected by The Apparition for Windows and will not start.
Text strings are:
APPARITION _PSEUDO_ICON MAIN_MENU ABOUTDLG UNTITLED WINAPP COMMDLG KERNEL KERNEL GDI USER KEYBOARD KERNEL USER KEYBOARD WINAPP.EXE All files *.* Executable files (*.EXE) *.EXE Infect file EXE ApparitionInstalled hInstance= *** PERMUTATION START HERE *** *** PERMUTATION STOP HERE *** Function Begin End \TMP$XTMP.T01 \TMP$XTMP.T02 \TMP$XTMP.EXE \MAIN.RES !!! CODE SIZE !!! VSize= cs_const= !!! DECOMPRESSED SRC SIZE !!! XSrcSize= xss_const= !!! COMPRESSED SRC SIZE !!! CSrcSize= css_const= ApparitionInstalled AboutDlg Apparition ApparitionInstalled THE APPARITION Running THE APPARITION KERNEL USER GDI KRNL386 KRNL286 MICROSOFT PIFEX WINDOWS 286 3.0 WINDOWS 386 3.0 Portions Copyright (c) 1983,92 Borland OW1 OW2 TurboWindow Error code = %d. Continue? Application Error (Inactive %s) TPWinCrt Runtime error 000 at 0000:0000. Main_Menu Apparition THE APPARITION Times New Roman Terminate Apparition Last None Pause Total !!! DESTRUCT !!! Initializing... Status
Text added: Jan-06-1997
Viruses replicate on the resources of the local machine.
Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example: