Tuesday, July 19, 2011

MS_Word.PsycloneX.barik (aka W97M.Onex), a macro virus that damages Word 97/2000/2003 documents

VirusHunter warns computer users about the dangerous macro virus MS_Word.PsycloneX.barik (aka W97M.Onex), which damages Word 97/2000/2003 documents ...

1. How the virus spreads and installs itself in the system.

The only source of the virus is infected MS Office documents. MS_Word.PsycloneX.barik is written in Microsoft Visual Basic and compiled into Word's macro format. It infects machines running the MS Word 97 (version 8.0), Word 2000 (version 9.0) or Word 2003 (version 11.0) editor; Microsoft made Word 2003 compatible with all earlier versions of Word, which is why the virus works there as well.

The viral code is written into the macro sections of the files (the sections that hold the document's formatting information: font types, margins, etc.), using the free space available in them and extending those areas where needed. It is stored in the file as a macro project named "NEWVIR" and consists of 11 macros; each of them is described below, together with the harmful routines the virus performs. When an infected document is opened, if the user ignores the warning from Word's built-in macro protection (see the description of the macro virus MS_Word.Saver), the virus starts automatically (its AutoOpen procedure runs). First the virus consults the registry and reads from it the location of Word's settings template, the file Normal.dot. The file's location is:
 - in Word 97: C:\Program Files\Microsoft Office\Templates\Normal.dot;
 - in Word 2000: it may differ, since it depends on the Windows version on which MS Office is installed;
 - in Word 2003: C:\Documents and Settings\%current user name%\Application Data\Microsoft\Templates\Normal.dot.
Once the virus code has been written into this file and the viral functions have been hooked into Word's configuration (the FileTemplates procedure runs), the nominal size of Normal.dot grows from 26,624 to 43,008 bytes, or from 27,136 to 43,520 bytes. These are the nominal sizes for MS Word 97 (Normal.dot can have either of two nominal sizes, depending on certain system conditions). It is hard to say what the sizes of the corresponding template are for MS Word 2000/2003, because the experiments on the test machine were carried out only with Word 97, but it is clear that an infected Normal.dot will likewise grow by 16,384 bytes. This gives a simple check on any of these versions: a Normal.dot that is exactly 16,384 bytes larger than before is a strong sign of infection.

Having infected Normal.dot, the virus needs the Windows directory. It simply assumes this is C:\WINDOWS (the most common location) and does not determine it any other way. Consequently, if the system is installed in any other directory, the virus apparently cannot function properly, because in the course of its activity it creates the following two files in that directory (the NEWVIR procedure runs):
 - C:\WINDOWS\PCSB.inf
 - C:\WINDOWS\Dte.inf
The first file, PCSB.inf, is extracted by the virus from its own body and is 3076 bytes in size. It is a component of the virus written as a sequence of Microsoft Visual Basic statements and contains the virus's main functionality. The second file, Dte.inf, is 9 bytes long and contains, in encoded form, the date and time at which the virus infected Normal.dot. The virus later reads this file and, depending on the current date and time, performs various malicious actions.

2. Infection of documents.

The virus infects document files in the DOC and RTF formats; it does not touch template (DOT) files, the only exception being the Normal.dot file mentioned above.
When Word starts (the viral AutoOpen procedure runs again), the virus's routine for infecting newly created and already open documents works as follows:
 - if the user creates a new document, fills it in and then saves it with Save, the document is saved automatically under the name "Dokument1.doc" in the default folder, C:\My Documents. No dialog for choosing the path and file name is shown, and the file is infected when it is closed (the FileSave procedure runs);
 - if an open file is re-saved via Save As, then on closing and re-saving, both the original and the new file are infected (the FileSave and FileSaveAs procedures run);
 - if a file is saved or re-saved in a format other than DOC (e.g. RTF, TXT, HTML, etc.), the virus still saves the file in DOC format (the FileTemplates procedure runs) while leaving the name and extension chosen by the user. On closing, the file is infected too, since the virus has kept it in DOC format. The exception is again the DOT format: such a file is not infected after saving. As a result of these manipulations, only files with the DOC, DOT and RTF extensions remain readable after saving; to make files saved under other extensions, such as TXT or HTML, readable again, simply change their extension to DOC;
 - if the document has the "read-only" attribute, the virus cannot infect it.
The virus infects each document only once, checking the document's contents for the presence of its own copy (the check is carried out on three fragments of the viral code). Infection increases the file size by about 16.3 KB on average. The virus terminates when Word closes.
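The indicators in this description (the two files dropped into C:\WINDOWS with their sizes from section 1, the rename trick for mis-extensioned documents from section 2, and the NEWVIR project and "copyright" strings listed in section 4) are enough for a first-pass triage of a copied document folder or a recovered disk without Word installed. The following Python script is an added example, not part of the original description and not the virus's own code. It assumes the marker strings occur uncompressed in infected files (names in the VBA project stream are stored in plain text, but module source is normally compressed, so a miss does not clear a file while a hit is a strong indicator), and the sample bytes in it are constructed.

```python
"""Triage helpers for the MS_Word.PsycloneX.barik / W97M.Onex indicators.

Added example: classifies files by magic bytes instead of extension, looks
for the strings the description reports in infected files, suggests the
.doc rename for documents the virus re-saved under TXT/HTML/RTF names, and
checks a Windows-directory listing for the two dropped components.
"""
import os
import sys
from typing import Dict, List, Optional

# Signature every Word 97-2003 binary .doc starts with (OLE2 compound file).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
RTF_MAGIC = b"{\\rtf"

# Strings reported in infected files. ASSUMPTION: they occur uncompressed.
MARKERS = ["NEWVIR", "PCSB.inf", "Dte.inf", "Psyclone X", "[Host Extender Info]"]

# Dropped components and the sizes given in the description.
DROPPED_FILES = {"PCSB.inf": 3076, "Dte.inf": 9}

# Extensions the virus leaves in place while writing DOC-format content.
MISNAMED_EXTS = {".txt", ".html", ".htm", ".rtf"}


def find_markers(data: bytes) -> List[str]:
    """Markers present in data as ASCII or UTF-16LE (Word stores many names wide)."""
    hits = []
    for m in MARKERS:
        if m.encode("ascii") in data or m.encode("utf-16-le") in data:
            hits.append(m)
    return hits


def container_type(data: bytes) -> str:
    """Classify by leading bytes rather than trusting the file extension."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "other"


def suggested_name(path: str, data: bytes) -> Optional[str]:
    """Recovery rule from section 2: a TXT/HTML/RTF-named file whose content is
    really an OLE2 document opens again once it is renamed to .doc."""
    root, ext = os.path.splitext(path)
    if ext.lower() in MISNAMED_EXTS and container_type(data) == "ole2":
        return root + ".doc"
    return None


def assess_dropped(listing: Dict[str, int]) -> Dict[str, str]:
    """Compare a {filename: size} listing of the Windows directory against the
    dropper's two components. Names are matched case-insensitively, as on FAT/NTFS."""
    lowered = {name.lower(): size for name, size in listing.items()}
    verdict = {}
    for name, expected in DROPPED_FILES.items():
        size = lowered.get(name.lower())
        if size is None:
            verdict[name] = "absent"
        elif size == expected:
            verdict[name] = "present, expected size"
        else:
            verdict[name] = "present, size %d (expected %d)" % (size, expected)
    return verdict


def triage_file(path: str, data: bytes) -> Dict[str, object]:
    """Per-file report: container type, markers found, rename suggestion."""
    return {
        "container": container_type(data),
        "markers": find_markers(data),
        "rename_to": suggested_name(path, data),
    }


def scan_directory(directory: str) -> List[Dict[str, object]]:
    """Walk a copied document folder and triage every file in it (read-only)."""
    reports = []
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rep = triage_file(full, data)
            rep["path"] = full
            reports.append(rep)
    return reports


if __name__ == "__main__":
    # Constructed sample: OLE2 header followed by the project name stored
    # UTF-16LE, saved under a .txt name, as the virus would leave it.
    sample = OLE2_MAGIC + b"\x00" * 8 + "NEWVIR".encode("utf-16-le")
    print(triage_file("C:\\My Documents\\notes.txt", sample))
    # Constructed listing of a Windows directory with one dropped component.
    print(assess_dropped({"Pcsb.inf": 3076, "win.ini": 1024}))
    if len(sys.argv) > 1:
        for rep in scan_directory(sys.argv[1]):
            print(rep)
```

Point the script at a copy of the user's document folder (for example `python triage_psyclonex.py "C:\My Documents"`, script name assumed); the suggested .doc names are only reported, never applied, and nothing on the scanned tree is modified.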

3. Malicious actions.

As mentioned above, the file PCSB.inf contains the virus's main procedures, including the malicious ones. The virus author annotated each procedure with a comment in Russian. The file is read by the viral procedure ViewVBCode.
The malicious procedures carried out by the virus are as follows.

"Congratulations, if you have got this far you can obviously do more, so carry on, you are appreciated... Regards, AUTHOR" - this is a harmless comment, evidently addressed to anyone who finds the file.

"Disable what must be disabled..." - a malicious procedure. The virus disables the following in Word:
 - the built-in virus protection, after which Word no longer reacts to the detection of infected documents and does not warn the user of the danger;
 - the menu items Tools -> Templates and Visual Basic, and ? -> About... (at least in Word 97 and 2000). This is done by disabling the ToolsMacro and HelpAbout procedures, obviously in order to hide the presence of the virus on the system by preventing the user from viewing and editing the contents of the settings template.
To disable macro security in Word 2000, the virus changes the value "Level" in the registry key [HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]. In Word 2003 the virus cannot do this, since the protection in MS Office 2003 applications works on a somewhat different principle.

"Saving the body..." - this procedure creates the original file C:\WINDOWS\PCSB.inf, which the virus may later reuse for some reason.

"If the template is not infected, remember the infection date in the right place..." - this procedure creates the original file C:\WINDOWS\Dte.inf when the Normal.dot template on the system is not yet infected; once the virus has embedded itself in that file, Dte.inf is not overwritten again.

The comment on the next malicious procedure marks a routine that does not actually work, because of some bugs in the virus code. Without those errors it would do the following: if documents are being worked on between 6:00 pm and 8:00 am, the virus appends the following text to every open Word document: "We have to work during business hours. Barik!" On closing the documents, the virus automatically saves the original contents together with this added text.

"Checking what is needed so as not to die and to reproduce" - the procedure that checks open documents for infection. It also contains the comment: "I messed around with AntiVirus on this line for a long time, didn't add a variable to fool it". What the virus author's dealings with antivirus products were and what they were doing, I do not know, but the purpose stated in the procedure's code, and in particular its effectiveness, are seriously in doubt. The same procedure also contains the comments: "And you say tchotchke-Pecka", "Expect a new release! We'll fight on..."

The viral routine with the exotic name Pig (pig) contains two subroutines. "Read the infection date" - the virus checks how much time has passed since the system was infected by decoding and reading the data in C:\WINDOWS\Dte.inf. If a month has passed since the infection, the virus activates at the end of the 30-day period and blocks Word completely: on attempts to open, create and then save, or print documents (the FilePrint, FilePrintDefault, HelpAbout, NEWVIR and Pig procedures are used), the documents are closed automatically and a fake "error" message is displayed on the screen.

Incidentally, the virus also produces the same message before the end of the 30-day period if the user tries to request information via the ? -> About... menu.
As mentioned above, the virus reads the date and time of its installation from the file C:\WINDOWS\Dte.inf, which it creates only once, at the initial infection of the system. This flaw can be used to unblock Word if no antivirus program is available on the machine: by deleting Dte.inf you remove the virus's ability to block work with documents. Note that this only disarms the time trigger; the virus remains in Normal.dot and in the infected documents, which still have to be disinfected (see section 5).

4. Miscellaneous.

The virus code (in infected files) contains the following technical and "copyright" strings:
[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
97/2k.Extra Word - Psyclone X
My first virus for the Year 2k

5. Removing the virus from the machine.

I do not recommend disinfecting files infected with this virus (or with other macro viruses) using the DrWeb antivirus program, since it always disinfects the macro sections of files poorly, leaving most of the macro virus code intact. When such "cured" files later turn up on a clean machine, the macro protection of the Word and Excel editors warns about the presence of a suspicious macro fragment in the document. A typical user cannot tell that the virus's start code has already been removed from the file and concludes that they are dealing with a "virus", and a new one at that, which for obvious reasons is not detected by any antivirus program.
At the time this description was written, antivirus programs detected the virus and its components under the following names:
Kaspersky AntiVirus:
 - infected files: Virus.MSWord.Pcsb (disinfects);
 - infected Normal.dot template: Virus.MSWord.Onex and Virus.MSWord.Pcsb in parallel (disinfects the file);
 - file PCSB.inf: Virus.MSWord.Pcsb (deletes).
BitDefender Professional:
 - infected files: W97M.Nid.C (disinfects);
 - infected Normal.dot template: W97M.Nid.C (disinfects the file);
 - file PCSB.inf: ignored, not treated as malicious code.
DrWeb:
 - infected files: W97M.Barik (disinfects);
 - infected Normal.dot template: W97M.Onex (disinfects the file);
 - file PCSB.inf: W97M.Barik (deletes).

6. Restoring macro protection in MS Word 97/2k.

How to restore virus protection in Word 97 is described here: MS_Word.Saver. For Word 2000 the same steps apply.

Analysis of the malicious code and preparation of the description: Broido Herman (aka VirusHunter)
Date created: 01.08.2005
Date of last change: 03.10.2006
Author of the description: Broido Herman (aka VirusHunter)
