Friday, July 15, 2011

Win32.HLLP.HiDrag.mellissa (aka Win32.Assill.a, Jeefo)

VirusHunter warns computer users about the spread of the virus file Win32.HLLP.HiDrag.mellissa (aka Win32.Assill.a, Jeefo), which infects Win32 programs ...


A detailed description of the virus Win32.HLLP.HiDrag.mellissa

1. How the virus reaches the machine.

As usual, the main source of the virus is file-sharing networks. The virus can land in the directories of file-sharing programs installed on the machine, disguised as "good" programs, or simply arrive inside infected software distributions sent to you by friends or acquaintances. Unfortunately, most people stubbornly ignore antivirus programs or simply do not update their antivirus databases, which lets the virus "wake up" on their machines. As a result, infected computers become breeding grounds that pass the virus on to tens or even hundreds of other computers. CD/DVD discs recorded on such "clean" machines are also a potential hazard, since it is clear that some of the files written to them will be infected. Catching the virus is also possible if you use flash drives (USB Flash Memory Storage) or floppy disks for transport or storage.


2. Installation into the system.

Win32.HLLP.HiDrag.mellissa is a "semi"-resident Windows program (why I call it only half resident will become clear below). It is a PE EXE file, i.e. one whose header carries the "PE" signature; such files contain 32-bit code written in high-level languages such as C++ Builder or Borland Turbo Pascal (Delphi) and are built to run under Windows. It is able to run on all versions of Windows that exist at the time of writing. It is written in Borland Delphi v6.0.
The program code of Win32.HLLP.HiDrag.mellissa is partially protected by encryption, which is removed at startup by a specially built-in decryption routine. In addition, the program is compressed with the compression utility "UPX" version 1.25, and on top of the compression it has been processed by some utility, a code optimizer, so that decompressing the body of the virus from UPX compression with the standard unpacking method is impossible.
Schematically, the structure of the virus code is as follows (neither in this nor in the subsequent diagrams are the proportions between code sections drawn to scale):


The installation procedure depends on the version of Windows under which the infected file is launched. When an infected program is started, control first passes to the virus code, which checks for the following registry key: [HKEY_CURRENT_USER\Software\Mellissa\]. This key is present in the registry only when Windows is already infected with the virus. If the virus is run on a machine for the first time, it creates the key and writes the following values:

[HKEY_CURRENT_USER\Software\Mellissa\]
"ITS" = "%name%.exe"
"LK" = "Named Mellissa. Ukraine (Chernivtsi)"
"sts" = "%letter%"

where %name% is the name taken from the infected file that was launched (for example, if the infected file is called Program.exe, the viral component file will also be named Program.exe), and %letter% is a single lower- or upper-case letter. The virus then checks the Windows version and, depending on it, extracts its own code together with the additional section (see the diagram above) from the running infected file and copies it into the following two files:

for Windows 9X/ME:
C:\WINDOWS\SYSTEM\%name%.exe
C:\WINDOWS\SYSTEM\ls32.exe

for Windows 2K/XP the same pair of files is placed in the \System32\ subdirectory instead (see the conditions below). Of the two, %name%.exe performs the search for files and infects them, while ls32.exe restores and runs infected programs. Under normal conditions, after installation control passes to the viral component %name%.exe, which begins searching for and infecting files. It remains in memory until the first reboot. When Windows boots, the virus cannot start automatically; it gains control only when the system or the user accesses one of the infected files. The division of "responsibilities" between the viral components %name%.exe and ls32.exe is as follows:

%name%.exe receives control from ls32.exe when any infected file is run. For %name%.exe to run, the following conditions must be met:
- it is located in the system subdirectory \SYSTEM\ (for Windows 9X/ME) or \System32\ (for Windows 2K/XP);
- its name matches the %name% recorded by the virus in the registry key;
- a program window with the title Mellissa must be present in the system (this window, invisible to the user, is created by the ls32.exe component when it calls %name%.exe).
Only when these conditions are met is %name%.exe loaded for execution. When it finishes its work, the window is closed.

ls32.exe receives control when any infected file is started. For this component to run, the following conditions must be met:
- it is located in the system subdirectory \SYSTEM\ (for Windows 9X/ME) or \System32\ (for Windows 2K/XP);
- its name is ls32.exe;
- a program window (also invisible to the user) with the title HIDRAG MUST DIE must be present in the system.
Only then does ls32.exe start restoring and running the infected file; afterwards it closes the window titled "HIDRAG MUST DIE", creates a window titled "Mellissa" and runs the component %name%.exe (reading its name from the %name% value recorded in the registry key it created). After that it exits.


3. Replication of the virus.

3.1. Infected files.

Unlike other variants of Win32.HLLP.HiDrag, "HiDrag.mellissa" infects only files with the extension "EXE" that are Win32 programs, program installers (ProgramInstaller, used for software distribution) or self-extracting archives (SFX, Self Extraction program). When searching for files to infect, the virus begins its traversal from drive C:. For this reason the system directory can stay clean for quite a long time if Windows is installed on another drive, for example D: or E:. However, such setups are rare, so I will consider the common case where the system is installed on drive C:.

Not all files are infected, only those that satisfy the following conditions:
- the file has the extension "EXE";
- the file size is 110 kb or more (I was unable to establish the maximum size the virus accepts, but a 7.5 MB file was also infected);
- the file must be a Win32 application (a PE file; this is checked by the internal format, and the virus immediately discards DOS programs as well as Win16 applications, i.e. NewEXE files);
- the file header must contain a signature that, when the code is viewed as text, looks like .rsrc (it is present in almost all Win32 applications because of the structure of their headers; the only exceptions are files compressed with certain compression utilities, for example "FSG", some manufacturers' installation packages, and some Win32 applications developed by Microsoft).

Under Windows 9X/ME the virus tries to infect all, or at least most, such EXE files on drive C:. Under Windows 2K/XP the virus takes into account that some system files in the system subdirectories are checked for originality and, if they are infected, the system immediately warns the user: "Some system files are modified. Do you want to keep these unrecognized files?". Therefore, in the system directory the virus infects only EXE files located at the 4th level of nesting or deeper (5th, 6th, etc.), i.e.: C:\WINDOWS [1st level of nesting]\[subdirectory, level 2]\[subdirectory, level 3]\[subdirectory, level 4]\[subdirectory, level 5]\ and so on. When searching for and infecting files the virus works in cycles that follow one after another; during each cycle 5 files are checked and infected. The virus strictly follows the sequence of directories and subdirectories as it goes around the disk, so it does not erroneously re-check the same files.

Later, when the virus is loaded into memory again, it also checks all the files, but faster, because it only checks whether they are infected or not: for this it inspects the initial portion of each file for a particular piece of code matching its own. If a match is found, the file is infected and is skipped. The infection method used by this variant is very complex. When it finds a suitable file, the virus (the %name%.exe component) remembers its attributes, modification date and time, original size and CRC value (a checksum of certain portions of the code), and then opens the file for editing (even if it has the "read only" attribute). It then writes its own code to the beginning of the file (i.e. the first 8179 bytes of the virus body, shifting the original program code down by that amount) and proceeds to restructure the code of the infected program. Describing this procedure in words is pointless, so I drew a small diagram, which I hope helps people with little programming knowledge understand the principle of infection (as noted above, the proportions in the diagram are not to scale):
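The four selection rules above can be turned into a triage check for which executables fall inside the virus's target set. This is an added example, not the author's code; it assumes "110 kb" means 110 * 1024 bytes and implements the ".rsrc" test as a lookup in the PE section table.

```python
"""Triage check: does a given EXE meet the selection rules the analysis
attributes to HiDrag.mellissa (EXE extension, >= 110 kb, a PE image rather
than a DOS/Win16 one, and a .rsrc section present)?  Added example, not the
author's code.  Assumptions not stated on the page: "110 kb" is read as
110 * 1024 bytes, and the ".rsrc" test is done on the PE section table."""
import struct
from typing import List, Optional, Tuple

MIN_SIZE = 110 * 1024        # page: "110 kb or more" (1024-byte kilobytes assumed)
E_LFANEW = 0x3C              # offset of the PE header pointer inside the MZ header
FILE_HEADER_SIZE = 20        # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40     # IMAGE_SECTION_HEADER


def pe_section_names(data: bytes) -> Optional[List[str]]:
    """Return the section names of a PE image, or None for non-PE input
    (DOS .EXE without a PE header, Win16 'NE' images, non-MZ files)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off, = struct.unpack_from("<I", data, E_LFANEW)
    if pe_off + 4 + FILE_HEADER_SIZE > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    fh = pe_off + 4
    num_sections, = struct.unpack_from("<H", data, fh + 2)
    opt_size, = struct.unpack_from("<H", data, fh + 16)
    table = fh + FILE_HEADER_SIZE + opt_size
    names = []
    for i in range(num_sections):
        start = table + i * SECTION_HEADER_SIZE
        raw = data[start:start + 8]            # Name field: 8 bytes, NUL padded
        if len(raw) < 8:
            return None                        # truncated section table
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def matches_target_profile(filename: str, data: bytes) -> Tuple[bool, List[str]]:
    """True if the file satisfies every selection rule; otherwise the list of
    reasons the virus would skip it."""
    reasons = []
    if not filename.lower().endswith(".exe"):
        reasons.append("extension is not EXE")
    if len(data) < MIN_SIZE:
        reasons.append(f"size {len(data)} is below {MIN_SIZE} bytes")
    names = pe_section_names(data)
    if names is None:
        reasons.append("not a PE image (DOS or Win16 executable)")
    elif ".rsrc" not in names:
        reasons.append("no .rsrc section (e.g. packed with FSG)")
    return (not reasons, reasons)


def build_fake_pe(section_names: List[str], total_size: int) -> bytes:
    """Constructed test input: a PE-shaped blob with the given section names,
    padded to total_size.  Headers only, not runnable code."""
    pe_off, opt_size = 0x40, 0xE0              # PE32 optional header size
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, pe_off)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_size) + sections).ljust(total_size, b"\0")


if __name__ == "__main__":
    for name, blob in [("Program.exe", build_fake_pe([".text", ".data", ".rsrc"], 200 * 1024)),
                       ("small.exe", build_fake_pe([".text", ".rsrc"], 50 * 1024)),
                       ("packed.exe", build_fake_pe(["FSG!", ".data"], 200 * 1024)),
                       ("old.exe", b"MZ" + bytes(MIN_SIZE))]:
        print(name, matches_target_profile(name, blob))
```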


The virus code (8719 bytes) is in a sense unfinished: it allows the last section (the additional section of the virus in the diagram) to be extended, and the data placed there is then read by the virus as its own. This is why, by dragging along a portion of the infected program's resources, the viral components ls32.exe and %name%.exe are able to use icons and information strings from other programs. A very original approach, given that the virus does not need to alter this data at all for it to be read correctly from its own code: the layout of resources is the same for all Win32 programs (even those processed with tools such as "UPX"). As a result, the viral components %name%.exe and ls32.exe look like perfectly harmless programs among the other system files, for example:


or


etc. As can be seen from the diagram, the virus also reorders the program's sections, some of which it encrypts. Since the map of the changes made to the program is complex, and its size depends primarily on the size of the infected program, the virus reserves up to about 5 kb of space for it in the additional section. Analysis of infected files showed that this amount is more than sufficient for all the required records even for infected objects of 5-7 MB. Having made the initial restructuring of the file, the virus checks how much the file has grown relative to its original (pre-infection) size. If the difference is greater than 9004 bytes (why this value was chosen is hard to say), which is the case for virtually all files, the virus performs a secondary restructuring, which consists of compressing the unused space between the logical sections of code in the infected file. Explanation: when any program is compiled, a certain amount of free space, so-called "unused bytes of code", is left between the logical sections of its code. These bytes contain no code (they are empty) and form "holes": imagine a box (our file) containing books (the logical sections of the program); the gaps between the books and the walls of the box are the "holes":




The "holes" between the sections of a program
before infection (left) and after infection (right)


So the virus deletes part of the bytes of the "holes" or, if necessary, some "holes" in their entirety, to stay within the required limit of 9004 bytes. The minimum size of infected programs (110 kb) was obviously not chosen by chance: the amount of "hole" space in files of this size guarantees that infection, followed by restructuring of the code, fits within the allowable growth of 9004 bytes.
Then the final map of the program's restructuring is recorded in the infected file, after which the map is encrypted, and the virus saves the infected file in place of the original and gives it the attributes, date and time of modification of the original, thereby masking the changes made to the file.


3.2. Restoring files infected by the virus.

The procedure by which the virus restores infected files when they are accessed is no less complex than the infection procedure described above. When an infected file receives control, the copy of the virus located at its beginning runs first and checks who is calling it: a copy of the virus, or a user who simply wants to run the infected program. To do this, it (the copy of the virus in the running file) checks the system for a program window titled HIDRAG MUST DIE. If this window is not found, the start is treated as an ordinary program launch: the copy of the virus creates that window, passes data about its own location to the ls32.exe component, and then exits, which also terminates the infected program. In turn, ls32.exe, having received the call from the infected file, finds the program window titled "HIDRAG MUST DIE" in the system, reads the file's location from it and then does the following:
- finds the infected file, reads its attributes, modification date and time, and stores that data in memory as variable A;
- opens the file for editing and removes the first 8179 bytes from it (i.e. the virus code; this disinfects the file);
- reads the restructuring map from the disinfected program and decrypts it, keeping this data in memory as variable B, then deletes the section of the file containing the restructuring map (which it no longer needs);
- reading the data from variable B, the virus decrypts the sections of the file and puts them back in the correct order (restoring the file to its original working state), then re-saves the restored file and assigns it the attributes, date and time of modification of the original, reading them from variable A;
- checks the CRC of the restored file against the CRC value recorded before the file was infected (also read from variable B). If the values match, the virus starts the restored program. If the CRC values do not match (for example, the file was infected on top of a file already infected by a virus, or the restored file is simply an original virus program, a file like ls32.exe or %name%.exe), the virus only restores the original size of the infected file and assigns it the attributes, date and time of modification of the original, but does not execute it: the code of such a file, as you can imagine, is not usable, and the virus will not load it for execution so as to avoid errors when the system processes the incorrect file.

After restoring and launching the disinfected file, the virus closes the window titled "HIDRAG MUST DIE". It should be noted that infected files cannot be restored and run from media that are not writable, for example CD-ROM or DVD-ROM discs, or floppy/USB flash drives whose write-protect switch is set to the "write lock" position.


3.3. Anomalies and defects in the virus.

The algorithm of "HiDrag.mellissa" covers infection, disinfection and restoration of programs not only under normal conditions but also when its operation is disrupted. There are two possible abnormal situations.

Abnormal situation 1: after installation into the system, the viral components %name%.exe and ls32.exe have been deleted (for example, by a user trying to remove the virus from the machine). In this case, when an infected file is run, the virus code inside it creates its own components %name%.exe and ls32.exe, after which it corrects the %name% value in the viral registry key (and, accordingly, the name of the %name%.exe component) to the name of the infected program that was run. From then on all viral procedures follow the standard scheme.

Abnormal situation 2: both viral components (%name%.exe and ls32.exe) have been damaged, either as a result of a user's attempts to run them (see the last paragraphs of section 3.2) or as a result of damage caused by another virus infecting them. This turn of events is very problematic for "HiDrag.mellissa", since infected files have nobody to pass control to (ls32.exe is broken, and the virus's algorithm does not provide for overwriting a component if it is damaged). The copy of the virus in the running infected file then tries, using a rather odd search mechanism, to find some other infected file that will temporarily serve as both components, ls32.exe and %name%.exe, at once. In this case only a temporary launch of a copy of the virus occurs from the found infected file, not of the infected program itself. The program launched by the user is disinfected and executed, although with some delay, as if the machine simply "thinks" when it is opened. However, this mechanism does not always work, and the virus in the infected file may simply finish its work without trying to find a way to restore and run the infected program.
Then the infected file may run on the nth attempt to access it, or not at all until the user manually deletes the damaged ls32.exe file (why this happens in some situations is unclear). Also, when this mechanism fails, the copy of the virus in the infected file stubbornly tries to invoke the non-working ls32.exe component, so that the window of the system command interpreter freezes on the screen (the virus calls its components via the command line in Windows, but during normal operation this window is barely visible as a quick flicker, since it closes almost instantly):


The system displays a standard error message (below is an example of such a message under Windows 2K/XP):


Running an infected program is again impossible until the user manually deletes the damaged ls32.exe file (why the search for another infected file does not work here is also unclear).

If only the %name%.exe component has been damaged, then either ls32.exe serves as both components at once, or the role of %name%.exe is temporarily assigned to the infected file that was launched (the same can happen in the case above with both components non-working), which can delay the launch of the program for a relatively long time.

Besides the errors caused by outside interference with the virus, there are also some internal errors that occur during normal operation of the "malware". Here are those identified while studying the virus:
- when searching for files to infect, the virus should be equally likely to infect files on drive C: and on the computer's other drives, but due to some error it gives preference to drive C: in most cases. As a result, programs located on the machine's other drives can stay clean for quite a long time;
- sometimes, when an infected file is run, the virus forgets to run the %name%.exe component, so the search and infection procedure is passed on to the ls32.exe component, or simply does not run;
- if an infected file is executed while the %name%.exe component is already loaded for execution, this may cause that component to terminate erroneously and even be deleted from disk;
- sometimes, while going around the directories, the virus forgets to infect a file that meets its criteria, and the file stays clean until the next infection cycle. In the tests, the virus missed about 1-2 files per dozens of infected files;
- in one of the tests the virus incorrectly checked an EXE file for the .rsrc signature in its header and infected it, although this should not have happened (the signature was absent). The size of the infected file grew not by 9004 bytes but about 5 times. But the most interesting thing was that when this file was run, the virus restored and ran it perfectly normally; the file remained fully functional.

Despite all the gaps and errors identified, in the tests I did not find a single file that lost functionality after infection.


4. Other things.

Once loaded for execution, the virus searches the registry for the following key: Control Panel\Cursors. If it finds this key, it looks in it for a value containing the following fragment: Cursors\appstart.ani. The file appstart.ani is a system file, an animated mouse cursor, which according to that record is located in the system subdirectory C:\WINDOWS\Cursors\. This file is present in most versions of Windows. Nevertheless, the virus only checks for the file and nothing more: it does nothing with it and does not affect the operation of the mouse or change the animated cursor. In addition, under some unidentified conditions the virus may change the %letter% value in its key to an upper- or lower-case letter, or may not change it at all, setting, for example, the value "q" or "R" during installation into the system and never changing it again. Why the virus checks or does these things is unclear. In some cases, when the system shuts down, the virus does not manage to close the program window titled "Mellissa" properly, and it becomes available for visual inspection. The fragment Ukraine (Chernivtsi) present in the body of the virus points to the sad and painful fact that some talented programmers from Chernivtsi cannot find any use for their knowledge (or simply do not want to?) other than creating malicious programs. Alas, in recent years such cases occur more and more often, which may lead to very dire consequences ...


5. Detection and removal of the virus from the machine.

Obviously, the virus has already spread widely, and not only in Chernivtsi or Ukraine, because at the time of detection it was detected only by the Romanian antivirus BitDefender Professional, to which it had been sent for study.

At the moment Win32.HLLP.HiDrag.mellissa is detected under the following names:
Kaspersky Anti-Virus: Virus.Win32.Assill.a (since 14.10.2006 it correctly restores files after disinfecting them);
BitDefender Professional: Win32.Assill.A (added to the antivirus database on 10/05/2006; it does not disinfect infected files, only deletes them);
DrWeb: Win32.HLLP.Jeefo.13200 (disinfects files, but does not restore them quite correctly).

Kaspersky Anti-Virus, since 14.10.2006, correctly disinfects and restores all files: some samples of infected files that this antivirus had damaged during restoration (these were compressed program files, in particular ones processed with the compression utility "UPX") were sent to Eugene Kaspersky's antivirus laboratory, and the error in the file-restoration procedure after disinfection was corrected. After a machine is disinfected by the DrWeb antivirus, some programs are unusable and must be reinstalled. This is not related to any damage to the code caused by the virus. The reason is that such programs have a built-in procedure for checking the originality of their own code, which calculates a CRC value over certain pieces of the files' code and compares the result with the original. Such programs include, for example, Nero Burning ROM (software for recording CDs and DVDs), the firewall ZoneAlarm Pro (a program protecting Internet traffic) and some others. Because the code of files disinfected by DrWeb differs slightly from the baseline (before infection), these programs, when run, immediately report a mismatch between the checksum and the original and terminate. The engineers of the BitDefender Professional antivirus did not bother to include a disinfection routine in the information about this virus, so the antivirus can only delete infected files.

To remove the virus from the machine, the following procedure is recommended: run the antivirus installed on the infected computer (if it is infected, the virus will disinfect it) and then, in turn, terminate the processes %name%.exe and ls32.exe in memory, if they are active. The Task Manager can be used for this. Then delete the virus components manually. Then close all open programs (and in no case launch new ones, as this can lead to reinfection of the system) and run the antivirus scanner in disinfection mode. It should be noted that a number of copies of the virus may be present in files with the extension "CHK" (these are files saved by some versions of Windows when the system's Scandisk utility finds bad clusters on the hard disk).
