Tuesday, July 19, 2011

Win32.Parasite (aka Win32.Parite.b, Parite.2)

VirusHunter warns computer users about the mass distribution of the dangerous file virus Win32.Parasite (aka Win32.Parite.b, Parite.2), which infects Win32 programs and screen savers ...


A detailed description of the virus Win32.Parasite.

1. How the virus reaches a machine.

The main source of the virus's spread is, as usual, file-exchange networks. The virus can get into the directory of installed software on a machine through file-sharing software, through infected software distributions, or through infected programs sent to you by friends. Unfortunately, most people stubbornly ignore anti-virus programs or simply do not update their anti-virus databases, which lets the virus "wake up" on their machines. As a result, infected computers become breeding grounds that pass the virus on to tens or even hundreds of other computers. CDs and DVDs recorded on such supposedly "clean" machines are also a potential hazard, since some of the files recorded to the disc will themselves be infected. Catching the virus from flash drives (USB Flash Memory Storage) or floppy disks used for transport or storage is also quite possible.


2. Installation in the system.

Win32.Parasite is a resident polymorphic encrypted virus (an encrypted virus that uses a complex mechanism for varying the structure of its code in the bodies of the files it infects), a parasite that spreads using the bodies of Windows applications (PE files, which carry the "PE" signature in their header; these include 32-bit programs written in high-level languages such as C++ Builder, Borland Turbo Pascal (Delphi) and others, built to run under Windows). It is capable of running on all Windows systems existing to date.
The virus cannot exist as a standalone program (that is, as a working file containing only the virus code), because it is made as a logical software unit: it has no header of its own and therefore no "entry point" (the place in a file's header from which the start address of the program is read and from which execution begins). It is embedded in Windows applications and uses the headers of the infected files to gain control and launch. It attacks files with the extensions "EXE" (programs and self-extracting archives/installers) and "SCR" (desktop screen savers).
The virus code consists of two components:
1. The dropper (the activator of the main program), about 1.5-2 kb in size, written in a low-level language (machine instructions): Assembler. This component decrypts the main virus component, restores it, installs it in the system and runs it, and also launches the infected program itself.
2. The main component, which searches for and infects files. It is a DLL (a Windows dynamic-link library) written in a high-level language, Borland C++ (a 1999 release). In the body of an infected file this component is stored compressed and encrypted: first packed with the "UPX" utility, then encrypted on top of that; the key to the encryption is held by the dropper component of the virus.
When an infected file is run on a clean machine, control passes to the dropper code (a kind of "master" routine), which decrypts the main component, copies it to disk as a temporary file (see below) and then executes it. Once it has control, the main component queries the system for the %windir% and %temp% parameters, thereby determining the location of the Windows system directory and of the temporary-files directory (the "TEMP" subdirectory). Typically these are:
for Windows 9X/ME: C:\WINDOWS and C:\WINDOWS\TEMP respectively;
for Windows 2K/XP: C:\WINDOWS and C:\Documents and Settings\%UserName%\Local Settings\TEMP respectively, where %UserName% is the name of the current user's profile directory.
The main component copies its code to a TMP file:
for Windows 9X/ME: C:\WINDOWS\TEMP\*.tmp
for Windows 2K/XP (two files with different names): C:\WINDOWS\Temp\*.tmp and C:\Documents and Settings\%UserName%\Local Settings\TEMP\*.tmp
In place of the asterisk the file is given a random 7-character name, which may contain digits as well as upper- and lower-case letters, for example: dha71C1.tmp, jjb8244.tmp, etc.
Obviously, under Windows 2K/XP the number of TMP files and the location of each depend on the number of users of the infected machine.
This TMP file (176,128 bytes in size) manages all of the virus's processes. The file is compressed with the "UPX" utility; the virus deliberately overwrites the start of the UPX-packed code to make unpacking the file harder. After the damaged pieces of code are restored and the file is unpacked, its original size is 410,624 bytes. Of this, the code with malicious functionality accounts for only about 74 kb of the total file size; all the other logical blocks contain the various runtime support routines of Borland C++ inserted by the compiler when the virus program was built.
The main component of the virus takes control at every Windows startup and remains resident in memory until the system is shut down. This is achieved by a registry entry specially created by the virus in the key shown below, containing a value named "PINF" whose data, written hex-encoded for disguise, names the object to be run: the malicious TMP file located either in the system temporary-files directory (for Windows 9X/ME) or in the current user's temporary-files directory (for Windows 2K/XP). With this activation method, the viral DLL file with the "TMP" extension is loaded automatically by the system at every startup into the address space of the system process Explorer.exe, as one of its modular components.
(Figure: the registry entry created by the virus, with the value name "PINF" and its hex-encoded data.)

3. Infection of PE EXE and SCR files on the machine and on a local (office) network.

After an infected file is run on a clean machine, the virus begins searching for all PE EXE/SCR system files in the following folders: for Windows 9X/ME: C:\WINDOWS\*.exe, C:\WINDOWS\*.SCR, C:\WINDOWS\SYSTEM\*.exe, C:\WINDOWS\SYSTEM\*.SCR; for Windows ...\*.Exe, C:\WINDOWS\SYSTEM32\dllcache\...\*.Scr. It then checks them for authenticity and for certain additional specific conditions, and copies its code from the running infected file into every program file it found. The virus code is appended to the end of the file. So that it gains control when the infected file is run, the virus modifies the original program's header: it changes the "entry point", replacing the original start address with a reference to the start of the virus code located at the end of the file, and it encrypts the information about the original start address of the infected program and writes it at the end of its own code. As a result of these manipulations the file after infection looks as follows:
(Figure: layout of an infected file, with the header's entry point redirected to the virus code appended at the end of the file.)

How an infected file runs will be discussed in detail below (section 4).
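As an added example (not part of the original post, and not code from the virus), here is a defender's heuristic check in Python for the layout just described: it parses the PE header and section table and flags an executable whose entry point has been redirected into the last section or into a writable section. The parser, the finding strings and the two constructed sample images are this example's own assumptions.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000       # PE section characteristic flags

def parse_pe(data):
    """Return (entry_rva, [(name, va, vsize, characteristics), ...]) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)   # COFF header
    opt = pe + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                             # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", data, off + 8)
        sections.append((name, va, vsize, struct.unpack_from("<I", data, off + 36)[0]))
    return entry_rva, sections

def entry_point_findings(data):
    """Flag the appended-tail pattern: entry point moved into the last or a writable section."""
    entry_rva, sections = parse_pe(data)
    owner = next((i for i, (_, va, vs, _) in enumerate(sections) if va <= entry_rva < va + vs), None)
    if owner is None:
        return ["entry point lies outside every section"]
    name, _, _, chars = sections[owner]
    findings = []
    if len(sections) > 1 and owner == len(sections) - 1:
        findings.append(f"entry point in last section '{name}'")
    if chars & MEM_WRITE:
        findings.append(f"entry section '{name}' is writable")
    return findings

def build_pe(entry_rva, sections):
    """Constructed minimal PE32 image (headers and section table only) used as test input."""
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))                 # DOS stub, e_lfanew
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    img += struct.pack("<H14xI", 0x10B, entry_rva).ljust(0xE0, b"\0")              # optional header
    for name, va, vsize, chars in sections:
        img += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, va, vsize, 0, 0, 0, 0, 0, chars)
    return bytes(img)

CODE, DATA = MEM_EXECUTE | 0x20, MEM_WRITE | 0x40     # IMAGE_SCN_CNT_CODE / CNT_INITIALIZED_DATA
# Constructed samples: a normal layout, and one whose entry point was moved into a writable tail section.
CLEAN = build_pe(0x1000, [(b".text", 0x1000, 0x2000, CODE), (b".data", 0x3000, 0x1000, DATA)])
INFECTED = build_pe(0x4000, [(b".text", 0x1000, 0x2000, CODE), (b".data", 0x3000, 0x1000, DATA),
                             (b".tail", 0x4000, 0x2C800, CODE | MEM_WRITE)])
```

Run `entry_point_findings(open(path, "rb").read())` on a real file; an empty list means the entry point is in a normal code section, which does not prove the file is clean, only that this particular pattern is absent.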
Before infecting each file, to hide its presence on the machine, the virus reads the file's attributes and its modification date and time, infects the file, and then restores these values. This technique makes a visual search for modified files harder. The size of a file grows by approximately 178 kb after infection; there is no exact value, because the virus appends, together with its code, a quantity of service information about the changes made to the code of the infected file. After the system folder and its subfolders have been infected, the virus pauses its search process for a while so that the infected files are less noticeable. Infection proceeds in two ways:
1. The virus randomly selects a few directories on one of the machine's logical drives, scans their subdirectories to the third level of nesting, identifies all files eligible for infection, checks them for authenticity, for the presence of a PE header and for some additional specific conditions, and then infects them.
2. The virus monitors system calls to interrupt int 21h (DOS program calls), reads the location of the program file being run, and then infects all files in the current directory and in all nested folders to the third level of nesting. The virus then waits for the current program to close and infects it too. In this case, before the program closes, the virus may load the TMP component into its address space, as it does with the system process Explorer.exe.
Since the complete virus code is contained only in infected files, the virus looks for such files in the subdirectories of the system folders listed above and copies its own code from them into the files being infected. The virus can also create a log in virtual memory during the session and store in it the names and disk locations of a number of already-infected files, so as to go on using them as "donors" of the code when infecting new files.
Each file is infected only once (the virus checks for its presence in the victim file by looking for a specific code signature corresponding to the dropper component). Under Windows 2K/XP, system messages of the following form may start to appear:
(Figure: the Windows system message about replaced system files.)

This is associated with the system checking the authenticity of its own component files located in certain subdirectories (in particular \WINDOWS\ and \WINDOWS\System32\).


Infection over a local (office) network.

The virus infects files on internal hard disks and on writable removable media (floppy disks, flash drives). It also looks for and infects files on all network drives available for writing. The virus mistakenly takes network printers for network drives and tries to infect them too; as a result, when data is sent to the printer, the printer may start printing junk characters (the contents of the virus code) instead of the user's requested data.


4. How an infected file runs.
The potential risk of losing data because of errors made by the virus.

When an infected file is run, the virus dropper code gets control first and checks the following conditions: the presence of the virus's key in the system registry, and the presence of the TMP file in the prescribed location and whether it is active. After this check, if all conditions are met, the dropper component decrypts and reads from the end of the file the start address of the original program, launches it for execution, and then quits:
(Figure: control flow when an infected file is run on an already-infected machine.)

If the conditions are not met (for example, when an infected file is run on a clean machine), the virus is first installed in the system, and only after that is the original program from the infected file started.
The virus's procedures associated with running an infected file contain a number of errors, because of which the following problems frequently occur:
1. When the infected file is run, the virus code hangs, and as a result the infected program crashes.
2. When the original program is loaded into memory, it freezes almost immediately after opening because of a conflict caused by the incorrect termination of the current copy of the virus.
In the second case, as experiments with the virus on a test machine showed, not only the current program but the system as a whole may hang (first of all this applies to Windows 9X/ME). The machine then does not respond to any commands except a double press of Ctrl+Alt+Del (reboot). This incident can become a real cause of the loss of any unsaved data in all programs active at the moment of the system hang, and of any unsaved open documents. Moreover, in most cases infected files whose start "failed" through the fault of the virus remain inoperable until they are disinfected; as noted, these are mainly components of large programs that require significant system resources and are several hundred kb or more in size.
5. Detecting the virus and disinfecting machines.

At the time of writing, anti-virus software detects the virus under the following names:
Kaspersky AntiVirus: Virus.Win32.Parite.b (cures infected files)
BitDefender Professional: Win32.Parite.B (cures infected files)
DrWeb: Win32.Parite.2 (cures infected files)
After disinfection some programs are unusable and must be reinstalled. The reason is a procedure built into such programs to check the authenticity of their own code, which computes the so-called CRC value (checksum) of certain portions of the file's code and compares the values obtained with the original. Such programs include, for example, Nero Burning ROM (software for recording CDs and DVDs), the firewall ZoneAlarm Pro (a program protecting Internet traffic) and some others. Because disinfected files retain in their headers a number of bytes modified by the virus, these programs immediately report a mismatch between the checksum and the original value when run, and terminate. It should be noted that a number of copies of the virus may be present in files with the extension "CHK" (these are files saved by some versions of Windows when the system utility Scandisk finds bad clusters on the hard disk). Since it would be extremely difficult for an average user to disinfect the virus, because during disinfection under a running Windows the virus can re-infect files that have already been disinfected (not to mention that the virus scanner itself may be infected), the best solution to the virus problem, in my opinion, is to move the hard drive to another, uninfected machine, connect it there as a secondary drive, and then disinfect all the information on it. The TMP files created by the virus can simply be deleted.
Research of the malicious code and writing of the description: Broido Herman (aka VirusHunter)
Date created: 02/26/2005
Date of last change: 30.05.2005
Author of the description: Broido Herman (aka VirusHunter)
