Virus Database

Win32.Orez

Description Win32.Orez

This is not a dangerous polymorphic Windows virus. The known virus version "pure" code is 5780 bytes in length, but while infecting files it increases their length by 6279 bytes. The virus has bugs and in some cases corrupt files while infecting them - when run they are terminated with standard Windows error message.
When the virus code is activated, it looks for PE EXE files (Windows executable files) and writes itself to the end of the file. Depending on the file structure the virus either increases the size of last file section and writes its code to there, or overwrites data in the last section (see infection routine description below). To infect files the virus searches for them in the Windows directory. The virus then gets names of files that are listed in the Windows Start Menu, and infects them too. The virus gets their names by parsing LNK files in directory that is pointed in the system registry key:
SoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersStart Menu

The virus counts files while infecting them and does not infect more than ten files on one run.
The virus has a payload routine that is activated depending on the system date. On Friday that falls on 13th of month the virus displays the MessageBox:
VirusInfo - Ready for infection
The Axelle Bailey/iKx/ Virus - OreZRatS [Ikx] (C) 1999
Greets to: Reptile and SSR for the ideas
Bozo for the motivations
In honor of Axelle Bailey and

On October 9th the virus runs several threads that in endless loop display the messages:
A kiss to!
A kiss to Axelle Bailey !

The virus also contains the text strings:
Dedicated to Federrico ;)
CCALLBACK

Infection
The virus has three interesting features in its infection engine. The first of them looks similar to the "Win95.SK" virus - it writes its code to the Relocation (Fix-up) section by overwriting its data, and zeroes the reference to relocation info in the PE header. Usually Windows applications do not use data from this section, and programs affected in this way do work with no side effect.
If the last section in victim file is relocation section, the virus overwrites relocation data with virus code. In case the last section is not relocation, the virus increases its size for its code. It seems that the virus intends to keep the file length with no changes in case its code fill in relocation section, but file length is increased anyway because of a bug.
The second feature of the virus also looks similar to the mentioned about "Win95.SK" virus - this is Entry Point Obscuring technology used to make virus detection and disinfection procedure more complex. Using this way of infection the virus does not modify the program's entry address to get control when an infected file is executed, but locates a place to patch victim's code with Jump_Virus instruction. In this way the virus code gets control not at the moment the infected program starts, but only in case the patched program's branch takes control.
To locate the code to patch the virus scans the Import data and looks to "ExitProcess" function imported by the victim file from the KERNEL32.DLL, then scans victim's code section for "CALL ExitProcess" instruction, and then writes Jump_Virus code to the place the victim calls ExitProcess. In case such function is not found, the virus looks for the "exit" function imported from MSVCRT.DLL (Microsoft Visual C++ run-time library) and patches corresponding instruction in victim file. If no such imports found, the virus scans 500 bytes of file's entry routine, looks for CALL or JMP routine, and replace it with its Jump_Virus patch.
So, the virus code usually is activated when patched program's "Exit" routine is executed, and the control is passed to the Jump_Virus instruction. This instruction passes control to virus polymorphic decryptor.
The polymorphic decryptor is the third virus feature it is necessary to pay attention. The code of the decryptor may be found in infected files not as a one block of code, but as a set of instructions at different addresses in the file, linked with "Jump_Next" opcodes. To sparse its decryption loop instructions the virus gets program's code section and scans it for standard C/C++ routines footer followed with a nonused bytes to align next routine by paragraph (16 bytes alignment). The virus detects such "caves" in code segment, makes a "map" of them and then, when its polymorphic engine starts, fills them with polymorphic decryptor code.
In case the virus cannot locate enough "caves" in code section, it writes the decryption loop to the end of its encrypted code.
It is also necessary to note that the polymorphic engine uses a randomizer that is initialized by PE header TimeStamp field. As a result while infecting the same file the virus will create the same decryption loop.

Check other viruses! Be aware! Use Antiviral Software

Quake.960.a

Description Quake.960.a

It's a not memory resident not dangerous encrypted virus. It searches for a COM- and EXE-files and infects them by a standard manner. This virus is not memory resident but it can leave the small memory resident program in memory. This program hooks INT 8 (timer) and sometimes 'shakes' the screen. This virus also contains the text strings:
[Quake-O]
By Dark Angel of PHALCON/SKISM '92
Assistance by Demogorgon on Quake-O routines
.. *.exe *.com

Quandary

Description Quandary

It is a harmless memory resident stealth boot virus. The code of the virus is partly encrypted. The virus hooks INT 13h and writes itself to the MBR of the hard drive and boot sectors of the 1.44M floppy disks. The virus checks the disks for some program (boot driver? some other boot virus?), and infects these disks without alteration of the original boot sectors.

Home