Win95.ZMorph
Description Win95.ZMorph
These are Win9x viruses infecting PE EXE files (Windows executable files). Their significant feature is a polymorphic engine that the viruses use to hide their code in infected files. This engine modifies the virus code so that no piece of it is stored contiguously in the infected file, in either encrypted or "clear" form. Instead of the "standard" method of appending the virus code to the file as a continuous sequence of [encrypted] code instructions, data areas, etc., the virus addition to infected files looks like a chain of routines of random size, stored in random order at the end of the file; each routine passes control to the next one, and all these routines are polymorphic:

[Diagram: the infected file's code and data, followed by Routine3, Routine1, Routine2, etc., stored in random order at the end of the file; each routine passes control to the next one.]
These routines, using arithmetic instructions of different types (which are totally polymorphic), construct the "clean" virus code double-word by double-word and store it on the stack. At the end of this process the complete "clean" virus code is in the stack, and the last routine jumps there, to the "real virus" code. Because of this method of storing the virus code when infecting, the file length grows by large values, up to 30Kb. The size of the virus addition to the file may be approximated as the "real virus" size multiplied by six (in the case of the 5200-byte virus, the victim file's size grows by about 32K).

ZMorph.2784

This is a memory resident Win9x virus. It switches its code to system driver mode (Ring0), allocates a block of driver memory, copies itself there and hooks two events: reading of port 8888h (used as an "Are-you-here" call to detect an already installed TSR copy of the virus), and the IFS API (file access functions). The virus then returns control to the host file, and the virus TSR copy is then active as a VxD system driver, intercepts file access functions and infects PE EXE files that are accessed. The virus does not manifest itself in any way. It contains the text:

KME.Z0MBiE-4.b

ZMorph.5200

This version of the virus can be found in two variants: as infected PE EXE files, and as a virus "installer", the RUNDLL16.EXE file in the Windows system directory. The virus does not perform any harmful action except scanning Windows memory for AVP Monitor and some other Windows resident anti-virus protection, and disabling it by patching the Monitor's code. The virus contains an encrypted text in Russian, and the virus author's "signature":

z0mbie.cjb.net

When an infected file is executed, the virus polymorphic code gets control, restores the original virus code to the stack and jumps there, to the virus installation routine.
The virus installation obtains the necessary Windows function addresses by scanning the KERNEL32.DLL image in Windows memory (this is usual for most Win32 viruses) and performs two actions: it installs the virus code into the Windows system directory, and it leaves a resident copy of the virus in Windows memory.

Ring0 component

To install itself memory resident, the virus switches its code to system driver mode (Ring0), allocates a block of driver memory, copies itself there and hooks two events: reading of port 8889h (used as an "Are-you-here" call to detect an already installed TSR copy of the virus), and the IFS API (file access functions). The virus then returns control to the host file, and the virus TSR copy is then active as a VxD system driver, intercepts file access functions and infects PE EXE files that are accessed.

RUNDLL16 component

While installing its copy in the Windows system directory the virus creates the RUNDLL16.EXE file there, writes its image to this file in PE EXE form, and spawns it. RUNDLL16.EXE registers itself in the system as a Service Process (invisible task), and registers its file (RUNDLL16.EXE) as an auto-run file. To do that the virus creates the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
rundll16 = rundll16.exe

The virus process then sleeps for several minutes, then scans the subdirectory trees on all fixed drives from C: to Z:, "touches" EXE files there, and as a result forces the Ring0 component to infect them.

Infection

As a result of installation the virus code is present in Windows memory in two copies: the first is a system process that scans all drives and infects files on them; the second copy is active as a system VxD driver that intercepts file access functions and infects PE EXE files that are accessed. While infecting a file the virus parses its internal PE format, increases the size of the last section, runs its polymorphic engine and writes the result to the end of the file.
The virus then modifies the necessary PE header fields, including the program startup address.

ZMorph.Bistro

This is an improved virus version that was found on the Internet(?) in October 2000. This virus uses more complex infection and polymorphic routines, and also has more bugs and often causes the standard Windows message about an error in an application. When run, the virus infects: the EXPLORER.EXE file in the Windows directory; then randomly selects and infects one of the files in the Windows directory (SCANREGW.EXE, CDPLAYER.EXE, NOTEPAD.EXE, MPLAYER.EXE, RUNDLL32.EXE); then .EXE and .SCR files in the Windows directory and its subdirectories; then .EXE and .SCR files in PATH directories; then looks for .EXE and .SCR files on local and remote drives and infects them too. The infection runs in the background, so the virus does not slow down the machine. Each of the infection routines is activated randomly, so the routines listed above may be activated in a different sequence. The virus also fills the gaps between its routines (blocks of code, see the generic description above). It fills these gaps with a randomly selected byte, with the text "still trying to disasm me?", or with similar text in Russian. The virus is also able to change the entry routines of the files it affects. It follows the assembler instructions at the entry point and replaces some of them with their synonyms (for example, the instruction "MOV Reg1,Reg2" can be replaced with two instructions: "PUSH Reg2; POP Reg1"). To infect EXPLORER.EXE (which is locked for writing by Windows), the virus creates a copy of that file with the name EXPLORER.AB, infects it, and adds an instruction to the WININIT.INI file that forces Windows to replace EXPLORER.EXE with the infected copy on the next Windows startup. The virus pays attention to ZIP and RAR archives and looks for EXE files in them. If a file is found, the virus renames it in the archive with the ".EX_" extension (the result looks like "filename.EX_"), and creates its copy in the archive under the name "filename.EXE".
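The infection step described in the Infection section above (grow the last section, append the polymorphic chain there, repoint the program startup address) leaves a shape in the PE headers that a scanner can test for without any signature. The following Python is an added example, not code from this page or from any anti-virus product: it parses PE32 headers with the standard struct module and reports the indicators of an appending infector. The two sample images, the indicator names and the choice of checks are this example's own constructions and assumptions.

```python
"""Heuristic check for the appending-infector pattern (added example)."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (entry_point_rva, [section dicts]) from a PE32 image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HDR, data, pe_off + 24 + opt_size + 40 * i)
        name, vsize, va, rsize, rptr = fields[:5]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rsize": rsize,
                         "rptr": rptr, "chars": fields[9]})
    return entry_rva, sections


def appending_infector_indicators(data):
    """List of indicator strings; an empty list means nothing looked suspicious."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return ["no sections"]
    last = sections[-1]
    findings = []

    def contains(sec, rva):
        return sec["va"] <= rva < sec["va"] + max(sec["vsize"], sec["rsize"])

    entry_sec = next((s for s in sections if contains(s, entry_rva)), None)
    if entry_sec is None:
        findings.append("entry point outside all sections")
    elif entry_sec is last and len(sections) > 1:
        # Compilers put the entry point in the first code section; an appending
        # infector moves it into the grown last section. Some packers do too.
        findings.append("entry point in last section")
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section writable and executable")
    if last["rptr"] + last["rsize"] > len(data):
        findings.append("last section claims data beyond end of file")
    return findings


def build_pe(sections, entry_rva, file_align=0x200):
    """Constructed minimal PE32 (headers only, not a runnable program) for the check.
    sections: list of (name, virtual_address, raw_bytes, characteristics)."""
    pe_off, opt_size = 0x80, 0xE0
    raw_base = -(-(pe_off + 24 + opt_size + 40 * len(sections)) // file_align) * file_align
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<II", opt, 32, 0x1000, file_align)     # Section/FileAlignment
    headers, body, ptr = b"", b"", raw_base
    for name, va, raw, chars in sections:
        rsize = -(-len(raw) // file_align) * file_align
        headers += struct.pack(SECTION_HDR, name, len(raw), va, rsize, ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(rsize, b"\0")
        ptr += rsize
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers
    return image.ljust(raw_base, b"\0") + body


CODE = 0x60000020     # IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ
DATA = 0xC0000040     # IMAGE_SCN_CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE

# Constructed "clean" image: entry point in .text, .data last and not executable.
CLEAN = build_pe([(b".text", 0x1000, b"\xC3" * 0x100, CODE),
                  (b".data", 0x2000, b"\x00" * 0x40, DATA)], entry_rva=0x1000)

# Constructed "infected-looking" image: .data grown by ~28 KB of appended bytes,
# made executable, and the entry point moved into the grown area.
APPENDED = build_pe([(b".text", 0x1000, b"\xC3" * 0x100, CODE),
                     (b".data", 0x2000, b"\x00" * 0x40 + b"\x90" * 0x7000,
                      DATA | IMAGE_SCN_MEM_EXECUTE)], entry_rva=0x2040)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("appended", APPENDED)):
        print(label, appending_infector_indicators(image) or "no indicators")
```

These indicators are triage signals, not verdicts: legitimate packers and self-extracting stubs also place the entry point in a final writable section, so a hit means "look closer", while the page's own description (a 30 KB growth spread over random-sized routines) is what an analyst would then confirm by hand.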
The virus pays attention to anti-virus programs and utilities: NOD, DRWEB, AVP, ADINF, SPIDER, F-PROT, VIRSTOP, HIEW, and to anti-virus data files (.AVC, .VDB). If one of these files is found, the virus corrupts it by writing several text strings to the middle of the file:

[RSA encrypted. (c) V.Bogdanov//KasperskyLab]

When a .DOC, .MP3, .JPG or .XLS file is accessed, the virus in one case out of 100 also corrupts it in the same way. The virus also uses anti-debugging tricks and patches anti-virus memory resident monitors: AVP95, AVPG, GK95, SPIDER.
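Both persistence tricks described above leave plain-text artifacts on disk: ZMorph.5200 writes a "rundll16 = rundll16.exe" value under the Run key, and ZMorph.Bistro queues an EXPLORER.EXE replacement through WININIT.INI. The following Python is an added triage example, not code from this page or from any anti-virus product: it parses a .reg export of the Run key and the [rename] section of a WININIT.INI file and flags the two patterns. The sample inputs are constructed here, and the location of the EXPLORER.AB copy, the "bare filename" heuristic and the lookalike list are this example's assumptions.

```python
"""Triage of Win9x persistence artifacts from text exports (added example)."""
from pathlib import PureWindowsPath

# Value name the page attributes to ZMorph.5200; the set itself is an assumption.
KNOWN_VIRUS_RUN_VALUES = {"rundll16"}
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"
PROTECTED_TARGETS = {"explorer.exe"}      # files whose boot-time replacement is flagged


def run_key_entries(reg_text):
    """Parse a .reg export and return {value_name: command} for every
    ...\\CurrentVersion\\Run key it contains (HKLM or HKCU)."""
    entries = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower().endswith(RUN_KEY_SUFFIX)
            continue
        if in_run_key and "=" in line:
            name, value = line.split("=", 1)
            # .reg files escape backslashes in string data as "\\"
            entries[name.strip().strip('"')] = value.strip().strip('"').replace("\\\\", "\\")
    return entries


def suspicious_run_entries(reg_text):
    """Return [(value_name, command, [reasons])] for Run entries worth a look."""
    flagged = []
    for name, command in run_key_entries(reg_text).items():
        exe = PureWindowsPath(command.split()[0].strip('"')).name.lower()
        reasons = []
        if name.lower() in KNOWN_VIRUS_RUN_VALUES or exe.rsplit(".", 1)[0] in KNOWN_VIRUS_RUN_VALUES:
            reasons.append("name matches known ZMorph.5200 artifact")
        if "\\" not in command and ":" not in command:
            # A bare filename is resolved through the system directory and PATH,
            # which is exactly where the installer drops RUNDLL16.EXE.
            reasons.append("bare filename resolved through system directory or PATH")
        if reasons:
            flagged.append((name, command, reasons))
    return flagged


def wininit_renames(ini_text):
    """Return (destination, source) pairs from the [rename] section of WININIT.INI.
    Windows 9x applies these at boot as destination=source moves (NUL=path deletes)."""
    renames = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "rename" and "=" in line:
            dst, src = (part.strip() for part in line.split("=", 1))
            renames.append((dst, src))
    return renames


def suspicious_renames(ini_text):
    """Rename entries that would overwrite a protected system binary at next boot."""
    return [(dst, src) for dst, src in wininit_renames(ini_text)
            if PureWindowsPath(dst).name.lower() in PROTECTED_TARGETS]


# Constructed sample inputs (not captured from a real machine).
REG_SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"rundll16"="rundll16.exe"
'''

WININIT_SAMPLE = """[rename]
NUL=C:\\WINDOWS\\TEMP\\setup.tmp
C:\\WINDOWS\\EXPLORER.EXE=C:\\WINDOWS\\EXPLORER.AB
"""

if __name__ == "__main__":
    for name, command, reasons in suspicious_run_entries(REG_SAMPLE):
        print(f"Run value {name!r} -> {command!r}: {'; '.join(reasons)}")
    for dst, src in suspicious_renames(WININIT_SAMPLE):
        print(f"WININIT.INI will replace {dst} with {src} at next boot")
```

The ScanRegistry entry is left alone because it carries a full path and a known name, while the rundll16 value is reported for both reasons; on a live Win9x system the same functions would be fed the output of regedit's export and the contents of WININIT.INI in the Windows directory.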
Mgn.2048.a
Description Mgn.2048.a
These are harmless memory resident encrypted parasitic viruses. They were received from the city of Magnitogorsk (Russia). The viruses hook INT 8, 13h and 21h and write themselves to the end of COM and EXE files that are executed or closed; the COMMAND.COM file is infected by the algorithm of the "Lehigh" virus. The viruses disinfect infected files that are opened, and they do not infect files when the Num, Ins and Ctrl keys are pressed at the same time. Therefore the simplest way to cure a computer infected by such viruses is to process all COM and EXE files in all directories on all disks with any anti-virus program while holding Num-Ins-Ctrl pressed, and then to reboot the computer. The viruses contain the string "COMMAND". "Mgn.2560.c" replaces disk type 50h with 51h in the Partition Table (these disk types are used by the Disk Manager utility). "Mgn.2048" "overturns" (flips) the screen hourly. "Mgn.2048.b" contains the text:

Shadow & Safe
"Mgn.2560.a,b,c" periodically display:

+--------------------------------------+
|            Mr. Lozinsky !            |
|   Just read documentation on your    |
|    AIDSTEST (1-Oct-90 version) we    |
|  release new virus. Create improved  |
|    versions of AIDSTEST, please !    |
|(C) TinySoft&Electronics,Inc. 3-Nov-90|
+--------------------------------------+
"Mgn.3000" sets the screen colors to white/blue/red (the colors of the Russian national flag).
MGTU.273
Description MGTU.273
This is a dangerous, very primitive, non-memory resident parasitic virus. It searches for all .COM files in the current directory using the FCB from the PSP, then writes itself to the end of each file. The virus does not manifest itself in any way. It contains text in Russian: "This program is written in MGTU by a student of group IU4" (MGTU is a Moscow college).