Date: August 20, 1998
Tel.: 137-0150, 135-6253
Please note that Dr.Web v.4.01 is unable to detect Win95.Inca infection in some PE executables. The 32-bit beta of Dr.Web for Win32, however, identifies this virus reliably in any file type. We are now preparing the release of Dr.Web v.4.02, which will detect all polymorphic variants of Win95.Inca.
The new add-on for Doctor Web version 4.01 also helps you locate Win95.Inca on your system. You can do this manually as well, by checking the contents of \WINDOWS\SYSTEM: if that folder contains a file named FONO98.VXD, your system has definitely been hit by Win95.Inca. The absence of that file does not prove the system is clean, however: an infected PE executable that has not yet been run leaves no VxD behind.
To prevent a viral epidemic and to detect malware early, we recommend scanning your file system daily with ADinf, a disk integrity checker. ADinf detects the file modifications made by Win95.Inca.
After this "assembly", the virus uses the algorithm typical of this type of virus to obtain the addresses of the KERNEL32.DLL functions it needs. It then creates a DOS executable, C:\W95INCA.COM, which is a virus dropper. The dropper's polymorphic 16-bit code was generated at an earlier stage (when the host PE file was infected), so the virus makes no extra effort to create a polymorphic copy at this point. Win95.Inca closes the newly created dropper, launches it and, after some delay, deletes it. The virus then returns control to the infected PE host. All these actions are performed by the virus code contained in the PE host, so an infected PE executable can itself be considered a dropper.
When launched, C:\W95INCA.COM determines the Windows home folder (by reading the WINDIR environment variable) and tries to create the file FONO98.VXD in \WINDOWS\SYSTEM. If this succeeds, the virus unpacks (using a simple algorithm) the 32-bit VxD driver carried inside its 16-bit DOS code and writes it to FONO98.VXD. Then Win95.Inca opens SYSTEM.INI, locates the "[386Enh]" section and inserts the line "device=fono98.vxd" immediately under the section name. After this (or if "device=fono98.vxd" is already present in SYSTEM.INI, or if FONO98.VXD already exists in \WINDOWS\SYSTEM, or if the virus fails to locate the Windows home folder), the virus exits to DOS.
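The two traces the dropper leaves behind, the FONO98.VXD file and the device= line under [386Enh], can be checked and cleaned without the Dr.Web add-on. The following Python script is an added example written for this page; it is not DialogueScience code and does not reproduce any virus code. The SYSTEM.INI text and the directory it scans are constructed samples, and the INI parser is hand-written because [386Enh] legitimately repeats the device= key, which a key-value INI parser would collapse.

```python
import re
import tempfile
from pathlib import Path

# The line the dropper inserts directly under [386Enh]. SYSTEM.INI keys are
# not case-sensitive, so the match ignores case and stray whitespace.
INCA_DEVICE_LINE = re.compile(r"^\s*device\s*=\s*fono98\.vxd\s*$", re.IGNORECASE)


def parse_ini_sections(text: str) -> dict[str, list[str]]:
    """Group the non-comment lines of an INI file by section name (lower-cased).

    Duplicate keys are kept in order: [386Enh] carries many device= entries,
    so a dict-of-keys parser would lose all but one of them.
    """
    sections: dict[str, list[str]] = {}
    current = ""  # lines before the first [section] header
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif line and not line.startswith(";"):
            sections.setdefault(current, []).append(line)
    return sections


def find_inca_device_lines(system_ini: str) -> list[str]:
    """Return the device=fono98.vxd lines found under [386Enh]."""
    return [ln for ln in parse_ini_sections(system_ini).get("386enh", []) if INCA_DEVICE_LINE.match(ln)]


def remove_inca_device_lines(system_ini: str) -> str:
    """Return SYSTEM.INI with the virus's device= line(s) removed and every other line intact.

    The pattern is specific enough that the line is dropped wherever it occurs.
    """
    kept = [ln for ln in system_ini.splitlines() if not INCA_DEVICE_LINE.match(ln)]
    return "\n".join(kept) + ("\n" if system_ini.endswith("\n") else "")


def fono98_present(system_dir: Path) -> bool:
    """True if FONO98.VXD exists in the given \\WINDOWS\\SYSTEM directory (case-insensitive)."""
    return any(p.is_file() and p.name.lower() == "fono98.vxd" for p in system_dir.iterdir())


# Constructed sample: a SYSTEM.INI as the dropper would leave it, with the
# virus line sitting immediately under the [386Enh] header.
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe

[386Enh]
device=fono98.vxd
device=*vshare
device=*vcd
"""


def build_sample_system_dir(infected: bool) -> Path:
    """Create a temporary stand-in for \\WINDOWS\\SYSTEM (constructed; dummy file contents)."""
    d = Path(tempfile.mkdtemp(prefix="inca_system_"))
    (d / "VMM32.VXD").write_bytes(b"\0" * 16)
    if infected:
        (d / "FONO98.VXD").write_bytes(b"\0" * 16)
    return d


if __name__ == "__main__":
    print("device lines:", find_inca_device_lines(SAMPLE_SYSTEM_INI))
    print(remove_inca_device_lines(SAMPLE_SYSTEM_INI))
    print("FONO98.VXD present:", fono98_present(build_sample_system_dir(infected=True)))
```

Removing the device= line only stops the driver from loading at the next boot; FONO98.VXD itself and the infected PE hosts that dropped it still have to be dealt with, and the same check applies to the boot-sector variant described further down, which writes the identical line.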
During the next reboot, the system loads and activates FONO98.VXD, which immediately deletes HSFLOP.PDR, the system's protected-mode floppy port driver, from \WINDOWS\SYSTEM\IOSUBSYS. Then Win95.Inca extracts from its own body and loads into memory three different polymorphic copies:
Win95.Inca's IFSMgr handler intercepts "open file" operations. When an EXE or SCR file is opened, the virus checks its internal format. If the file is a Portable Executable, the virus infects it by adding a randomly named code section to the PE section table and placing its polymorphic code in the newly created section.
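A quick structural check for the infection pattern just described is to parse the section table and ask which section owns the entry point: the description has the virus run before the host regains control, so the appended, randomly named last section must be where execution starts. The following Python is an added example written for this page, not DialogueScience's detection logic and not a signature for Win95.Inca. The set of "normal" code-section names is an assumption, the two PE images are constructed header-only samples built in the script (the section name XQZW is a made-up stand-in for a random name), and the heuristic also fires on some legitimately packed executables, so treat a hit as a reason to scan, not a verdict.

```python
import struct

# Assumption: names that compilers and linkers commonly give the code section.
# Any other name holding the entry point as the last section is worth a look.
KNOWN_CODE_SECTIONS = {".text", "CODE", ".itext", "TEXT"}

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes):
    """Return (entry_point_rva, [(name, rva, size, characteristics), ...]) for a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    optional = coff + 20                                  # IMAGE_OPTIONAL_HEADER
    (entry_rva,) = struct.unpack_from("<I", data, optional + 16)  # AddressOfEntryPoint
    sections = []
    offset = optional + size_of_optional                  # section table follows the optional header
    for _ in range(num_sections):
        name, vsize, vaddr, rawsize, *_rest, chars = SECTION_HEADER.unpack_from(data, offset)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, max(vsize, rawsize), chars))
        offset += SECTION_HEADER.size
    return entry_rva, sections


def entry_section(data: bytes):
    """(index, name) of the section whose address range contains the entry point, or None."""
    entry_rva, sections = parse_pe(data)
    for i, (name, rva, size, _chars) in enumerate(sections):
        if rva <= entry_rva < rva + size:
            return i, name
    return None


def looks_like_appended_infection(data: bytes) -> bool:
    """Heuristic: the entry point lives in the LAST section and that section has a non-standard name."""
    _entry_rva, sections = parse_pe(data)
    hit = entry_section(data)
    if hit is None:
        return False
    index, name = hit
    return index == len(sections) - 1 and name not in KNOWN_CODE_SECTIONS


def build_pe(sections, entry_rva: int) -> bytes:
    """Build a header-only PE32 image (constructed sample; carries no code and is not runnable)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    optional = bytearray(224)                             # PE32 optional header, zero-filled
    struct.pack_into("<H", optional, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<I", optional, 16, entry_rva)       # AddressOfEntryPoint
    table = b"".join(
        SECTION_HEADER.pack(name.encode("ascii"), size, rva, size, 0, 0, 0, 0, 0, chars)
        for name, rva, size, chars in sections
    )
    return dos_header + b"PE\0\0" + file_header + bytes(optional) + table


CODE = 0x60000020   # IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = 0xC0000040   # IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed clean layout: entry point inside .text.
CLEAN_PE = build_pe([(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, DATA)], entry_rva=0x1100)
# Same layout plus an extra executable section with a made-up name that now owns the entry point.
INFECTED_PE = build_pe([(".text", 0x1000, 0x2000, CODE), (".data", 0x3000, 0x1000, DATA),
                        ("XQZW", 0x4000, 0x800, CODE)], entry_rva=0x4000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, entry_section(image), looks_like_appended_infection(image))
```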
When an archive file (LHA, LZH, PAK, ZIP, ARJ or RAR) is opened, the virus appends its 16-bit polymorphic code (the COM worm) to the archive, modifies the archive header to mark the new entry as uncompressed (the "store" method), and gives it a random 4-character name with a COM or EXE extension (for instance, AAAA.COM or ABCD.EXE).
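Of the archive formats listed, ZIP is the easiest to check from its central directory alone: the entry the virus adds is stored uncompressed and carries a four-character name with a COM or EXE extension. The following Python is an added example written for this page (not DialogueScience code; it handles ZIP only, not LHA/LZH/PAK/ARJ/RAR). The name pattern is generalized from the two examples in the description and remains a heuristic, since a stored file called, say, TEST.COM can be perfectly legitimate; the archive it scans is constructed in memory, with a few dummy bytes standing in for the worm.

```python
import io
import re
import zipfile

# Generalized from the examples in the description (AAAA.COM, ABCD.EXE):
# four upper-case letters plus a COM or EXE extension.
INCA_ENTRY_NAME = re.compile(r"^[A-Z]{4}\.(COM|EXE)$")


def suspicious_entries(zip_bytes: bytes) -> list[str]:
    """Names of entries that are both stored (method 0) and match the Inca naming pattern."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.compress_type == zipfile.ZIP_STORED and INCA_ENTRY_NAME.match(info.filename):
                hits.append(info.filename)
    return hits


def build_sample_zip(with_worm_entry: bool) -> bytes:
    """Constructed archive: ordinary deflated files plus, optionally, a stored dummy entry in the virus's style."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here", compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("setup.exe", b"MZ" + b"\0" * 62, compress_type=zipfile.ZIP_DEFLATED)
        if with_worm_entry:
            # Dummy payload standing in for the 16-bit worm (not the real code), appended
            # last and stored uncompressed, as the description says the virus does.
            zf.writestr("QWER.COM", b"\xb4\x4c\xcd\x21", compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_entries(build_sample_zip(with_worm_entry=True)))
    print(suspicious_entries(build_sample_zip(with_worm_entry=False)))
```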
When MIRC32.EXE (an Internet chat client) is started, the virus appends two lines, "[fileserver]" and "Warning=Off", to MIRC.INI. The virus also creates (or overwrites) the files SCRIPT.OLD, SCRIPT.INI, INCA.EXE and REVENGE.COM.
INCA.EXE contains the 16-bit polymorphic worm code. REVENGE.COM contains 231 bytes of trojan code that overwrites CMOS memory. SCRIPT.INI contains an mIRC worm. Whenever MIRC32.EXE is run with this SCRIPT.INI, the script launches INCA.EXE. SCRIPT.INI (the mIRC worm) and INCA.EXE (the virus dropper) are then sent to other computers taking part in chat sessions. If, during a chat session, a remote user types "el_inca", SCRIPT.INI launches REVENGE.COM. By typing "ancev", the remote user gains access to drive C of the infected computer. If the remote user types "_29A_", MIRC32.EXE terminates.
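The mIRC side of the infection leaves several artefacts in the mIRC folder at once, which makes it a good target for a small triage script. The following Python is an added example written for this page (not DialogueScience code): it checks for the dropped file names, for the [fileserver] Warning=Off setting in MIRC.INI, for the 231-byte size of REVENGE.COM and for the three trigger strings inside SCRIPT.INI. The folder it scans is a constructed sample with placeholder contents; in particular, its SCRIPT.INI contains nothing but the trigger words and is not the worm script.

```python
import configparser
import tempfile
from pathlib import Path

DROPPED_FILES = ("SCRIPT.INI", "SCRIPT.OLD", "INCA.EXE", "REVENGE.COM")
TRIGGER_WORDS = ("el_inca", "ancev", "_29A_")   # remote commands honoured by the worm's SCRIPT.INI
REVENGE_SIZE = 231                               # size of the CMOS-overwriting trojan


def scan_mirc_dir(mirc_dir: Path) -> list[str]:
    """Return human-readable findings for a mIRC installation folder."""
    findings: list[str] = []
    files = {p.name.upper(): p for p in mirc_dir.iterdir() if p.is_file()}

    for name in DROPPED_FILES:
        if name in files:
            findings.append(f"dropped file present: {name}")

    ini = files.get("MIRC.INI")
    if ini is not None:
        # strict=False tolerates repeated keys, allow_no_value tolerates bare lines.
        cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
        cp.read_string(ini.read_text(errors="replace"))
        if cp.get("fileserver", "Warning", fallback="").strip().lower() == "off":
            findings.append("MIRC.INI: [fileserver] Warning=Off (file-server warnings silenced)")

    script = files.get("SCRIPT.INI")
    if script is not None:
        text = script.read_text(errors="replace").lower()
        for word in TRIGGER_WORDS:
            if word.lower() in text:
                findings.append(f"SCRIPT.INI contains trigger string {word!r}")

    revenge = files.get("REVENGE.COM")
    if revenge is not None and revenge.stat().st_size == REVENGE_SIZE:
        findings.append(f"REVENGE.COM is exactly {REVENGE_SIZE} bytes")

    return findings


def build_sample_mirc_dir(infected: bool) -> Path:
    """Create a temporary mIRC folder. Every file is a constructed placeholder, not the real thing."""
    d = Path(tempfile.mkdtemp(prefix="inca_mirc_"))
    (d / "MIRC32.EXE").write_bytes(b"MZ" + b"\0" * 62)
    mirc_ini = "[mirc]\nnick=demo\n"
    if infected:
        mirc_ini += "[fileserver]\nWarning=Off\n"          # the two lines the virus appends
        (d / "SCRIPT.INI").write_text("; placeholder: trigger words only\nel_inca ancev _29A_\n")
        (d / "INCA.EXE").write_bytes(b"MZ" + b"\0" * 62)
        (d / "REVENGE.COM").write_bytes(b"\xcc" * REVENGE_SIZE)
    (d / "MIRC.INI").write_text(mirc_ini)
    return d


if __name__ == "__main__":
    for line in scan_mirc_dir(build_sample_mirc_dir(infected=True)):
        print(line)
```

Any one of these findings on its own is weak (a user may have turned the file-server warning off deliberately), but the combination of the four dropped names, the disabled warning and the trigger strings is specific to this infection.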
Win95.Inca's Int 13h handler intercepts access to the boot sector of drive A. The handler tries to infect the floppy by replacing the original boot loader with polymorphic code, and it also writes copies of itself onto the disk.
If the system is booted from such a disk, the virus loader places the virus code in memory and hooks Int 1Ch (the timer) and Int 21h. The Int 21h handler has only one objective: to create, as soon as possible, FONO98.VXD in C:\WINDOWS\SYSTEM and to register it under "[386Enh]" in SYSTEM.INI; that is, it performs essentially the same function as the dropper C:\W95INCA.COM. The difference is that C:\W95INCA.COM determines the Windows folder by reading the WINDIR variable, whereas the Int 21h handler drops the virus into a fixed folder, C:\WINDOWS\SYSTEM. After making this attempt (regardless of its result), the virus releases Int 21h and disables its copy in memory.
The virus body contains the text string "El Inca virus".
The size of Win95.Inca's VxD driver is 15327 bytes.
Formally, all objects infected by Win95.Inca can be considered virus hosts or droppers, except for the VxD driver. The VxD driver loads its copy into memory, and it is this resident copy that infects all other objects. However, it does not infect its own kind, i.e. other VxD drivers. The VxD driver is therefore only an infection carrier, not an infected object.
DialogueScience Information Service
E-mail: antivir@DIALS.ru
http://www.antivir.ru