Date: March 11, 1999
Tel.: 137-0150, 135-6253
The virus is very nasty: upon starting certain anti-virus programs (even Doctor Web, if the user has not renamed its executable module drweb.exe in time) it deletes all files on all logical drives.
At present, the virus is detected by only one scanner, Doctor Web! It escapes detection by other scanners through an ingenious infection strategy: the virus does not modify the beginning of the program, but attaches itself in the middle of the file, in a randomly chosen area of one of the program functions that is likely to be called only under specific circumstances. When such an infected file is started, the virus may never receive control if the "host" function is not called by the program itself. The virus may hibernate "for years" in the file until the program or its user performs some action (for example, pressing F1) that transfers control to the particular function in which the virus is "residing."
Such a file infection engine has thus far been employed only in the advanced polymorphic viruses of the Zhengxi family, which appeared in St. Petersburg in 1995. The only scanner that eradicates these viruses today is Doctor Web, into which Igor Daniloff has incorporated a sophisticated deep scanning technique. Doctor Web easily suppressed the Zhengxi epidemic at its incipient stage, and the viruses of this family failed to proliferate far and wide.
Probably for this reason, and because of the serious technical hurdles involved, other anti-virus developers did not pay proper attention to the Zhengxi viruses, regarding them as purely laboratory specimens. Even now only a few scanners are able, in principle, to detect these viruses. Moreover, they are detected only when the virus prepends itself to a file (which does not always happen, so such detection is unreliable) or when the scanner applies redundant scanning (which slows scanning down by a factor of tens; consequently, nobody resorts to such a technique). Nonetheless, Doctor Web reliably detects all these viruses and, most importantly, does so in its standard scanning mode.
Let us recall that Doctor Web (more precisely, its architect, Igor Daniloff) has a wild "fascination" for complex polymorphic viruses. This has been observed repeatedly in international anti-virus comparative tests. This overscrupulousness, in particular about the exotic Zhengxi viruses, enabled Igor Daniloff to respond to the new virus challenge in time. Doctor Web 4.04 (both its traditional 16-bit and its 32-bit beta version), released on February 16, 1999, is capable of detecting this new virus. No other scanner thus far recognises it. In this context, it seems somewhat premature to expect modern scanners to demonstrate the widely claimed ability to prepare a "medicine" within 48 hours.
We strongly recommend that all our subscribers and authorised dealers upgrade to Doctor Web Version 4.04 (or higher). You should also rename the executable module of Doctor Web on your machine to prevent the virus from wreaking havoc when this scanner is started.
You can download the beta version of DrWeb for Win32 v4.04 free from
Below we reproduce Daniloff's brief description of the new virus. For more details, see DialogueScience's Internet server at http://www.antivir.ru/inf/win95sk.htm
DialogueScience Information Service
E-mail: antivir@DIALS.ru
http://www.antivir.ru
Win95.SK.7977 is a very hazardous resident polymorphic virus which infects Portable Executable (PE) files (executable files of Windows 95/98) and HELP files of Windows 95/98, and writes a copy of itself into ARJ, HA, RAR, and ZIP archives.
While infecting PE files, the Win95.SK.7977 virus does not modify the start address of the program. Instead it scans the program's code, starting from its beginning, to find certain specific byte strings. Such strings are contained, as a rule, in all programs written in high-level compiled languages (Pascal, C++, ...), since program functions usually begin with certain instructions (for example, "PUSH EBP; MOV EBP,ESP").
On detecting the desired bytes, the virus verifies whether the detected program function is at least 168 bytes long (there must be no RET instruction within those 168 bytes). If the check succeeds, the virus stores the address of this function (the address of the detected byte string) and continues the search. After the scan is complete, if at least one function suitable for infection has been found, the virus chooses one address at random from the addresses of the functions it has detected.
If no suitable function is found, the virus chooses the program start address instead. At the chosen place it installs the first 168 bytes of its polymorphic code, which decrypts the main virus body. The term "polymorphic" means that this decryptor is composed of a random instruction sequence, chosen afresh every time a new file is infected. Therefore, to detect this virus a scanner must examine a much larger portion of the program code, searching for something whose exact form is unknown.
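The selection rule described above determines where a scanner has to look: not only at the entry point, but at every function prologue that is followed by a RET-free window of 168 bytes, since the decryptor may sit at any one of them. The following Python script is an added example (it is not code from DialogueScience, Doctor Web, or the virus) that enumerates those scan points over a raw x86 code section. It assumes the "PUSH EBP; MOV EBP,ESP" prologue as the only byte string searched for, treats the RET test as a plain byte scan for the four RET opcodes rather than a disassembly, and uses a constructed code section built inline; none of those details is stated on the page.

```python
# Added example: list the offsets in a code section that a scanner must examine
# for a mid-function infector that picks its host function the way the
# description of Win95.SK.7977 states. Not code from the page, Doctor Web,
# or the virus; the prologue pattern and byte-level RET test are assumptions.

PROLOGUE = b"\x55\x8b\xec"              # PUSH EBP; MOV EBP,ESP (32-bit x86)
RET_OPCODES = {0xC3, 0xC2, 0xCB, 0xCA}  # RET, RET imm16, RETF, RETF imm16
WINDOW = 168                            # size of the decryptor that gets planted


def candidate_functions(code: bytes, window: int = WINDOW) -> list[int]:
    """Offsets of every prologue followed by `window` bytes containing no RET.

    Assumption (not stated on the page): the RET test is a plain byte scan,
    so a 0xC3 appearing inside an operand also rejects the window. That errs
    on the side of reporting fewer candidates than a disassembler would.
    """
    sites = []
    pos = code.find(PROLOGUE)
    while pos != -1:
        region = code[pos:pos + window]
        # A prologue too close to the end of the section cannot hold the window.
        if len(region) == window and not any(b in RET_OPCODES for b in region):
            sites.append(pos)
        pos = code.find(PROLOGUE, pos + 1)
    return sites


def scan_points(code: bytes, entry: int, window: int = WINDOW) -> list[int]:
    """Offsets a scanner must check: every candidate function, or, when the
    section offers none, the program entry point the virus falls back to."""
    sites = candidate_functions(code, window)
    return sites if sites else [entry]


def build_sample() -> bytes:
    """Constructed code section (NOP filler) with three prologues: one that
    qualifies, one followed by an early RET, one too close to the section end."""
    nop = b"\x90"
    code = bytearray(nop * 16)                      # entry stub at offset 0
    code += PROLOGUE + nop * (WINDOW - 3)           # offset 16: RET-free window
    code += nop * (200 - len(code))
    code += PROLOGUE + nop * 10 + b"\xc3" + nop * (WINDOW - 14)  # offset 200: RET at +13
    code += nop * (400 - len(code))
    code += PROLOGUE + nop * 20                     # offset 400: only 23 bytes left
    return bytes(code)


if __name__ == "__main__":
    sample = build_sample()
    print("candidate functions:", candidate_functions(sample))   # [16]
    print("scan points:", scan_points(sample, entry=0))          # [16]
    print("fallback without prologues:", scan_points(b"\x90" * 300, entry=0))  # [0]
```

The point of the exercise is the cost it exposes: on a real binary with thousands of qualifying prologues, a scanner that checks only the entry point misses the virus entirely, while one that examines every candidate window pays for each of them, which is why the description insists that a much larger portion of the code must be scanned.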
An infected HELP file creates, via macro commands, a 380-byte program with a random name on drive C: and starts it. This program, receiving as a parameter the name of the file that generated it, decrypts the encrypted virus body in that file and passes control to the decrypted virus code, which installs a resident copy of the virus in memory if one is not already present.
The virus infects a new file (executable, archive, or Help) only after one minute has elapsed since the previous infection.
Win95.SK.7977 is a merciless brute. Upon starting a program whose name begins with "ADIN" or "AVPI", or on opening a file whose name begins with "_AVP", "AVP", "VBA", or "DRW", the virus deletes all files on all logical drives and then "hangs" the system through the Fatal_Error_Handler function.