Virus analysis for beginners - we analyze Virus.Win32.MTV
I finally found the time not just to analyze the malware, but also to write another article on this topic. Let's start, perhaps. Today we will analyze the virus Virus.Win32.MTV.4608.a, which was discovered back in 2000. Let the date of detection of the virus does not bother you - never analyze the virus even such old. You can take it at vx.netlux.org.
Required tools: any disassembler or debugger of your choice.
So, load our test file into any disassembler or debugger. We see quite a pleasant code for analysis - no packaging, no obfuscation, no anti-debugging - everything is clearly visible. Immediately struck by the line: "Copyright 1989-2000 Borland Inc. Borland C ++ run-time library ”, which determines the language and version of the compiler in which this virus was written. We begin, directly, the analysis of the functionality of the virus in great detail. Program execution begins at the following location:
00401000> MOV ESI, Virus.004032A8
00401005 MOV ECX, 2D
0040100A> MOV AL, BYTE PTR DS: [ESI]
0040100C XOR AL, 3
0040100E MOV BYTE PTR DS: [ESI], AL
00401010 INC ESI
00401011 ^ LOOPD SHORT Virus.0040100A
')
This cycle performs the decoding of string constants located at 0x004032A8 size 0x2D bytes. After decryption we get this:
Further the following code will be executed:
It is easy to see that the program determines its location on the disk, opens its own file for reading, finds out its size and loads it into a specially allocated area of ​​memory. What for? Let's understand further. And now we note that for any unfavorable event for a program, it displays a message box and shuts down Windows:
Now pay attention to the following place:
004010CD CMP EAX, 1200
004010D2 JE Virus.004011D2
Here the program compares its physical size with the constant 0x1200 and, depending on this operation, continues its execution in various ways. The size of the current file is also 0x1200. You can make the assumption that this instance of the program is the source file of the virus, which will later be confirmed. See what happens if the file size is different from 0x1200:
First, the program creates a temporary file, and then decrypts a certain area of ​​memory in the following cycle:
00401152> MOV AL, BYTE PTR DS: [ESI]
00401154 XOR AL, 3
00401156 MOV BYTE PTR DS: [ESI], AL
00401158 INC ESI
00401159 ^ LOOPD SHORT Virus.00401152
Encryption is a simple byte XOR. What area of ​​memory does the program decode? This area is the buffer in which the program has previously recorded the contents of the current executable file, and the decryption begins at an offset of 0x1200. You have not guessed what is happening? We look further - after this, the program writes the decrypted data into a temporary file and launches the latter for execution, passing the current command line parameters. Now we can safely say that this program infects executable files in the most primitive way, encrypting their contents and dumping the resulting encrypted data into an overlay of its own file, which is written instead of the program to be infected. And when it starts, the virus decrypts the overlay, saves it to a temporary file and launches the source program for execution. Simple and trite.
We now find out what happens next:
Then the program starts another stream and waits for the completion of both the source program and the thread created. What happens in the created thread?
The program determines whether a copy of the virus is already running on the system by checking the existence of the global identifier “MTV-2” - if it exists, then a copy of the virus is already running, otherwise this identifier is created, after which another virus function is called. Let's see what she does:
As expected, this is a recursive crawl of folders on the disk that infects all the executable files found. I was interested in two points here. The first - the function proceeds to processing the next file only after 5 seconds due to the WinAPI delay by the Sleep function. From this it follows that the virus will go through all the files very, very slowly and hang on the task list all the time. Well, the following code:
004013C6 PUSH Virus.004032D6
004013CB CALL JMP. & KERNEL32.GetSystemTime
004013D0 CMP WORD PTR DS: [4032DC], 0D
004013D8 JNZ SHORT Virus_Wi.004013E6
004013DA PUSH Virus.004031A6
004013DF CALL JMP. & KERNEL32.DeleteFileA
If today is the 13th of any month, then the function deletes all found files ... This is where all the poor functionality of this virus ends.
Conclusions: today we have disassembled a virus simple in the device and fast in writing, the creation of which does not require special knowledge and can be done by almost any novice programmer. At the same time, the functionality of the virus is also extremely poor. It can be seen that the programmer had no craving for creativity - everything was aimed at quick results. Although ... I absolutely can not understand for what purpose this virus, in general, is intended? After 10 years of malware has taken a big step in its development.
Required tools: any disassembler or debugger of your choice.
So, load our test file into any disassembler or debugger. We see quite a pleasant code for analysis - no packaging, no obfuscation, no anti-debugging - everything is clearly visible. Immediately struck by the line: "Copyright 1989-2000 Borland Inc. Borland C ++ run-time library ”, which determines the language and version of the compiler in which this virus was written. We begin, directly, the analysis of the functionality of the virus in great detail. Program execution begins at the following location:
00401000> MOV ESI, Virus.004032A8
00401005 MOV ECX, 2D
0040100A> MOV AL, BYTE PTR DS: [ESI]
0040100C XOR AL, 3
0040100E MOV BYTE PTR DS: [ESI], AL
00401010 INC ESI
00401011 ^ LOOPD SHORT Virus.0040100A
')
This cycle performs the decoding of string constants located at 0x004032A8 size 0x2D bytes. After decryption we get this:
Further the following code will be executed:
It is easy to see that the program determines its location on the disk, opens its own file for reading, finds out its size and loads it into a specially allocated area of ​​memory. What for? Let's understand further. And now we note that for any unfavorable event for a program, it displays a message box and shuts down Windows:
Now pay attention to the following place:
004010CD CMP EAX, 1200
004010D2 JE Virus.004011D2
Here the program compares its physical size with the constant 0x1200 and, depending on this operation, continues its execution in various ways. The size of the current file is also 0x1200. You can make the assumption that this instance of the program is the source file of the virus, which will later be confirmed. See what happens if the file size is different from 0x1200:
First, the program creates a temporary file, and then decrypts a certain area of ​​memory in the following cycle:
00401152> MOV AL, BYTE PTR DS: [ESI]
00401154 XOR AL, 3
00401156 MOV BYTE PTR DS: [ESI], AL
00401158 INC ESI
00401159 ^ LOOPD SHORT Virus.00401152
Encryption is a simple byte XOR. What area of ​​memory does the program decode? This area is the buffer in which the program has previously recorded the contents of the current executable file, and the decryption begins at an offset of 0x1200. You have not guessed what is happening? We look further - after this, the program writes the decrypted data into a temporary file and launches the latter for execution, passing the current command line parameters. Now we can safely say that this program infects executable files in the most primitive way, encrypting their contents and dumping the resulting encrypted data into an overlay of its own file, which is written instead of the program to be infected. And when it starts, the virus decrypts the overlay, saves it to a temporary file and launches the source program for execution. Simple and trite.
We now find out what happens next:
Then the program starts another stream and waits for the completion of both the source program and the thread created. What happens in the created thread?
The program determines whether a copy of the virus is already running on the system by checking the existence of the global identifier “MTV-2” - if it exists, then a copy of the virus is already running, otherwise this identifier is created, after which another virus function is called. Let's see what she does:
As expected, this is a recursive crawl of folders on the disk that infects all the executable files found. I was interested in two points here. The first - the function proceeds to processing the next file only after 5 seconds due to the WinAPI delay by the Sleep function. From this it follows that the virus will go through all the files very, very slowly and hang on the task list all the time. Well, the following code:
004013C6 PUSH Virus.004032D6
004013CB CALL JMP. & KERNEL32.GetSystemTime
004013D0 CMP WORD PTR DS: [4032DC], 0D
004013D8 JNZ SHORT Virus_Wi.004013E6
004013DA PUSH Virus.004031A6
004013DF CALL JMP. & KERNEL32.DeleteFileA
If today is the 13th of any month, then the function deletes all found files ... This is where all the poor functionality of this virus ends.
Conclusions: today we have disassembled a virus simple in the device and fast in writing, the creation of which does not require special knowledge and can be done by almost any novice programmer. At the same time, the functionality of the virus is also extremely poor. It can be seen that the programmer had no craving for creativity - everything was aimed at quick results. Although ... I absolutely can not understand for what purpose this virus, in general, is intended? After 10 years of malware has taken a big step in its development.
Source: https://habr.com/ru/post/136103/
All Articles