Win95.ZMorph

Win95.ZMorph

These are Win9x viruses infecting PE EXE files (Windows executable files). The viruses have a significant feature - a polymorphic engine that is used by viruses to hide their code in infected files. This polymorphic engine modifies the virus code so that there is not a single piece of virus code continuously stored in an infected file, in any encrypted and "clear" form.

Instead of the "standard" method of appending the virus code to the file as a continuous sequence of [encrypted] code instructions, data areas, e.t.c., the virus addition to infected files looks like a chain of routines of random size, randomly stored at the end of the file; each routine passes control to the next one, and all these routines are polymorphic:


 +-------------+

 |Infected file|

 |code and data|

 +-------------+           <--------+

 |+-----+      |  Routine3 ---------|--+

 |+-----+      |                    |  |

 |             |                    |  |

 |             |                    |  |

 | +-------+   |                    |  |

 | +-------+   |  Routine1  -----+  |  |

 . . .                           |  |  |

 . . .                           |  |  |

      +----+                     |  |  |

 |    +----+   |            <----+  |  |

 |+---+        |  Routine2  --------+  |

 |+---+        |                       |

 |       +----+|                       |

 |       +----+|  e.t.c     <----------+

 +-------------+

By using arithmetic instructions of different types (which are totally polymorphic) these routines construct "clean" virus code double-word by double-word, and store them on the stack. At the end of this process the "clean" and complete virus code is stored in the stack, and the last routine jumps to there to the "real virus" code.

Because of such a method to store the virus code while infecting, the files length grows by large values - up to 30Kb. The size of the virus addition to the file may be approximated as "real virus" size multiplied by six (in case of 5200 bytes virus the victim files size grows by about 32K).

ZMorph.2784

This is a memory resident Win9x virus. It switches its code to system driver mode (Ring0), allocates a block of driver's memory, copies itself to there and hooks two events: port 8888h reading (is used for "Are-you-here" call to detect already installed TSR virus copy), and IFS API (files access functions). The virus then returns control to the host file. The virus TSR copy is then active as VxD system driver, intercepts file access functions and infects PE EXE files that are accessed.

The virus does not manifest itself in any way. It contains the text:


 KME.Z0MBiE-4.b

ZMorph.5200

This version of the virus can be found in two variants: as infected PE EXE file, and as a virus "installer" - RUNDLL16.EXE file in the Windows system directory.

The virus does not perform any harm action except scanning Windows memory for AVP Monitor and some other Windows resident anti-virus protection, and disabling it by patching Monitor's code.

The virus contains an encrypted text in Russian, and virus author's "signature":


 z0mbie.cjb.net

When an infected file is executed, the virus' polymorphic code gets control, restores the original virus code to the stack and jumps to there - to the virus installation routine. The virus installation gets the needed Windows functions addresses by scanning the KERNEL32.DLL image in Windows memory (this is usual for most of Win32 viruses) and performs two actions: installs virus code into the Windows system directory, and leaves virus resident copy in Windows memory.

Ring0 component

To install itself memory resident the virus switches its code to system driver mode (Ring0), allocates a block of driver's memory, copies itself to there and hooks two events: port 8889h reading (is used for "Are-you-here" calls to detect already installed TSR virus copy), and IFS API (files access functions). The virus then returns control to the host file, and virus TSR copy is then active as VxD system driver, intercepts file access functions and infects PE EXE files that are accessed.

RUNDLL16 component

While installing its copy in Windows system directory the virus creates the RUNDLL16.EXE file in there, writes to this file its image in PE EXE file form, and spawns it. The RUNDLL16.EXE registers itself in the system as Service Process (invisible task), and registers its file (RUNDLL16.EXE) as auto-run file. To do that the virus creates the registry key:


 HKLM\Software\Microsoft\Windows\CurrentVersion\Run  rundll16 = rundll16.exe

The virus process then sleeps for several minutes, then scans subdirectory trees on all fixed drives from C: till Z:, "touches" EXE files there, and as a result forces Ring0 component to infect them.

Infection

As a result of installation the virus code is present in Windows memory in two copies: the first one is a system process that scans all drives and infects files on them; the second copy is active as system VxD driver that intercepts file access functions, and infects PE EXE files that are accessed.

While infecting a file the virus parses its internal PE format, increases size of the last section, runs its polymorphic engine and writes the result of it to the end of the file. The virus then modifies the necessary PE header fields, including program startup address.