Prevent Online Threats

Archive for June, 2008

Win32.AOC

Saturday, June 28th, 2008

This is a benign, non-memory resident, parasitic, polymorphic Win32 virus. It searches for PE EXE files in the current, Windows and Windows system directories and infects them. The virus infects .EXE files as well as .DLL libraries. While infecting, the virus writes itself to the end of the file.
The virus avoids several anti-virus programs by recognising them from the first two letters of the file name and leaving those files uninfected: AV*, AN*, DR*, ER*, OD*, TB*, F-*.
Depending on its “generation,” the virus displays the following text:
< [AOC] - Anvil of Crom virus Coded by Bumblebee/29a >

Win32.Andras

Saturday, June 28th, 2008

This is a direct-action (non-memory resident) parasitic polymorphic Win32 virus. It searches for PE EXE files with .EXE and .SCR extensions, first in the current directory, then in the Windows and Windows system directories, then in all subdirectories on all available local drives, and infects them. While infecting, the virus writes itself to the end of the file. File searching and infection run in the background, so an infected application does not start noticeably slower.
The virus checks file names and does not infect the following files:
AP*, PA*, F-*, AV*, SC*, VS*, IV*, DR*.
The virus corrupts the following anti-virus data files:
ANTI-VIR.DAT CHKLIST.MS CHKLIST.DAT CHKLIST.TAV CHKLIST.CPS AVP.CRC IVB.NTZ SMARTCHK.MS SMARTCHK.CPS
Starting from 2001, on the second of each month the virus randomly increases the size of randomly selected files, by up to 1Mb.
The virus contains the “copyright” string:
*ANDRAS* by Pointer=&Hell

Win2K.Team.a

Saturday, June 28th, 2008

Team is a Windows 2000/XP compatible companion virus using the “stream companion” infection method. This method is based on an NTFS feature that allows the creation of multiple data streams associated with a file.
NTFS Streams
Each file contains at least one default data stream that is accessed just by the file name. Each file may also contain additional stream(s) that can be accessed by their own names (filename:streamname).
The default file stream is a file body itself (in pre-NTFS terms). For instance, when an EXE file is executed the program is read from the default file stream; when a document is opened, its contents are also read from the default stream.
Additional file streams may contain any data. The streams cannot be accessed or modified without reference to the file. When the file is deleted, its streams are deleted as well; if a file is renamed, its streams follow its new name.
Windows has no standard tools to view/edit file streams. To “manually” view file streams you need to use special utilities such as the FAR utility with a file streams support plug-in (Ctrl-PgDn displays file streams for the selected file).
Virus Execution
The virus itself is a Windows application (PE EXE file) about 4K in size. When run, it executes the host file and tries to infect all EXE files in the current directory. If the host file is absent, the virus shows the following message before infecting files:

While infecting a file, the virus creates a new stream associated with the victim file; this stream is named “ccc”, i.e. the complete stream name is “FileName:ccc”. The virus then moves the victim file’s body to the “ccc” stream and overwrites the victim file’s body (the default stream) with its own virus code.
During infection, Team makes a copy of itself under the name 2002. After infection is complete Team deletes this file.
As a result, when the infected file is executed Windows reads the default stream that was overwritten by the virus code and executes it.
Windows reports the same file size for all infected files.
To return control to the host program, the virus creates a new process from the original program by opening it under the name FileName:ccc.
This infection method should work on any NTFS system, but the virus checks for the system version and runs only under Win2000/XP.

Win2K.Stream.a

Friday, June 27th, 2008

This is the first known Windows virus using the “stream companion” infection method. This method is based on an NTFS feature that allows for the creation of multiple data streams associated with a file.
NTFS Streams
Each file contains at least one default data stream that is accessed just by the file name. Each file may also contain additional stream(s) that can be accessed by their own names (filename:streamname).
The default file stream is the file body itself (in pre-NTFS terms). For instance, when an EXE file is executed, the program is read from the default file stream; when a document is opened, its contents are also read from the default stream.
Additional file streams may contain any data. The streams cannot be accessed or modified without reference to the file. When a file is deleted, its streams are deleted as well; if a file is renamed, the streams follow the new name.
Windows ships no standard tools to view or edit file streams. To “manually” view file streams, you need special utilities, for instance the FAR utility with its file-streams support plug-in (Ctrl-PgDn displays the file streams of the selected file).
Virus Operation
The virus itself is a Windows application (PE EXE file) compressed with the Petite PE EXE compressor and is about 4K in size. When run, it infects all EXE files in the current directory and then returns control to the host file. If any error occurs, the virus displays the message:

While infecting a file, the virus creates a new stream associated with the victim file; that stream is named “STR”, i.e. the complete stream name is “FileName:STR”. The virus then moves the victim file’s body (the default stream, see above) to the STR stream and overwrites the victim file’s body (default stream) with its own (virus) code.
As a result, when an infected file is executed, Windows reads the default stream (now overwritten by the virus code) and executes it. Also, Windows reports the same size for all infected files: the virus length.
To return control to the host program, the virus simply creates a new process from the original program by opening it under the name “FileName:STR”.
This infection method should work on any NTFS system, but the virus checks the system version and runs only under Win2000.
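
Both stream-companion descriptions above (Win2K.Stream and Win2K.Team) give the same two observable symptoms: every infected executable shows the same size and the same visible body, and the original program survives in a named stream (FileName:STR or FileName:ccc). The Python script below is an added example, not code from the original page; it clusters executables in a directory whose default streams are byte-identical and, on Windows/NTFS only, probes for the two companion stream names (the file:stream path syntax is assumed to be NTFS-specific, and the files used in the test are constructed).

```python
"""Heuristic detector for NTFS "stream companion" infections of the kind
described for Win2K.Stream and Win2K.Team.  Added example, not code from
the original page.

Symptoms used:
  1. every infected file has had its default stream overwritten by the same
     virus body, so the visible bodies of infected executables are identical
     (and therefore all the same size);
  2. the original program survives in a named stream (FileName:STR or
     FileName:ccc), visible only when that stream name is opened explicitly.
"""
import hashlib
import os
import sys
from collections import defaultdict

# Stream names used by the two viruses described on the page.
COMPANION_STREAMS = ("STR", "ccc")


def sha256_of(path):
    """Hash the default stream (the visible file body)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def named_stream_size(path, stream):
    """Return the size of path:stream, or None if absent or not checkable.

    Assumption: only NTFS understands the 'file:stream' syntax; elsewhere a
    colon is an ordinary filename character, so the probe is skipped.
    """
    if not sys.platform.startswith("win"):
        return None
    try:
        return os.stat(f"{path}:{stream}").st_size
    except OSError:
        return None


def identical_body_clusters(directory, min_members=2):
    """Group .exe files whose default streams are byte-identical.

    Returns {sha256: [paths]} for clusters of at least min_members files.
    A companion virus that overwrites every host with its own body produces
    exactly such a cluster, all members reporting the virus length as size.
    """
    by_hash = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".exe"):
            continue
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            by_hash[sha256_of(path)].append(path)
    return {h: p for h, p in by_hash.items() if len(p) >= min_members}


def scan(directory):
    """Return a list of (path, reason) findings for one directory."""
    findings = []
    for paths in identical_body_clusters(directory).values():
        size = os.path.getsize(paths[0])
        for p in paths:
            findings.append(
                (p, f"body identical to {len(paths) - 1} other exe(s), {size} bytes"))
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        for stream in COMPANION_STREAMS:
            size = named_stream_size(path, stream)
            if size:
                findings.append((path, f"named stream :{stream} present ({size} bytes)"))
    return findings


if __name__ == "__main__":
    for path, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {reason}")
```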

Win16.Vicodin.1175

Friday, June 27th, 2008

This is a dangerous non-memory resident parasitic Windows virus. When an infected file is executed, the virus takes control, searches for NewEXE (Windows 3.xx) files and infects them. While infecting a file, the virus appends its code to the code segment that contains the program entry point and shifts down the rest of the file.
To do that, the virus parses the NewEXE header, calculates the offset and size of the code segment, moves the rest of the file down (block by block), and injects its code into the “cave”. The virus then increases the size of the affected code segment, modifies the entry point address and fixes the file offsets of the other NewEXE tables.
The virus has bugs and, while infecting some NewEXE files, halts the system. The virus contains the text string:
Damn.Poppy by VicodinES and the Narkotic Crew

Win16.Vecna.832

Friday, June 27th, 2008

This is a memory resident Windows 3.xx parasitic virus. It infects NE EXE files. While infecting, the virus looks for a “cave” in the file structure: an unused block between the end of the first file segment and the beginning of the next one. If 152 bytes are free, the virus writes its loader there and modifies the NE header so that this loader takes control when the infected file is executed. The virus then saves its complete code to the end of the file without further changes to the NE header (as overlay code).
When an infected file is executed, the loader routine takes control. It reads the rest of the virus code from the end of the file and leaves it in system memory: it allocates a block of memory and hooks INT 21h using DPMI calls. The virus then infects NE EXE files as they are executed.
The virus does not manifest itself in any way. It contains the text strings:
[BONK] by Vecna/29A (c) 1998
New technology for old header formats

Win16.RedTeam

Friday, June 27th, 2008

This virus infects Windows EXE files (NewExe) and sends itself over the Internet using the Eudora e-mail client; it is the first known virus that infects Windows and spreads via the Internet. To infect files, the virus stays in Windows memory and infects NE files as they are executed. To infect Eudora e-mail, the virus parses the internal format of the mail database and adds “infected” messages. The virus can spread to the Internet only if Eudora is installed on the computer, but recipients of infected messages may use any standard e-mail system, not only Eudora.
Of course, the virus cannot run itself automatically from an infected message, and it cannot infect the system when an infected message is opened and read. For the virus to spread, the infected EXE attachment has to be extracted and executed, and the text of the message is written to convince the user to do exactly that.
The virus was not found in the wild, but if released it could be a real danger to the global computer network, because it spreads through the most popular OS (Windows) and one of the most popular e-mail clients (Eudora).
The virus code and data are 4766 bytes long. The virus was named after text strings present in its body (they are encrypted in infected files):
<<-RED TEAM->> (C) The Soul Manager.
Made in Australia - 06.97.
So, so, Herr Kurtzhals - Is F/Win able to follow The Red Team?

Infecting EXE
While infecting NewEXE files, the virus does not create a new segment; it calculates the address of the code segment, moves the rest of the file down and writes itself into that cave. The virus increases the size of the code segment and so becomes part of the legitimate program’s code. The virus also fixes the necessary fields in the NE header and relocation tables. It then modifies the initial entry point address or, in the case of KRNL286/386.EXE, patches the addresses of system routines.
When an infected file is executed in a non-infected environment, the virus takes control and looks for the Win16 Kernel module (KRNL286.EXE or KRNL386.EXE). When this file is located, the virus opens and infects it. The virus does not alter the entry point address; instead it changes the address of the WINEXEC or INITTASK routine. Under Windows 3.xx the virus sets a new address for the WINEXEC routine; under Windows95/NT it does the same with the INITTASK routine (because Windows95/NT does not call WINEXEC).
To distinguish the KRNL?86.EXE modules of Windows 3.xx from those of Windows95/NT, the virus uses the name of the exported CALLPROC32W function, which is present only in 32-bit Windows95/NT.
The virus then returns control to the host program and performs no other actions. As a result, on its first execution the virus leaves no code in system memory; it only infects the Windows Kernel16 module.
Going memory resident
When Windows is loaded with an infected Kernel, the virus stays in system memory as part of the Kernel; no special action is needed because the virus code is placed in the same code segment as the original Kernel routines. The virus also does nothing to hook system events, because they were already hooked during infection: the address of WINEXEC or INITTASK already points to the virus handler.
Under Windows 3.xx the virus hooks WINEXEC, so it infects files as they are executed. It does this in a quite clever way: it immediately passes control to the original WINEXEC handler and then infects the file in the background, so there is no delay when applications are started in an infected environment. That is quite important for the virus, because Windows 3.xx is usually installed on old, slow PCs, and delays on execution may alert the user.
Under Windows95/NT the virus hooks INITTASK, so it intercepts control when programs register themselves in the system. With the help of the GetExePtr function the virus then obtains module handles for all active NE applications and infects them.
Infecting E-mail
While infecting a file, with probability 1/8 (depending on the key used to encrypt the text strings), the virus modifies its code so that the newly infected file will activate a routine that drops infected e-mail messages into the Eudora outbox. When such a file is executed in the directory where the Eudora databases are placed, the virus opens the Eudora data files NNDBASE.TOC, OUT.TOC and OUT.MBX. The first file (the “Nick names database”) is used by the virus to get the names of the recipients to whom it will send an infected message. The infected message is placed in OUT.MBX (the Outbox database) and the necessary references are placed in the OUT.TOC file.
The message has the subject “Red Team” and contains the text below and an attached EXE file:
———————————————————————-
Hiya!
Just thought I’d warn you about a destructive new e-mail virus.
Here is some info:
> The “Red Team” virus is a complex new computer virus that spreads via
> the Microsoft Windows operating system, and Internet E-Mail. Although
> it is not the first virus to spread via E-Mail (that was “Good Times”),
> the Red Team virus is unparalelled in its destructive capabilities.
> Further more, the virus is exceedingly common - it has already been
> reported in much of western Europe, the USA, Russia, Australia, and
> Japan. In short, everywhere.
>
> We at QUEST, have spent several weeks analysing this virus, and are proud
> to anounce that we finally have a cure! The program, named “K-RTEAM”
> (Kill Red Team), can be executed in any Microsoft Windows environment, and
> will reliably detect (and remove if nescessary) the Red Team virus from
> your system buffers.
>
> –
> Julia Blumin
> QUALCOMM Enterprise Software Technologies
> World Wide Web: http://www.qualcomm.com
The reason I thought I should warn you, is that we recently had a run in
with this beast. Luckily we managed to get a copy of the excellent
‘K-RTEAM’ programme before the destruction really started. Just in case
you should suffer the same misfortune, I have included this programme for
you too.
Bye!
P.S. Make sure you warn all your friends of this new threat!
———————————————————————-

This text is stored compressed in the virus body, so the virus decompresses it before saving it to the Eudora outbox. The attached EXE file has an NE header, is named K-RTEAM.EXE (“Kill Red Team”) and is 6351 bytes long. It is an infected do-nothing program (the virus creates it on the C: drive as C:\K-RTEAM.EXE) that only spreads the virus on the computer. At the beginning and end of this file there are the text strings:
K-RTEAM - Red Team Anti-Virus
K-RTEAM
Red Team Virus Found!
Remove Virus?
Virus Removed!
Could not Remove Virus!

The virus does not send messages twice from the same infected computer. To achieve that, the virus creates the RTBASE.TOC file while sending infected messages. Next time, the virus looks for that file and terminates the e-mail infection routine if the file is present in the directory.
In-lab
The virus replicates under Windows 3.xx and showed no side effects during lab experiments: all files were infected correctly, the programs were not corrupted, and Windows did not display any warning or error messages.
The virus also stored its dropper in the Eudora outbox without problems. The infected messages were then sent via the Internet and correctly received.
Under Windows95/NT the virus has a problem: it cannot infect KRNL386.EXE and as a result cannot install itself memory resident. The bug is quite stupid: the virus reserves a Word (DW) for the variable “NE Header Offset” but uses it as a DoubleWord (DD). The second Word of that DoubleWord is the Windows version flag: 0 for Windows 3.xx, FFFFh for Windows95/NT. So under Windows95/NT the virus reads a wrong value from that variable.
Despite this, files infected under Windows 3.xx do work under Windows95/NT without any problem and may infect the Eudora database just as under Windows 3.xx. Moreover, that stupid bug may easily be fixed, and a Windows95-compatible version might be released by the virus author.

Win16.Klon.11776

Friday, June 27th, 2008

This is a non-dangerous, non-memory resident, parasitic Win16 virus.
The virus itself is a Win16 executable (NE EXE file) about 11-13Kb long (depending on the virus version). It is written in Turbo Pascal for Windows.
When the virus runs, it looks for Win16 and Win32 EXE files (NE and PE) on the available drives and infects them. While infecting, the virus moves the victim file body down and writes its own code to the beginning of the file. To return control to the host program, the virus “disinfects” the host file into a temporary “.DLL” file and spawns it.
While working, the virus may also create its “droppers” (pure virus EXE code) in the Windows system directory; the file names depend on the virus version:
SYSTEM0.EXE, SYSTEM1.EXE, SYSTEM9.EXE, ANTIA.EXE, ANTIB.EXE
Some virus versions also register these files in the auto-run section of the WIN.INI file:
[windows]
run=
Depending on its “generation” and other conditions, the virus displays the following message boxes:
klon!
Najemnik Virus Version 3.0
AntiAnti
One virus version looks for active anti-virus programs by searching for the following strings:
viru
mks_
avp
antiviral
then moves that application’s window off the desktop and tries to terminate the application.
The viruses contain the text strings:
“Klon.11776″:
Idea:SaddamHusseinDiskValidator Amiga!
“Klon.12800,13056″: AntiAntiVirus AAV AntiAntiVirus AAV

Win16.HLLP.Hiro.10240

Friday, June 27th, 2008

Hiro is a non-dangerous, non-memory resident parasitic virus written in Pascal. It is a 16-bit NE EXE file that also works under Windows 3.xx. The virus contains the text string:

Hiroshima end 000 v1.2000:0000

The virus looks for EXE files in the Windows directories and writes itself to the beginning of the files. The directories ‘Hiro’ searches are:

C:\WINDOWS
C:\WINDOWS\SYSTEM

The Hiro virus creates a list of files before infecting them. The file list is stored under the following name:

C:\SETWIN.TMP

Each time an infected computer is started the virus changes the system date to:
August 5, 1995

Win16.Gollum

Thursday, June 26th, 2008

This is a parasitic virus that “stays resident” under Windows and Windows95, hooks disk file access and infects DOS EXE files. It is a multipartite virus, because it affects two different platforms, Windows and DOS. The virus infects neither Portable Executable (PE) nor New Executable (NE) Windows EXE files, but stays in Windows as a VxD driver to intercept and infect DOS EXE files. So the virus does not infect Windows files but Windows memory, and it does not infect DOS memory but does infect DOS EXE files.
When an infected DOS EXE file is executed, the virus only drops its VxD (the GOLLUM.386 file), registers it in the Windows SYSTEM.INI file, returns to the host program and performs no other action. When Windows starts, it loads this virus VxD; the virus takes control, hooks the V86 interrupt chain and then infects DOS EXE files. The GOLLUM.386 dropper is 6592 bytes long; when infecting, the virus adds 7167 bytes to DOS EXE files.
Infected DOS EXE File
In a DOS EXE file the virus is encrypted with a NOT (XOR 0FFh) instruction. So, when an infected file is executed, the virus takes control and decrypts itself. The decryption loop contains a silly anti-debugging trick, and one should be careful while analysing the virus code.
The virus then looks for the Windows SYSTEM.INI file. Five names are used by the virus:
C:\WINDOWS\SYSTEM.INI
C:\WIN\SYSTEM.INI
C:\WIN31\SYSTEM.INI
C:\WIN311\SYSTEM.INI
C:\WIN95\SYSTEM.INI

If no such file exists, the virus does not drop its VxD and returns to the host program. Otherwise it creates the GOLLUM.386 file (the virus VxD) in the Windows directory and inserts into SYSTEM.INI the command that loads this VxD:
DEVICE=GOLLUM.386

This command is inserted into the [386Enh] section: the virus searches for the string “[386” and writes the command right after it.
SYSTEM.INI before infection:
...
[386Enh]
mouse=*vmd

SYSTEM.INI after infection:
...
[386Enh]
DEVICE=GOLLUM.386
mouse=*vmd

The virus does not drop its VxD twice: it scans the SYSTEM.INI file for the string “GOLLU” and terminates the infection routine if this string is found.
Virus in VxD File
The virus VxD (the GOLLUM.386 file) has the LE (Linear Executable) format. The DOS EXE stub in this file contains a short routine that switches to the standard text video mode and displays the text:
GoLLum!

The LE part of this file contains the installation routine (which gets and stores the startup path for later use by the infection routine and hooks INT 21h in the V86 interrupt chain), the INT 21h handler, the infection routine and the virus DOS EXE code. The INT 21h virus handler intercepts three calls: Load and Execute (4B00h), Terminate (4C00h) and Change Directory (3Bh).
When a file is executed, the virus only saves its name and returns control. The infection routine gets control on the Terminate call. First the virus checks the file name: it infects files only on the C: drive and does not infect SCAN*.*, F-PR*.*, TB*.* (SCAN, F-PROT and ThunderByte-related programs) or files whose name contains the letter ‘V’ or digits. The virus also does not infect files shorter than 7167 bytes.
The virus then opens the file and reads and checks its header. It checks the EXE stamp (MZ at the file beginning) and the NewExe flags, but this check fails in some cases and the virus infects NewExe files as DOS EXE, which may corrupt them. To prevent duplicate infection, the virus compares the CRC field (offset 12h in the EXE header) with the two bytes 52h 43h (ASCII “RC”).
The virus then infects the file in the standard way used by the majority of DOS viruses: it writes its code (DOS and VxD parts) to the end of the file and modifies the EXE header (entry point and initial stack values, module size and the identifier “RC”). To avoid a code/data access violation while writing the VxD part, the virus copies it from the GOLLUM.386 in the startup path that was stored while installing the virus VxD.
The infection routine is then complete, and the virus closes the file and restores the file attributes and the file date and time stamp.
Trigger Routines
While installing on June 4th, the virus sends a system message with text that forces Windows to display it as a system error message:
GoLLuM ViRuS by Griyo/29A
Deep down here by the dark water lived old Gollum, a small slimy
creature. I dont know where he came from, nor who or what he was. He
was a Gollum -as dark a darkness, except for two big round pale eyes
in his thin face.
J.R.R. ToLkieN … The HoBBit
Press any key to continue

On a change of directory (the INT 21h Change Directory call) the virus reads the system timer and, depending on its value (with probability 1/256), creates the GOLLUM.EXE file in the current directory and copies its VxD GOLLUM.386 there. When this EXE file is executed under DOS, the DOS stub routine displays:
GoLLum!

To avoid detection by anti-virus integrity checkers the virus deletes their databases: ANTI-VIR.DAT, CHKLIST.TAV, CHKLIST.MS, AVP.CRC, IVB.NTZ.
The virus also contains the strings:
GoLLuM ViRuS for Microsoft Windows by GriYo/29A
GPTrap_DDB

Win16.CyberTech

Thursday, June 26th, 2008

This is a very dangerous memory resident parasitic virus. When an infected program is executed, the virus infects the Windows KERNEL file. When an infected KERNEL is executed, the virus hooks the WinExec function and writes itself to the end of NewEXE files that are executed.
To infect the KERNEL, the virus gets access to that file by using the documented function GetModuleHandle, then writes its code to the KERNEL file (KRNL286.EXE or KRNL386.EXE) and patches the system data in that file so that the address of the WinExec routine in the infected KERNEL points to the virus code. Then the virus returns control to the host NewEXE file. So, when an infected file is executed, the virus infects only the KERNEL file.
When a system with an infected KERNEL is loading, the virus stays memory resident as part of the KERNEL code, and the patched WinExec address points to the virus handler. When a NewEXE file is executed, the virus infects it.
The virus distinguishes infected from non-infected files by the ID-label “LROY” that it writes to the checksum field of the NewEXE header while infecting a file.
Depending on the system date and the day number, the virus displays a message box with the title:
Chicago 7: Cyber riot

and a message inside. The message depends on the date. In April from the 29th, and on May 1st:
Happy anniversary, Los Angeles!
Anarchists of the world, unite!

On any Friday before the 13th of a month:
When the levee breaks, I have no place to stay
(Crying won’t help you. Praying won’t do you no good.)

On March 6 and in December from 1st to 26th:
Save the Whale, harpoon a fat cat.

After displaying the message, the virus erases disk sectors.
The virus also contains the text strings:
USER KERNEL Chicago-7 CyberRiot, 15.1.1993 Klash (Werner L.)
Sommer 1993: 15 Windowscomputerviren
Coming soon: Diet riot. Same great aftertaste–fewer bytes.
Source code avaiable for $15,000,000. Serious inquiries only.
Why does IBM need to lay me off? Oh well, their loss.
McAfee’s FUD equation: !!!!!!+??????=$$$$$$
Convict the pigs
This program was written in the cities of Hamburg, Chicago, Seattle and
Berkeley. Copyright (C) 1993 Klash/Skism/George J/Phalcon/Henry Buscombe
and 2 ex-Softies, collectively known as the Chicago 7.
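
Two of the descriptions above give a fixed infection marker in an executable header: Win16.Gollum stores the ASCII pair “RC” (52h 43h) in the checksum field at offset 12h of the MZ header, and Win16.CyberTech stores “LROY” in the checksum field of the NewEXE header. The Python scanner below is an added example, not code from the page; it parses both headers and reports those markers, and the minimal MZ/NE images it builds for testing are constructed, not real programs.

```python
"""Scan an executable image for the header infection markers described on
this page: "RC" in the MZ checksum field (Win16.Gollum) and "LROY" in the
NE checksum field (Win16.CyberTech).  Added example, not code from the page.

Header layout assumed (standard MZ / NE formats):
  MZ: 'MZ' at 0x00, e_csum (2 bytes) at 0x12, e_lfanew (4 bytes) at 0x3C
  NE: 'NE' at 0x00 of the new header, ne_crc (4 bytes) at 0x08
"""
import struct

MZ_MAGIC = b"MZ"
NE_MAGIC = b"NE"
MARKERS = {
    "mz_checksum": {b"RC": "Win16.Gollum infection marker"},
    "ne_checksum": {b"LROY": "Win16.CyberTech infection marker"},
}


def parse_headers(image):
    """Return (mz_checksum_bytes, ne_checksum_bytes_or_None) for one image."""
    if len(image) < 0x40 or image[:2] != MZ_MAGIC:
        raise ValueError("not an MZ executable")
    mz_csum = image[0x12:0x14]
    ne_off = struct.unpack_from("<I", image, 0x3C)[0]
    ne_csum = None
    # A new-format header must lie past the MZ header and fit in the image.
    if 0x40 <= ne_off and ne_off + 0x40 <= len(image) \
            and image[ne_off:ne_off + 2] == NE_MAGIC:
        ne_csum = image[ne_off + 8:ne_off + 12]
    return mz_csum, ne_csum


def scan_image(image):
    """Return the list of marker descriptions found in one executable image."""
    mz_csum, ne_csum = parse_headers(image)
    hits = []
    if mz_csum in MARKERS["mz_checksum"]:
        hits.append(MARKERS["mz_checksum"][mz_csum])
    if ne_csum is not None and ne_csum in MARKERS["ne_checksum"]:
        hits.append(MARKERS["ne_checksum"][ne_csum])
    return hits


def build_sample(mz_csum=b"\x00\x00", ne_csum=None):
    """Construct a minimal MZ (plus optional NE) image for testing.

    This is a constructed header skeleton only; it is not a runnable program.
    """
    mz = bytearray(0x40)
    mz[0:2] = MZ_MAGIC
    mz[0x12:0x14] = mz_csum
    if ne_csum is None:
        struct.pack_into("<I", mz, 0x3C, 0)   # plain DOS EXE: no NE header
        return bytes(mz)
    struct.pack_into("<I", mz, 0x3C, 0x40)    # NE header right after MZ header
    ne = bytearray(0x40)
    ne[0:2] = NE_MAGIC
    ne[8:12] = ne_csum
    return bytes(mz + ne)


if __name__ == "__main__":
    for label, img in (("clean DOS EXE", build_sample()),
                       ("Gollum-marked DOS EXE", build_sample(mz_csum=b"RC")),
                       ("CyberTech-marked NE EXE", build_sample(ne_csum=b"LROY"))):
        print(f"{label}: {scan_image(img) or 'no marker'}")
```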

Win16.Apparition.a

Thursday, June 26th, 2008

This is a memory resident parasitic (polymorphic?) infector of Windows EXE files, 87438 bytes long, written in Borland’s Object Pascal for Windows. The virus installs itself into the system and periodically searches for EXE files and writes itself to the beginning of the files.
The virus has a very unusual structure. The main part (about 60K) is the virus code (virus routines and the Pascal runtime library), text strings, an icon and other data used by the virus while installing and spreading. The next block (3.5K) contains an LZ-packed MS Word template: a Word macro virus. The third block (21K) contains the LZ-packed virus source code (!!!). After unpacking, that 46K of source helped a lot to complete the virus analysis. The last block (3K) contains a resources file that is used when the virus runs the Borland Pascal compiler (see below).
While infecting a file, the virus moves the file body down by 87438 bytes and then writes its code to the beginning of the file. To return control to the host file, the virus creates a temporary file, writes the clean host file code to it and executes it. This way of spreading is usual for DOS viruses written in high-level languages, Pascal or C.
While infecting, the virus also scans the files for the assembler instruction pair
DEC BP
DEC BP

(4D4Dh) and replaces this code with an INT 83h call (CD83h). When active, the virus hooks INT 83h. The only code in the virus INT 83h handler decreases the BP register by two, exactly what the DEC BP, DEC BP commands do. I do not know the reason for doing that, but files patched in this way will work under an infected system only.
Before infecting, the virus checks the file header and infects only EXE files that have the NE (Windows) or PE (Windows95) internal format, so the virus infects both NewEXE Windows and Windows95 executables. Under Windows 3.11 this virus works without any side effects, but I didn’t try to run it under Windows95.
Installation
When an infected file runs, the virus allocates blocks of system memory and reads its code from the infected file into these blocks (to use this data while infecting other files). It then drops the 87438-byte VIDACCEL.EXE file containing the virus code into the Windows startup directory and registers this file in the [windows] section of the Windows WIN.INI file as a “load by default” application: the string “load=VIDACCEL.EXE” appears, or “VIDACCEL.EXE” is appended to the end of the “load=” string. As a result, Windows will load and execute the infected VIDACCEL.EXE on the next startup.
To stay “memory resident” the virus creates a hidden window that dispatches system events, including timer calls, and runs a standard message dispatching loop. On timer calls the virus, depending on its internal flags, searches for EXE files in the subdirectory trees on all disks and infects them. To do all that, the virus uses standard Pascal library calls only; there is no system programming at all.
In detail, when the virus installs itself into the system, the Pascal runtime library creates and registers a window class (via the system calls REGISTERCLASS, CREATEWINDOW and SHOWWINDOW) and sets the HIDDEN parameter for this window. The virus then sets a new Windows system timer (SETTIMER call) with a delay of 10 seconds and registers a handler (wmTimer) that gets control on timer events. To stay in memory, the virus enters the main message dispatching loop (GETMESSAGE, TRANSLATEMESSAGE, DISPATCHMESSAGE) and stays within this loop until the termination request (wmClose) when Windows exits.
Timer Handler
When the virus timer handler gets control (once every 10 seconds), it launches its four routines in sequence, one routine per timer event. The first routine maps drives: it accesses all disks from C: to Z: and records the writable ones. To do that, the virus creates the temporary file \WR.TST on the disk and deletes it. If this operation fails, the virus does not access files on that disk.
The second routine scans the directory tree on the selected disk and searches for files. When an EXE file is found, the virus checks its length and date. If the file length is less than 300K and more than 16384 bytes, and the file date is not equal to 1234h (Feb 7, 1990), the virus saves the file name in order to infect it when the infection routine (the fourth one) gets control.
While searching for files, the virus pays special attention to several file names: OWINDOWS.TPW, BPC.EXE and NORMAL.DOT. If the Pascal for Windows files (OWINDOWS.TPW and BPC.EXE) are found, the virus stores their paths for use by its mutation engine (see below). When a NORMAL.DOT file is found, the virus overwrites it with a silly Word macro virus that contains three macros: FileOpen, AutoOpen and WWUpdated. The first macro infects Word documents on opening, the second installs the virus on Word startup, and the last one is the virus ID-macro.
Mutation
The third routine called by the timer handler is the virus mutation engine. I could not make the virus complete that routine, but it seems that the virus attempts to modify and recompile its own source code! I have never seen polymorphism done this way. The virus is not encrypted, but it attempts to rebuild itself, and then it would not be possible to detect the virus with a simple mask: different samples will have different offsets and pointers to data and code, and different versions of the Borland Pascal compiler will “mix” that code too.
To do that, the virus unpacks and writes its source code to disk, processes it and inserts junk(?) do-nothing Pascal instructions into the text. The virus builds the junk commands from the strings:
Begin if then Repeat Until or True Until True End
While And False do While False do
Procedure Word Boolean Real Char integer string pointer wri
= <> > < and or xor

Then the virus creates temporary resource and PIF files (MAIN.RES and TMP~~TMP.PIF) and runs the Borland Pascal compiler (by using the PIF). The result is a TMP$XTMP.EXE file containing the virus code. The virus then appends the packed Word macro virus to that file, compresses (LZ method) and appends the new source file, and finally the last block with the resources file (see the virus structure above).
The result of this mutation engine is an EXE file with similar (but not identical) executable code and data, and with similar packed source code inside. The virus then renames the file to VIDACCEL.EXE (the virus dropper) and moves it to the Windows startup directory.
WIN.INI Section and Trigger Routines
While installing itself, the virus creates a section named [The Apparition] in the WIN.INI file. This section holds several virus parameters. The virus creates, reads and modifies the following parameters:
“Running NOW=” - “Yes” means that the virus is already active. When an infected file is executed again, the virus checks this parameter and does not re-infect the system. While installing itself into the system the virus sets it to “Yes”; on exit it sets it to “No”.
“BootInfected=” - “1” means that the VIDACCEL.EXE file has already been dropped, and the virus will not drop it again.
“DieMonth=” and “DieDay=” - these hold the trigger date. On this date the virus searches for all files (except WIN386.SWP and 386SPART.PAR) on all disks and deletes them. The virus initializes these values while infecting the system, setting them to the current date plus one month.
The “AtomID=” and “IDAtom=” parameters are used to perform system calls.
The following parameters are only read by the virus, which means they can only be set by the user:
“Die=” - this parameter locks the trigger routine.
“NoRun=” - if this parameter is set to “1”, the virus will not infect the system.
“NoInfect=” - if this parameter is set to “1”, the virus will not infect files.
“ShowDotsOn=1”, “ShowDialog=666”, “Logging=YES” - debug parameters.
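The WIN.INI section above is the one place on an infected machine where the virus records its own state, and the read-only keys are effectively an inoculation switch. The following added example (my code, not part of the original description or of the virus) reads the [The Apparition] section from a constructed WIN.INI text, reports what each entry means according to the semantics given above, and emits the read-only keys a user would add to block installation, file infection and the trigger. Two assumptions are labelled in the code: the page gives no value for “Die=”, so the key's presence is treated as the lock, and DieMonth/DieDay carry no year, so the caller supplies one.

```python
"""Reads the [The Apparition] section the virus keeps in WIN.INI and
interprets its entries.  Added example; the WIN.INI text is constructed."""
import datetime

SECTION = "The Apparition"

# Constructed sample WIN.INI fragment (not a real capture).
SAMPLE_WIN_INI = """\
[windows]
load=
run=
[The Apparition]
Running NOW=Yes
BootInfected=1
DieMonth=8
DieDay=14
AtomID=49152
Logging=YES
[Desktop]
Wallpaper=(None)
"""


def read_section(text: str, name: str) -> dict:
    """Return the key=value pairs of one INI section.  Windows profile
    section and key names are case-insensitive, so both are lower-cased."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current == name.lower() and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess(entries: dict, year: int) -> dict:
    """Interpret the entries: active flag, dropper state, trigger date, locks.
    `year` is an assumption: the virus stores only month and day."""
    trigger = None
    try:
        trigger = datetime.date(year, int(entries["diemonth"]), int(entries["dieday"]))
    except (KeyError, ValueError):
        pass  # trigger date missing or malformed
    return {
        "present": bool(entries),
        "active": entries.get("running now", "").lower() == "yes",
        "dropper_written": entries.get("bootinfected") == "1",
        "trigger_date": trigger.isoformat() if trigger else None,
        # Assumption: the page gives no value for Die=, so presence is the lock.
        "trigger_locked": "die" in entries,
        "inoculated": entries.get("norun") == "1" and entries.get("noinfect") == "1",
        "logging": entries.get("logging", "").upper() == "YES",
    }


def inoculation_section() -> str:
    """The read-only keys the virus honours.  Writing them to WIN.INI before
    infection stops installation, file infection and the trigger routine."""
    return "[The Apparition]\nDie=1\nNoRun=1\nNoInfect=1\n"


if __name__ == "__main__":
    for key, value in assess(read_section(SAMPLE_WIN_INI, SECTION), year=1997).items():
        print(f"{key}: {value}")
```

Run it against a real WIN.INI by replacing SAMPLE_WIN_INI with the file contents; an empty result from read_section means the section, and therefore this variant, is absent.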
If “Logging” is set, the virus creates the WINAPP.LOG file in the Windows directory and writes the following strings to it:
Started. - when run
Loaded OK. - allocating memory and reading virus code done
InfectBoot = start - before dropping VIDACCEL.EXE
InfectBoot = done - after dropping VIDACCEL.EXE
Running application - before running host file
Application finished - after running host file
Terminate requested - when the corresponding button is pressed, if the virus window is visible (see below)
Paused
Resumed
Remove from memory requested
!!! Destruction requested !!!
Executing PIF : - while executing Borland Pascal via PIF
PM Failed : No compiler - while executing mutation engine
PM started
PM is using temp dir
PM Failed : Out of diskspace
PM Failed : 1st compile failed
1st compile OK.
PM Failed : Source file too big
PM : Compression started, bytes
PM : Compression completed,
PM : Constants updated
PM : 2nd compile failed
PM : I/O Error
PM : Linked OK
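Because the log strings are fixed, WINAPP.LOG can be turned into a timeline of what an infected session did. The following added example (my code, not from the original description) maps each documented string to an event and summarises a constructed log: whether VIDACCEL.EXE was dropped, whether the mutation engine (“PM”) ran, and where it stopped. Lines that carry a variable tail (the PIF path, the byte count after “Compression started”) are matched on their prefix; the sample paths are made up.

```python
"""Classify WINAPP.LOG lines written by the virus when Logging=YES and
reconstruct the session.  Added example; the log text is constructed."""

# Documented log strings (prefixes) mapped to event names.
EVENTS = [
    ("Started.", "start"),
    ("Loaded OK.", "loaded"),
    ("InfectBoot = start", "dropper_start"),
    ("InfectBoot = done", "dropper_done"),
    ("Running application", "host_start"),
    ("Application finished", "host_done"),
    ("Terminate requested", "terminate"),
    ("Paused", "paused"),
    ("Resumed", "resumed"),
    ("Remove from memory requested", "remove"),
    ("!!! Destruction requested !!!", "destruct"),
    ("Executing PIF :", "pif_exec"),
    ("PM Failed :", "pm_failed"),
    ("PM started", "pm_start"),
    ("PM is using temp dir", "pm_tempdir"),
    ("1st compile OK.", "pm_compile1_ok"),
    ("PM : Compression started", "pm_compress_start"),
    ("PM : Compression completed", "pm_compress_done"),
    ("PM : Constants updated", "pm_constants"),
    ("PM : 2nd compile failed", "pm_failed"),
    ("PM : I/O Error", "pm_failed"),
    ("PM : Linked OK", "pm_linked"),
]

# Constructed sample logs (paths and order are assumptions, not captures).
FAILED_RUN = """\
Started.
Loaded OK.
InfectBoot = start
InfectBoot = done
Running application
Application finished
PM started
PM is using temp dir C:\\WINDOWS\\TEMP
Executing PIF : C:\\WINDOWS\\TEMP\\TMP~~TMP.PIF
PM Failed : 1st compile failed
"""

COMPLETED_RUN = """\
Started.
Loaded OK.
Running application
PM started
PM is using temp dir C:\\WINDOWS\\TEMP
Executing PIF : C:\\WINDOWS\\TEMP\\TMP~~TMP.PIF
1st compile OK.
PM : Compression started, 41203 bytes
PM : Compression completed,
PM : Constants updated
PM : Linked OK
Application finished
"""


def classify(line: str):
    """Return (event, detail) for one log line; event is None if unknown."""
    text = line.strip()
    for prefix, event in EVENTS:
        if text.startswith(prefix):
            return event, text[len(prefix):].strip(" ,")
    return None, text


def summarize(lines) -> dict:
    """Reduce a log to the facts an analyst wants from it."""
    events = [classify(l) for l in lines if l.strip()]
    names = [e for e, _ in events]
    result = {
        "dropper_written": "dropper_done" in names,
        "mutation_attempted": "pm_start" in names,
        "mutation_result": None,
        "destruct_requested": "destruct" in names,
        "unknown_lines": [d for e, d in events if e is None],
    }
    for event, detail in events:
        if event == "pm_linked":
            result["mutation_result"] = "linked"
        elif event == "pm_failed":
            result["mutation_result"] = "failed: " + (detail or "unspecified")
    if result["mutation_attempted"] and result["mutation_result"] is None:
        result["mutation_result"] = "incomplete"
    return result


if __name__ == "__main__":
    print(summarize(FAILED_RUN.splitlines()))
    print(summarize(COMPLETED_RUN.splitlines()))
```

A “linked” result means a freshly recompiled VIDACCEL.EXE should be looked for in the startup directory; a failure message names the step at which the engine gave up.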

When “ShowDotsOn” is set, the virus displays MessageBoxes (title/message) asking the user to confirm each operation:
!!! VIRUS WARNING !!!
Do you really want to run program infected by virus ?
!!! WARNING !!!
Overwrite NORMAL.DOT, confirmed ?
!!! THE APPARITION WARNING !!!
Infect [filename] Confirmed ?

When “ShowDialog” is set to “666”, the virus makes its window visible, and the following appears on the screen:
+--------------------------------+
| - |     THE APPARITION     | * |
+--------------------------------+
| File  Help                     |
+--------------------------------+
|  The Apparition for Windows    |
|     UltraGluk ALL-IN-ONE       |
|                                |
|  Status :                      |
|  Last   :                      |
|  Total  :                      |
|                                |
|  +------------+ +-----------+  |
|  | Terminate  | |   Pause   |  |
|  +------------+ +-----------+  |
|  +---------------------------+ |
|  |      !!! DESTRUCT !!!     | |
|  +---------------------------+ |
+--------------------------------+

The “File” menu contains four items:
“Check” - the virus displays the MessageBox:
Double FUCK!!!
Press CTRL+ALT+DEL Twice to Install Printer!!!

“Infect” - the virus opens a file browser to select the file. If the virus is busy infecting another file, it displays:
Error!
Infection engine is busy.

If the file is already infected, the virus displays:
You MAZDAI!
File is already infected, I WANNA new file to infect!

Both “Remove” and “Teminate” (a typo in the virus code) remove the virus from the system. In the case of “Remove” the virus also displays the MessageBox:
WINAPP
About to remove from memory, confirmed?

The “Help” menu contains one item, “About”. When selected, the virus displays a MessageBox with the following text:
About The Apparition
Win-Apparition
Written by Lord Asd
Last modified : 25 Dec ‘96
This beta version of The Apparition was tested only
under Win 3.10 and may work incorrectly under
other Win versions and OS/2 Warp

The “Status :” string is followed by a string that indicates the current virus status:
Completing taskall
Wait…
Locked.
Upgraded OK.
Paused by operator.
Mapping drives…
Scanning tree (Level x)…
Spreading…
Idle.
PM : Loading…
PM : Unpack…
PM : Mutation…
PM : 1st compile
PM : FAILURE
PM : Compression…
PM : Updating…
PM : 2nd compile
PM : Linking…

The “Last :” string is followed by the name of the most recently infected file. The “Total :” string contains the number of files processed while scanning the disk tree.
The “Terminate” button removes the virus from memory. The “Pause” button pauses the virus timer handler and replaces the “Pause” button with “Resume”. The “DESTRUCT” button makes the virus display two MessageBoxes:
WARNING
Are you sure you want to delete all files from your disks?
!!! DANGER !!!
Destroy all data on all available devices, confirmed?

and then erases all files on all disks.
The virus also displays other MessageBoxes and contains more text strings. The MessageBoxes are:
Warning
Destruction locked.
System error
System stack failure, error code 0xC6 at 0004:2F16
Error
Unexpected disk operation failure, error code 0x0x
Error
Out of memory.
Error
Unknown disk error.
!!! VIRUS WARNING !!!
This program is infected by The Apparition for Windows and will not start.

Text strings are:
APPARITION _PSEUDO_ICON MAIN_MENU ABOUTDLG UNTITLED WINAPP
COMMDLG KERNEL KERNEL GDI USER KEYBOARD KERNEL USER KEYBOARD
WINAPP.EXE
All files *.* Executable files (*.EXE) *.EXE Infect file EXE
ApparitionInstalled
hInstance=
*** PERMUTATION START HERE ***
*** PERMUTATION STOP HERE ***
Function Begin End
\TMP$XTMP.T01 \TMP$XTMP.T02 \TMP$XTMP.EXE \MAIN.RES
!!! CODE SIZE !!!
VSize=
cs_const=
!!! DECOMPRESSED SRC SIZE !!!
XSrcSize=
xss_const=
!!! COMPRESSED SRC SIZE !!!
CSrcSize=
css_const=
ApparitionInstalled
AboutDlg
Apparition
ApparitionInstalled
THE APPARITION
Running
THE APPARITION
KERNEL USER GDI KRNL386 KRNL286
MICROSOFT PIFEX
WINDOWS 286 3.0
WINDOWS 386 3.0
Portions Copyright (c) 1983,92 Borland
OW1 OW2
TurboWindow Error code = %d. Continue?
Application Error
(Inactive %s)
TPWinCrt
Runtime error 000 at 0000:0000.
Main_Menu Apparition THE APPARITION Times New Roman Terminate
Apparition Last None Pause Total
!!! DESTRUCT !!! Initializing… Status

Text added: Jan-06-1997

Win.Wintin

Thursday, June 26th, 2008

Details
Win.Wintiny

This is a harmless non-memory resident parasitic virus. It searches for NewEXE files and writes itself to the end of the file. It contains the strings:
*.EXE
WinTiny (C)Copyright June, 1995 by Burglar in Taipei, Taiwan.

Win.Vir_1_

Thursday, June 26th, 2008

Details
Win.Vir_1_4

This is a benign, non-memory resident parasitic virus, and the first known virus for Windows 3.xx.
The virus searches for all NewEXE files (Windows EXE files) in the current directory and infects them. It saves the startup and automatic data segments to the end of the file and overwrites those segments with the virus code and data. It also fixes up the NewEXE header and the segment table.
The virus does not return control to the host program; it simply disinfects the host and returns to Windows. The file is then no longer infected, and on the next attempt the program starts normally, so the failure looks like a mouse click that Windows missed.
There are several known variants of this infector; the original one contains the texts:
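The two segments this virus overwrites are located through fields of the NewEXE header: the startup segment comes from the CS:IP entry point and the automatic data segment from its own header field, and each segment's file position comes from the segment table scaled by the alignment shift. The following added example (my code, not from the original description) walks those structures for a constructed minimal NE image, returns the file ranges of both segments, and checks that every segment's data lies inside the file, a basic sanity check for a header that has been rewritten. The sample image is built in the code and is not a real program.

```python
"""Locate the startup code segment and the automatic data segment of a
NewEXE (NE) file from its header.  Added example with a constructed image."""
import struct

SECTOR_SHIFT_DEFAULT = 9  # an alignment shift of 0 means 512-byte sectors


def build_sample_ne() -> bytes:
    """Constructed NE image: MZ stub, NE header, two-entry segment table, data."""
    mz = bytearray(0x40)
    mz[0:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)            # e_lfanew -> NE header
    ne = bytearray(0x40)
    ne[0:2] = b"NE"
    struct.pack_into("<H", ne, 0x0E, 2)               # automatic data segment = #2
    struct.pack_into("<HH", ne, 0x14, 0x0010, 1)      # entry IP = 0x10, CS = segment #1
    struct.pack_into("<H", ne, 0x1C, 2)               # segment table entry count
    struct.pack_into("<H", ne, 0x22, 0x40)            # segment table offset from NE header
    struct.pack_into("<H", ne, 0x32, 4)               # alignment shift: 16-byte sectors
    segtab = struct.pack("<HHHH", 0x0A, 0x20, 0x0000, 0x20)   # #1 code, sector 0x0A (file 0xA0)
    segtab += struct.pack("<HHHH", 0x0C, 0x10, 0x0001, 0x10)  # #2 data, sector 0x0C (file 0xC0)
    image = bytes(mz) + bytes(ne) + segtab
    image += b"\x00" * (0xA0 - len(image))
    image += b"\xB8\x01\x00\xCB".ljust(0x20, b"\x90")  # segment #1 body (made up)
    image += b"DATA".ljust(0x10, b"\x00")             # segment #2 body (made up)
    return image


def parse_ne(image: bytes) -> dict:
    """Read the NE header fields and segment table; raise on non-NE input."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    ne_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[ne_off:ne_off + 2] != b"NE":
        raise ValueError("no NE header (not a NewEXE)")
    autodata, = struct.unpack_from("<H", image, ne_off + 0x0E)
    ip, cs = struct.unpack_from("<HH", image, ne_off + 0x14)
    seg_count, = struct.unpack_from("<H", image, ne_off + 0x1C)
    segtab_off, = struct.unpack_from("<H", image, ne_off + 0x22)
    shift, = struct.unpack_from("<H", image, ne_off + 0x32)
    shift = shift or SECTOR_SHIFT_DEFAULT
    segments = []
    for i in range(seg_count):
        sector, length, flags, _minalloc = struct.unpack_from(
            "<HHHH", image, ne_off + segtab_off + 8 * i)
        file_off = sector << shift
        length = length or 0x10000                    # 0 means a full 64K segment
        segments.append({
            "number": i + 1, "file_offset": file_off, "length": length,
            "is_data": bool(flags & 1),               # bit 0: 0 = code, 1 = data
            # sector 0 means the segment has no file data at all
            "in_file": sector == 0 or file_off + length <= len(image),
        })
    return {"segments": segments, "cs": cs, "ip": ip, "autodata": autodata}


def infection_targets(image: bytes) -> dict:
    """The startup (CS) and automatic data segments, plus a bounds check."""
    info = parse_ne(image)
    by_number = {s["number"]: s for s in info["segments"]}
    return {
        "startup": by_number.get(info["cs"]),
        "startup_ip": info["ip"],
        "autodata": by_number.get(info["autodata"]),
        "all_segments_in_file": all(s["in_file"] for s in info["segments"]),
    }


if __name__ == "__main__":
    print(infection_targets(build_sample_ne()))
```

On a real NewEXE file, pass the file bytes to infection_targets; a startup or automatic data segment whose file range runs past the end of the file, or a CS value with no segment table entry, indicates a header that no longer matches the image.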
Virus_for_Windows v1.4
MK92

“Vir_1_4.b” contains the text:
AntiWindoze Virus by Xavirus Hacker. THNX2MK!!!

Win.VfW.98

Thursday, June 26th, 2008

Details
Win.VfW.988

This is a dangerous non-memory resident parasitic NewEXE (Windows) virus. It searches for NewEXE files and writes itself to the end or to the middle of the file. The virus has bugs and may corrupt files while infecting them. The virus contains the string:
*.EXE Virus for Windows ver 2.0

