Prevent Online Threats

July 2nd, 2008

Details
Win32.Ditex

Ditex is a memory resident parasitic Win32 virus. It is written in Microsoft Visual C++ and is about 33KB in size.
The virus infects PE EXE files that have .EXE filename extensions. While infecting the virus encrypts and writes itself to the end of the file. The virus code in infected files has two blocks: dropper and main code.
When an infected file is run the “dropper” gets control. It decrypts itself, decrypts the “main code”, then drops the “main code” as a Win32 PE EXE file named TDI.SYS in the Windows directory and runs it.
The main code searches for PE EXE files in directories on local drives and infects those it finds.
The virus also contains a backdoor routine that opens an Internet connection, waits for its master's (the virus author's) instructions and then follows them: sends/receives files, executes programs, reports system information, etc.


    July 2nd, 2008

    Details
    Win32.Devir

    This is a per-process memory resident parasitic polymorphic Win32 virus. The virus infects PE EXE files that have .EXE filename extensions. When run, the virus infects files in the current directory only.
    The virus also stays in system memory as a component of the infected host program, gains access to KERNEL functions and intercepts 10 of them: file opening, copying, moving functions, etc. When a PE EXE file is accessed through these functions, the virus infects it. As a result, the virus infects all PE EXE programs that are accessed by the infected host program, and it stays active until the host program exits. The virus also hooks the function that selects a new current directory, and infects PE EXE files there.
    The PE EXE infection method is complex and similar to that of the Win32.Driller virus. The block of host file code that is overwritten by the virus's polymorphic routine may in some cases also be compressed during infection.
    The virus also contains a backdoor routine that opens an Internet connection, waits for its author’s instructions and then follows them: sends/receives files, executes programs, reports system information, etc.
    The virus contains the following “copyright” text:
    Intruder v.0.1 by Deviator//HAZARD


    July 2nd, 2008

    Details
    Win32.Damm.1537

    This is a benign memory resident parasitic Windows virus. The virus uses Win98-specific calls and is able to spread only under Win98. To stay memory resident, the virus switches itself to kernel mode by using Win98 kernel functions, hooks the file access functions (IFS) and infects PE EXE files when they are opened or renamed, or when their file attributes are accessed. While infecting a file, the virus writes itself to the end of the file.
    The virus uses anti-debugging tricks and seems to disable Windows debuggers. The virus also looks for several installed anti-virus monitors and disables them by patching their code. The virus also checks file names before infecting and does not affect anti-virus programs and some utilities. It detects them by comparing the file name with a set of strings:
    AVP _AVP NAV TB F- WEB PAV GUARDDOG DRW SPIDER
    DSAV NOD MTX MATRIX WINICE FDISK SCAN DEFRAG
    On 1st of each month, the virus removes the Desktop icons with the registry key:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDesktop = 1
    The virus also contains the “copyright” text strings:
    DAMMiT by ULTRAS [MATRiX]
    (c) 2000


    July 2nd, 2008

    Details
    Win32.CTX.6886

    This is a Win32 parasitic virus. It uses polymorphic and Entry Point Obscuring methods (see below).
    It is a not-dangerous non-memory-resident parasitic polymorphic Windows virus. It searches for PE EXE files (Windows Portable Executable files) in the current directory (except a drive root directory), the Windows and Windows system directories, and infects up to five files in each directory each time an infected file starts.
    The virus checks file names and avoids infecting several anti-virus programs: DR*, PA*, RO*, VI*, AV*, TO*, CA*, IN* (DRWEB, PANDA, VIRUS*, AVP, etc.).
    The virus payload routine is activated when an infected file is executed six months after being infected, at exactly the same hour. This routine inverts the desktop colors, if the monitor has enough resolution, and then goes into an endless loop.
    The virus contains the following text string, which is not used in any way:
    [ CTX Phage Virus BioCoded by GriYo / 29A Disclaimer: This software has
    been designed for research purposes only. The author is not responsible
    for any problems caused due to improper or illegal usage of it ]


    July 2nd, 2008

    Details
    Win32.CTX.10853

    This is a Win32 parasitic virus, also known as Dengue. It uses polymorphic and Entry Point Obscuring methods (see below).
    This variant of the virus is memory resident. It leaves its copy in system memory, locates the EXPLORER.EXE image in system memory, gains access to its code and patches it so that the virus code receives control when applications are active in the system. The virus then returns control to the host program, and the memory resident copy “waits” for the call from the patched EXPLORER.EXE code.
    When the virus code gets control from EXPLORER.EXE, it scans all subdirectories on all drives, looks for .EXE, .SCR and .CPL files and infects them in the background.
    The virus checks file names and avoids infecting several anti-virus programs and utilities; files are checked by the first two letters of the file name: DR*, PA*, RO*, VI*, AV*, TO*, CA*, IN*, MS*, SR*, SP*, RP*, PR*, NO*, CE*, LE*, MO*, SM*, DD*, SO*, SQ*, EX*, IE*, CM*, CO*.
    The virus also deletes several anti-virus data files: AVP.CRC, ANTI-VIR.DAT, CHKLIST.CPS, CHKLIST.MS, IVP.NTZ.
    The virus contains the text string:
    [ Dengue Hemorrhagic Fever BioCoded by GriYo / 29A ]
    Disclaimer: This software has been designed for research purposes only.
    The author is not responsible for any problems caused due
    to improper or illegal usage of it

    Infecting EXE Files
    While infecting PE EXE files the virus increases the size of the last file section, encrypts its copy with the polymorphic engine and writes it there. If the last file section is the FixupTable (relocations), the virus simply overwrites it.
    To get control when an infected file starts, the virus uses the “Entry Point Obscuring” method. It does not modify the program entry-point address; instead it scans the CODE section for CALL or JMP instructions that go through the file's ImportTable, picks one at random and patches it with a CALL_Virus instruction that passes control to the virus's polymorphic decryption loop. If the virus finds no CALL/JMP to the ImportTable, it exits the infection routine.
    The infection routine has minor bugs, and in some cases infected files are left corrupted and cause a standard Windows error message on start. In some cases that may prevent Windows NT from loading.
    Win2000 “compatibility”
    The virus avoids Win2000's internal anti-virus and integrity protection, which is based on the SFC (System File Check) service. The virus gets access to the SFC.DLL functions and checks each file before infecting it. If a file is protected by SFC, the virus skips it and searches for the next file in the directory.
    Polymorphic Engine
    The polymorphic engine is very close to the engines used in the “Win95.HPS” and “Win95.Marburg” viruses, but has some improvements. The main difference is the number of polymorphic layers. In the “Win.CTX” virus the polymorphic engine is called a random number of times, from four to seven, and encrypts the virus code with four to seven polymorphic loops.
    Combined with the EPO technique, this makes the virus very difficult to detect and disinfect.


    July 2nd, 2008

    Details
    Win32.Crypto

    This text was written with the help of Adrian Marinescu, GeCAD Software.
    This is a very dangerous memory resident parasitic polymorphic Win32 virus about 20K in length. It infects KERNEL32.DLL and PE EXE files: it writes its code to the end of the file and modifies necessary fields in the PE header to gain control when an infected file is run. The virus also adds its “droppers” to archives of different types (ACE, RAR, ZIP, CAB, ARJ) and to some types of self-extracting packages (SFX ACE and RAR files).
    The virus uses a polymorphic engine while infecting PE EXE files and archives only, and leaves the virus image non-encrypted in the KERNEL32.DLL file.
    The virus uses anti-debugging tricks, disables anti-virus on-access scanners (Avast, AVP, AVG and Amon), deletes anti-virus data files (AVP.CRC, IVP.NTZ, ANTI-VIR.DAT, CHKLIST.MS, CHKLIST.CPS, SMARTCHK.MS, SMARTCHK.CPS, AGUARD.DAT, AVGQT.DAT), patches the LGUARD.VPS file (anti-virus database?), and avoids infection of many anti-virus programs: TB, F-, AW, AV, NAV, PAV, RAV, NVC, FPR, DSS, IBM, INOC, ANTI, SCN, VSAF, VSWP, PANDA, DRWEB, FSAV, SPIDER, ADINF, SONIQUE, SQSTART.
    One of the most important virus features is that it encrypts/decrypts Windows libraries (DLL files) “on-the-fly” when they are loaded - upon loading a library the virus decrypts it, and upon unloading, the virus encrypts the file body. To encrypt DLL files, the virus uses strong cryptographic algorithms (provided by the Crypt API included in Windows). As a result, an infected system keeps working only while the virus code is present in memory to perform this encryption/decryption. If the system is disinfected, the DLL libraries stay encrypted and the system cannot load them. The first virus to use such technology was the Onehalf multipartite virus that was “well known” in the second half of the 1990s.
    The virus is incompatible with several Win32 versions, such as the Win95 and Win98 standard editions. Under these conditions, the virus does not install itself into the system (does not infect KERNEL32.DLL) and/or does not infect PE EXE files.
    Installing into the system
    When an infected file is executed for the first time on a clean system, the polymorphic decryptor loop gains control, restores the original file code in clean form and passes control to there. The installation routine gains control, and after performing several anti-debugging and anti-anti-virus procedures, installs the virus copy into the system.
    While installing, the virus infects the KERNEL32.DLL file so that upon the next start-up, Windows loads the virus code as a part of the KERNEL32 library. While infecting, the virus patches the KERNEL32 export tables so that upon the next loading, the virus intercepts and filters several file access functions that are exported from KERNEL32.DLL (CreateFile, OpenFile, __lopen, CopyFile, MoveFile, MoveFileEx, LoadLibrary, LoadLibraryEx, FreeLibrary - in both ANSI and UNICODE forms).
    To infect KERNEL32.DLL (this library is loaded into memory when the virus is run, so Windows protects it from writing), the virus copies the KERNEL32.DLL file to the Windows folder, infects this copy and then forces Windows to replace the old file with the infected one upon the next boot. As a result, upon the next restart, Windows is loaded with the infected KERNEL32.DLL - the virus filters file-access events, and runs its PE EXE and archive-infection routines.
    After infecting KERNEL32.DLL, the virus erases its code from the memory and returns control to the host program.
    Virus spreading
    When Windows is loaded with an infected KERNEL32.DLL, the virus stays in the memory as a component of KERNEL32.DLL, and hooks several KERNEL32 exported functions. Upon a first call to these functions, the virus activates its infection routine that searches for victim files (PE EXE) in the background and infects them. The virus searches files on all drives from C to Z.
    To make the scanning process less conspicuous, the virus will first wait for three seconds before each drive scan.
    While infecting a file, the virus enlarges the last file section and reserves space for its code, then writes the encrypted code along with the polymorphic decryptor in there and sets the program entry-point to the decryption routine.
    Archive infection
    The virus is able to add droppers to the archives of several types: ACE and RAR (including SFX self-extracting files), as well as ZIP, CAB, ARJ. The virus droppers in archives get a name randomly selected from variants:
    INSTALL, SETUP, RUN, SOUND, CONFIG, HELP, GRATIS, CRACK, UPDATE, README
    beginning and/or ending with the ‘!’ character. The file name extension is .EXE.
    To add its dropper to an archive, the virus creates a dropper as a disk file and executes the external program needed to process the respective archive type. Using this method, the virus is able to append the dropper compressed with a randomly selected method, depending on the archiver program.
    Encrypting libraries
    The virus creates cryptographic keys in its installation part (by using the Crypt API included in Windows). If the keys are created successfully, the virus is able to encrypt the code of the DLL files that are used by applications (loaded by Windows on demand). To do this, the virus uses LoadLibrary and FreeLibrary hooks, intercepts library loading and encrypts/decrypts them on the fly.
    Any DLL whose name starts with one of the following patterns is excepted: SFC, MPR, OLE32, NTDLL, GDI32, RPCRT4, USER32, RSASIG, SHELL32, CRYPT32, RSABASE, PSTOREC, KERNEL32, ADVAPI32, RUNDLL32, SFCFILES. Also, DLLs listed under the following registry keys are not encrypted:
    System\CurrentControlSet\Control\SessionManager\KnownDLLs
    System\CurrentControlSet\Control\SessionManager\Known16DLLs

    The most important aspect is that the encryption key and the encryption algorithm are unique for each infected system. WinCrypt supports custom encryption algorithms, making disinfection from systems other than Windows impossible. The encryption of the DLLs consumes a lot of time/CPU resources, since the virus reads the needed keys from the registry each time.
    To be able to use the Crypt API included in Windows, the virus needs to create a new key, with the container name set to “Prizzy/29A”. First, the virus checks for its existence, and if the key is not present, the dedicated API is called in order to create a new one. Then the virus needs to store the generated key; for that it uses the system registry. At this point the virus has a limitation: it assumes that the key SOFTWARE\Microsoft\Cryptography\UserKeys\Prizzy/29A will be created after the CryptAcquireContext API call. The virus sets the value ‘Kiss Of Death’ on the newly generated key.


    July 1st, 2008

    Details
    Win32.Chop.3808

    It is a not-dangerous non-memory-resident parasitic polymorphic Win32 virus. It searches for PE EXE files in the current directory, then writes itself to the end of the file.
    Six months after infection, affected files display the following message box when run:
    W32/Wm.Cocaine by Vecna/29A and Reptile/29A
    Chop your breakfast in a mirror!

    The virus seems to be an “alpha version” of the “Cocaine” multi-platform Win32/Word/Email virus. The PE EXE and polymorphic engines in the “Chop” virus are very close to the “Cocaine” routines, and there are several empty (do-nothing) routines in “Chop” that are functional in “Cocaine”.


    July 1st, 2008

    Details
    Win32.Chiton
    This is a family of dangerous Win32 viruses.
    Win32.Chiton.l
    When launched, the virus writes itself to vb6eng.dll in the Windows system directory.
    When any application which uses this DLL is launched, the virus will search for and infect Win32 applications (PE files). When infecting files, it writes itself to the end of the file. It does not re-infect already infected files.
    The virus does not manifest its presence in the system in any way.
    It contains the text string:
    OU812 - roy g biv
    06/06/01
    *4U2NV*
    Win32.Chiton.m
    This virus searches for and infects PE files.
    EXE files are infected by patching the API Process Thread Creation offset. Other PE files will be infected by replacing the code at entry point with the virus code. This virus does not re-infect already infected files.
    The virus includes antidebugging techniques.
    The virus does not manifest its presence in the system in any way.
    The virus code contains errors.
    It contains the text string:
    Shrug - roy g biv
    01/01/01


    July 1st, 2008

    Details
    Win32.Champ

    It is a dangerous non-memory-resident parasitic polymorphic Win32 virus. It infects PE EXE files (Win32 executables). The virus infection routine has bugs and most infected files are corrupted. They cannot be repaired and should be restored from an uninfected source.
    On the 1st of even-numbered months (February, April, June, etc.) the virus runs its payload routine, which creates 500 garbage files with random names in three directories: the Windows directory, the Windows system directory and the root directory of the drive where Windows is installed.
    When the infection routine is activated, the virus searches for PE EXE files in the current directory, then encrypts its body and writes it to the end of the file. To gain control when an infected file starts, the virus patches the victim file's entry routine - it overwrites it with polymorphic code that passes control to the decryption routine in the main virus code (at the end of the file).
    The virus checks file names and does not infect anti-virus programs: SCAN*, DRWE*, PAVW*, AVP3*, AVP1*, NOD3*, NOD. The virus also deletes the ANTI-VIR.DAT file, if it exists.
    The virus contains the text string:
    LethalMind.Champagne releaseed the 22th of March 1999.
    Greetings to 29A, SLAM, Darkman, Benny, Pockets, Rod, Mist,
    Thermo, Mdrg and all who have helped me. Je t’aime Laurence !


    July 1st, 2008

    Details
    Win32.Cerebrus.1482

    This is a direct action (non-memory-resident) parasitic Windows infector. It infects files of the newer executable formats - Windows NE (Windows 3.xx), PE (Portable Executable), as well as LX (Linear Executable) - but is able to replicate only under Win32 because it has PE format and imports Win32 functions.
    When an infected file is executed, the virus takes control, searches for Windows .EXE files in the current directory and writes itself to the end of the file. While infecting, the virus does not modify the PE header at all; the infection method is based only on the DOS stub header: the virus writes there the new file offset of the PE header (the virus's PE header). As a result the infected file has three parts: the first part is the original DOS stub, the second part is the host PE data (not modified), and the third part is the virus code and data.
    The virus has a PE file structure: it contains a PE header, section headers, an import table, code and data sections. The modified DOS stub in infected files points to the virus PE header instead of the original one. As a result, when executing infected files, Win32 reads and runs the virus code instead of the host's.
    To return to the host program, the virus creates a copy of the infected file with an EVE extension, disinfects it (just restores the file offset of the PE header) and spawns it. The virus does not delete these “temporary” files, so after an infected program executes they stay on disk in the same directory as the infected file.
    The virus has a trigger routine that simply beeps the PC speaker when the virus takes control. The virus contains the following text strings; the first one is a block of names that the virus imports from KERNEL32 and USER32:
    ExitProcess Beep GetCommandLineA CreateProcessA CopyFileA CreateFileA
    SetFilePointer ReadFile WriteFile CloseHandle FindFirstFileA FindNextFileA
    FindClose GetFileSize WinExec
    MURKRY/IkX
    CEREBRUS
    The three head guardian, is in your computer, fear no more
    *.EXE


    July 1st, 2008

    Details
    Win32.Cafet

    This is a very dangerous non-memory resident parasitic Win32 virus. It searches for PE EXE files with .EXE and .SCR extensions in current and Windows system directories, then writes itself to the end of the file.
    The virus deletes anti-virus data files:
    ANTI-VIR.DAT
    CHKLIST.TAV
    CHKLIST.MS
    AVP.CRC
    IVB.NTZ
    On the 12th of each month, the virus displays the following message box:
    VIRUS CEFET-RJ
    FORA F.H.C.
    MAIS VERBAS PARA NOSSAS ESCOLAS
    MADE IN BRAZIL - 1999
    FEITO POR: N.B.K.
    then creates and, depending on the system timer, spawns the D.BAT DOS batch file with “deltree” instruction in there.


    July 1st, 2008

    Details
    Win32.Cabanas

    This text was written by Peter Szor, Data Fellows Ltd.
    Win32.Cabanas is the first known 32-bit virus that works under Windows NT, Windows 95 and Windows 3.x with the Win32s sub-system. It was found in late 1997.
    Win32.Cabanas is a per-process memory resident, fast infecting, anti-debugged, partially packed/encrypted, anti-heuristic, semi-stealth virus. The “Win32” prefix is not misleading, as the virus is able to spread on all Win32-based systems (Windows NT, Windows 95 and Win32s). The author of the virus is a member of the 29A group, the same young virus writer who wrote the infamous “Cap.a” virus.
    When a Win32.Cabanas-infected file is executed, execution starts at the original host entry point. Yes, Cabanas does not touch the entry point field in the Image File Header. Instead it patches the host program at its entry point. Five bytes at the entry point are replaced with a FAR JMP to the address where the original program ended. This can be considered an anti-heuristic feature, as the host entry point value in the PE header keeps pointing inside the code section, possibly turning off some heuristic flags.
    Thus the first JMP points to the real entry point. The first function in Cabanas unpacks and decrypts a string table which consists of Win32 KERNEL API names. The unpack mechanism is simple but effective enough. The real problem is that the virus uses Structured Exception Handling (typically abbreviated to SEH) as an anti-debug trick.
    When the unpack/decrypt function is done, the virus calls a routine to get the original base address of KERNEL32.DLL. During infection the virus searches for GetModuleHandleA and GetModuleHandleW in the Import Table. When it finds them it saves a pointer to the actual DWORD in the .idata list. Since the loader puts the addresses into this table before it executes the virus, Cabanas gets them easily.
    If the application does not import GetModuleHandleA or GetModuleHandleW, the virus uses a third, undocumented way to get the base address of KERNEL32.DLL: it takes it from the ForwarderChain field of the KERNEL32 imports. This does not work under Windows NT, only on Windows 95. When the virus has the base address/module handle of KERNEL32.DLL it calls its own routine to get the address of the GetProcAddress function. The first method is based on the Import Table search done during infection: the virus saves a pointer to the .idata section whenever it finds a GetProcAddress import in the host. In most cases Win32 applications import the GetProcAddress API, so the virus should not need a secondary routine to get the same result. If the first method fails, the virus calls a function that searches for the GetProcAddress export in KERNEL32, which could be called GetProcAddress-From-ExportsTable. This function searches KERNEL32's Exports Table and finds the address of GetProcAddress.
    After this the virus gets all the API addresses it wants to use in a loop. When the addresses are available, Cabanas is ready to replicate and calls its direct action infection routine.
    The direct action infection part is surprisingly fast. Even though it goes through all the files in the Windows directory, the Windows System directory and the current directory respectively, file infection is fast enough to go unnoticed on most systems. This is because the virus works with “memory mapped” files only, a feature of Win32-based systems which simplifies file handling and increases overall system performance.
    First the virus gets the name of the Windows directory, then the name of the Windows System directory, and calls the function which searches for non-infected executable images. It searches for non-directory entries and checks the size of the files it finds.
    Files whose size is divisible by 101 without remainder are assumed to be infected. Files which are too large will not be infected either. After this the virus checks the file extension; if it matches EXE or SCR (screen saver files), the virus opens and maps the file. If the file
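A static checker, added here as an example (not code from any of these descriptions or their authors), for three file-level traces the families above leave: Cerebrus's untouched host PE header sitting before a rewritten e_lfanew, an entry point moved onto an appended last section (Crypto, Chop, Ditex and the other end-of-file infectors), and Cabanas's entry-point bytes overwritten with a JMP out of their own section together with its size-divisible-by-101 marker. The PE images it scans are constructed minimal stubs built inline, not samples.

```python
import struct

PE_SIG = b"PE\0\0"

def parse_pe(data):
    """Headers the loader trusts: (e_lfanew, entry_rva, [(name, vaddr, vsize, rptr, rsize)])."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("e_lfanew does not point at a PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, vsize, rptr, rsize))
    return e_lfanew, entry_rva, sections

def section_of(sections, rva):
    """Section that maps the RVA, or None."""
    for s in sections:
        if s[1] <= rva < s[1] + max(s[2], s[4]):
            return s
    return None

def check_image(data):
    """Return the list of heuristics that fired; [] means none did."""
    findings = []
    e_lfanew, entry_rva, sections = parse_pe(data)
    # Cerebrus: host PE header left in place, e_lfanew redirected to an appended
    # header, so a PE signature sits before the one the loader is sent to.
    if data.find(PE_SIG) < e_lfanew:
        findings.append("pe-header-before-e_lfanew")
    # Appending infectors (Crypto, Chop, Ditex): entry point moved into the last
    # section.  Packers do the same, so this is a lead, not a verdict.
    ent = section_of(sections, entry_rva)
    if ent is not None and len(sections) > 1 and ent is sections[-1]:
        findings.append("entry-in-last-section")
    # Cabanas: entry field untouched, but the five bytes at the entry replaced
    # by JMP rel32 (E9) to code outside the section the entry point lives in.
    if ent is not None:
        off = ent[3] + (entry_rva - ent[1])
        if data[off] == 0xE9:
            rel = struct.unpack_from("<i", data, off + 1)[0]
            if section_of(sections, (entry_rva + 5 + rel) & 0xFFFFFFFF) is not ent:
                findings.append("entry-jmp-leaves-section")
    # Cabanas infection marker: file size divisible by 101 (weak on its own).
    if len(data) % 101 == 0:
        findings.append("size-multiple-of-101")
    return findings

def build_pe(sections, entry_rva, e_lfanew=0x80):
    """Constructed minimal PE image (not a runnable program); sections are
    (name, virt_addr, body) and the headers fill the first 0x200 bytes."""
    hdrs, raw, ptr = b"", b"", 0x200
    for name, vaddr, body in sections:
        rsize = (len(body) + 0x1FF) & ~0x1FF
        hdrs += name.encode().ljust(8, b"\0")
        hdrs += struct.pack("<IIII", len(body), vaddr, rsize, ptr) + b"\0" * 16
        raw += body.ljust(rsize, b"\0")
        ptr += rsize
    dos = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    return (dos + PE_SIG + coff + opt + hdrs).ljust(0x200, b"\0") + raw

CODE, DATA = b"\x90" * 64, b"\x00" * 32   # constructed host contents

def clean_sample():
    return build_pe([(".text", 0x1000, CODE), (".data", 0x2000, DATA)], 0x1000)

def appended_sample():   # virus body in a new last section, entry moved onto it
    return build_pe([(".text", 0x1000, CODE), (".data", 0x2000, DATA),
                     (".vir", 0x3000, b"\xCC" * 16)], 0x3000)

def cerebrus_sample():   # host header untouched, e_lfanew -> appended PE header
    host = clean_sample()
    virus = build_pe([(".vir", 0x1000, b"\xCC" * 16)], 0x1000)
    new_lfanew = len(host) + struct.unpack_from("<I", virus, 0x3C)[0]
    return host[:0x3C] + struct.pack("<I", new_lfanew) + host[0x40:] + virus

def cabanas_sample():    # entry field untouched, JMP patched in, size padded to 101*n
    img = bytearray(clean_sample())
    entry_off, entry_rva, target_rva = 0x200, 0x1000, 0x2010
    img[entry_off:entry_off + 5] = b"\xE9" + struct.pack("<i", target_rva - entry_rva - 5)
    img += b"\0" * (-len(img) % 101)
    return bytes(img)
```

Run `check_image` over each sample to see which heuristic each infection style trips; on real files the last-section and size checks need corroboration, since packers and coincidence trip them too.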