Win16.Gollum
This is a parasitic virus that "stays resident" under Windows and Windows 95, hooks disk file access and infects DOS EXE files. It is a multipartite virus because it affects two different platforms, Windows and DOS. The virus infects neither Portable Executable (PE) nor New Executable (NE) Windows EXE files; instead it stays in Windows as a VxD driver in order to intercept and infect DOS EXE files. In other words, the virus does not infect Windows files but does occupy Windows memory, and it does not occupy DOS memory but does infect DOS EXE files.
When an infected DOS EXE file is executed, the virus only drops its VxD (the GOLLUM.386 file), registers it in the Windows SYSTEM.INI file and returns to the host program; it performs no other action at that point. When Windows starts, it loads this VxD, the virus takes control, hooks the V86 interrupt chain and from then on infects DOS EXE files. The GOLLUM.386 dropper is 6592 bytes long; when infecting, the virus adds 7167 bytes to a DOS EXE file.
Infected DOS EXE File
In a DOS EXE file the virus body is encrypted with a NOT instruction (equivalent to XOR 0FFh). When an infected file is executed, the virus takes control and decrypts itself. The decryption loop contains a silly anti-debugging trick, so care is needed when analyzing the virus code.
The virus then looks for the Windows SYSTEM.INI file, trying five path names:
C:\WINDOWS\SYSTEM.INI
C:\WIN\SYSTEM.INI
C:\WIN31\SYSTEM.INI
C:\WIN311\SYSTEM.INI
C:\WIN95\SYSTEM.INI
If none of these files exists, the virus does not drop its VxD and returns to the host program. Otherwise it creates the GOLLUM.386 file (the virus VxD) in the Windows directory and inserts into SYSTEM.INI the command that loads this VxD:
DEVICE=GOLLUM.386
This command is inserted into the [386Enh] section: the virus searches for the string "[386" and writes the command on the line right after it.
SYSTEM.INI before and after infection:

  before               after
  ...                  ...
  [386Enh]             [386Enh]
  mouse=*vmd           DEVICE=GOLLUM.386
  ...                  mouse=*vmd
                       ...

The virus does not drop its VxD twice: it scans the SYSTEM.INI file for the string "GOLLU" and terminates the infection routine if that string is found.
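The SYSTEM.INI change described above is the one persistent trace the dropper leaves on a machine that has not yet booted Windows, so it is the first thing to look for during triage. The following Python is an added example written for this page, not code from the original write-up: it parses an INI text section by section and reports any DEVICE= line whose value contains "GOLLU" (the same substring the virus itself uses as its already-infected check). The two INI texts are constructed for the demo.

```python
"""Added example (not part of the original write-up): flag a SYSTEM.INI that
carries the Gollum VxD loader line. Marker strings come from the description
above; the sample INI texts are constructed for the demo."""

# Constructed sample: a clean SYSTEM.INI and one modified the way the
# description says the virus does it (DEVICE=GOLLUM.386 inserted right
# after the "[386Enh]" header).
CLEAN_INI = """[boot]
shell=progman.exe

[386Enh]
mouse=*vmd
device=*vpd
"""

INFECTED_INI = """[boot]
shell=progman.exe

[386Enh]
DEVICE=GOLLUM.386
mouse=*vmd
device=*vpd
"""


def parse_ini(text):
    """Return {section_name: [lines]} preserving line order. Section names
    are lower-cased because SYSTEM.INI section and key names are
    case-insensitive."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_gollum_loader(text):
    """Return a list of (section, line) pairs for every DEVICE= entry whose
    value contains 'GOLLU'. Every section is checked, not only [386Enh], so
    a loader line that ended up elsewhere is still reported."""
    hits = []
    for section, lines in parse_ini(text).items():
        for line in lines:
            key, _, value = line.partition("=")
            if key.strip().lower() == "device" and "gollu" in value.lower():
                hits.append((section, line))
    return hits


if __name__ == "__main__":
    for name, ini in (("clean", CLEAN_INI), ("infected", INFECTED_INI)):
        print(name, find_gollum_loader(ini))
```

A hit should be followed by checking the Windows directory for the GOLLUM.386 file itself; removing only the DEVICE= line leaves the dropper in place, and an infected DOS EXE will simply write the line back the next time it runs.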
Virus in VxD File
The virus VxD (the GOLLUM.386 file) has LE (Linear Executable) format. The DOS EXE stub in this file contains a short routine that switches to the standard text video mode and displays the text:
GoLLum!
The LE part of this file contains the installation routine (which gets and stores the startup path, later used by the infection routine, and hooks INT 21h in the V86 interrupt chain), the INT 21h handler, the infection routine and the virus DOS EXE code. The virus INT 21h handler intercepts three calls: Load and Execute (4B00h), Terminate (4C00h) and Change Directory (3Bh).
When a file is executed, the virus only saves its name and returns control. The infection routine gets control on the Terminate call. First the virus checks the file name: it infects files only on drive C: and skips SCAN*.*, F-PR*.* and TB*.* (programs related to SCAN, F-PROT and ThunderByte) as well as any file whose name contains the letter 'V' or a digit. The virus also does not infect files shorter than 7167 bytes.
The virus then opens the file and reads and checks its header. It checks the EXE stamp (MZ at the beginning of the file) and the NewExe flags, but the check is faulty and in some cases it infects NewExe files as if they were DOS EXE files, which may corrupt them. To prevent duplicate infection the virus compares the CRC field (offset 12h in the EXE header) with the two bytes 52h 43h (ASCII "RC").
The virus then infects the file in the standard way used by the majority of DOS viruses: it writes its code (the DOS and VxD parts) to the end of the file and modifies the EXE header (initial entry point and stack values, module size and the "RC" identifier). To avoid a code/data access violation while writing the VxD part, the virus copies it from the GOLLUM.386 file in the startup path that was stored when the virus VxD was installed.
When the infection routine is complete, the virus closes the file and restores its attributes and date and time stamp.
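The "RC" word at offset 12h is a cheap triage indicator for infected hosts, and the faulty NewExe check above means the same marker can turn up in NE/LE/PE files that the virus damaged rather than infected. The Python below is an added example, not code from the original write-up: it parses the classic MZ header, reports the marker, and flags the new-executable case separately; the MIN_INFECTED_SIZE sanity check uses the 7167-byte limit stated above. The sample headers are constructed for the demo.

```python
"""Added example (not part of the original write-up): a triage check for the
infection marker described above, the bytes 52h 43h ("RC") stored in the
checksum word at offset 12h of the DOS EXE header. Sample headers are
constructed for the demo."""

import struct

# Classic 28-byte MZ header: e_magic, e_cblp, e_cp, e_crlc, e_cparhdr,
# e_minalloc, e_maxalloc, e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno
MZ_HEADER = struct.Struct("<2s13H")
RC_MARKER = b"RC"            # 52h 43h at offset 12h marks an infected file
MIN_INFECTED_SIZE = 7167     # the virus skips files shorter than its body
NEW_EXE_SIGNATURES = (b"NE", b"LE", b"PE")


def build_sample(marked, new_exe=False, size=8000):
    """Constructed test image: a 64-byte DOS header followed by filler.
    With new_exe=True the header also carries e_lfarlc >= 40h and an
    e_lfanew pointing at an 'NE' signature, i.e. a Windows executable that
    the description says the virus may wrongly treat as a plain DOS EXE."""
    csum = struct.unpack("<H", RC_MARKER)[0] if marked else 0
    e_lfarlc = 0x40 if new_exe else 0x1C
    hdr = bytearray(0x40)
    MZ_HEADER.pack_into(hdr, 0, b"MZ", 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8,
                        csum, 0, 0, e_lfarlc, 0)
    body = b""
    if new_exe:
        struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> new header
        body = b"NE"
    data = bytes(hdr) + body
    return data + b"\x00" * (size - len(data))


def check_exe(data):
    """Return a small report dict for one EXE image given as bytes."""
    report = {"dos_exe": False, "new_exe": False, "rc_marker": False,
              "suspicious": False, "note": ""}
    if len(data) < 0x40 or data[:2] != b"MZ":
        report["note"] = "not an MZ executable"
        return report
    report["dos_exe"] = True
    fields = MZ_HEADER.unpack_from(data)
    e_lfarlc = fields[12]
    # The marker sits in the e_csum word; compare the raw bytes at 12h.
    report["rc_marker"] = data[0x12:0x14] == RC_MARKER
    if e_lfarlc >= 0x40:
        # New-format executables keep a pointer to their real header at 3Ch.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        report["new_exe"] = data[e_lfanew:e_lfanew + 2] in NEW_EXE_SIGNATURES
    if report["rc_marker"]:
        report["suspicious"] = True
        if len(data) < MIN_INFECTED_SIZE:
            report["note"] = "marker present but file too small to carry the body"
        elif report["new_exe"]:
            report["note"] = "NE/LE/PE file with DOS-virus marker; possibly corrupted"
        else:
            report["note"] = "DOS EXE carries Gollum infection marker"
    return report


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)),
                          ("marked", build_sample(True)),
                          ("marked NE", build_sample(True, new_exe=True))):
        print(label, check_exe(sample))
```

A checksum word that happens to equal "RC" on a clean file is possible, so the marker is a reason to pull the file for a full scan, not a verdict on its own; a legitimate DOS EXE with that word and a size above 7167 bytes is the case that needs a second look.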
Trigger Routines
When it is installed on June 4th, the virus sends a system message that forces Windows to display the following text as a system error message:
GoLLuM ViRuS by Griyo/29A
Deep down here by the dark water lived old Gollum, a small slimy
creature. I dont know where he came from, nor who or what he was. He
was a Gollum -as dark a darkness, except for two big round pale eyes
in his thin face.
J.R.R. ToLkieN … The HoBBit
Press any key to continue
On a change of directory (the INT 21h Change Directory call) the virus reads the system timer and, depending on its value (with probability 1/256), creates the GOLLUM.EXE file in the current directory, copying its VxD GOLLUM.386 there. When this EXE file is executed under DOS, the DOS stub routine displays:
GoLLum!
To avoid detection by anti-virus integrity checkers, the virus deletes their databases: ANTI-VIR.DAT, CHKLIST.TAV, CHKLIST.MS, AVP.CRC, IVB.NTZ.
The virus also contains the strings:
GoLLuM ViRuS for Microsoft Windows by GriYo/29A
GPTrap_DDB