Win32.CTX.10853
This is a Win32 parasitic virus, also known as Dengue. It uses polymorphic and Entry Point Obscuring (EPO) methods (see below).
This variant of the virus is memory resident. It leaves a copy of itself in system memory, locates the EXPLORER.EXE image in memory, gains access to its code and patches it so that the virus code receives control whenever applications are active in the system. The virus then returns control to the host program, and the memory-resident copy waits for the call from the patched EXPLORER.EXE code.
When the virus code receives control from EXPLORER.EXE, it scans all subdirectories on all drives, looks for .EXE, .SCR and .CPL files and infects them in the background.
The virus checks file names so that it does not infect several anti-virus programs and utilities; a file is skipped when the first two letters of its name match one of: DR*, PA*, RO*, VI*, AV*, TO*, CA*, IN*, MS*, SR*, SP*, RP*, PR*, NO*, CE*, LE*, MO*, SM*, DD*, SO*, SQ*, EX*, IE*, CM*, CO*.
The virus also deletes several anti-virus data files: AVP.CRC, ANTI-VIR.DAT, CHKLIST.CPS, CHKLIST.MS, IVP.NTZ.
The virus contains the text string:
[ Dengue Hemorrhagic Fever BioCoded by GriYo / 29A ]
Disclaimer: This software has been designed for research purposes only.
The author is not responsible for any problems caused due
to improper or illegal usage of it
Infecting EXE Files
While infecting PE EXE files the virus increases the size of the last file section, encrypts its copy with the polymorphic engine and writes it there. If the last file section is the FixupTable (relocations), the virus simply overwrites it.
To gain control when an infected file starts, the virus uses the Entry Point Obscuring method. It does not modify the StartProgram (entry point) address; instead it scans the CODE section for CALL or JMP instructions that go to the file's ImportTable, picks one at random and patches it with a CALL_Virus instruction that passes control to the virus polymorphic decryption loop. If the virus finds no CALL/JMP to the ImportTable, it exits the infection routine.
The infection routine has minor bugs, and in some cases infected files are left corrupted and produce the standard Windows error message on start. In some cases this can prevent Windows NT from loading.
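The EPO patch described above leaves a recognisable trace: a near CALL in the code section that no longer targets the import table or the code section but lands in the enlarged last section where the decryptor now lives. The following added detection heuristic (not code from the original entry) scans a constructed code blob for CALL/JMP transfers and flags those whose target falls in the last section; the image base, section layout and sample bytes are all assumptions constructed for the example.

```python
import struct

# Constructed layout of a hypothetical 32-bit PE image (assumption, not from the page).
IMAGE_BASE = 0x400000
# (name, start RVA, end RVA); the last entry is the section CTX enlarges to hold its body.
SECTIONS = [(".text", 0x1000, 0x2000), (".idata", 0x3000, 0x3100), (".reloc", 0x4000, 0x4800)]

def section_of(rva, sections=SECTIONS):
    """Name of the section containing an RVA, or None if it is outside every section."""
    for name, start, end in sections:
        if start <= rva < end:
            return name
    return None

def scan_transfers(code, code_rva, image_base=IMAGE_BASE):
    """Yield (offset, mnemonic, target_rva) for CALL rel32 (E8), CALL [m32] (FF 15), JMP [m32] (FF 25).

    Byte-pattern scan, not a disassembler: embedded data can produce false hits."""
    i, n = 0, len(code)
    while i < n:
        if code[i] == 0xE8 and i + 5 <= n:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            yield i, "call", code_rva + i + 5 + rel          # relative to next instruction
            i += 5
        elif code[i] == 0xFF and i + 6 <= n and code[i + 1] in (0x15, 0x25):
            addr = struct.unpack_from("<I", code, i + 2)[0]  # absolute VA of the IAT slot
            yield i, "call [m32]" if code[i + 1] == 0x15 else "jmp [m32]", addr - image_base
            i += 6
        else:
            i += 1

def find_epo_suspects(code, code_rva, sections=SECTIONS, image_base=IMAGE_BASE):
    """Transfers in the code section whose target lands in the last section.

    In a clean file these reach the code section or the import table; a CTX-style
    patch redirects one of them into the enlarged last section holding the decryptor."""
    last_name = sections[-1][0]
    return [(off, mnem, tgt) for off, mnem, tgt in scan_transfers(code, code_rva, image_base)
            if section_of(tgt, sections) == last_name]

# Constructed .text bytes at RVA 0x1000 (sample data): CALL [0x403000] (import thunk),
# CALL 0x4010 (lands in .reloc: the patched call), JMP [0x403004] (import thunk),
# CALL 0x1100 (stays in .text), RET.
CODE = bytes.fromhex("FF1500304000" "E805300000" "FF2504304000" "E8EA000000" "C3")

if __name__ == "__main__":
    for off, mnem, tgt in find_epo_suspects(CODE, 0x1000):
        print(f"offset {off:#x}: {mnem} -> RVA {tgt:#x} in {section_of(tgt)}")
```

On the sample only the CALL at offset 6 is reported, since it alone leaves the code section for somewhere other than the import table.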
Win2000 “compatibility”
The virus avoids the Win2000 internal anti-virus and integrity protection based on the SFC service (System File Check). The virus gains access to the SFC.DLL functions and checks each file before infecting it. If a file is protected by SFC, the virus skips it and searches for the next file in the directory.
Polymorphic Engine
The polymorphic engine is very close to the engines used in the “Win95.HPS” and “Win95.Marburg” viruses, but has some improvements. The main difference is the number of polymorphic layers. In the “Win32.CTX” virus the polymorphic engine is called randomly between four and seven times, encrypting the virus code in four to seven polymorphic loops.
Combined with the EPO technology, this makes the virus very difficult to detect and disinfect.