
Win95.Punch.9262

Details
Win95.Punch.9262.a

This is the first known “memory resident” parasitic virus that infects Win95 EXE files (PE executables). It appears to open a new line of Win95 parasitic infectors.
The virus infects the system in two steps. When an infected Win95 EXE file is executed, the virus drops to disk a VxD file (the dropper) containing the virus code and registers this VxD in the SYSTEM.INI file. It then returns control to the host file and does not affect the system in any other way until the next reboot. When Win95 next loads, it reads the VxD files from disk and passes control to them. The virus code in the VxD receives control, hooks the system's file access calls and then infects Win95 EXE files as they are opened.
Fortunately, the virus has several lethal bugs and cannot replicate under a standard environment without corrupting Win95 system files, so an infected system runs unstably and the virus has no chance of being “in-the-wild”. Unfortunately, these bugs may easily be fixed, and a new version of this virus could cause far more problems for Win95 users.
The virus contains the following text strings, which it uses when accessing system resources and functions:
KERNEL32
CreateFileA
WriteFile
ReadFile
SetFilePointer
CloseHandle

The virus also contains the strings it uses while searching for the Win95 directory and creating files there:
c:\win95\system.ini
c:\windows\system.ini
c:\win95\system\vvfs.vxd
c:\windows\system\vvfs.vxd

The next text string is the name of the virus section in the PE header:
QuantumG

The virus was named after the last string that appears in its code:
Beating You to the Punch in the ’97 (almost)

Infected EXE File Run
When an infected Win95 EXE file is executed, the virus gets control and drops the VxD file. To do that the virus calls GetLogicalDriveStringsA (KERNEL32 function #350) and SetEnvironmentVariableA (KERNEL32 function #372), obtains system information and the addresses of the file access routines CreateFileA, WriteFile, ReadFile, SetFilePointer and CloseHandle.
The virus then creates the VxD file C:\WIN95\SYSTEM\VVFS.VXD. If that call fails (there is no such directory), it creates C:\WINDOWS\SYSTEM\VVFS.VXD instead. If that call fails too (neither directory exists on disk), the virus returns to the host program. Otherwise, it writes 9262 bytes of code and data to the newly created file; these form a complete VxD (LE EXE) file.
To complete the infection the virus looks for C:\WIN95\SYSTEM.INI or C:\WINDOWS\SYSTEM.INI, scans it for the first occurrence of the string “ice=” (the tail of “device=”) and inserts the string “vvfs.vxd,” after it:
Before infection: device=some.vxd
After infection: device=vvfs.vxd,some.vxd

The virus first checks the “device=” line for the string “vvfs” and does not insert its VxD name twice. It then closes SYSTEM.INI and returns to the host program.
As a result of infection, a newly created VxD file sits in the Win95 SYSTEM subdirectory, and SYSTEM.INI is modified so that Win95 loads and executes this VxD at startup.
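A defender-side check for the SYSTEM.INI modification described above, written as an added example that is not part of the original analysis: it locates device= lines that load vvfs.vxd and restores such a line to its pre-infection form. The sample INI text is constructed (only the device=some.vxd before/after pair comes from the analysis), and the function names are this example's own.

```python
import re

# Name of the VxD the analysis says the virus drops and registers in SYSTEM.INI.
SUSPECT_VXD = "vvfs.vxd"

# A "device=" line as it appears under [386Enh] in SYSTEM.INI (case-insensitive key).
DEVICE_LINE = re.compile(r"^\s*device\s*=\s*(.*?)\s*$", re.IGNORECASE)

# Constructed sample files, not captured from a real machine. The "device=some.vxd"
# line is the before/after pair quoted in the analysis; the other lines are filler.
CLEAN_INI = (
    "[boot]\n"
    "shell=Explorer.exe\n"
    "[386Enh]\n"
    "device=some.vxd\n"
    "device=other.vxd\n"
)
INFECTED_INI = CLEAN_INI.replace("device=some.vxd", "device=vvfs.vxd,some.vxd")


def device_entries(system_ini_text):
    """Return [(line_number, [vxd names])] for every device= line in the file."""
    entries = []
    for number, line in enumerate(system_ini_text.splitlines(), start=1):
        match = DEVICE_LINE.match(line)
        if match:
            names = [name.strip() for name in match.group(1).split(",") if name.strip()]
            entries.append((number, names))
    return entries


def find_dropped_vxd(system_ini_text, suspect=SUSPECT_VXD):
    """Return the line numbers of device= lines that load the suspect VxD."""
    return [
        number
        for number, names in device_entries(system_ini_text)
        if any(name.lower() == suspect.lower() for name in names)
    ]


def clean_system_ini(system_ini_text, suspect=SUSPECT_VXD):
    """Return the file text with the suspect VxD removed from every device= line.

    A device= line that loaded only the suspect VxD is dropped entirely; a line
    such as "device=vvfs.vxd,some.vxd" is restored to "device=some.vxd".
    Everything else is left byte-for-byte as it was.
    """
    cleaned = []
    for line in system_ini_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        newline = line[len(body):]
        match = DEVICE_LINE.match(body)
        if not match:
            cleaned.append(line)
            continue
        names = [name.strip() for name in match.group(1).split(",") if name.strip()]
        kept = [name for name in names if name.lower() != suspect.lower()]
        if kept == names:
            cleaned.append(line)          # line did not reference the suspect VxD
        elif kept:
            cleaned.append("device=" + ",".join(kept) + newline)
        # else: the line only loaded the suspect VxD, so it is dropped


    return "".join(cleaned)


if __name__ == "__main__":
    print("infected device= lines:", find_dropped_vxd(INFECTED_INI))
    print("restored to clean copy:", clean_system_ini(INFECTED_INI) == CLEAN_INI)
```

The check keys on the device= value rather than on a raw substring search, so a file that merely mentions “vvfs” in a comment is not flagged, and the remediation keeps every other device entry in its original order.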
Loading Win95 and IFS API Hook
When the infected VxD file (the dropper) takes control, the virus checks the version of the DOS IFS Manager (DOS Installable File System Manager), hooks the IFS API calls and stays resident in Win95 memory as a VxD driver.
An IFS API hook is very similar to the way TSRs work in DOS, with some differences. The hook interposes itself between the IFS Manager and the File System Drivers; the hook handler gets control before the File System Drivers are called and can do anything it wants.
The virus hook handler intercepts only one function, OpenFile (IFSFN_OPEN), and infects files as the system opens them. Note that the hook takes control when any application opens a file, whether a Win95 program or a DOS window under Win95, so files are infected even if they are opened from a DOS window.
Infecting EXE files
When the virus intercepts the file opening call, it reads the file header and checks it for the MZ (DOS EXE stub) and PE (Portable Executable) stamps. It then reads further fields from the PE header, creates a new section named “QuantumG”, writes itself (10185 bytes) to the end of the file (into the new section) and fixes up the PE header. The virus also patches the Resources section and Resources Directory so that it can reach KERNEL32 functions while dropping the VxD file.
To prevent duplicate infection, the virus compares the name of the last section in the PE header with “QuantumG” and does not infect EXE files twice.
Infecting: Last Notes
While infecting a file the virus does not preserve the file's time and date stamp, so the infected file is left with the current time and date. It also does not check the file attributes, and as a result fails to infect Read-Only files. The virus does not check the file name extension and infects not only *.EXE files but also DLL, CPL, DRV and other files that have the PE EXE internal format.
The virus writes a different number of bytes when infecting EXE files (10185 bytes) than when dropping the VxD (9262 bytes). This is caused by the differences between the PE EXE and VxD formats: in the two kinds of file the virus needs different entry points. It solves this by writing additional code to the EXE file. That additional code contains the routine that drops the VxD file and is placed before the main virus code:
        VxD dropper                            Infected EXE file
 +--------------------------+         +--------------------------+
 |VxD DOS stub and LE header|         |host file header,data,code|
 |--------------------------|         |                          |
 |API hook and infection    |         |--------------------------| <-- Entry point
 |routines                  |         |VxD dropping routine,     |
 |--------------------------|         |writes the rest to VxD    |
 |VxD dropping routine      |         |--------------------------|
 |                          |         |VxD DOS stub and LE header|
 |--------------------------|         |--------------------------|
 |Other data                |         |API hook and infection    |
 +--------------------------+         |routines                  |
                                      |--------------------------|
                                      |VxD dropping routine      |
                                      |(second copy)             |
                                      |--------------------------|
                                      |Other data                |
                                      +--------------------------+

(The part of the infected EXE file from “VxD DOS stub and LE header” to “Other data” is what the dropping routine writes out as the VxD dropper.)

The virus may also increase the size of EXE files by differing amounts: it pads the file size up to the section alignment and then writes its 10185 bytes to the end of the file.
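An added example, not code from the original analysis, that turns two of the facts above into a header-only scanner: the infection marker is a last section named “QuantumG” (checked regardless of file extension, since DLL, CPL and DRV files are infected too), and an infected file grows to the section alignment plus 10185 bytes. The build_minimal_pe() helper constructs just enough PE header for the scanner to parse; the helper, the sample file names and the function names are assumptions of this example.

```python
import struct

# Infection marker described in the analysis: the appended section is named "QuantumG"
# and the virus itself checks the *last* section name to avoid infecting twice.
MARKER_SECTION = b"QuantumG"
VIRUS_BODY_SIZE = 10185   # bytes appended to an infected PE file (from the analysis)

# Layout constants fixed by the PE format itself, not by this virus.
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
PE32_OPTIONAL_HEADER_SIZE = 0xE0


def parse_pe_sections(data):
    """Return (section_alignment, [section names]) for a PE image, or None if the
    buffer is not a PE file (no MZ stub, no PE signature, truncated headers)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]      # NumberOfSections
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    optional = coff + COFF_HEADER_SIZE
    if optional + 40 > len(data):           # need the header at least through FileAlignment
        return None
    section_alignment = struct.unpack_from("<I", data, optional + 32)[0]
    table = optional + size_of_optional
    names = []
    for index in range(num_sections):
        offset = table + index * SECTION_HEADER_SIZE
        if offset + SECTION_HEADER_SIZE > len(data):
            return None                     # truncated section table
        names.append(data[offset:offset + 8].rstrip(b"\x00"))
    return section_alignment, names


def is_punch_infected(data):
    """True when the last section of a PE file carries the Punch marker name.
    The extension is deliberately ignored; the scan keys on the header only."""
    parsed = parse_pe_sections(data)
    if parsed is None:
        return False
    _, names = parsed
    return bool(names) and names[-1] == MARKER_SECTION


def expected_infected_size(original_size, section_alignment):
    """Model of the growth described in the analysis: pad the file up to the
    section alignment, then append the 10185-byte virus body."""
    if section_alignment <= 0:
        raise ValueError("section alignment must be positive")
    padded = -(-original_size // section_alignment) * section_alignment
    return padded + VIRUS_BODY_SIZE


def scan_blobs(blobs):
    """Scan a {filename: bytes} mapping and return the names flagged as infected."""
    return [name for name, data in blobs.items() if is_punch_infected(data)]


def build_minimal_pe(section_names, section_alignment=0x1000):
    """Build just enough PE header to exercise the scanner. Constructed test data,
    not a loadable image: the section bodies are absent."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0,
                       PE32_OPTIONAL_HEADER_SIZE, 0x010E)
    optional = bytearray(PE32_OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", optional, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", optional, 32, section_alignment)    # SectionAlignment
    struct.pack_into("<I", optional, 36, 0x200)                # FileAlignment
    table = b"".join(name.ljust(8, b"\x00") + bytes(SECTION_HEADER_SIZE - 8)
                     for name in section_names)
    return dos_stub + b"PE\x00\x00" + coff + bytes(optional) + table


if __name__ == "__main__":
    samples = {                              # constructed, see build_minimal_pe()
        "WRITE.EXE":  build_minimal_pe([b".text", b".rsrc", MARKER_SECTION]),
        "DESK.CPL":   build_minimal_pe([b".text", MARKER_SECTION]),
        "CLEAN.DLL":  build_minimal_pe([b".text", b".rsrc"]),
        "README.TXT": b"not an executable at all",
    }
    print("flagged:", scan_blobs(samples))
    print("5000-byte file at 0x1000 alignment grows to", expected_infected_size(5000, 0x1000))
```

Because the virus only compares the last section name, a file whose “QuantumG” section is not last is not treated as infected here either; that mirrors the marker the analysis describes, and a scanner that also wants to catch files where the marker has been followed by other sections would check every name.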
Trial
This virus was tested in Windows95 4.00.950. The infected EXE file and the next generation of the virus dropped the VxD file and modified SYSTEM.INI without any problems or side effects.
The problems appeared while loading Win95 with the VxD dropper. The Win95 loading process did not complete; a system error message (blue screen) appeared:
A fatal exception 0E has occurred at xxx:xxxxxx. The current application
will be terminated.

Then the system continued booting, the next message appeared: “A fatal exception 0C all”, and the system locked up.
After rebooting in DOS mode I found that the virus had infected USER32.DLL in the SYSTEM subdirectory. After replacing the infected USER32.DLL with the original one I set this file to Read-Only and rebooted the computer. This time the Win95 loading process completed, but it was interrupted several times by the system message:
This program has performed an illegal operation
and will be shut down.
If the problem persists, contact the program
vendor.

I rebooted to DOS, searched for other infected files and found several: EXPLORER.EXE in the Win95 directory and COMCTL32.DLL, MPREXE.EXE, MPRSERV.DLL, MPR.DLL, MSPWL32.DLL and SHELL32.DLL in the SYSTEM subdirectory.
I restored the infected files and set the Read-Only attribute on all EXE and DLL files. Win95 loading was again interrupted by the “illegal operation” message: the virus had infected DESK.CPL and WINSPOOL.DRV (both are of PE EXE format). When all executable system files in the Win95 directory were marked Read-Only, Win95 loaded without any problems.
There were no problems infecting several applications such as WRITE.EXE, but in some cases these applications caused the “illegal operation” message while loading and then worked correctly. Other problems appeared when I tried to infect special short test files (goat files): they grew in size to 9Mb (!).
Conclusion
I have not tested this virus in other Win95 releases, and perhaps it works only in one specific Win95 release, but several bugs in the virus that are not release-specific are too lethal to allow it to spread beyond anti-virus research labs.
Even if an infected file were released to the Internet (as happened with “Hare”), the “Punch” virus would disclose itself very quickly because its bugs are too serious. But in any case this is the first TSR Win95 virus, and there is no chance that it will be the last.