发信人: jackyz()
整理人: emil(1999-09-20 09:41:04), 站内信件
|
--------------------------------------------------------------
WinNT.RemEx
WinNT.RemEx (a.k.a. RemoteExplorer, W32.RICH)
This virus infects Windows executable files (PE files). It spreads on
ly under Windows NT on servers and workstations. The virus is able to
spread over the local network, not only on local machine. This is the
first known parasitic virus that stays in the WinNT memory as a syste
m service.
Installation
When an infected EXE file is executed on the system at the first time,
the virus gets control and runs its installing procedure. It copies
itself to the WinNT System32\Drivers directory with the IE403R.SYS nam
e and runs this copy as a system service. The EXE instance of the vir
us then releases the control.
If an infected EXE file is executed under already infected system, the
virus looks for its code in the system, removes it and replaces with
its new copy. So the virus seems to be able to upgrade itself with ne
w version.
When the infected driver (the IE403R.SYS file) is executed, the virus
stays in the system memory as a standard Windows NT service, but does
not hook any system events. Instead of that the virus just delays in
"sleeping" loop that is interrupted by system timer each ten minutes.
The virus then randomly runs its infection and hiding routines: in 2
cases from 5 it runs infection, otherwise it runs hiding routine.
Infection and Damage
The infection routine scans local and shared remote drives, looks for
EXE files and infects them. While infecting the virus compresses the
target EXE file, writes itself to the top of target file (overwrites i
t), and adds compressed data to the end of its code as a PE file resou
rce. To run the host file when infected file is run, the virus extrac
ts it from resource to the temporary file, executes, and then deletes
the file. While compressing the virus uses the "deflate" method with
GZIP-like data headers.
Depending on the system random counter the virus also corrupts randoml
y selected files on the disk that is being scanned. The virus compres
ses them by using the same compression method and then encrypts with s
ome optimal algorithm.
The virus depending on the system random counter in 1 case of 20 also
scans the network drives by using their UNC names and processes them i
n the same way as described above.
The virus does not affect any files in the Windows directory, as well
as in the Windows System and temporary directories and in the "C:\Prog
ram Files" folder. The virus also checks the file name extension and
does not encrypt the .OBJ, .TMP, .DLL files.
Hiding routine
This routine is run next to infection routine, and "cleans" virus trac
es in the system. First of all it looks for the windows with "TASKMGR
.SYS - Application Error" and "Dr.Watson for Windows NT" titles and cl
oses them. So the virus bypasses the error messages caused by its bug
s.
The virus then checks its driver "sleeps" for too long time (more that
one hour). In this case the virus kills the service.
The virus also deletes the DRWTSN32.LOG file as well as all "~*" files
in the Windows temporary directory.
Features
When the virus is installing itself into the system, for some time it
is visible in the TaskManager's process list with the "IE403R.SYS" nam
e. At any time it is visible in the ControlPanel/Services as the "Rem
ote Explorer" service.
The virus does work under Windows95/98. Under Windows95 the infected
files are terminated with the standard error message, under Window98 t
he virus successfully extracts and executes the host file, but does no
t install itself into the system.
The virus is able to run on NT machine only in case the CurrentUser ha
s Admin privileges, otherwise the virus fails to install its service i
n NT memory. Despite on this, if the computer is already infected, th
e logging with not Admin account will not prevent the virus installed
in the memory.
The virus infection, hiding and damage routines do work only in non-wo
rking hours: full day on Sunday and Saturday, on other days - only fr
om 21:00 till 6:00 on other days. Otherwise the virus sets lowest pri
ority for itself, and "sleeps" for long periods of time. So the virus
runs its routine ever in work-hours, but only in case nobody is access
ing the computer for the long time.
The virus has bugs and may work incorrectly. It does not check file n
ames and infects DOS EXE files as well as Windows EXE, for example.
Additional Tech Details
The virus has quite large size - it is written in Microsoft Visual C++
and is about 125K. The original virus code occupies about 14K, GZIP r
outines - 20K, C run-time libraries - 40K. Other data are occupied by
virus/C++ data, resources, e.t.c.
The virus has quite unusual structure: the infected files have code a
nd data segments, as well as three resources that contains compressed
executable files. The first recourse contains the standard NT4 PSAPI.
DLL that is used by virus to access processes in the system memory.
The second resource is the original virus code itself (including the s
ame compressed PSAPI.DLL in the resource). This copy of virus code is
used as the original data to install the virus into the system and to
infect EXE files.
The third resource is the host file that is extracted and decompressed
, when the virus needs to run the host program.
System Registry: while installing its SYS driver to the system the vi
rus uses the standard NT API calls. That caused the system to registe
r the virus drivers in the system registry - the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remote Explorer
is created.
Temporary files: while compressing/decompressing files the virus need
s for temporary ones. It creates them in the Windows temporary direct
ory with the random names ~xxxdddd.TMP (where 'x' - letters, 'd' - dig
its).
Resume
The virus is the first native "memory resident" NT infector, so it mig
ht look as some super-virus. Actually the virus was written by some m
iddle-level developer that has access to the NT Device Development Kit
documentation.
The virus does not hook any NT event, does not use any network protoco
ls, does not try to access the passwords, and spread its copy over the
global network. Moreover, the ordinary DOS parasitic viruses have th
e same network spreading abilities like this virus has - they also can
infect files on remote shared drives, stays in the system memory, e.t
.c.
This is just a standard parasitic virus, but with NT service infection
ability. It is not more complex than some other already known Window
s viruses are, and definitely not more complex than the well-known BO
trojan (BackOrifice).
This virus is not a shock at all - it is long awaited WindowsNT-servic
e virus.
--------------------------------------------------------------
信息源自 AVP 12.29 的 AVP 已经可以杀之。
--
████████
█ █
█ 不滞于物 █
█ 草木皆可 █
█ 为剑 █
█ █
※ 来源:.网易虚拟社区 club.netease.com.[FROM: 202.96.129.140]
|
|