
the tale of the virus and the headers (help)


mancini
September 2nd, 2002, 02:28
Recently I was infected with the W95:Weird.10240 virus
what can I say .. it infected only and all my exe files
having only AntiViral Toolkit Pro with virus updates I made the mistake of letting it disinfect the files

And now most of my executables that were installation packages are broken
Installshield ones I rename to .cab, the msi ones to .zip, winzip ones the same......and the rest all work if I remove the zeros and/or update the crc so I can use them after all, and some installation packages still work without any fixing
BUT the WISE ones are definitely ruined and the AnalogX packages... well they are way too strange
(all sections have a 00000000 virtual size and have 2 nonstandard sections)

Strangely tho' all the rest of my noninstaller executables including ones packed with an executable packer work fine

these are the differences between the way my .exe files looked before and how they look now
(the first 4 are as they occurred to xns3.exe and netscan.exe as example ... anyway, they are both WISE installation packages)


-1-the Size of Image changed from (xns3.exe 00006000 to 00074000)
(netscan.exe 00007000 to 00181000)
-2-the Resource Table Size changed from (xns3.exe 00000640 to 0006E040)
(netscan.exe 00000640 to 0017A440)
-3-the Virtual Size of the last section changed from (xns3.exe 00000640 to 0006E200)
(netscan.exe 00000640 to 0017A600)
-4-the Raw Size of the last section changed from (xns3.exe 00000800 to 0006B603)
(netscan.exe 00000800 to 00177A01)
-5-the Characteristics of the last section changed from (all exes 40000040 to E0000000)
-6-the .exe files got a random number of EOF extra data zeros
-7-the .exe files got a wrong CRC check
(.rsrc is always the last section in the case of installs)

So now I have to spend who knows how many nights and days asking and learning and trying to find a way to fix my executables back

Kaspersky Lab, who makes AVP, keeps putting me off and has no intent of helping me, and PE Explorer, the only software I found to fix most of the problems automatically, also breaks executables if they are installation packages and they too care not about my emails.

Now ..obviously I can fix the crc, remove the zeros and change the characteristics
but still remaining are the first 4 problems ... I can update them too of course but I don't know with what values
so I already almost finished a program that batch fixes the last 3 problems and I think I can write one to do the same with the first 4 ... change the values that is, but I don't know how to make it calculate the values for each file it finds in its batch list.
my best bet is that it ain't even possible and I need to manually calculate that but there must be a way

does anyone have any ideas about this or about the general problem ?

look in the zip above for screenshots of the full headers of the files

JMI
September 2nd, 2002, 04:33
mancini:

Since I'm in charge of nagging about searching, I did a quick google with "W95:Weird.10240" and there are several companies who claim that their software can "repair" the effects of this virus. Both Panda Software and McAfee make this claim, but I have had no reason to test their products on this virus.

The McAfee site makes this claim:

Removal Instructions
All Users:
Script,Batch,Macro and non memory-resident:

Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident:

Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Maybe the software from one of these companies could help fix the damage. Might be worth a try.

Regards.

mancini
September 2nd, 2002, 04:52
man
I'm sure you meant well
but
didn't you see:

"having only AntiViral Toolkit Pro with virus updates I made the mistake of letting it disinfect the files"

that shitty antivirus already disinfected my files and messed them up even further

do you understand now that the idea of running an antivirus on an executable with no virus but a broken pe header is . well not bright ?

Kayaker
September 2nd, 2002, 04:58
Hi Mancini, that sucks bigtime. I got hit with the Weird virus a while back, from code I knew but got infected on another person's system. I was lucky in that I was doing testing on the code at the time and noticed a slowdown and strange behaviour from my system and HD as the virus was rewriting exe files. I was able to stop it somehow and it "only" infected a few hundred of my files.

I'm just looking at a Wise installer package here, and can see that for this particular target the .rsrc section as reported by a PE editor is virtually only the Icon/GroupIcon of a regular PE file. The rest of the section is the installation resources that are loaded from code into windows/temp and are huge in comparison. This section isn't defined in the PE header as part of the loadable resources nor is it included as part of the ImageSize from the looks of it.

After AntiViral Toolkit got through with cleaning up the files it must have used the true file size to base the ImageSize on, and rewrote the .rsrc sizes in the PE header wrong. You might be able to find the start of the .rsrc section, the raw offset hasn't changed, and select a block size into the resource that includes only the default resources present. i.e. for the Icon/GroupIcon section mine seems to be 400h bytes in size. The end of the section should be recognizable as being zero padded. It isn't critical to replace the exact original value of VirtualSize of the rsrc, so 400h for VSize and RSize should be OK. The ending point should also be the "perceived" ImageSize that you will need to restore as well. I'm not sure if the AnalogX packages are the same, but maybe you can use this information.

Regards,
Kayaker
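The header fields mancini's first post lists and the repair Kayaker sketches, as an added Python example (not code from the thread or from any tool named in it). It assumes a PE32 file whose last section is .rsrc; the sample is constructed to carry the damaged xns3.exe values quoted above, and rsrc_size is the caller's estimate of the real resource block (Kayaker's 400h by default).

```python
import struct

SEC = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes

def pe_checksum(data):
    """OptionalHeader.CheckSum (the 'CRC' of the thread): folded 16-bit sum over the file, CheckSum field skipped, plus length."""
    skip = struct.unpack_from("<I", data, 0x3C)[0] + 0x58        # PE sig(4) + FileHeader(20) + 0x40
    words, total = data + b"\0" * (len(data) % 2), 0
    for off in range(0, len(words), 2):
        if off not in (skip, skip + 2):
            total += struct.unpack_from("<H", words, off)[0]
            total = (total & 0xFFFF) + (total >> 16)
    return ((total & 0xFFFF) + (total >> 16) + len(data)) & 0xFFFFFFFF

def fields(data):
    """The header fields behind the seven differences listed in the first post (.rsrc assumed last)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsec, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt = e_lfanew + 24
    last = opt + opt_size + (nsec - 1) * SEC.size
    name, vsize, va, rsize, praw, *_, chars = SEC.unpack_from(data, last)
    align, image, csum, rdir = (struct.unpack_from("<I", data, opt + o)[0] for o in (0x20, 0x38, 0x40, 0x74))
    return {"opt": opt, "last": last, "name": name, "SectionAlignment": align, "SizeOfImage": image,
            "CheckSum": csum, "CheckSumOK": csum == pe_checksum(data), "RsrcDirSize": rdir,
            "VirtualSize": vsize, "VirtualAddress": va, "SizeOfRawData": rsize,
            "PointerToRawData": praw, "Characteristics": chars}

def repair(data, rsrc_size=0x400):
    """Kayaker's fix: size the last section to the real resource block (0x400 in his sample), derive SizeOfImage, restore flags, refresh CheckSum."""
    f, out = fields(data), bytearray(data)
    align = f["SectionAlignment"]
    image = -(-(f["VirtualAddress"] + rsrc_size) // align) * align          # round up to SectionAlignment
    SEC.pack_into(out, f["last"], f["name"], rsrc_size, f["VirtualAddress"], rsrc_size,
                  f["PointerToRawData"], 0, 0, 0, 0, 0x40000040)          # INITIALIZED_DATA | READ
    struct.pack_into("<I", out, f["opt"] + 0x38, image)                   # SizeOfImage
    struct.pack_into("<I", out, f["opt"] + 0x74, rsrc_size)               # resource directory size
    struct.pack_into("<I", out, f["opt"] + 0x40, pe_checksum(bytes(out)))
    return bytes(out)

def sample():
    """Constructed stand-in for a disinfected Wise stub carrying the damaged xns3.exe values quoted in the thread."""
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)).ljust(0x200, b"\0")   # e_lfanew = 0x80
    struct.pack_into("<4sHHIIIHH", hdr, 0x80, b"PE\0\0", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)     # i386, 2 sections
    struct.pack_into("<H", hdr, 0x98, 0x10B)                                                 # PE32 optional header
    struct.pack_into("<II", hdr, 0x98 + 0x20, 0x1000, 0x200)                                 # Section/FileAlignment
    struct.pack_into("<II", hdr, 0x98 + 0x38, 0x74000, 0x200)                                # SizeOfImage (damaged), SizeOfHeaders
    struct.pack_into("<I16xII", hdr, 0x98 + 0x5C, 16, 0x5000, 0x6E040)                       # NumberOfRvaAndSizes; resource dir RVA, size (damaged)
    SEC.pack_into(hdr, 0x178, b".text", 0x4000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    SEC.pack_into(hdr, 0x178 + 40, b".rsrc", 0x6E200, 0x5000, 0x6B603, 0x400, 0, 0, 0, 0, 0xE0000000)
    return bytes(hdr) + b"\xCC" * 0x200 + b"\x01" * 0x640 + b"\xAB" * 0x100                # code, resources, overlay
```

With rsrc_size=0x640 (the pre-infection value in the first post) SizeOfImage comes back as 0x6000, the original value; Kayaker's 0x400 lands in the same 0x1000 page.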

DakienDX
September 2nd, 2002, 11:04
Hello mancini !

I had a virus some time ago too. I don't remember its name but it did "nice" work. About 350 .EXE files were infected.

I even had "looked" at the downloaded file, thought "protecting an installation package with a self-made Xor encryption, how imaginative" and executed it. It took a bit too long to load the small file. So I tried notepad, which also took about 5 seconds, and pressed RESET.

So I set "BootGUI=0" and started the whole thing from DOS. I used NAV with the latest virus-definitions, rebuilt one file which I had in infected and original form, compared them and said "no way".

I had the same problem you have with the WISE installers.

A normal WISE installer is a stub, with some user-set versioninfo in the .rsrc section and an appended installation package. They use the file-size to check if they have been modified.

However, this makes it impossible to digitally sign the installation files. So they've invented a new stub. The old installation .EXE is placed as whole in the .rsrc section of the new stub. So a digital signature can be appended after the .rsrc section.

So here is the solution. Since the (signed) stub was infected and was repaired, the real installation program is still unaffected inside the .rsrc section. So you only need to extract it from there.

Use a hex-editor, find the second occurrence of "This program cannot be run in DOS mode", go a few bytes back to the "MZ". Start there and save the data until the end of the file. Run the new .EXE. If it runs you're lucky, else you'll have to find and remove the digital signature. It starts with a DWord telling how long it is (=how long to the end of the file). So start searching at the end of the file and go back. Truncate the file when you've found it.

(I was able to restore about 250 files from backups, so I had to repair the other 100 by hand. It took me about two weeks.)
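DakienDX's two steps (carve the inner EXE from the second DOS stub, then cut off a trailing digital signature) as an added Python example, not code from the thread. The sample two-stub file and its certificate blob are constructed; the wRevision/wCertificateType checks on the WIN_CERTIFICATE header are my own sanity check on top of the dwLength rule the post gives.

```python
import struct

DOS_STUB_MSG = b"This program cannot be run in DOS mode"

def carve_inner_pe(data):
    """Step 1: find the second DOS-stub message, back up to its 'MZ', keep everything to end of file."""
    first = data.find(DOS_STUB_MSG)
    second = data.find(DOS_STUB_MSG, first + 1) if first >= 0 else -1
    if second < 0:
        return None                                  # single stub: not the two-stub layout
    return data[data.rfind(b"MZ", 0, second):]

def strip_trailing_signature(pe):
    """Step 2: scan backwards for a WIN_CERTIFICATE whose dwLength runs to end of file;
    wRevision 0x0200 / wCertificateType 0x0002 (PKCS#7) are checked too (added sanity check)."""
    for pos in range(len(pe) - 8, -1, -1):
        length, rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if rev == 0x0200 and ctype == 0x0002 and 8 <= length and pos + length <= len(pe) < pos + length + 8:
            return pe[:pos], True                    # truncate: the blob was padded to 8 bytes
    return pe, False

def win_certificate(blob):
    """WIN_CERTIFICATE header (dwLength covers the 8-byte header) plus 8-byte alignment padding."""
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    return cert + b"\0" * (-len(cert) % 8)

def make_pe32(payload, cert=b""):
    """Constructed minimal PE32: DOS header with stub message, zeroed headers, payload, optional certificate."""
    hdr = bytearray(0x98 + 0xE0)
    hdr[:2], hdr[0x3C:0x40] = b"MZ", struct.pack("<I", 0x80)                         # e_lfanew
    hdr[0x4E:0x4E + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    hdr[0x80:0x98] = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", hdr, 0x98, 0x10B)                                          # PE32 magic
    struct.pack_into("<I", hdr, 0x98 + 0x5C, 16)                                      # NumberOfRvaAndSizes
    if cert:                                                                          # Security directory entry
        struct.pack_into("<II", hdr, 0x98 + 0x80, len(hdr) + len(payload), len(cert))
    return bytes(hdr) + payload + cert

def sample():
    """Outer signed stub whose .rsrc data carries the unsigned original installer, as DakienDX describes."""
    inner = make_pe32(b"\x11" * 0x40)
    return inner, make_pe32(b"\x22" * 0x30 + inner, win_certificate(b"CONSTRUCTED-PKCS7-BLOB"))
```

A file with only one stub message (the case mancini reports for his installers) makes carve_inner_pe return None, so nothing is carved by mistake.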

mancini
September 3rd, 2002, 00:09
first of all i need to note this:
(I have misspelled W32:Weird.10240 as W95:Weird.10240 in my first post)
anti viral pro reports the virus i had as W32:Weird.10240
panda antivirus reports the virus i had as W32/Weird.10240.B
norton antivirus reports the virus i had as W32.Weird (G1)
sophos antivirus reports the virus i had as W32/Weird-10240
mcafee antivirus reports the virus i had as W95/Kuang.GR

As part of its infection routine the virus drops a randomly named file with a size of 10,240 bytes, hence its name

more info about it:

It is not a dangerous memory resident parasitic Win32 virus. It writes itself to the end of PE EXE files (Windows executable) by increasing last file section and modifying PE header fields. The virus copy in infected files consists of two parts. First part (starter) is a short routine (about one kilobyte of code and data), the second part is the main virus code (about 10Kb of size) encrypted with silly encryption loop.

When the infected file is executed, the starter takes control, decrypts the second part of virus code, drops it to Windows directory as a PE EXE file with random name and executes it. The main virus instance stays memory resident as a hidden Windows application, runs a low priority thread that periodically scans drives' directory trees, looks for PE EXE files and infects them.


DakienDX it must be that you got infected by a different version of the virus or I have wise installs of a different version because I can't find in a single wise installer 2 occurrences of the string "This program cannot be run in DOS mode" but only one

I am working on the thing and hopefully I'll get to the end of it
needless to say I am very thankful for all you guys' input and Kayaker
the .rsrc raw offset brings me to the start of a file info string that is between 2 zero padded areas and that seems quite strange

anyway I'm a little confused now but I'll sort it out and hope I can count on your help again at a later time when I will have some progress

DakienDX
September 3rd, 2002, 08:36
Hello mancini !

I never said I had the same virus. The one I had was not memory resident. On execution it infected either .EXE files in 75 directories or 300 .EXE files, depending on what limit was reached first.

The WISE installations I had were signed, so there was the signed stub I described. The ones not signed still had the same stub.

I used DOS to find out how the virus worked. The first API it used was GetCurrentDirectory, so I patched my KERNEL32.DLL to compare the instructions at the calling address for the virus pattern and if they match, jump some bytes further to the jump back to the program's OEP. (skip the "virus" part) So I could repair the files under Windows.

The manual file repairs I did were really hard. I had to look for an uncorrupted copy of programs using the same compiler/installation system/packer/... and compare the differences. Sorry I can't help you more, but it's hard to deal with this kind of thing.

RaX
September 11th, 2002, 22:44
Quote:
I even had "looked" at the downloaded file, thought "protecting an installation package with a self-made Xor encryption, how imaginative" and executed it. It took a bit too long to load the small file. So I tried notepad, which also took about 5 seconds, and pressed RESET.


DakienDX, that's the saddest thing I've ever heard.
You need something to do in your free time ;P

DakienDX
September 12th, 2002, 00:09
Hello RaX !

Maybe I'll download a virus and execute it every month to have something to do in my free time.

Oh, wait, I'm already visiting the board in my free time. Shall I send you any virus I download instead?
(don't worry, this was the first and last virus I ever got)

Just one rule makes sure you don't get a virus: Don't execute suspicious files you download for friends without an internet connection.

Now my software installation packages are all called "*.EX&".