Virus Algorithm Analysis

Article courtesy of Eugene Kaspersky and Kaspersky Labs.

The most suitable object for keeping and analyzing a virus is a file containing the virus body. In practice, when analyzing a file virus, it is convenient to have several different infected, but not-too-large-in size, files. It is also desirable to have infected files of all types (COM, EXE, SYS, BAT, NewEXE) that this virus can infect. If it is necessary to analyze a part of the RAM, then with the help of some utilities (for example, AVPUTIL.COM), it is rather easy to simply mark the area where the virus is and copy it to a disk. If, however, analysis of the MBR or boot sector is required, you may copy them to files with the help of popular Norton utilities or AVPUTIL. The most suitable form of keeping a boot virus is an image file of the infected disk. To create this file, it is necessary to format a diskette, infect it with virus, copy that diskette’s image (all sectors, starting from 0 and off to the very last one) to file and, if necessary, to compress it (this procedure can be done with the help of Norton Utilities, TELEDISK or DISKDUPE programs).

The infected files or image files of infected diskettes should be e-mailed to anti-virus program developers, or at least by conventional mail on diskettes. However, if this might take a lot of time, confident users may try to figure the virus out and create an anti-virus of their own.

While analyzing the virus algorithm, the following has to be ascertained:

• the virus’ means of multiplication;
• possible kinds of damage to disk information inflicted by virus;
• method of RAM and infected files (sectors) treatments and cure.

In solving these problems, one should not work without a disassembler or debugger (for example, AFD, AVPUTIL, SoftICE, TurboDebugger debuggers or Sourcer or IDA disassemblers).

Both debuggers and disassemblers have their strong points and drawbacks. Everybody chooses what’s best for him. Small uncomplicated viruses may quickly be “cracked” by the standard DEBUG DOS command; but it is impossible to analyze highly sophisticated and bulky polymorphic Stealth viruses without a disassembler. If it is necessary to find a fast method of restoring all infected files, it is sufficient to trace the beginning of a virus using a debugger are to the point where the virus restores the loaded program before passing control to it (in fact, this particular algorithm is most commonly used when curing viruses). If it is required to receive a detailed virus-operation feature, or a well documented listing, then hardly anything will help except for Sourcer or IDA disssemblers with their capability of restoring cross references. Apart from that, it is necessary to remember that first of all, some viruses can successfully block attempts at tracing them; and second of all, while working with a debugger, there is some probability that a virus might take control.

To analyze a file virus, it is necessary to find out which files (COM, EXE, SYS) are targeted by the virus, into which area(s) of file is the virus code saved: at the top, end or middle of a file; an how completely a file can be restored, in what place does the virus keep the information to restore.

When analyzing a boot virus, the main problem is finding out the address(es) of the sector(s) in which the virus saves the original boot sector (if, of course, the virus saves it at all).

For a resident virus, it is also necessary to determine the code fragment, creating a resident copy of the virus, and to calculate possible addresses of entry points to the interrupting vectors intercepted by the virus. It is also necessary to determine by what means and where in the RAM a virus reserves a place for its resident copy: whether the virus records itself at fixed addresses in DOS and BIOS system areas, decreases memory size reserved for DOS (a WORD at [0000:0413]), creates a special MCB block for itself or uses some other method.

There are special cases, when analysis of the virus may turn out to be a problem too complicated for a user to handle, for example, the analysis of a polymorphic virus. In this case, it is better to turn to an expert program code analyst.

To analyze macro-viruses, it is necessary to obtain the source texts of their macros. For non-encrypted, non-Stealth viruses, this is achieved with the help of the menu item “Tools/Macro.” However, if the virus encrypts its macros or uses a Stealth technique, it is necessary to use special macro viewing utilities. Such utilities may be found among the products of virtually any anti-virus development company, but they are for internal use only and are not distributed outside the company.

Nowadays, there are several known shareware programs for macro viewing. They are Perforin, LWM, and HMVS, but so far, not all of them support the Office97 formats.