Igor Daniloff
VIRUS BULLETIN
October 1997
The Anarchy family, first seen in 1994, was named after a string in its code and a reference to an anarchist musical ensemble from Omsk. In the West, aliases include GrOb, Unto, and Vivat. In June 1997, two years after the release of Anarchy.6503, the last specimen of the series, I was surprised to receive a copy of the latest addition to the family, Anarchy.6093 - intelligent enough to infect not only DOS COM and EXE files, but also Word documents.
On starting an infected COM or EXE, the polymorphic decryptor explodes the main virus body and passes control to it, which first computes a 16-bit CRC of its code. This is compared to the CRC saved at file infection. If there is a discrepancy, it hangs the system by looping back to itself.
If all is well, the virus checks whether it is already resident by opening the file 'JANKA DYAGILEVA', reading the first 81 bytes, and comparing them to some strings in its body. If Anarchy.6093 is already in memory, it simulates opening that same file with the file handle BX=FFFFh and reading the necessary bytes for verification. If it is already active, then the newly-run copy simply returns control to the host program. If it is not active, it searches the DOS environment for variable names ending 'IR=' and 'EC=' (normally WINDIR and COMSPEC). On finding them, it infects both the WIN.COM file in the WINDIR directory, and the command processor specified by COMSPEC.
Further to this, the virus writes its code in the segment immediately after the PSP of the loaded program, beginning from offset 0142h, and intercepts Int 2Fh, taking over the Get Job File Table Entry function (AX=1220h). When this function is called, the virus' handler sets the JFT ES:DI pointer to the virus data, whose first byte is FFh, as though the requested file had not been opened by the system. Thus, the virus tries to prevent analysis of the System File Table. Since Anarchy is invisible at the Int 21h level, denying any program access to the SFT is a reliable tactic for hiding itself in an infected file.
Anarchy also checks whether Windows 95 is loaded and sets an internal flag for later reference. It then intercepts Int 21h, adjusting the memory block size necessary for the operation of the resident copy, and sets a DOS memory allocation flag. Then it starts the infected program (Int 21h AX=4B00h), receives the return code (Int 21h AX=4Dh), and terminates the host program (Int 21h AX=4Ch). In this way, Anarchy stays resident and controls interrupts Int 21h and Int 2Fh.
Aside from providing its 'Are you there?' call, the Int 21h handler controls nineteen functions for infection and stealth. These are typical of DOS stealth viruses, such as Find First, Find Next, Create, Open, Close, Read, Write File, etc.
When the Load Program (AX=4B00h) or Close File (AH=3Eh) function is called, Anarchy again checks whether Windows 95 is running and whether its internal flag was set. If Windows 95 was not loaded when the virus went resident, but is started subsequently in an infected DOS environment, the virus, using the function Int 15h AH=87h (Copy Extended Memory), reads the six bytes located at physical address 11000h, and checks whether the first machine word at this address is 60FCh (CLD, PUSHA). If this word is found, the virus assumes that a procedure of the driver VMM32.VXD (Virtual Memory Manager) is loaded at 110000h, and modifies the initial bytes of this procedure so that control is first passed to the part of the virus' 32-bit code that is designed to hide the virus in infected COM and EXE files.
This stealth mechanism intercepts file functions of virtual device drivers and, if necessary, 'corrects' the results of the requested operations to hide the virus' presence. I could only identify the 60FCh in computers running the Pan European edition of Windows 95. This part of Anarchy's functionality is probably specifically linked to that edition of Windows 95, which is widely used in Russia. The virus disables its DOS stealth mechanism if it detects that any of the archiving utilities ARJ.EXE, ZIP.EXE, RAR.EXE, or RAR20.EXE are running.
On intercepting file Create, Open and Close functions, the virus checks the extension of the file being accessed. If it is COM, EXE or DOC, the file is infected. For COM and EXE files, the virus makes an encrypted polymorphic copy of its code, appends it to the file, and modifies the header of EXE files, or the initial bytes of COM files, to transfer control to the decryptor in the virus' body. DOC files are treated in an unusual manner. The infection technique used had not been seen prior to the release of Anarchy.6093, which is the first virus to infect OLE2 documents by independently analysing their structure.
When programs named AI??????.EXE, WE?.EXE, or DR???.EXE (AIDSTEST.EXE, WEB.EXE, DRWEB.EXE are Russian scanners) open a document file, the virus disables its document infection engine.
On detecting access to a DOC file, Anarchy reads the first 512 bytes into a buffer and checks the first word for the OLE2 signature. It also checks the machine word at offset 1Eh. This word must be equal to nine, which corresponds to the 512-byte sector size of the document. If these conditions are satisfied, the virus proceeds to analyse the DOC file. It computes the offset of the stream directory in the document, sets the pointer in the file to the header of the second stream (256 bytes past the Root Entry), and reads 256 bytes into a buffer. Then it attempts to find the 'Word Document' header of the stream in the second or third directory entry. The header of this stream is verified only by the first character, 'W', in the stream name. Having detected this, the virus computes the offset and reads 288 bytes from the File Information Block (FIB).
At this point probably the only serious bug in the virus occurs: it does not verify the FIB signature, but assumes that the FIB offset computed in the previous step is correct. This is true only for documents longer than 4096 bytes. The virus' FIB computation algorithm is ill-designed for documents with the so-called mini-FAT. With such documents, instead of reading the FIB, Anarchy mistakenly reads the mini-FAT, and all subsequent operations designed to inject the virus code into the document are carried out incorrectly, so the document will obviously be corrupted. What happens when such a document is opened is only a matter of conjecture. All these points apply equally to Word 8 documents, as they use a format different from that of Word 6/7: Word 8 documents will most likely be corrupted by an attempted Anarchy.6093 infection.
Word generally creates documents longer than 4096 bytes, and for such documents Anarchy computes the FIB offset properly. Next, the virus checks whether the file is a template and whether it is password-protected. In either case, the virus does not infect the file. Otherwise it sets the template bit in the FIB, then it checks the Macro Table size, which as a rule is equal to two. Finally, it checks that the document size is a multiple of 512 bytes.
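The structural checks described in the preceding paragraphs (OLE2 signature, a sector shift of nine, a 'WordDocument' stream in the directory, the FIB template and password flags, the 512-byte size rule, and the short-document case in which the FIB lives in the mini-stream and the virus misreads it) can be reproduced as a defensive triage parser. The Python below is an added example written for this article; it is not code from the virus or from the author. It assumes the Word 6/7 FIB layout (wIdent A5ECh at offset 0, fDot as bit 0 and fEncrypted as bit 8 of the flag word at offset 0Ah) and the compound-file rule that streams shorter than the cutoff (4096 bytes) are stored in the mini-stream. build_sample() constructs a minimal in-memory fixture so the script runs offline; it is not a real Word document.

```python
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
FIB_WIDENT_WORD6 = 0xA5EC  # wIdent of a Word 6/7 File Information Block (assumed layout)


def _chain(fat, start):
    """Follow a FAT sector chain from `start`; refuse loops that a hostile file could contain."""
    seen, sid = set(), start
    while sid < len(fat):          # ENDOFCHAIN / FREESECT are out of range and end the walk
        if sid in seen:
            raise ValueError("FAT chain loops at sector %d" % sid)
        seen.add(sid)
        yield sid
        sid = fat[sid]


def triage_doc(data):
    """Apply the article's pre-infection checks to a candidate Word 6/7 document (bytes)."""
    report = {"ole2": data[:8] == OLE2_MAGIC, "size_multiple_of_512": len(data) % 512 == 0}
    if not report["ole2"]:
        return report
    sector_shift, = struct.unpack_from("<H", data, 0x1E)
    report["sector_shift"] = sector_shift
    if sector_shift != 9:                  # the virus only handles 512-byte sectors
        return report
    ss = 1 << sector_shift
    n_fat, dir_start = struct.unpack_from("<II", data, 0x2C)
    mini_cutoff, = struct.unpack_from("<I", data, 0x38)
    fat = []
    for fat_sid in struct.unpack_from("<109I", data, 0x4C)[:n_fat]:   # DIFAT entries in the header
        fat.extend(struct.unpack_from("<%dI" % (ss // 4), data, (fat_sid + 1) * ss))
    # Walk the directory (128-byte entries) for the WordDocument stream by its full name;
    # the virus itself only tests that the name starts with 'W'.
    entry = None
    for sid in _chain(fat, dir_start):
        for i in range(ss // 128):
            e = data[(sid + 1) * ss + i * 128:][:128]
            name_len, etype = struct.unpack_from("<HB", e, 0x40)
            if etype == 2 and name_len >= 2 and e[:name_len - 2].decode("utf-16-le") == "WordDocument":
                entry = e
    report["word_document_stream"] = entry is not None
    if entry is None:
        return report
    start_sector, stream_size = struct.unpack_from("<II", entry, 0x74)
    report["stream_size"] = stream_size
    report["in_mini_stream"] = stream_size < mini_cutoff
    if report["in_mini_stream"]:           # FIB sits in the mini-stream: the virus' computed offset is wrong
        return report
    fib = data[(start_sector + 1) * ss:][:0x20]
    w_ident, n_fib = struct.unpack_from("<HH", fib, 0)
    flags, = struct.unpack_from("<H", fib, 0x0A)
    report.update(fib_signature_ok=w_ident == FIB_WIDENT_WORD6, nFib=n_fib,
                  is_template=bool(flags & 0x0001), is_encrypted=bool(flags & 0x0100))
    return report


def _dir_entry(name, etype, child, start, size):
    """Build one 128-byte compound-file directory entry (fixture helper)."""
    e = bytearray(128)
    enc = name.encode("utf-16-le") + b"\x00\x00"
    e[:len(enc)] = enc
    struct.pack_into("<HBB", e, 0x40, len(enc), etype, 1)         # name length, type, colour
    struct.pack_into("<III", e, 0x44, NOSTREAM, NOSTREAM, child)  # left, right, child
    struct.pack_into("<II", e, 0x74, start, size)                 # start sector, size (v3 low dword)
    return bytes(e)


def build_sample(template=False, small_stream=False):
    """Constructed fixture: header, one FAT sector, one directory sector, then the WordDocument stream."""
    ss, stream_size = 512, (1024 if small_stream else 4096)
    n_stream = 0 if small_stream else stream_size // ss     # mini-stream contents are omitted from the fixture
    header = bytearray(ss)
    header[:8] = OLE2_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # version 3, sector shift 9, mini shift 6
    struct.pack_into("<II", header, 0x2C, 1, 1)                       # one FAT sector (0); directory at sector 1
    struct.pack_into("<IIIII", header, 0x38, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # cutoff, mini-FAT, DIFAT
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))
    fat = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(n_stream)]    # stream chain 2 -> 3 -> ... -> END
    if n_stream:
        fat[-1] = ENDOFCHAIN
    fat_sector = struct.pack("<%dI" % (ss // 4), *(fat + [FREESECT] * (ss // 4 - len(fat))))
    directory = _dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
    directory += _dir_entry("WordDocument", 2, NOSTREAM, 0 if small_stream else 2, stream_size)
    directory += b"\x00" * (ss - len(directory))
    fib = bytearray(ss)   # wIdent, nFib, unused, lid, pnNext, flags (fDot = bit 0)
    struct.pack_into("<HHHHHH", fib, 0, FIB_WIDENT_WORD6, 101, 0, 0x0409, 0, 1 if template else 0)
    stream = (bytes(fib) + b"\x00" * (ss * (n_stream - 1))) if n_stream else b""
    return bytes(header) + fat_sector + directory + stream


if __name__ == "__main__":
    for label, doc in (("plain", build_sample()), ("template", build_sample(template=True)),
                       ("short", build_sample(small_stream=True))):
        print(label, triage_doc(doc))
```

Run over a quarantine share, documents reporting in_mini_stream as true were never infectible but would have been corrupted by an attempt, while a .DOC whose template bit is set with an otherwise ordinary FIB is worth a closer look, since the virus sets that bit itself.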
Documents deemed 'infectible' have their FATs modified so the virus can append a macro to the file. The virus then writes 512 bytes at the end of the infected document, and adds a reference to the Macro Table, which it creates after the 512-byte block. It also specifies the size of this Macro Table and creates the Macro Table. Anarchy writes a flag for only one macro, a randomly-chosen macro encryptor key and the two macro name tables. In the macro name table used by Word's internal macro handling procedures, the macro is named AUTOOPEN, so it is automatically executed on opening the document. However, in the other name table, which is where the macro names displayed in Organizer, Tools/Macro and the like are stored, the virus leaves the macro nameless. More correctly, there is a name, but it is a string containing no printable characters. 'Normal' macro viruses cannot play such tricks, as they depend on Word itself setting up these tables, and Word always creates a displayable name entry in the second table.
Thus, the virus attaches the Macro Table at the file end and then proceeds to create the macro in a buffer. It copies 104 bytes from its body to the beginning of the macro. These 104 bytes start with the standard macro 'SUB MAIN'. Then follows a simple routine to find a currently unused EXE filename and create a file with that name. This file is then opened for writing with the file handle '#1'. Using string manipulation and print commands, the virus builds a WordBasic routine in the macro to drop a copy of the virus binary code. To achieve this, it scans its resident code, splitting it into sub-strings up to 128 characters long, and writes these into the macro. As a simplified example: <skiped>
Incredible! Anarchy assigns characters to C$ that cannot be created at the keyboard. It transfers the binary virus code, including all the characters from 0 to 255, to the variable C$.
After scanning the resident code and creating commands in WordBasic, Anarchy writes the concluding instructions:

    Close        ' close the newly created EXE
    Shell N$     ' start the newly created EXE
    Kill N$      ' delete the EXE
    END SUB      ' the end of the macro
The macro in memory is then encoded with the previously generated encryption key and written to the end of the document. This completes the infection mechanism. It is clear that on opening an infected file in Word, a file in NewExe format will be created, run, then deleted. It only remains to discover what this program does.
The Windows NewExe file dropped by the virus' macro is quite novel. Its NE signature is immediately after the MZ signature of the DOS EXE file and, as a result, there is no DOS stub for the NewExe file.
On execution, this program calls the KERNEL.192 (GlobalPageLock) and KERNEL.172 (AllocAlias) functions. Then control is transferred to the 16-bit code that is also used in infected DOS files for finding and infecting the command processor defined in the COMSPEC variable, and the WIN.COM file in the WINDIR directory. After these operations, the functions KERNEL.176 (FreeSelector) and KERNEL.192 (GlobalPageUnlock) are called, and the program exits by calling Int 21h AX=4C00h (Terminate).
On 8 and 30 April, and 9 May, the virus writes a Russian quatrain to randomly-selected hard disk sectors. This routine runs only if the disk handler of Int 13h has 63h (ARPL) as its first byte - this is true under Windows 95.
Anarchy.6093 is the first multi-platform virus to infect COM and DOS EXE files, drop a Windows NewExe virus, and inject a dropper into Word 6/7 documents. It is also the first virus known to hide its presence under Windows 95 by modifying the system driver VMM32.VXD, which operates in protected mode as a supervisor.
The ability to migrate along with documents explains why Anarchy.6093 hit Russia at such a rate. I received the first specimen from Siberia. A day later I received an avalanche of infected files from Moscow and other central Russian cities miles away. The epidemic spread the length and breadth of Russia in literally two or three days and even visited the LAN at Duma (the Russian State legislative assembly). I cannot recall any other virus that hopped from one computer to another at such lightning speed.
Anarchy.6093

Aliases | None known |
---|---|
Type | Memory-resident parasitic, stealth, polymorphic COM, EXE file and DOC OLE2 infector. |
Infection | COM, EXE, and DOC files; drops a Windows NewExe file from Trojanized DOC files. |
Self-recognition in COM and EXE Files | Bit 15 in year field of file time-stamp. Russian text strings at file end. |
Self-recognition in DOC Files | Will not infect if template bit set. |
Self-recognition in Memory | Opens file JANKA DYAGILEVA and reads 81 bytes; see description. |
Self-recognition in Files | Bit 1 and bit 4 in seconds field of file's time-stamp set. |
Hex Pattern in Files | None possible. |
Hex Pattern in Memory | 9C3D 0042 751B 83FB FF75 162E 381E 6C19 750F 23D2 750B 23C9 |
Intercepts | Int 2Fh for stealth routine and Int 21h for infection and stealth routine in DOS. Patches VMM32.VXD in Windows 95. |
Trigger | On 8 and 30 April and 9 May, overwrites random disk sectors. |
Removal | Infected files are identified and restored from a clean system. |
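The two time-stamp marks in the table above can be turned into a file-system triage check. The Python below is an added example, not part of the Virus Bulletin entry; it assumes that 'bit 15 in year field' means the top bit of the packed DOS date word (which implies a year of 2044 or later) and that 'seconds field' is the five-bit two-second count at the bottom of the DOS time word. scan_tree() packs each file's modification time back into DOS words, which is only meaningful on a file system that preserved the original DOS time-stamp.

```python
import datetime
import os


def dos_time_fields(time_word, date_word):
    """Unpack the 16-bit DOS time and date words as stored in directory entries."""
    return {
        "hour": time_word >> 11,
        "minute": (time_word >> 5) & 0x3F,
        "two_seconds": time_word & 0x1F,      # five-bit field holding seconds / 2
        "year": 1980 + (date_word >> 9),      # seven-bit field: bit 15 set means year >= 2044
        "month": (date_word >> 5) & 0x0F,
        "day": date_word & 0x1F,
    }


def anarchy_markers(time_word, date_word):
    """Report the two self-recognition marks listed for Anarchy.6093 (interpretation assumed, see lead-in)."""
    seconds_field = time_word & 0x1F
    return {
        "year_bit15": bool(date_word & 0x8000),
        "seconds_bits_1_and_4": (seconds_field & 0x12) == 0x12,
    }


def pack_dos_timestamp(mtime):
    """Pack a POSIX mtime into DOS time/date words (local time, as DOS stored them)."""
    t = datetime.datetime.fromtimestamp(mtime)
    time_word = (t.hour << 11) | (t.minute << 5) | (t.second // 2)
    date_word = (max(t.year - 1980, 0) << 9) | (t.month << 5) | t.day
    return time_word & 0xFFFF, date_word & 0xFFFF


def scan_tree(root):
    """Yield (path, markers) for COM/EXE files whose time-stamp carries either mark."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".com", ".exe")):
                continue
            path = os.path.join(dirpath, name)
            markers = anarchy_markers(*pack_dos_timestamp(os.stat(path).st_mtime))
            if any(markers.values()):
                yield path, markers


if __name__ == "__main__":
    # Constructed sample words: 12:30:36 on 8 April 2044 carries both marks.
    marked_time = (12 << 11) | (30 << 5) | 0x12
    marked_date = ((2044 - 1980) << 9) | (4 << 5) | 8
    print(dos_time_fields(marked_time, marked_date), anarchy_markers(marked_time, marked_date))
```

A time-stamp in 2044 or later on a file written in 1997 is a strong anomaly on its own, so the year check is the cheaper of the two to apply across a whole volume; the seconds mark matches one in every four ordinary time-stamps and is only useful in combination.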