Vesselin Bontchev
Virus Bulletin, Oct 1997, pp. 10-11
ISSN 0956-9979
Like most other anti-virus researchers, we regularly receive virus collections which come not from real infections but either directly from the virus writers or from one of the many virus exchange (VX) sites. In the first case, the author of the virus probably thinks that an anti-virus researcher is the best person to "appreciate" his new creation. In the second case, it is usually some "helpful soul" who gets the viruses from the VX sites and sends them to us (and probably to a dozen other anti-virus researchers), presumably with the feeling that by doing so he is helping us. In both cases, the collections are usually uploaded to our ftp site or sent to us by e-mail, and in both cases they contain mostly junk.
This junk consists of corrupted virus samples, programs written with the obvious intention of being a virus but too buggy to work, virus creation tools, text files, programs falsely flagged as infected by some anti-virus product, totally unrelated files and so on ([Bontchev93]). Even when they contain viruses, these viruses are usually already known to us. And even when they are not, they are the usual crop of boring, stupid, buggy viruses, often created by slightly modifying some well-known virus. Processing such collections is mostly a waste of time, yet it has to be done; it is an (unpleasant) part of the job of the anti-virus researcher.
Yet occasionally these collections contain something interesting. This was the case with the latest package of macro viruses taken from the virus-writing electronic magazine SLAM. This magazine was started by the amazingly inept German virus writer who calls himself The Nightmare Joker and has authored probably more than a dozen rather trivial macro viruses and macro virus construction kits. This time, however, the magazine contained a macro virus obviously written by someone else: somebody with much more talent in the area of virus writing.
The author evidently calls his virus "Vicissitator", whatever that is supposed to mean. Such a name looked too long to us; besides, we enjoy spoiling part of the fun for virus writers by giving their viruses names different from those their authors have selected. Therefore, we decided to name the virus WordMacro/Vicis.A, or WM/Vicis.A for short.
Vicis is a polymorphic macro virus... and that is the very least that can be said about it; it is a major understatement. Polymorphism in DOS viruses is usually achieved by encrypting most of the virus body and prepending a randomly generated decryptor to it. The same idea has been tried in the macro virus world as well (e.g., in the Slow virus [Qin97]). However, WordBasic is a slow language, not very suitable for character manipulation, so the encryption/decryption process is always slow, which makes such a virus very noticeable. WordBasic is much more suitable for string manipulation, however, and it is a syntactically simple language. All these properties make it easy to implement a different kind of polymorphism: polymorphism not based on encryption, in which the virus rewrites its own source code. The basic idea was described by Dr. Fred Cohen several years ago, but this is the first time we have seen it properly implemented in a computer virus.
The Vicis virus replicates using the system macros attack ([Bontchev96]). In infected documents, it consists of a single macro named FileSave. When an infected document is opened, edited, and saved via the File/Save command, the virus receives control and copies itself to the global template (NORMAL.DOT). It also uses the ToolsMacro .Edit command to create a new macro, named ToolsMacro, which resides only in the global template (not in the infected documents). The contents of this macro are simply
The purpose of this macro is obviously to disable Word's Tools/Macro command and thus to prevent the user from inspecting the macros in the documents and, therefore, from discovering the virus. Needless to say, such a form of "stealth" is rather primitive and likely to be noticed quickly. Much more advanced forms of stealth have been developed by the authors of macro viruses ([Bontchev96]). However, the strong point of the Vicis virus is not stealth but polymorphism.
Once the virus has infected the global template, each time the user edits and saves a clean document with the File/Save command, the virus infects it. The virus invokes its polymorphic routine only when replicating from the global template to a document, not when replicating in the opposite direction. If the global template or the document already contains a macro named FileSave, the virus considers it to be already infected and does not attempt to infect it.
The main mutation routine of the virus works the following way. The virus marks a random number (between 1 and 10 inclusive) of consecutive lines of its own body. Then it checks whether the contents of the marked lines satisfy the following conditions:
If all of the above conditions are satisfied, the marked lines are cut and replaced with a Call statement to a randomly generated subroutine name. The virus then pastes the cut lines at the end of its body between a Sub/End Sub pair which it creates and which uses the same randomly generated subroutine name as the Call line that replaced the cut lines.
After the virus has invoked its main mutation routine, it does the following (the different operations are explained below):
Only one of the above four replacements can happen during a single replication of the virus. The second operand of the replacement expression is always a randomly generated number between 1 and 10 inclusive.
If <identifier1> = <identifier2> Then <identifier3> = <number>
where the three identifiers and the number are generated randomly. The line is inserted at the beginning of a randomly selected subroutine of the virus body.
Despite the convoluted polymorphic mechanism described above, the Vicis virus can be detected reliably with a simple scan string; no wildcards are even necessary. This is because all replicants of the virus contain reasonably large chunks of constant code, even though the location of these chunks is not constant. Furthermore, like all other WordBasic viruses which attempt to be polymorphic, the macros of the Vicis virus are not Execute-Only, that is, they are not encrypted even with the trivial encryption algorithm Word uses for this purpose (a macro that rewrites its own source must be able to read and edit that source). Therefore, they can be listed and edited freely.
For instance, the following command is always present in all working replicants of the virus:
MacroCopy "Global:FileSave", "Global:Vicissitator"
Its binary representation is
64 67 C2 80 6A 0F 47 6C 6F 62 61 6C 3A 46 69 6C 65 53 61 76 65 12 6A 13 47 6C 6F 62 61 6C 3A 56 69 63 69 73 73 69 74 61 74 6F 72
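To make the two mechanisms above concrete, here is an added example (not code from the article or from the virus, and not WordBasic) that simulates in Python the mutation routine described earlier, i.e. the cutting of 1 to 10 consecutive lines into a new Sub behind a randomly named Call and the insertion of a junk If line, over a constructed toy macro, and then runs the scan string above over the mutated text. Everything except the MacroCopy line and its byte encoding is an assumption: the toy macro, the eligibility test standing in for the condition list that is not on this page, the split of the hex dump into tokens, and the plain-ASCII storage of the other lines.

```python
import random
import re

# Constructed toy macro; only the MacroCopy line is taken from the article.
TOY_MACRO = [
    "Sub MAIN",
    "x = 1",
    "y = 2",
    "z = x + y",
    'MacroCopy "Global:FileSave", "Global:Vicissitator"',
    "a = z + 10",
    "End Sub",
]
CONSTANT_LINE = TOY_MACRO[4]
JUNK_RE = re.compile(r"^If \w+ = \w+ Then \w+ = \d+$")


def _rand_ident(rng):
    return "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                   for _ in range(rng.randint(4, 8)))


def _eligible(span):
    # ASSUMED stand-in for the article's (missing) condition list: the cut must
    # stay inside one Sub body and carry no flow control that breaks when moved.
    return not any(l.startswith("Sub ") or l == "End Sub"
                   or "Goto" in l or l.endswith(":") for l in span)


def extract_call(lines, rng):
    """Cut 1-10 consecutive eligible lines into a new Sub, leaving a Call."""
    count, start = rng.randint(1, 10), rng.randrange(len(lines))
    span = lines[start:start + count]
    if not _eligible(span):
        return list(lines)          # conditions not met: no change this round
    name = _rand_ident(rng)
    return (lines[:start] + [f"Call {name}"] + lines[start + count:]
            + [f"Sub {name}"] + span + ["End Sub"])


def insert_junk(lines, rng):
    """Insert 'If i1 = i2 Then i3 = n' at the start of a randomly chosen Sub."""
    i = rng.choice([k for k, l in enumerate(lines) if l.startswith("Sub ")])
    junk = (f"If {_rand_ident(rng)} = {_rand_ident(rng)} "
            f"Then {_rand_ident(rng)} = {rng.randint(1, 10)}")
    return lines[:i + 1] + [junk] + lines[i + 1:]


def mutate(seed, rounds=5):
    """Run `rounds` generations of both mutations over the toy macro."""
    rng, lines = random.Random(seed), list(TOY_MACRO)
    for _ in range(rounds):
        lines = insert_junk(extract_call(lines, rng), rng)
    return lines


def inline(lines):
    """Undo the mutation: expand every Call, drop junk lines, rebuild MAIN."""
    subs, cur = {}, None
    for l in lines:
        if l.startswith("Sub "):
            cur = l[4:]
            subs[cur] = []
        elif l == "End Sub":
            cur = None
        elif cur is not None and not JUNK_RE.match(l):
            subs[cur].append(l)

    def expand(name):
        body = []
        for l in subs[name]:
            body += expand(l[5:]) if l.startswith("Call ") else [l]
        return body
    return ["Sub MAIN"] + expand("MAIN") + ["End Sub"]


def encode_macrocopy(src, dst):
    """Byte form of MacroCopy "src", "dst" matching the article's hex dump.
    The token split is our reading of that dump: 64 67 C2 80 = MacroCopy,
    6A <len> = string literal, 12 = comma."""
    def lit(s):
        return b"\x6A" + bytes([len(s)]) + s.encode("ascii")
    return bytes.fromhex("64 67 C2 80") + lit(src) + b"\x12" + lit(dst)


SCAN_STRING = encode_macrocopy("Global:FileSave", "Global:Vicissitator")


def to_bytes(lines):
    # ASSUMED storage: only the MacroCopy line is tokenised; the rest is kept
    # as ASCII, enough to show the scan string moving without changing.
    return b"\n".join(SCAN_STRING if l == CONSTANT_LINE else l.encode("ascii")
                      for l in lines)


def scan(buf):
    """Offset of the scan string in buf, or -1 if not detected."""
    return buf.find(SCAN_STRING)


if __name__ == "__main__":
    for seed in (1, 2, 3):
        m = mutate(seed)
        print(f"seed {seed}: {len(m)} lines, scan string at {scan(to_bytes(m))}")
```

inline() undoes the mutation and recovers the original body, which is the property that makes this kind of polymorphism semantics-preserving; scan() keeps finding the MacroCopy bytes at varying offsets in every generation, which is the point made above: the constant chunks move but do not change.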
Like most other polymorphic macro viruses written in WordBasic, the Vicis.A virus is too buggy, slow, and obvious when replicating. It therefore has no chance of surviving in the wild and becoming widespread. Even should an outbreak of it happen, it is very easy to detect the virus with a simple scan string. The only problems its sophisticated polymorphic mechanism poses are for the anti-virus products which attempt to identify exactly the viruses they detect. Nevertheless, it is worrisome to think what the virus's author, CyberYoda, might be able to achieve with Visual Basic for Applications, the macro programming language of Microsoft Word 97: a language which is much faster, more powerful, and more suitable for the implementation of polymorphic engines than WordBasic. And, as usual when analyzing a clever virus, we feel pity for the obviously ingenious mind behind it that has been wasted on creating something utterly useless and damaging.