function. This is important from the point of view of the virus author, because the virus infects DLLs, whose stack size can be very small.

Filters

Files are examined for their potential to be infected, regardless of their suffix, and will be infected if they pass a very strict set of filters.

The first of these filters is the support for the System File Checker that exists in Windows 98/ME/2000/XP. The virus author was aware of the fact that the IsFileProtected() API requires a Unicode path, while directory searching on Windows 9x and ME requires an ANSI path, so the virus transforms the path dynamically.

The remaining filters include the condition that the file being examined must be a character mode or GUI application for the Intel 386+ CPU, that the file must have no digital certificates, and that it must have no bytes outside of the image.

Touch and Go

When a file is found that meets the infection criteria, it will be infected. If relocation data exist at the end of the file, the virus will move the data to a larger offset in the file, and place its code in the gap that has been created. If there are no relocation data at the end of the file, the virus code will be placed here.

The infection will then proceed in one of two ways, depending on the file type.

For DLLs, the Thread Local Storage method is not used because a DLL will not call the TLS callbacks if the DLL is

is an elegant way to reduce the code size, in addition to functioning as an effective anti-debugging method.

Since the virus has protected itself against errors by installing a Structured Exception Handler, the simulation of an error condition results in the execution of a common block of code to exit a routine. This avoids the need for separate handlers for successful and unsuccessful code completion.

Conclusion

It seems that some old dogs can learn new tricks. The author of W32/Chiton has moved successfully from the DOS platform to the Win32 platform, found a feature in the Windows Portable Executable file format that had (until now) been overlooked by anti-virus developers, and found a way to exploit it.

Additionally, the virus author distributed a document along with the virus source, which describes some further infection methods using Thread Local Storage. Interesting times lie ahead.

W32/Chiton
Aliases: W32/Shrug.
Type: Direct-action parasitic appender/inserter.
Infects: Windows Portable Executable files.
Payload: None.
Removal: Delete infected files and restore them from backup.

VIRUS BULLETIN ©2002 Virus Bulletin Ltd, The Pentagon, Abingdon, Oxfordshire, OX14 3YP, England. Tel +44 1235 555139. /2002/$0.00+2.50 No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.
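The filter set described in the Filters section, seen from the defender's side: the following added example (not the article's code and not the virus author's) parses the headers of a 32-bit PE and reports the attributes the text says the virus filters on (Intel 386 machine type, console or GUI subsystem, certificate table, bytes outside the image), plus the two details the Touch and Go section turns on (relocation data at the end of the file, presence of a TLS directory) and the stack reserve mentioned at the top. The minimal PE it inspects is constructed inline as sample input and is not a runnable program; the System File Checker and Unicode/ANSI path handling are not modelled because they need a live Windows system. Field offsets are those of the PE32 optional header.

```python
"""PE header triage for the filter set described in the article (added example)."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
IMAGE_FILE_DLL = 0x2000
DIR_SECURITY, DIR_BASERELOC, DIR_TLS = 4, 5, 9   # IMAGE_DIRECTORY_ENTRY_* indices
FILE_ALIGN = 0x200
OPT_HDR_SIZE = 224                               # PE32 optional header incl. 16 directories


def build_sample_pe(subsystem=IMAGE_SUBSYSTEM_WINDOWS_GUI, dll=False,
                    cert=False, tls=False, reloc=False, overlay=b""):
    """Constructed minimal PE32 file used as sample input (filler bodies, not real code)."""
    sections = [(b".text", 0x1000, 0x60000020)]
    if reloc:
        sections.append((b".reloc", 0x2000, 0x42000040))   # relocations as the last section
    # layout: headers in the first FILE_ALIGN bytes, then one FILE_ALIGN block per section
    raw_ptr = {name: FILE_ALIGN * (i + 1) for i, (name, _, _) in enumerate(sections)}
    image_end = FILE_ALIGN * (len(sections) + 1)

    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                          # Magic: PE32
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)           # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x1000 * (len(sections) + 1), FILE_ALIGN)  # SizeOfImage/Headers
    struct.pack_into("<H", opt, 68, subsystem)                     # Subsystem
    struct.pack_into("<II", opt, 72, 0x1000, 0x1000)               # SizeOfStackReserve/Commit (small)
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    if reloc:
        struct.pack_into("<II", opt, 96 + 8 * DIR_BASERELOC, 0x2000, FILE_ALIGN)
    if tls:
        struct.pack_into("<II", opt, 96 + 8 * DIR_TLS, 0x1080, 0x18)        # TLS dir inside .text
    if cert:
        struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, image_end, 0x100)  # file offset, not RVA

    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)                # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections), 0, 0, 0, OPT_HDR_SIZE, chars)
    sect_hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, FILE_ALIGN, rva, FILE_ALIGN, raw_ptr[name], 0, 0, 0, 0, ch)
        for name, rva, ch in sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    data = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect_hdrs).ljust(FILE_ALIGN, b"\0")
    for _ in sections:
        data += bytes(FILE_ALIGN)                                  # filler section bodies
    if cert:
        data += b"\xAA" * 0x100                                    # placeholder certificate table
    return data + overlay


def inspect_pe(data):
    """Return the header attributes the article's filters and infection step look at."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    stack_reserve = struct.unpack_from("<I", data, opt + 72)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]

    def directory(i):                    # (VirtualAddress, Size); (0, 0) when the entry is absent
        return struct.unpack_from("<II", data, opt + 96 + 8 * i) if i < ndirs else (0, 0)

    sect_off = opt + opt_size
    sections = [struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i) for i in range(nsect)]
    # s[1]=VirtualSize s[2]=VirtualAddress s[3]=SizeOfRawData s[4]=PointerToRawData
    raw_ends = {s[0]: s[4] + s[3] for s in sections}
    image_end = max(raw_ends.values(), default=sect_off + 40 * nsect)

    cert_off, cert_size = directory(DIR_SECURITY)
    # the certificate table sits after the last section; count it separately from overlay bytes
    covered = max(image_end, cert_off + cert_size if cert_size else 0)
    reloc_rva, reloc_size = directory(DIR_BASERELOC)
    reloc_at_end = False
    if reloc_size:
        for s in sections:
            if s[2] <= reloc_rva < s[2] + max(s[1], s[3]):
                reloc_at_end = raw_ends[s[0]] == image_end
    return {
        "machine_i386": machine == IMAGE_FILE_MACHINE_I386,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "console_or_gui": subsystem in (IMAGE_SUBSYSTEM_WINDOWS_CUI, IMAGE_SUBSYSTEM_WINDOWS_GUI),
        "stack_reserve": stack_reserve,
        "has_certificate": cert_size > 0,
        "has_tls_directory": directory(DIR_TLS)[1] > 0,
        "reloc_at_end_of_file": reloc_at_end,
        "bytes_outside_image": len(data) - covered,
    }


def matches_filter_set(report):
    """True when a file has the profile the article says the virus filters for."""
    return (report["machine_i386"] and report["console_or_gui"]
            and not report["has_certificate"] and report["bytes_outside_image"] == 0)


if __name__ == "__main__":
    for label, kw in [("plain GUI exe", {}), ("signed", {"cert": True}),
                      ("with overlay", {"overlay": b"trailing"}),
                      ("dll reloc tls", {"dll": True, "reloc": True, "tls": True})]:
        r = inspect_pe(build_sample_pe(**kw))
        print(f"{label:14s} in_profile={matches_filter_set(r)} {r}")
```

Run over a directory of executables, inspect_pe gives an incident responder the subset of files that fall inside this profile and so deserve scanning first, and reloc_at_end_of_file together with has_tls_directory marks the files whose layout is the one the infection step manipulates, which is where a byte-level comparison against a known-good copy pays off.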