W32.Demiurg.16354

SUMMARY

W32.Demiurg.16354 is a virus that can infect DOS programs, batch files, Windows program files, and Excel 97/2000 spreadsheets. The computer that runs this virus will be the only infected computer. This virus does not email itself out, and it is not network aware.

Protection

• Virus Definitions (Intelligent Updater) January 9, 2001

Threat Assessment

Wild

• Wild Level: Medium
• Number of Infections: 50 - 999
• Number of Sites: 3 - 9
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: High
• Payload Trigger: No payload but infects many files on system of various type
• Modifies Files: Infects various files on system: *.com *.exe *.bat *.xls and kernel32.dll

Distribution

• Distribution Level: Low
• Target of Infection: DOS (*.com) and (*.exe), Windows PE and NE executables, Excel files and *.bat files. Also infects the Kernel32.dll.

TECHNICAL DETAILS

The virus copies the WindowsSystemKernel32.dll file to the Windows folder. It infects this new copy by hooking specific Application Program Interface (API) routines. The ten API routines that it hooks are:

• CreateFileA
• CreateFileW
• GetFileAttributesA
• GetFileAttributesW
• SetFileAttributesA
• SetFileAttributesW
• CopyFileA
• CopyFileW
• MoveFileExA
• MoveFileExW

NOTES:

• In Windows 95/98/Me, the Kernel32.dll file in the WindowsSystem folder remains unchanged; however, Windows will load the infected copy of the Kernel32.dll file from the Windows folder after you restart the computer.
• In Windows 2000, the virus moves the infected copy of Kernel32.dll from the Windows folder to the WindowsSystem folder after you restart the computer. The original Kernel32.dll file is overwritten.
• In Windows NT, the infected computer can no longer load Windows after it is restarted.

The virus infects Excel 97/2000 spreadsheets by disabling the macro virus protection feature of Excel. The virus then creates an infected spreadsheet in the Xlstart folder, and also creates the file Demiurg.sys in the root folder. When Excel 97/2000 starts, it loads the infected spreadsheet, which is in the Xlstart folder.

When the computer is restarted, the virus infects DOS programs, batch files, and Windows programs whenever these files are accessed, as follows:

• The virus infects batch files by appending a few lines of code and its own body. When an infected batch file is run, these few lines of code create a DOS program named Demiurg.exe. When this DOS program is run, the name of the batch file is passed as a parameter. The DOS program then creates a Windows program, Demiurg.exe, that contains the entire virus. This Windows program is then called for execution by the DOS program.
• The virus infects DOS .exe and Win16 .exe files by appending a few lines of code and the virus body to the host program that it infects. When the infected program is run, those few lines of code creates another file that contains the virus body, and this newly created file is executed.
• The virus infects DOS .com files by converting them to DOS .exe files. It then infects these files in the same way in which it infects DOS .exe files.
• The virus infects a Win32 .exe program by appending its virus body to the last section of the program. It modifies the entry point field of the Win32 program to point directly to the virus body.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

Current virus definitions will detect this virus. Run LiveUpdate to make sure that you have the most recent virus definitions.

If the computer is already infected with W32.Demiurg.16354, follow these steps to remove the virus:

1. Start NAV, run a full system scan, and delete any infected spreadsheets.
2. Boot the computer from a Windows Startup disk, Rescue disk, boot disk, or the Norton AntiVirus 2001 CD, depending on the computer and operating system.
3. Run a full scan using the Norton AntiVirus DOS scanner. If any files are detected as infected with W32.Demiurg.16354, choose Repair.

NOTES:

• After you run the DOS scanner and you choose to repair infected files as recommended, then run the DOS scanner a second time. If files are again detected as infected, Norton AntiVirus was not able to repair them. In this case, choose Delete.
• For instructions on how to run the DOS scanner, see the document How to remove viruses with Norton AntiVirus.