W95.Zperm.B

SUMMARY

The W95.Zperm.B virus is one of the first metamorphic viruses for 32-bit Windows platforms. The virus does not use traditional polymrophic encryption. Rather, it mutates its code by using jump instruction insertion. The complete virus body is permutated including the permutation engine itself. A variant known as W95.Zperm.A is known to exist.

Protection

• Virus Definitions (Intelligent Updater) June 30, 2000

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low

Distribution

• Distribution Level: Low

TECHNICAL DETAILS

The virus is written by the same person who previously created the W95.Zmorph.A viruses. Zperm is permutating its own code each time it infects a Portable Executable file. The permutation engine uses the following logic:

The instruction sequence of the virus code might look like the following in first generation samples:

instruction 1 < Entry point of the virus code >

instruction 2

instruction 3

.

.

.

instruction n

The virus changes itself by inserting a random number of jump instructions into its core code sequence. Thus the code order might change to:

instruction 2

JMP instruction 3

instruction 1 < Entry point of the virus code >

JMP instruction 2

instruction 3

JMP instruction n

Sometimes the virus replaces instructions with other equivalent instructions. For example, the instruction XOR EAX, EAX, which sets the EAX register to zero, will be replaced by SUB EAX, EAX, which also zeros the content of the EAX register.

The core instruction set of the virus has the very same execution order; however, the jumps are inserted at random places. The B variant of the virus also uses garbage instruction insertions, such as NOP ("do nothing" instruction.) and thus the code of the virus looks like the following:

instruction 3

NOP

NOP

JMP instruction n

.

.

instruction 1 < Entry point of the virus code >

NOP

NOP

NOP

NOP

JMP instruction 2

.

.

instruction 2

NOP

NOP

NOP

JMP instruction 3

The virus runs its own thread in the infected process. It will replicate to every available PE file once an infected application runs for enough time. It only infects PE files with an .EXE exetension. The virus turns off the relocations in the PE header and overwrites the relocation area.

The virus will mark an infected application by using the ID 0x5A ("Z") as the minor linker version value in the PE headers. The entry-point will be changed to point to the first instruction of the virus code in the last section of the host application. The last section is enlarged with about 20KB of code while the pure virus body is only a few kilobytes in length.

The virus uses Win32 APIs to replicate. However, the virus is only able to function on Windows 95 and Windows 98 systems. Neither of its variants replicate on Windows NT or Windows 2000. The actual permutation engine shows similarities to some of the older DOS viruses. Furtunately, metamorphic viruses are more difficult to create and there are currently only a few viruses that use such an advanced technique.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

At this time, infected files must be deleted from the system and replaced with uninfected copies.