Selected viruses, spyware, and other threats: sorted alphabetically
Upon infection, the virus starts a new thread and then passes control to the original host file code. The virus hooks the file system open function via an undocumented kernel API call (VWIN32::QueueUserApc) so that it is able to infect executable files when they are opened.
The virus is memory resident. During the infection process, Tenrobot appends its code to the end of the last section of its host file.
It also adds garbage bytes after the attached code; hence the size increase of infected files might vary. However, the raw virus code size is 4257 bytes, so any infected executable will increase at least by this number of bytes.
If the infection marker ("NETR") is already present in the file header, the virus skips the file because it knows that it is already infected. This prevents multiple infections, which would otherwise result in endlessly growing files until the hard disk is full.
A closer look at the disassembly shows that this infection marker is always located at offset 58 hex (88 dec) relative to the PE header offset.
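As an added detection-side illustration (not part of the original write-up), the following Python locates the PE header through e_lfanew and checks for the "NETR" marker at the offset described above; the sample buffer it builds is a constructed PE-like stub, not a real infected file.

```python
import struct
from typing import Optional

INFECTION_MARKER = b"NETR"      # marker named in the write-up
MARKER_OFFSET_FROM_PE = 0x58    # 88 decimal, relative to the PE header
MIN_SIZE_INCREASE = 4257        # raw virus body size in bytes


def pe_header_offset(data: bytes) -> Optional[int]:
    """Return the offset of the 'PE\\0\\0' signature, or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew


def has_tenrobot_marker(data: bytes) -> bool:
    """True if the 4 bytes at PE+0x58 equal the infection marker."""
    pe = pe_header_offset(data)
    if pe is None:
        return False
    start = pe + MARKER_OFFSET_FROM_PE
    return data[start:start + 4] == INFECTION_MARKER


def grew_by_at_least_virus_size(clean_size: int, current_size: int) -> bool:
    """Second triage signal: compare against a known-clean baseline size."""
    return current_size - clean_size >= MIN_SIZE_INCREASE


def build_sample(marker: bytes) -> bytes:
    """Constructed stub: MZ header, e_lfanew=0x80, PE signature, marker at PE+0x58."""
    pe = 0x80
    buf = bytearray(pe + 0x100)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe)
    buf[pe:pe + 4] = b"PE\0\0"
    buf[pe + MARKER_OFFSET_FROM_PE:pe + MARKER_OFFSET_FROM_PE + 4] = marker
    return bytes(buf)


if __name__ == "__main__":
    print("infected stub:", has_tenrobot_marker(build_sample(b"NETR")))
    print("clean stub:   ", has_tenrobot_marker(build_sample(b"\0\0\0\0")))
```

PE+0x58 falls in the optional header's CheckSum field, which a legitimate file could coincidentally hold, so treat a marker hit as a triage signal to confirm with a size baseline or a full scan rather than as proof of infection.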
Tenrobot tries to connect via static IP 22.214.171.124 to an IRC server (efnet.pl).
The IRC function of Tenrobot generates a random user name and password and joins the channel "#NetRobot".
The supported IRC commands are KICK, JOIN, PING and PRIVMSG, which the backdoor component uses to perform specific actions on the local compromised system.
If the attacker sends the message "!die" via IRC, the virus unhooks itself from the file system and terminates (unloads) the backdoor functionality.
The backdoor is able to download and execute a program from a remote Internet site using Port 80 (HTTP protocol).
Note: The virus does not infect executables whose name commences with:
SETU, INST, WINC, WC32, WCUN, PSTORES.
On a Windows NT system, the virus calls the host directly without activating any malicious code. In other words, the virus is not able to replicate under NT-based systems.
History: Analysis and Write-up by: Michael St. Neitzel
© 1992-2005 Eset All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.