Threat Encyclopedia


Win95/Tenrobot.B

Description 

Upon infection, the virus starts a new thread and then passes control to the original host file code. The virus hooks the file system open function via an undocumented kernel API call (VWIN32::QueueUserApc) so that it is able to infect executable files when they are opened.

The virus is memory resident. During the infection process, Tenrobot appends its code to the end of the last section of its host file.

It also adds garbage bytes after the attached code; hence the size increase of infected files might vary. However, the raw virus code size is 4257 bytes, so any infected executable will increase at least by this number of bytes.

If the infection marker ("NETR") is already present in the file header, the virus skips the file because it knows that it is already infected. This prevents multiple infections, which would otherwise result in endlessly growing files until the hard disk is full.

A closer look at the disassembly shows that this infection marker is always located at offset 58 hex (88 dec) relative to the PE header offset.
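A defender can turn the marker location above into a simple scanner: read e_lfanew from the DOS header, verify the "PE\0\0" signature, and compare the four bytes at PE header offset 0x58 with "NETR". In the standard PE32 layout that offset is the optional header's CheckSum field, which the write-up does not mention but which explains why the marker is cheap to place and check. The following script is an added example and is not code from the write-up or its author; the sample header it checks is constructed in memory (not a real binary).

```python
import struct
import sys

MARKER = b"NETR"       # infection marker named in the write-up
MARKER_OFFSET = 0x58   # offset relative to the PE header, per the write-up


def has_tenrobot_marker(data: bytes) -> bool:
    """Return True if the PE image in `data` carries the "NETR" marker
    at PE header offset 0x58 (the optional header's CheckSum field)."""
    # DOS header: "MZ" magic and e_lfanew (offset of the PE header) at 0x3C
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    pos = e_lfanew + MARKER_OFFSET
    if pos + len(MARKER) > len(data):
        return False
    return data[pos:pos + len(MARKER)] == MARKER


def build_sample(marker: bytes) -> bytes:
    """Construct a minimal synthetic PE-style header for testing.
    This is constructed sample data, not an infected file."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    buf[e_lfanew + MARKER_OFFSET:e_lfanew + MARKER_OFFSET + 4] = marker
    return bytes(buf)


def scan_file(path: str) -> bool:
    """Check a file on disk for the marker (hypothetical CLI helper)."""
    with open(path, "rb") as f:
        return has_tenrobot_marker(f.read())


if __name__ == "__main__":
    # Usage: python tenrobot_marker.py file1.exe file2.exe ...
    for p in sys.argv[1:]:
        print(f"{p}: {'NETR marker present' if scan_file(p) else 'clean'}")
```

A clean file whose CheckSum field happens to equal 0x5254454E ("NETR" little-endian) would be reported as marked, so treat a hit as a trigger for a full scan rather than proof of infection.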

Backdoor Functionality

Tenrobot tries to connect to an IRC server (efnet.pl) via the static IP address 217.17.33.10.
The IRC function of Tenrobot generates a random user name and password and joins the channel "#NetRobot".

The supported IRC commands are KICK, JOIN, PING and PRIVMSG, which the backdoor component uses to perform specific actions on the local compromised system.

If the attacker sends the message "!die" via IRC, the virus unhooks itself from the file system and terminates the backdoor functionality (unloads itself).

The backdoor is able to download and execute a program from a remote Internet site using Port 80 (HTTP protocol).

Note: The virus does not infect executables whose name begins with:
SETU, INST, WINC, WC32, WCUN, PSTORES.
On a Windows NT system, the virus passes control directly to the host without activating its malicious code. In other words, the virus is not able to replicate under NT-based systems.

History: Analysis and Write-up by: Michael St. Neitzel