Win32.Polipos

SYMPTOMS:

  • The size of the executable increases by about 60-70 KB.
  • Unusual network activity may be observed.
  • Suspicious activity by running processes (searching for and modifying executable files).

TECHNICAL DESCRIPTION:
Win32.Polipos.A is a dangerous polymorphic file infector with worm-like spreading capability. Its targets are EXE and SCR files.

It is a memory-resident virus: once executed, it injects code into the running processes. The first files it infects are those located in the %ProgramFiles% and %WINDIR% directories, but because it hooks imported functions in the infected processes, every executable accessed by those processes will also be infected.

This infector uses several encryption layers, the first of which is the hardest to decrypt. It is a simplified version of XTEA (eXtended Tiny Encryption Algorithm), but decrypting it can take a long time.

It also has an advanced polymorphic engine combined with a junk-code generator and anti-debugging and anti-emulation techniques, making its detection more difficult.

FILE INFECTION METHOD:

Using several entry-point obscuring techniques, Polipos makes itself a hard-to-detect virus:

  • It chooses a random imported function from the victim and hooks all calls or jumps to that function.
  • It searches for functions that share the same stack-frame-restore code and patches all instances of that code with a call to its own body.

If it finds unused space in the victim's code sections, it inserts as much code into them as it can without increasing those sections' sizes.
It increases the VirtualSize of the victim's data sections and uses that space for its junk code.
If the victim has a resource section, it sometimes shifts that section and inserts a new section after the last data section and before the resources (at other times it appends its section after the resources), then repairs the resource section (otherwise the victim would be damaged).

When infecting a file, it searches for the following files in the same directory as the file about to be infected:

  • drwebase.vdb
  • avg.avi
  • vs.vsn
  • anti-vir.dat
  • avp.crc
  • chklist.ms
  • ivb.ntz
  • ivp.ntz
  • chklist.cps
  • smartchk.ms
  • smartchk.cps
  • aguard.dat
  • avgqt.dat
  • lguard.vps

If any of these files are found, it deletes them.

Once control of an infected file is passed to the virus body, it cleans the in-memory copy of the file (restores the original code at the patched locations) to make sure it runs only once from a given file.

When the virus is executed from a file with an overlay, it makes a copy of that file in the %TEMP% folder, disinfects the copy and runs it from that location. This matters for installers or SFX archives that use integrity checks.
The virus will not infect files whose names match any of the following strings:

  • vtf tb dbg f- nav pav mon rav nvc fpr dss ibm inoc scn
  • pack vsaf vswp fsav adinf sqstart mc watch kasp nod setup
  • temp norton mcafee anti tmp secure upx forti scan “zone labs”
  • alarm symantec retina eeye virus firewall spider backdoor
  • drweb viri debug panda shield kaspersky doctor “trend micro”
  • sonique cillin barracuda sygate rescue pebundle ida spf
  • assemble pklite aspack disasm gladiator ort expl process
  • eliashim tds3 starforce sec avx root burn aladdin
  • esafe olly grisoft avg armor numega mirc softice norman
  • neolite tiny ositis proxy webroot hack spy iss pkware
  • blackice lavasoft aware pecompact clean hunter common kerio
  • route trojan spyware heal alwil qualys tenable avast a2
  • etrust spy steganos security principal agnitum outpost avp
  • personal softwin defender intermute guard inoculate sophos
  • frisk alwil protect eset nod32 f-prot avwin ahead nero
  • blindwrite clonecd elaborate slysoft hijack roxio imapi
  • newtech infosystems adaptec “swift sound” copystar astonsoft
  • “gear software” sateira dfrgntfs

The decrypted virus body contains the following text:

Win32.Polipos v1.2 by Joseph.

PROCESS INFECTION METHOD:

The virus will infect all running processes except those whose names match the following: savedump, dumprep, dwwin, drwatson, drwtsn32, smss, csrss, spoolsv, ctfmon, temp.

In the processes it infects, it hooks the following APIs by directly patching the copy of the kernel library mapped into each process's address space:

  • CreateFileW
  • CreateFileA
  • SearchPathW
  • SearchPathA
  • CreateProcessW
  • CreateProcessA
  • LoadLibraryExW
  • LoadLibraryExA
  • ExitProcess

These hooks allow the virus to infect every file that an infected process accesses through the APIs listed above.
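As an added illustration of how a defender can check for the in-process patching described above (this is example code written for this page, not the virus's code or any vendor's tool), the following compares each listed export's prologue bytes as they are on disk with the copy found in a process and resolves any jump, call or push/ret redirect, flagging those that lead outside the module image. The module base, export addresses, prologue bytes and the "injected" address are all constructed sample values.

```python
import struct
# The kernel32 exports the page says Polipos hooks in every infected process
HOOKED_APIS = ["CreateFileW", "CreateFileA", "SearchPathW", "SearchPathA",
               "CreateProcessW", "CreateProcessA", "LoadLibraryExW",
               "LoadLibraryExA", "ExitProcess"]
# Constructed sample layout (not real addresses): module image and export addresses
MODULE_BASE, MODULE_SIZE = 0x7C800000, 0x000F6000
EXPORTS = {n: MODULE_BASE + 0x1000 + 0x40 * i for i, n in enumerate(HOOKED_APIS)}
CLEAN = bytes.fromhex("8bff558bec6a")   # mov edi,edi; push ebp; mov ebp,esp; push ...
INJECTED = 0x00A51000                    # constructed address of the injected virus code

def decode_redirect(addr, code):
    """Absolute target if `code` at `addr` starts with a redirect
    (E9 jmp rel32, E8 call rel32, EB jmp rel8, 68 push imm32 / C3 ret), else None."""
    if len(code) >= 5 and code[0] in (0xE8, 0xE9):
        return (addr + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    if len(code) >= 2 and code[0] == 0xEB:
        return (addr + 2 + struct.unpack_from("<b", code, 1)[0]) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    return None

def find_hooks(exports, disk, mem, base=MODULE_BASE, size=MODULE_SIZE):
    """Report (name, target, outside_module) for each export whose in-process
    prologue differs from the on-disk one; a target outside the image is the redirect."""
    findings = []
    for name, addr in exports.items():
        if disk[name] == mem[name]:
            continue                       # prologue untouched
        target = decode_redirect(addr, mem[name])
        outside = target is not None and not (base <= target < base + size)
        findings.append((name, target, outside))
    return findings

def sample_snapshot():
    """Constructed prologues: two exports redirected out of the module, one with a
    benign in-module short jump (hot-patch style) that must not be flagged."""
    disk = {n: CLEAN for n in HOOKED_APIS}
    mem = dict(disk)
    rel = INJECTED - (EXPORTS["CreateFileW"] + 5)          # rel32 is relative to the next insn
    mem["CreateFileW"] = b"\xe9" + struct.pack("<i", rel) + CLEAN[5:]
    mem["ExitProcess"] = b"\x68" + struct.pack("<I", INJECTED + 0x80) + b"\xc3"
    mem["SearchPathW"] = b"\xeb\xf9" + CLEAN[2:]            # jmp short -5, stays in module
    return disk, mem

def suspicious_hooks():
    """Names of exports redirected to code outside the module image."""
    disk, mem = sample_snapshot()
    return [n for n, _, outside in find_hooks(EXPORTS, disk, mem) if outside]
```

On a live system the "disk" prologues would come from the library file and the "memory" ones from reading the target process, which this offline sample replaces with constructed bytes.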

SPREADING METHOD:

The virus is able to connect to the Gnutella P2P network, acting as a client. It uses a predefined list of Gnutella web cache servers to obtain lists of available nodes (connected clients). Using the P2P network, it can spread itself like a worm.
