2012-10-10
Abstract
Raul Alvarez takes a close look at a recently discovered piece of malware that infects documents and executable files at the same time.
Copyright © 2012 Virus Bulletin
We are so focused these days on analysing advanced persistent threats, spamming trojans, phishing scams, fake AV, and everything in between, that I wondered for a moment whether viruses had stopped infecting documents. But just a few weeks ago, we heard about a piece of malware that infects documents and executable files at the same time.
We know all about the old macro viruses that infect documents and spreadsheets through VBA macros, but we seldom hear of native binaries infecting documents directly. Labelled with many names, including Quervar, Dorifel and XDocCrypt, this virus infects both documents and executable files. In this article we will look at what really happens during the infection process and describe the flaws in the malware’s execution.
The virus tries to maintain a low profile by being selective about which drives it infects. It avoids the local system drive and prefers remote drives mapped to the system.
It obtains the drive type with the GetDriveTypeW API and skips CD-ROM drives (DRIVE_CDROM, code 5), paths with no root directory (DRIVE_NO_ROOT_DIR, code 1) and drives of unknown type (DRIVE_UNKNOWN, code 0). It also avoids any drive whose root contains the ‘System Volume Information’ folder – a hidden folder normally found in the root of a local volume such as drive C. A drive that survives all of these checks is most likely a remote one, although a removable drive lacking that folder would pass as well.
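As an added example (not code from the article or the malware), the following Python models the drive filter just described from the defender’s side: on Windows it enumerates the logical drives with GetLogicalDriveStringsW and GetDriveTypeW and reports which ones would pass Quervar’s checks, so an administrator can see which mapped shares are exposed. The DRIVE_* constants are the Win32 SDK values; the ‘System Volume Information’ test mirrors the article. On other platforms only the pure decision function is usable.

```python
"""Which drives on this host would Quervar consider infectable?

Added example; not the article's or the malware's code. The decision
function reproduces the three GetDriveTypeW exclusions and the
'System Volume Information' test described in the article.
"""
import os
import sys

# Win32 drive type codes returned by GetDriveTypeW
DRIVE_UNKNOWN = 0
DRIVE_NO_ROOT_DIR = 1
DRIVE_REMOVABLE = 2
DRIVE_FIXED = 3
DRIVE_REMOTE = 4
DRIVE_CDROM = 5
DRIVE_RAMDISK = 6

SVI_FOLDER = "System Volume Information"


def passes_quervar_drive_filter(drive_type: int, has_svi_folder: bool) -> bool:
    """Mirror the article's checks: reject types 0, 1 and 5 and any drive
    whose root carries the 'System Volume Information' folder.

    Everything else passes, so a mapped network share without that folder
    is a target, but so is a removable drive without it.
    """
    if drive_type in (DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR, DRIVE_CDROM):
        return False
    return not has_svi_folder


def candidate_drives():
    """Enumerate drives on a Windows host and return [(root, type)] for the
    ones that pass the filter. Returns [] on non-Windows platforms."""
    if sys.platform != "win32":
        return []
    import ctypes
    from ctypes import wintypes

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetLogicalDriveStringsW.restype = wintypes.DWORD
    k32.GetDriveTypeW.restype = wintypes.UINT

    # Buffer receives "C:\\\0D:\\\0...\0\0"; the return value is the length used
    buf = ctypes.create_unicode_buffer(512)
    used = k32.GetLogicalDriveStringsW(len(buf), buf)
    roots = [r for r in buf[:used].split("\0") if r]

    exposed = []
    for root in roots:
        drive_type = k32.GetDriveTypeW(root)
        has_svi = os.path.isdir(os.path.join(root, SVI_FOLDER))
        if passes_quervar_drive_filter(drive_type, has_svi):
            exposed.append((root, drive_type))
    return exposed


if __name__ == "__main__":
    for root, drive_type in candidate_drives():
        print(f"{root} (type {drive_type}) would be scanned by Quervar")
```

Run it on a workstation with mapped network drives: anything it lists is exactly what the virus would walk.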
After determining that the drive is a network drive or a mapped drive, the virus starts by enumerating all available files in the folder. It looks for files with extension names such as .DOC, .XLS, and .EXE. Figure 1 shows a snapshot of the code that checks for the file’s extension name. We instantly recognized that the virus is looking for documents and executable files.
If the extension name is .EXE, the virus checks if the file is an executable by calling the GetBinaryTypeW API. If it is an executable, it loads the binary file into memory, then closes the file. (It will use the memory version of the file for further processing.)
It parses the whole binary file from memory, searching for the marker ‘[+++scarface+++]’, byte by byte, until it reaches the end of the file. If the marker is not found, it proceeds to load Quervar into memory and copies it to a temporary file in the %temp% folder with a random name. Then it loads the victim file into memory and encrypts it.
Afterwards, Quervar allocates enough memory to hold the virus body, the marker, and the encrypted victim file. It will use the collected binaries to overwrite the content of the original victim file on the remote drive.
The temporary file, used by the malware in the %temp% folder, is deleted after a successful infection of the binary file.
The next time the virus checks for this .EXE file, it will skip the infection process when it finds the infection marker ‘[+++scarface+++]’. The filename of the .EXE file remains the same after infection.
Files with the .DOC and .DOCX extension are normal document files. We assume that Quervar targets these documents specifically. Let’s look at how it does this:
If the extension name is .DOC, there is no check for a marker from within the file. The malware proceeds to load Quervar into memory and copy it to a temporary file in the %temp% folder with a random name (as with the .EXE infection). Then, it loads the victim file into memory and encrypts it.
Afterwards, the virus allocates enough memory to hold the virus body, the marker, and now, the encrypted .DOC file. Then it will overwrite the victim document file with the contents of the memory containing the virus and the encrypted host file.
It will attempt to rename the .DOC file to <Filename>.COD.SCR (the .DOC extension is reversed to .COD) using a call to the MoveFileW API. There is no check as to whether the new name already exists. If the new filename does already exist, the MoveFile operation will fail. (Later, we will discuss what happens once the renaming fails.)
Files with the .DOCX extension will also be infected, but not because they are document files. The main reason is that the malware only checks for the first three characters of the extension name. No matter what characters exist after the .DOC string, the file is still considered a candidate for infection. Below is a list of some of the filenames that can be infected by the malware (‘TEST’ is just an example filename, any name will do):
TEST.DOC
TEST.DOCX
TEST.DOC1
TEST.DOC12345
TEST.DOC099787
TEST.DOCQWERTY
They will all be renamed to TEST.COD.SCR (the format is <Filename>.COD.SCR).
Any file whose first three extension characters are .DOC can be infected. If you rename a database file, a screensaver file, an icon file, an image file, or any other file with the .DOC extension, there is a high chance that they can be infected.
Spreadsheet infection is similar to the .DOC infection. Once again, the virus just looks at the first three characters of the extension name – thus it can also infect any file whose extension starts with .XLS, regardless of any other characters that follow. When the infected file is renamed by the virus, the filename will be <Filename>.SLX.SCR.
The file structure of the infected file is as follows: the main virus is at the very beginning of the file, while the marker, ‘[+++scarface+++]’, and the encrypted victim binary are at the end of the file.
Infected files are easy to detect due to the nature of infection – the virus codes are similar in all infections including the original mother virus. Figure 2 shows the content of an infected file with the partial view of the malware above the partial view of the encrypted host separated by the string ‘[+++scarface+++]’. The encrypted victim binary can be the original executable file, document file, spreadsheet file, or any other file.
The string ‘[+++scarface+++]’ also serves as the marker to avoid reinfection in .EXE files. The virus body does not carry it in the clear; instead it holds ‘[+++fpnesnpr+++]’, which is simply the ROT13 encoding of the marker.
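The layout described above (virus body, then the plain marker, then the encrypted host) and the .EXE infection steps earlier in the article can be checked with a short carver. The following Python is an added example, not code from the article or the malware: it locates the marker, splits the file, hashes the still-encrypted host (the article does not describe the cipher, so nothing is decrypted) and, as a second signal, confirms that the ROT13 form of the marker is present in the part before it. The sample bytes are constructed for the demo and contain no real malware.

```python
"""Locate and carve the Quervar/XDocCrypt infection layout.

Added example; not code from the article or the malware. It relies only on
the layout the article describes: <virus body> '[+++scarface+++]' <encrypted
host>. The host cipher is not described, so the carved host is returned still
encrypted. The sample bytes below are constructed for the demo.
"""
import codecs
import hashlib
from typing import Optional

MARKER = b"[+++scarface+++]"
# The article notes the virus body carries the marker as '[+++fpnesnpr+++]';
# that is the ROT13 form of the plain marker, computed here rather than typed
# in so the relationship is explicit.
ENCODED_MARKER = codecs.encode(MARKER.decode("ascii"), "rot_13").encode("ascii")


def carve(data: bytes) -> Optional[dict]:
    """Split an infected file at the first plain marker.

    The virus body never contains the marker in clear (only the ROT13 form)
    and the host portion is encrypted, so the first hit is the boundary.
    Returns None when no marker is present.
    """
    at = data.find(MARKER)
    if at < 0:
        return None
    host = data[at + len(MARKER):]
    return {
        "marker_offset": at,
        "virus_body": data[:at],
        "encrypted_host": host,
        "host_sha256": hashlib.sha256(host).hexdigest(),
    }


def looks_infected(data: bytes) -> bool:
    """Two cheap signals: a plain marker, preceded by the ROT13 marker that
    the virus body carries. Either alone could be a coincidence in a clean
    file; both, in this order, is the layout the article describes."""
    parts = carve(data)
    return parts is not None and ENCODED_MARKER in parts["virus_body"]


def scan_file(path: str) -> Optional[dict]:
    """Read a file from disk and return its carve report, or None if clean."""
    with open(path, "rb") as fh:
        data = fh.read()
    return carve(data) if looks_infected(data) else None


# ---- constructed sample: no real malware, just the layout -----------------
VIRUS_STUB = b"MZ" + b"\x90" * 32 + ENCODED_MARKER + b"\x90" * 16
HOST = b"%PDF-1.4 constructed host document bytes"
# Placeholder cipher standing in for the unknown one; any opaque transform works
ENCRYPTED_HOST = bytes(b ^ 0x5A for b in HOST)


def build_sample() -> bytes:
    """Assemble a file with the infected layout from the constructed parts."""
    return VIRUS_STUB + MARKER + ENCRYPTED_HOST


if __name__ == "__main__":
    report = carve(build_sample())
    print("marker at", report["marker_offset"], "host sha256", report["host_sha256"])
```

Point scan_file at a suspect .COD.SCR or .SLX.SCR file to get the offset of the boundary and a hash of the encrypted host blob, which is enough to correlate copies of the same document across a share without needing the cipher.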
Quervar doesn’t seem to hold the encrypted file for ransom. If you were not aware that the file was infected and double clicked or executed the infected file, the virus would run in the background and would show you the original file opened with the associated application.
Here is one of the interesting parts about the virus: if there are two document files with the same filename but different extension names, e.g. TEST.DOC and TEST.DOCX, they can both exist in the same folder without any problem.
When Quervar looks for files in the drive with the same filename but different extension names (e.g. TEST.DOC and TEST.DOCX), it will infect the TEST.DOC file first and rename it to TEST.COD.SCR. There should be no problem with the process.
However, when it tries to apply its infection routine to TEST.DOCX, the rename fails: the new name for TEST.DOCX would be TEST.COD.SCR, which already exists because of the earlier infection of TEST.DOC. When the rename fails the original filename TEST.DOCX remains, but the file is now infected. The next time the virus sweeps the remote drive it sees TEST.DOCX in the folder, still matching its .DOC prefix, and runs the infection routine again. Unlike the .EXE path, there is no check as to whether a document is already infected, so each pass wraps the already-infected file once more.
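The extension handling, the rename rule and the TEST.DOC/TEST.DOCX collision described in the preceding sections can be replayed over an in-memory directory. The following Python is an added example, not the article’s or the malware’s code; it models only the rules the article states (three-character prefix match for .DOC and .XLS, an exact .EXE match guarded by a GetBinaryTypeW-style check and the marker, a MoveFileW-style rename that fails when the target exists, and no marker check for documents). Extension matching is assumed to be case-insensitive, as Windows paths are; the virus body and the cipher are placeholders.

```python
"""Replay Quervar's selection, rename and re-infection rules over an
in-memory directory.

Added example; not the article's or the malware's code. Only the rules the
article states are modelled. Extension matching is assumed case-insensitive;
the virus body and cipher are constructed stand-ins.
"""
MARKER = b"[+++scarface+++]"
# Stand-in body; it starts with MZ because the real body is a PE file and an
# infected .EXE must still look like one to the GetBinaryTypeW check below.
VIRUS_BODY = b"MZ<constructed stand-in for the virus body>"
OVERHEAD = len(VIRUS_BODY) + len(MARKER)   # growth per wrap


def placeholder_encrypt(data: bytes) -> bytes:
    """Opaque stand-in; the article does not describe the real cipher."""
    return bytes(b ^ 0x5A for b in data)


def target_kind(name: str):
    """Classify a filename the way the article says the virus does."""
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        return None
    ext = ext.upper()
    if ext == "EXE":
        return "EXE"
    if ext.startswith("DOC"):
        return "DOC"
    if ext.startswith("XLS"):
        return "XLS"
    return None


def renamed(name: str) -> str:
    """TEST.DOCX -> TEST.COD.SCR, TEST.XLS -> TEST.SLX.SCR: first three
    extension characters reversed, then '.SCR' appended."""
    base, _, ext = name.rpartition(".")
    return f"{base}.{ext[:3].upper()[::-1]}.SCR"


def infect_pass(fs: dict) -> list:
    """One sweep over {filename: bytes}; mutates fs, returns an event log."""
    log = []
    for name in sorted(fs):          # snapshot; TEST.DOC sorts before TEST.DOCX
        kind = target_kind(name)
        if kind is None:
            continue
        data = fs[name]
        if kind == "EXE":
            if not data.startswith(b"MZ"):     # stand-in for GetBinaryTypeW
                continue
            if MARKER in data:                 # the only re-infection guard
                log.append(f"{name}: marker found, skipped")
                continue
            fs[name] = VIRUS_BODY + MARKER + placeholder_encrypt(data)
            log.append(f"{name}: infected in place")
            continue
        # documents and spreadsheets: no marker check at all
        fs[name] = VIRUS_BODY + MARKER + placeholder_encrypt(data)
        new_name = renamed(name)
        if new_name in fs:                     # MoveFileW fails: name kept
            log.append(f"{name}: infected, rename to {new_name} failed")
        else:
            fs[new_name] = fs.pop(name)
            log.append(f"{name}: infected, renamed to {new_name}")
    return log


def simulate(passes: int):
    """Run several sweeps over a constructed share and return (fs, logs)."""
    fs = {
        "TEST.DOC": b"constructed word document",
        "TEST.DOCX": b"constructed docx",
        "TEST.EXE": b"MZ constructed program",
        "NOTES.TXT": b"untouched",
    }
    logs = [infect_pass(fs) for _ in range(passes)]
    return fs, logs


if __name__ == "__main__":
    fs, logs = simulate(3)
    for n, events in enumerate(logs, 1):
        print(f"pass {n}:", *events, sep="\n  ")
    for name, data in sorted(fs.items()):
        print(f"{name}: {len(data)} bytes")
```

After three sweeps TEST.COD.SCR has been wrapped once (its new extension no longer matches), TEST.EXE once (the marker stops it), and TEST.DOCX three times, growing by the size of the virus body plus marker on every pass, which is the mechanism behind the growth reported below.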
In our tests, the TEST.DOCX file size grew from 12KB to 30,795KB following infection. Figure 3 shows the document files before and after infection. The good news is that the infection seemed to stop once the document file reached 30,795KB. (This could be a limitation on our machine or network, but at least it seems as if it would not consume your hard drive overnight.)
It should also be noted that the machine we used for testing didn’t have Microsoft Word installed. Prior to infection, the icon for TEST.DOC was the WordPad document icon and there was no associated icon for TEST.DOCX. After infection however, the infected version of TEST.DOC (TEST.COD.SCR) had the Word icon (even though it has a screensaver extension).
It creates an event named ‘SayHellotomyLittleFriend’.
It adds a global atom string named ‘BreakingBad’ to tell the malware that it has already run on the system. The global atom table holds character strings (atoms) that any process can look up by name, so the atom works as a cross-process ‘already running’ flag.
It creates a file in ‘%AppData%\[six random characters]’ named ‘[six random characters].exe’.
It creates a file in ‘%AppData%\[six random characters]’ named ‘[six random characters].exe.lnk’.
It creates a file in ‘%AppData%\[six random characters]’ named ‘[six random characters].exe.ini’.
It creates or modifies a registry value so that it runs again after the computer is restarted and the user logs on:
Key = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
Value = load
Data = %AppData%\[six random characters]\[six random characters].exe.lnk
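The artefacts listed above can be checked on a Windows host with the following Python, which is an added example and not from the article. It reads the ‘load’ value with the standard winreg module and probes the event and the global atom through kernel32 via ctypes. Assumptions beyond the text: the six ‘random’ characters are treated as alphanumeric, %AppData% may appear either literally or expanded to ...\AppData\Roaming, and the event is opened in the caller’s session namespace (the article does not say whether it is Global\ or Local\). The sample values used for the check are constructed.

```python
"""Look for the Quervar persistence artefacts on a Windows host.

Added example; not from the article. Assumptions: six 'random' characters
are alphanumeric, %AppData% may be literal or expanded, and the event lives
in the caller's session namespace. Registry, event and atom lookups only run
on Windows; elsewhere they return None.
"""
import re
import sys

LOAD_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
LOAD_VALUE = "load"
EVENT_NAME = "SayHellotomyLittleFriend"
ATOM_NAME = "BreakingBad"

# %AppData%\XXXXXX\XXXXXX.exe.lnk, literal or expanded; six chars assumed alphanumeric
_LOAD_RE = re.compile(
    r"(?i)^(?:%appdata%|.*\\appdata\\roaming)\\[a-z0-9]{6}\\[a-z0-9]{6}\.exe\.lnk$"
)


def suspicious_load_value(data: str) -> bool:
    """True when a 'load' value has the shape the article attributes to Quervar."""
    return bool(_LOAD_RE.match(data.strip().strip('"')))


def read_load_value():
    """Return HKCU\\...\\Windows\\load as a string; None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, LOAD_KEY) as key:
            value, _type = winreg.QueryValueEx(key, LOAD_VALUE)
            return value
    except FileNotFoundError:
        return None


def event_exists(name: str = EVENT_NAME):
    """Try to open the named event; True/False on Windows, None elsewhere."""
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenEventW.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR]
    k32.OpenEventW.restype = wintypes.HANDLE
    SYNCHRONIZE = 0x00100000
    handle = k32.OpenEventW(SYNCHRONIZE, False, name)
    if not handle:
        return False
    k32.CloseHandle(handle)
    return True


def global_atom_exists(name: str = ATOM_NAME):
    """GlobalFindAtomW returns 0 when the string is not in the global table."""
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GlobalFindAtomW.argtypes = [wintypes.LPCWSTR]
    k32.GlobalFindAtomW.restype = wintypes.ATOM
    return k32.GlobalFindAtomW(name) != 0


def hunt() -> dict:
    """Collect the three indicators; None where a check cannot run here."""
    load = read_load_value()
    return {
        "load_value": load,
        "load_suspicious": suspicious_load_value(load) if load else False,
        "event": event_exists(),
        "atom": global_atom_exists(),
    }


if __name__ == "__main__":
    for key, value in hunt().items():
        print(f"{key}: {value}")
```

The ‘load’ value is a legacy per-user startup location, so a hit there is worth treating as persistence even when the .lnk pattern does not match exactly; the event and atom checks only make sense while the malware is running in the current session.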
Quervar has shown that there are many ways a malware author can abuse the files on your machine, whether they are documents, executables, database files or anything else. Although the malware still looks very new, the addition of a polymorphic engine and more careful checks in its code are likely to give us greater headaches in the future. Checking more than the extension name of the documents it attempts to infect would also make its infections less conspicuous and harder to detect.
By studying its methods, anti-virus researchers can develop stronger protection for the files residing on our computers.