Avast WEBforum

Other => General Topics => Topic started by: polonus on April 11, 2006, 03:02:37 PM

Title: debug.exe a file to rename?
Post by: polonus on April 11, 2006, 03:02:37 PM
Hi malware fighters,

In almost all DOS- and Windows-versions there is a small tool by the name of debug.exe, which is a small, but complete assembler/disassembler tool.

Many a macro-virus and script-virus alike creates a file that simulates keystrokes together with the ASM-listings, and a BAT-file to be able to tunnel this input-file into the debugger via a pipe.
The commands to do so inside a Word document may be completely secure apparently, and as such very hard to detect by an AV-scanner. Because the virus can be recreated this way, it makes them double mobile and dangerous.

When you rename debug.exe, you pull the rug out from under a lot of this specific kind of malware, making it almost impossible for them to survive.

polonus
Title: Re: debug.exe a file to rename?
Post by: CharleyO on April 11, 2006, 07:13:03 PM
***

Good info, Polonus ... thanks!    :)

Seems I did something like this on my old computer but forgot to do it on this newer one. Renameddebug.exe is now its name.    ;)


***
Title: Re: debug.exe a file to rename?
Post by: polonus on April 11, 2006, 08:24:59 PM
Hi CharleyO,

Here is an example of how a macro-virus did this:
-------------
Another included Macro, is "Payload" which tries to delete IO.SYS,
MSDOS.SYS and COMMAND.COM on April 5th. It is ineffective, as WordBasic
can't reset the attributes of a file which has the System attribute set.
It has been noted that a variant that does work is being circulated.

The Second part of the Nuclear Virus is the executable infector.  The
DropSuriv Macro checks system time, and will attempt to drop the file
infector between 17:00/18:00.  However, the routine is flawed, and
shouldn't work on any system.  <fails due to a syntax error - not closed IF
statement, which makes this payload never executed> If DropSuriv DID work
properly, it would search for the standard DOS utility DEBUG.EXE; if found,
the macro drops PH33r.SCR & EXEC_PH.BAT.  The Bat File is executed, and
then the hex dump file PH33r.SCR is converted from a DEBUG script into an
executable, and is in turn executed.  Later, the .SCR and the .BAT files
are deleted to cover its tracks.  The File infector then hooks INT 21h and
writes itself at the end of COM/EXE/NewEXE files.  <however, the memory is
released once this DOS task is completed, includes the memory resident
virus Ph33r> Unconfirmed reports state that a NUCLEAR infected Macro with a
fully operational DropSuriv Macro exists.

The following text strings are in the executable infector...

       =Ph33r=
       Qark/VLAD

-----------------------------

It is worth remembering that malware authors return to the same tactics over time. So we have to be aware of these tactics.

polonus
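As an added example (not from the forum thread or from polonus), here is a small Python heuristic in the spirit of the advice above: it checks a batch file for the "pipe a script into DEBUG, run the result, delete the evidence" pattern that the Nuclear description attributes to EXEC_PH.BAT and PH33r.SCR. The file names are taken from the post; the file contents are constructed for the example and the DEBUG script only writes a harmless three-byte program.

```python
import re

# Constructed sample modelled on the EXEC_PH.BAT step in the post above:
# pipe a script into DEBUG, run what it wrote, then delete the script and itself.
SAMPLE_BAT = """@echo off
DEBUG < PH33r.SCR > NUL
PH33r.COM
DEL PH33r.SCR
DEL EXEC_PH.BAT
"""

# Constructed, harmless DEBUG script: name a file, enter three bytes
# (nop, nop, ret), set CX to the length, write the file, quit.
SAMPLE_SCR = """n PH33r.COM
e 0100 90 90 C3
rcx
3
w
q
"""

# "debug < file" or "debug.exe < file", case-insensitive, anywhere on a line.
DEBUG_REDIRECT = re.compile(r"(?i)(?:^|[\s\"\\])debug(?:\.exe)?\s*<\s*([^\s>]+)")
# DEBUG commands that together mean "build and write a new file":
# n (name), e/a (enter bytes / assemble), rcx (set length), w (write), q (quit).
DEBUG_COMMANDS = {
    "n": re.compile(r"(?im)^\s*n\s+\S+"),
    "e": re.compile(r"(?im)^\s*(?:e|a)\s+[0-9a-f]+"),
    "rcx": re.compile(r"(?im)^\s*rcx\s*$"),
    "w": re.compile(r"(?im)^\s*w\s*$"),
    "q": re.compile(r"(?im)^\s*q\s*$"),
}

def piped_debug_inputs(bat_text):
    """Return the file names a batch file redirects into DEBUG's stdin."""
    return [m.group(1) for m in DEBUG_REDIRECT.finditer(bat_text)]

def debug_script_score(scr_text):
    """Count how many of the five write-sequence commands a script contains."""
    return sum(1 for rx in DEBUG_COMMANDS.values() if rx.search(scr_text))

def deletes_self(bat_text, names):
    """True if the batch file deletes any of the given files (covering its tracks)."""
    low = bat_text.lower()
    return any(re.search(r"(?m)^\s*(?:del|erase)\s+.*" + re.escape(n.lower()), low) for n in names)

def assess(bat_name, bat_text, files):
    """Combine the indicators into a verdict; `files` maps file name -> content."""
    inputs = piped_debug_inputs(bat_text)
    scores = {n: debug_script_score(files.get(n, "")) for n in inputs}
    cleanup = deletes_self(bat_text, inputs + [bat_name])
    suspicious = any(s >= 4 for s in scores.values())
    return {"piped_inputs": inputs, "script_scores": scores,
            "cleanup": cleanup, "suspicious": suspicious}

if __name__ == "__main__":
    print(assess("EXEC_PH.BAT", SAMPLE_BAT, {"PH33r.SCR": SAMPLE_SCR}))
```

A scan like this complements renaming debug.exe: the rename stops the dropper from running, while the scan tells you which batch files were trying to use it.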