| Crypto | |
|---|---|
| Type | File virus |
| Creator | Prizzy |
| Date Discovered | DEC-1999 |
| Place of Origin | Czech Republic |
| Source Language | Assembly |
| Platform | Microsoft Windows |
| File Type(s) | .exe, .dll* |
| Infection Length | ~20,000 bytes |
| Reported Costs | |
Crypto is a 32-bit Windows virus by Prizzy. It appeared in issue 4 of 29A magazine. It borrows many concepts from the DOS virus Onehalf. It also has a decent range of features to prevent detection, including stealth, polymorphism, anti-debugging, anti-heuristics, and anti-antivirus, among others.
Behavior
When Crypto is first executed, it runs its polymorphic decryptor to restore the original file code. It runs its anti-debugging and anti-virus disabling procedures, then installs itself to the system.
Kernel operations
It infects the Windows Kernel (KERNEL32.DLL) so the virus code is loaded when the computer is started. Because this file is protected, it creates a copy in the Windows folder, infects the copy, then forces Windows to use the infected copy on next boot. It patches export tables so the virus intercepts and filters several file access functions that are exported from the kernel, including CreateFile, OpenFile, __lopen, CopyFile, MoveFile, MoveFileEx, LoadLibrary, LoadLibraryEx, and FreeLibrary. The infected copy in the kernel will be unencrypted. After infecting the kernel, it returns control to the host program.
When an infected system is booted, Crypto is loaded into memory as a component of the kernel and hooks several kernel functions. Crypto activates its infection routine, searching for Portable Executables on all drives from C: to Z:. It waits three seconds before each drive scan to avoid raising suspicion.
Infection
To infect a file, Crypto enlarges the last section of the file for its code. It writes the encrypted code and the decryptor to this space then sets the entry point to the decryption routine.
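The entry-point change described above leaves a layout a defender can check for cheaply: an entry point that lies inside the last section of the image. The following Python is an added example, not code from the page or from 29A; it parses the PE section table with the standard library only, and the two PE images it tests are constructed header-only fixtures built by the `build_pe` helper.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristics flag


def entry_point_section(pe: bytes) -> dict:
    """Find the section holding AddressOfEntryPoint in a PE32/PE32+ image.
    'suspicious' is True when the entry point lies in the last section, the
    layout left behind when a file infector enlarges that section for itself."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]  # AddressOfEntryPoint
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(n_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        if vaddr <= entry < vaddr + max(vsize, rawsize):
            return {"index": i, "name": name, "count": n_sections,
                    "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
                    "suspicious": i == n_sections - 1}
    raise ValueError("entry point outside every section")


def build_pe(entry_rva: int, sections) -> bytes:
    """Constructed fixture: a header-only PE32 image with the given sections."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(96, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, size, rva, size, 0, 0, 0, 0, 0, chars)
                     for name, rva, size, chars in sections)
    return dos + b"PE\0\0" + file_hdr + opt + table


# Constructed samples: a normal layout, and the same file after the last section
# was enlarged, made executable, and given the entry point (Crypto's layout).
LAYOUT = [(b".text", 0x1000, 0x1000, 0x60000020),
          (b".data", 0x2000, 0x1000, 0xC0000040)]
CLEAN = build_pe(0x1100, LAYOUT + [(b".rsrc", 0x3000, 0x1000, 0x40000040)])
INFECTED = build_pe(0x3E00, LAYOUT + [(b".rsrc", 0x3000, 0x6000, 0x60000040)])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, entry_point_section(sample))
```

Runtime packers produce the same last-section entry point, so a hit is a reason to inspect the file further, not a detection on its own.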
The virus also adds droppers to ACE, RAR, ZIP, CAB, and ARJ archive files. Every dropper has an .exe extension and a filename that begins or ends with "!" and contains INSTALL, SETUP, RUN, SOUND, CONFIG, HELP, GRATIS, CRACK, UPDATE, or README. It first writes the dropper to disk, then runs the archiver installed on the system for that archive type to add the dropper to the archive.
Encrypting Libraries
Using the Windows Crypt API (WinCrypt), Crypto creates cryptographic keys while installing itself to the kernel. It checks for an already existing key and creates one if none is found. The key container is named "Prizzy/29A", and the key is stored under the registry key "SOFTWARE/Microsoft/Cryptography/UserKeys/Prizzy/29A", which is set to the value "Kiss Of Death". With these keys it encrypts the DLLs used by Windows applications: through its LoadLibrary and FreeLibrary hooks it intercepts library loading and decrypts and re-encrypts the DLLs on the fly. As WinCrypt supports custom encryption algorithms, the encryption key will be unique for each infected system, so disinfection from another system will be impossible.
It avoids DLLs whose names start with SFC, MPR, OLE32, NTDLL, GDI32, RPCRT4, USER32, RSASIG, SHELL32, CRYPT32, RSABASE, PSTOREC, KERNEL32, ADVAPI32, RUNDLL32, or SFCFILES, in addition to the files listed under the registry keys System\CurrentControlSet\Control\Session Manager\KnownDLLs and System\CurrentControlSet\Control\Session Manager\Known16DLLs.
Self-Protection
Crypto has anti-debugging features and disables on-access scanners, including Avast, AVP, AVG, and Amon. It also searches for and deletes anti-virus data files, including AVP.CRC, IVP.NTZ, ANTI-VIR.DAT, CHKLIST.MS, CHKLIST.CPS, SMARTCHK.MS, SMARTCHK.CPS, AGUARD.DAT, and AVGQT.DAT. It patches the file LGUARD.VPS, which belongs to an antivirus database. The virus also avoids infecting files with certain strings in their names, possibly in an attempt to avoid infecting security products, including TB, F-, AW, AV, NAV, PAV, RAV, NVC, FPR, DSS, IBM, INOC, ANTI, SCN, VSAF, VSWP, PANDA, DRWEB, FSAV, SPIDER, ADINF, SONIQUE, and SQSTART.
Other
The virus will not run on Win9x systems. It also contains bugs that inhibit its spreading.
Variants
There are at least 3 variants of the original. They appear to be similar in function.
Origin
Crypto was coded by Prizzy in the Czech Republic and completed in December of 1999. At the time, Prizzy was about 16 or 17 years old. It was his second virus, and it appeared in issue 4 of 29A magazine. Prizzy never released the virus himself, but did make it available for download on his website. Like most of his viruses, he named it after creating it, choosing something short that sounds good (though probably also related to its use of WinCrypt). Prizzy cites the Onehalf virus as an inspiration for the virus.
Sources
Prizzy. 29A, Issue 4, Win32.Crypto
Adrian Marinescu. Kaspersky Threats, VIRUS.WIN32.CRYPTO.
Matrix Zine, Interview with Prizzy. APR-2000