Crypto
Type: File virus
Creator: Prizzy
Date Discovered: DEC-1999
Place of Origin: Czech Republic
Source Language: Assembly
Platform: Microsoft Windows
File Type(s): .exe, .dll*
Infection Length: ~20,000 bytes
Reported Costs: (none listed)

Crypto is a 32-bit Windows virus by Prizzy. It appeared in issue 4 of 29A magazine. It borrows many concepts from the DOS virus Onehalf. It also has a decent range of features to prevent detection, including stealth, polymorphism, anti-debugging, anti-heuristics, and anti-antivirus, among others.

Behavior

When Crypto is first executed, it runs its polymorphic decryptor to restore the original file code. It runs its anti-debugging and anti-virus disabling procedures, then installs itself to the system.

Kernel operations

It infects the Windows Kernel (KERNEL32.DLL) so the virus code is loaded when the computer is started. Because this file is protected, it creates a copy in the Windows folder, infects the copy, then forces Windows to use the infected copy on next boot. It patches export tables so the virus intercepts and filters several file access functions that are exported from the kernel, including CreateFile, OpenFile, __lopen, CopyFile, MoveFile, MoveFileEx, LoadLibrary, LoadLibraryEx, and FreeLibrary. The infected copy in the kernel will be unencrypted. After infecting the kernel, it returns control to the host program.

When an infected system is booted, Crypto is loaded into memory as a component of the kernel and hooks several kernel functions. Crypto activates its infection routine, searching for Portable Executables on all drives from C: to Z:. It waits three seconds before each drive scan to avoid raising suspicion.

Infection

To infect a file, Crypto enlarges the last section of the file for its code. It writes the encrypted code and the decryptor to this space then sets the entry point to the decryption routine.
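The infection method above leaves a pattern a scanner can look for: the entry point lands inside the last section, and that section has to be executable (and, since the decryptor rewrites code in place, usually writable too). The following is an added example, not code from the page or from the virus source: a small PE header walker that reports those properties. The two sample images are constructed header-only fixtures built by `build_pe`, not real binaries.

```python
import struct

# IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE from the section Characteristics field
WX = 0x20000000 | 0x80000000


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, Characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsec, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    entry = struct.unpack_from("<I", data, coff + 20 + 16)[0]   # optional header + 16
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsec):
        name, vsize, va, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
    return entry, sections


def entry_point_report(data: bytes) -> dict:
    """Heuristic for last-section appenders: which section owns the entry point, and is the last one W+X?"""
    entry, sections = parse_pe(data)
    _, last_va, last_size, last_chars = sections[-1]
    owner = next((n for n, va, sz, _ in sections if va <= entry < va + sz), None)
    return {
        "entry_section": owner,
        "entry_in_last_section": last_va <= entry < last_va + last_size,
        "last_section_wx": (last_chars & WX) == WX,
    }


def build_pe(entry: int, sections) -> bytes:
    """Constructed header-only PE32 image (no real code); used only as an offline fixture."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), sz, va, sz, 0, 0, 0, 0, 0, c)
        for n, va, sz, c in sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed fixtures: a normal layout, and one whose last section was enlarged and now holds the entry point.
CLEAN = build_pe(0x1000, [(".text", 0x1000, 0x2000, 0x60000020), (".rsrc", 0x3000, 0x1000, 0x40000040)])
INFECTED_LIKE = build_pe(0x4800, [(".text", 0x1000, 0x2000, 0x60000020), (".rsrc", 0x3000, 0x6000, 0xE0000040)])
```

On its own the heuristic also fires on some packers and self-modifying installers, so it is a triage signal to combine with the other indicators on this page rather than a verdict.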

The virus also adds droppers to ACE, RAR, ZIP, CAB, and ARJ archive files. The droppers all have an .exe extension; their filenames begin or end with an exclamation mark and contain one of INSTALL, SETUP, RUN, SOUND, CONFIG, HELP, GRATIS, CRACK, UPDATE, or README. It first creates the dropper on disk, then runs the archiver program installed on the system for that archive type to add the dropper to the archive.

Encrypting Libraries

Using the Windows Crypt API (WinCrypt), Crypto creates cryptographic keys while installing itself into the kernel. It checks for an existing key and, if none is found, creates one. The key container is named "Prizzy/29A", and the key is stored under the registry key "SOFTWARE/Microsoft/Cryptography/UserKeys/Prizzy/29A", which is set to the value "Kiss Of Death". With these keys it encrypts the DLLs used by Windows applications: through its LoadLibrary and FreeLibrary hooks it intercepts library loading and decrypts and re-encrypts the libraries on the fly. Because WinCrypt supports custom encryption algorithms and the key is generated per machine, the encryption key is unique to each infected system, so disinfection from another system is impossible.

It avoids DLLs whose names start with SFC, MPR, OLE32, NTDLL, GDI32, RPCRT4, USER32, RSASIG, SHELL32, CRYPT32, RSABASE, PSTOREC, KERNEL32, ADVAPI32, RUNDLL32, or SFCFILES, in addition to the files listed under the registry keys System\CurrentControlSet\Control\Session Manager\KnownDLLs and System\CurrentControlSet\Control\Session Manager\Known16DLLs.

Self-Protection

Crypto has anti-debugging features and disables on-access scanners, including Avast, AVP, AVG, and Amon. It also searches for and deletes anti-virus data files including AVP.CRC, IVP.NTZ, ANTI-VIR.DAT, CHKLIST.MS, CHKLIST.CPS, SMARTCHK.MS, SMARTCHK.CPS, AGUARD.DAT, and AVGQT.DAT. It patches the file LGUARD.VPS, which belongs to an antivirus database. The virus also avoids infecting files with certain strings in their names, possibly in an attempt to avoid infecting security products, including TB, F-, AW, AV, NAV, PAV, RAV, NVC, FPR, DSS, IBM, INOC, ANTI, SCN, VSAF, VSWP, PANDA, DRWEB, FSAV, SPIDER, ADINF, SONIQUE, and SQSTART.

Other

The virus will not run on Win9x systems. It also contains bugs that inhibit its spreading.

Variants

There are at least 3 variants of the original. They appear to be similar in function.

Origin

Crypto was coded by Prizzy in the Czech Republic and completed in December of 1999. At the time, Prizzy was about 16 or 17 years old. It was his second virus, and it appeared in issue 4 of 29A magazine. Prizzy never released the virus himself, but did make it available for download on his website. Like most of his viruses, he named it after creating it, choosing something short that sounds good (though the name is probably also related to its use of WinCrypt). Prizzy cites the Onehalf virus as an inspiration for the virus.
