Libertine

Type: File virus
Creator: NeverLoved
Date Discovered: 1998
Platform: Microsoft Windows
Infection Length: 31,672 bytes

Libertine is a polymorphic Windows 9x virus. It infects both Windows 32-bit and DOS files, but can only replicate properly under Windows 9x systems. The behavior of Libertine varies slightly depending on the type of file it is executed from. Its name comes from a song by French-Canadian singer Mylene Farmer, and the virus's payload sets a picture of her as the desktop wallpaper.

Behavior

The virus can be executed from an infected .com, .exe, or a dropper .exe file containing pure virus code. It has slightly different behaviors depending on which it is executed from, but infected .com or .exe files typically serve as carriers of the dropper. It is unable to replicate properly under anything other than Windows 9x (95, 98, ME).

Execution from a .com file

Using 32-bit i386 instructions, this routine gets the offset of the main virus code, stored at address 001Ch in the header, converts it to 16-bit segment:offset format, and jumps there. The entry routine also hooks INT 24h to prevent DOS from throwing an error message when writing to write-protected volumes. Some researchers noted it was unusual that this was in the header rather than in the main virus code.

The virus checks the version of Windows after receiving control. If no Windows or a version earlier than 95 is found, it returns control to the original host program. If it finds a compatible version of Windows, it creates the file C:\MYLENE.EXE, writes the dropper there, and executes it; the dropper carries out the infection from there.

Execution from a PE file

When Libertine is executed from an infected PE file, the polymorphic routine decrypts the virus and jumps to the main routine. This differs somewhat from the .com case: the code is 32-bit from the start and works with Windows memory and resources. It serves the same function, however, which is to drop and execute MYLENE.EXE.

To access Windows functions, the virus parses the Windows kernel, searching for the CreateFileA, WriteFile, CloseHandle and WinExec functions (the other option would have been to use the PE Import Table, but the author opted to parse the kernel instead). Being little more than a vehicle for the virus dropper, it only needs these four functions. It creates the file MYLENE.EXE in C:\, writes the dropper's code there, then closes the file. It then executes the dropper and allows it to take control.

Dropper routine

When a file infected with Libertine is executed, it searches for the virus dropper at C:\MYLENE.EXE, executes it, and returns control to the host program. If it does not find the dropper, it creates and then executes it. In both .com and .exe files, the dropper routines are quite short, though the .exe routine is slightly more sophisticated. From this point, all infection and payload functions are carried out by the dropper.

Once executed, the dropper attempts to hide its presence on the system. It suppresses access violation messages using the KERNEL32 function SetErrorMode, so the virus runs without any complaints about protection violations. It then checks which operating system it is running on. If it finds it is on a Windows 9x system, it patches the undocumented system process database and sets the NukeProcess and ServiceProcess flags. These flags ensure that its process is not visible in the Ctrl-Alt-Del task list and is not terminated when the user logs off. It enables these flags by re-executing its dropper with a "sexy" ID argument.

Infection

When the infection routine gets control, Libertine checks for the presence of a non-fixed disk (remote drive, floppy, CD-ROM, etc.) and, if it finds one, the routine terminates. It scans the C: drive for files and checks each for a .com or .exe extension. There is a 1 in 8 chance it will skip infecting any given file. The virus looks into each file for the "MZ" stamp and, on finding it, looks for "PE" and "I M!" indicating a Portable Executable.

It checks for the presence of the string "ENUN" at the end of a file and does not infect files that carry it. It also avoids files under 2kb or over 60kb in length. Before infecting a file, Libertine calls the Sleep API function and delays infection by 3 seconds. It stays in memory even though it acts in some ways like a direct-action infector (one that typically picks a directory or infects all files on a certain disk without going resident). It stays resident like this until all .com and .exe files are infected (with 1200 infectable files, it stays resident for an hour). When infecting a file, Libertine appends itself to the end of the file and modifies the headers so that control passes to the virus on execution. In Portable Executables, it adds a section named _Mylene_ and then runs its polymorphic engine to encrypt it.

When infecting a .com file, it converts the file to an .exe by adding an .exe header. The new header has the usual "MZ" magic stamp and all the necessary fields, but there are a few ways to tell it is not a genuine .exe. For example, the header size is set to zero, which means there should be no bytes in the header (even though the M and Z are there). Another is that the "CS at entry" field has the value -100h (FFF0h). These two fields force DOS to load the .exe as a standard .com file: the bytes from 0000h to 00FFh are occupied by the Program Segment Prefix, the bytes from 0100h to the end of allocated memory hold the file image, and the very first byte of the file is placed at offset 0100h. Files converted from .com to .exe retain all of their functionality even if they end up longer than 64kb. It also gives the virus an easier way to return control to the host program, as it can simply restore the first 4Fh bytes of the file header and jump there.

The following strings can be found inside the virus:

[Win32.Libertine v1.07b]
Copyright 1998-xxxx by
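As an added example (not code from the page or its sources), the following Python triage helper checks a file image for the static Libertine indicators this page describes: the zero header size and FFF0h "CS at entry" of a converted .com file, the "ENUN" end-of-file marker, the _Mylene_ PE section and the version string above. The two sample builders produce constructed, benign byte strings shaped like those headers, not virus code.

```python
import struct
LIBERTINE_STRING = b"[Win32.Libertine v1.07b]"
TAIL_MARKER = b"ENUN"          # left at the end of infected files
PE_SECTION_NAME = b"_Mylene_"  # section added to infected Portable Executables
FAKE_CS_AT_ENTRY = 0xFFF0      # "CS at entry" of -100h in a converted .com file

def mz_header_anomalies(data: bytes) -> list:
    """Flag the two header oddities of a .com file converted to .exe by Libertine."""
    if len(data) < 0x1C or data[:2] != b"MZ":
        return []
    found = []
    if struct.unpack_from("<H", data, 0x08)[0] == 0:  # e_cparhdr: header size in paragraphs
        found.append("MZ header size is zero")
    if struct.unpack_from("<H", data, 0x16)[0] == FAKE_CS_AT_ENTRY:  # e_cs
        found.append("CS at entry is FFF0h (-100h)")
    return found

def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if the data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_hdr_size  # section table follows the optional header
    return [data[o:o + 8].rstrip(b"\0") for o in range(table, table + 40 * num_sections, 40)
            if o + 40 <= len(data)]

def scan_for_libertine(data: bytes) -> list:
    """Collect every page-described Libertine indicator the file exhibits."""
    hits = mz_header_anomalies(data)
    if data.endswith(TAIL_MARKER):
        hits.append("ENUN infection marker at end of file")
    if PE_SECTION_NAME in pe_section_names(data):
        hits.append("_Mylene_ PE section")
    if LIBERTINE_STRING in data:
        hits.append("Libertine version string")
    return hits

def constructed_converted_com() -> bytes:
    """Constructed benign sample: MZ header shaped like a Libertine-converted .com."""
    hdr = bytearray(b"MZ") + bytes(0x3E)                 # header size at 0x08 stays 0
    struct.pack_into("<H", hdr, 0x16, FAKE_CS_AT_ENTRY)
    return bytes(hdr) + b"\xc3" * 16 + TAIL_MARKER

def constructed_pe_with_mylene_section() -> bytes:
    """Constructed benign sample: minimal PE whose only section is named _Mylene_."""
    mz = bytearray(b"MZ") + bytes(0x3E)
    struct.pack_into("<H", mz, 0x08, 4)     # genuine header size: 4 paragraphs
    struct.pack_into("<I", mz, 0x3C, 0x40)  # e_lfanew: PE header right after MZ header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    return bytes(mz) + coff + PE_SECTION_NAME + bytes(32)  # one 40-byte section entry
```

Run scan_for_libertine over file contents read in binary mode; an empty list means none of the page's indicators are present.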

Payload

Image: mylene.jpg, the replacement desktop picture.

After execution, Libertine releases its payload. Depending on the system time counter, there is a 1 in 8 chance of this routine being executed; when it runs, it changes the Windows wallpaper. The virus contains a compressed JPG image 16kb in length. It decompresses the file to C:\MYLENE.BMP, a picture of French-Canadian singer Mylene Farmer, which ends up being 160kb.

To do so, the virus locates the installed JPEG viewer through the system registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Graphics Filters\ImportJPEG

It then writes the result to the registry key HKEY_CURRENT_USER\Control Panel\desktop, making it the desktop wallpaper.

Disabling Antivirus

Libertine targets AVP Inspector (AVPI), a CRC scanner. It locates the AVPI file by reading the registry key HKEY_USERS\Default\Software\KasperskyLab\AVPI and, on finding it, scans the file for specific code, which it overwrites with NOP instructions. This has different effects depending on the AVPI version: either AVPI simply stops detecting changes to the system, or it stops scanning and displays a statistics dialog. To avoid patching the file more than once, the virus writes the string "kcah" into the file header at offset 0030h. It may also terminate AVPI.

Other Facts

Researchers did not agree on whether to classify the virus as a Win9x virus or a Win32 virus because of its problems replicating under Windows NT. The dropper, which is a pure form of the virus (not an infected file), could infect files under Windows NT, but those infected files could not then infect other files.

Sources

Kaspersky Threats, TROJAN-BANKER.WIN9X.LIBERTINE.

F-Secure, Libertine.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License