Memorial
Memorial
Type File virus
Creator Qark
Date Discovered 1997
Place of Origin Australia
Source Language Assembly
Platform MS Windows
File Type(s) .com, .exe
Infection Length 12,413 bytes

Memorial is co-authored by Qark and fellow VLAD virus writer Quantum. In spite of announcing his retirement with the Goodbye virus, he published this one dedicated to Clinton Haines, a young deceased Australian virus writer. Memorial is a memory-resident oligmorphic infecter of MS-DOS .COM and .EXE files, and Win9x PE (Portable Executables). Memorial is the first oligomorphic Win9x virus and also contained retro virus (anti-anti-virus) features. It appeared in 1997 and is published independently.

Although Memorial infects MS-DOS executables as well, it can not be considered truly cross-platform: It requires the presence of Win9x Operating System to go resident and continue infecting files. The heart of Memorial is a 12,413 byte VxD file (Win9x LE Virtual Driver). Memorial uses a simple packing algorithm to reduce the file in the virus body down to 7,508 bytes.

Behavior

Going Memory Resident

Memorial in action

When run from an infected MS-DOS .COM file, Memorial checks if Windows is running and immediately returns control to the host if this case. Otherwise Memorial issues its MS-DOS residency-check and takes action if the virus is not already resident. Memorial unpacks its VxD body to "C:\CLINT.VXD" and goes memory-resident under MS-DOS. MS-DOS residency is achieved by copying a small stub of code to the second-half of the Interrupt Vector Table (IVT) at 0:200h and hooks INT 2Fh (MS-DOS Multiplex Interrupt). The INT 2Fh handler serves two purposes: It handles Memorial's residency check and waits for Windows to load (INT 2Fh AX=1605h). When Windows loads Memorial initialises a "Win386_Startup_Info_Struc" structure and points the "SIS_Virt_Dev_File_Ptr" field to its VxD's filename. This causes the VxD to be loaded during Windows start-up and is preferable to modifying "system.ini". The MS-DOS stub is 275 bytes of code, plus packed VxD.

When run from a MS-DOS .EXE file Memorial attempts to execute basically the same plan as with a .COM file but this does not go to plan. Erroneous parameters passed to the VxD unpacking code cause Memorial to go into an infinite loop, filling up the C: drive. This effectively makes infected MS-DOS .EXE infections dead files. When run from an infected PE files, the virus decrypts itself first. Memorial then uses internal Windows structures to resolve address of Kernel32 procedures 'GetModuleHandleA' and 'GetProcAddress'. These functions are used to resolve all other Kernel32 and User32 procedures.

Messages

Next Memorial calls Kernel32!GetLocalTime for its activation routine. If the date is April 10th (both the day of Clinton Haines birth and death) Memorial calls User32!MessageBox displaying a Message box with title:

Clinton Haines Memorial Virus by Quantum/VLAD and Qark/VLAD

and message body:

Clinton Haines, also known as Harry McBungus, Terminator Z and Talon
died of a drug overdose on his 21st birthday, April the 10th, 1997.
During his time as a virus writer he wrote the Nofrills|No Frills family, X-Fungus,
Daemon and 1984 viruses.  He was a good friend to VLAD and so we write
this virus in his honour.  We hope it's good enough to do him justice.
VLAD Remembers. Rest in Peace
R.I.P.

The VxD

If the date is not April 10th, Memorial uses Kernel32 calls CreateFileA, WriteFile, ReadFile, SetFilePointer, CloseHandle and LocalAlloc to unpack and write the virus VxD to "C:\CLINT.VXD", the same as MS-DOS infections. The VxD is executed and Memorial passes control back to the PE host. PE infection stub is 1,360 bytes + 46 byte oligomorphic decrypter.

When Memorial's VxD is loaded, 4 control messages are handled: W32_DEVICEIOCONTROL, INIT_COMPLETE, SYS_DYNAMIC_DEVICE_INIT and SYS_DYNAMIC_DEVICE_EXIT. In case of first message the virus returns 0 signalling it does not want to interact with other Win32 applications. In case of second and third message the virus runs its VxD initialisation code. In case of the fourth message the virus returns 1 to disallow the VxD from being unloaded. Memorial's VxD initialisation code begins by hooking DOS IFS API (Installable File System) first. This is used to catch files to infect.

Retrovirus

Next Memorial takes retro (anti-anti-virus) action deleting several anti-virus registry keys. From '\System\CurrentControlSet\Services\Vxd' (statically loaded VxD drivers) it deletes keys with values: 'VETMON95', 'VETMACRO', 'NAVAP', 'virusafe' and 'WIMMUN32'. From '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' it deletes keys: 'NORTON AUTO-PROTECT', 'TBAV for Windows 95', 'Anywhere Antivirus Validation', 'Vshwin32EXE' and 'ViruSafe'. From '\SOFTWARE\McAfee\ScreenScan' it deletes 'bEnableScreenScan', 'bScanAllFiles' and 'bScanSubDirs'. From '\SOFTWARE\Cybec\VET Antivirus for Win32\' it deletes 'Actions\InfectedAction', 'Actions\SuspectAction', 'Memory\Enabled', 'Resident\FileCheck', 'Resident\InfectedAction', 'Resident\SuspectAction', 'Scanning\Scan All Files', 'Scanning\Scan Type', 'Scanning\Skip Renamed', 'Scanning\Subfolders'. From this location it also sets 'Scanning\Extension List' to 'bin, dll, doc, drv, ovl, sys, dot', omitting .COM, .EXE and .SCR.

File Infection

The Memorial VxD file then allocates two buffers. It clears the attributes of CLINT.VXD and reads the file into the first buffer, closes the file and deletes it. The unpacked VxD images is then pack into the second buffer. When infecting .COM files Memorial checks for .COM extension and absence of MZ header. Memorial also avoids .COM files ending with "NS" - this is to avoid Windows 95 "ENUNS" vaccinated files. When infecting MZ/PE files Memorial checks for .EXE or .SCR extension and presence of MZ header.

MS-DOS .COM and .EXE files are infected by fairly standard algorithms. In the case of PE files Memorial creates a new last section containing the virus, increases the section count and modifies the entrypoint. The 'name' of the last section is 'CLINTON' encrypted with a random 8-bit XOR. A checksum byte is appended to the section name to mark the PE as infected. Memorial is oligomorphic in PE infections, capable of creating 96 46-byte long decryptors. Memorial's random number generator is initialised calling 'IFSMgr_Get_DOSTime' on EXE/SCR infections.

The Oligomorphic Engine

This engine is simple but effective. The basic decrypor consists of 11 different parts. The mutation engine modifies the order of these small blocks by changing some of them with each other. Thus block 1 with 2, 8 with 9, 6 with 7 , 3 with 4, 5 with 4 and 10 with 0 can be replaced by each others. This gives 2*2*2*2*6 all together 96 different cases. This makes the detection of the virus difficult in PE files.

Effects

Memorial had a number of bugs that prevented it from spreading very widely. It was however reported wild in Sweden.

Background

The virus is a "memorial" for Clinton Haines, a virus coder and hacker from Brisbane, Australia. His was nearing completion of his undergraduate studies in microbiology when he overdosed on heroin celebrating his 21st birthday. Haines was an influence on many virus coders, including Qark. Rod Fewster, director of Thunderbyte (TBScan Antivirus) said he believed Haines had not coded a virus (or at least released one) in the two years before his death. Some of his viruses gained a certain degree of notoriety, including No Frills, X-Fungus, Daemon and 1984.

Sources

Original research by JPanic aka @JPanicVX

Peter Szor. SecureList, Virus.Win9x.Memorial.

Julie Robotham. The Sydney Morning Herald, Death of the virus king. 1997.05.05

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License