MetaPHOR

Type: File virus
Creator: The Mental Driller
Date Discovered: 2002.02.11
Place of Origin: Spain
Source Language: Assembly
Platform: MS Windows, Linux*
File Type(s): .exe, ELF*
Infection Length: 32,828 bytes*

MetaPHOR is a metamorphic virus by 29A coder The Mental Driller. The original infects only Windows 32-bit executables, but a later variant is a cross-platform infector that can also infect Linux ELF files. Its source was published in issue 6 of 29A magazine.

Behavior

When a file infected with MetaPHOR is executed and the virus takes control, it first runs the polymorphic decryptor (unless this copy is unencrypted; the virus is programmed to produce an unencrypted copy every few infections). The decryptor allocates 3.5 megabytes of memory and uses it to decipher the body of the virus. Unlike most decryptors, which decrypt the virus body linearly from start to end, this one uses "pseudo-random index decryption" (a term coined by The Mental Driller) to decrypt the body in a seemingly random order, an effort to evade heuristic scanners that look for decryption loops. Once the actual virus body runs, it locates the 20 APIs it needs for replicating and displaying its messages, then checks the date to decide whether the messages should be displayed.

MetaPHOR then generates a new virus body in memory. It starts by translating itself into an intermediate form that is independent of the operating system and CPU. It removes the redundant instructions inserted during the previous infection, shrinking this intermediate form. It then permutes the form by reordering some subroutines and moving parts of the virus code, linking the pieces back together with jump instructions, and randomly inserts new redundant, unused instructions. Finally, this form is reassembled into code native to the target CPU and OS, which is what gets added to .exe files.

MetaPHOR looks for .exe files in the current directory, then on all fixed and mapped network drives. It checks several things before infecting a file. The virus avoids files whose names begin with the characters PA, F-, SC, DR or NO, or contain the letter V anywhere in the name, and it avoids files in directories whose names begin with the letter W. Because of the method it uses to match these characters, files that begin with FM or contain the digit 6 are also avoided, as are directories beginning with the digit 7. It also avoids goat files. The target must have a checksum, be an executable for 386 and later processors, and have sections named .text and .data.
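The three quirks above (F- also matching FM, V matching 6, W matching 7) all follow if the case-insensitive compare folds each character by clearing bits 5 and 6 rather than bit 5 alone. This added Python example, which is not code from the page or from the virus, models the name checks under that assumption (the 0x9F mask is inferred from the collisions the page lists, not stated by it) and enumerates the collisions, the kind of check an analyst writes when working out which files a sample will skip, for instance when preparing goat files that must not be ignored.

```python
# Model of MetaPHOR's file-name avoidance checks as described on this page.
# FOLD_MASK is an assumption: clearing bits 5 and 6 of each byte is the simplest
# fold that maps 'a'..'z' onto 'A'..'Z' and also produces the listed collisions.

AVOIDED_PREFIXES = ("PA", "F-", "SC", "DR", "NO")  # file-name prefixes from the page
AVOIDED_LETTER = "V"                                # anywhere in the file name
AVOIDED_DIR_PREFIX = "W"                            # directory-name prefix
FOLD_MASK = 0x9F                                    # assumed fold (clears bits 5 and 6)


def fold(s: str) -> bytes:
    """Apply the fold to every byte of an ASCII string (the virus compares raw bytes)."""
    return bytes(b & FOLD_MASK for b in s.encode("ascii"))


def masked_startswith(name: str, prefix: str) -> bool:
    """Prefix compare under the fold, as the virus's 'case-insensitive' check would do."""
    return fold(name)[: len(prefix)] == fold(prefix)


def masked_contains(name: str, ch: str) -> bool:
    """Single-character search under the fold."""
    return fold(ch)[0] in fold(name)


def would_avoid(filename: str, directory: str) -> bool:
    """True when the checks described on the page would make the virus skip this file.

    `directory` is the name of the containing directory (not the full path).
    """
    if masked_startswith(directory, AVOIDED_DIR_PREFIX):
        return True
    if any(masked_startswith(filename, p) for p in AVOIDED_PREFIXES):
        return True
    return masked_contains(filename, AVOIDED_LETTER)


def collisions(target: str) -> list[str]:
    """Printable ASCII characters that fold onto `target` without being its upper/lower case."""
    t = fold(target)[0]
    return [chr(c) for c in range(0x20, 0x7F)
            if (c & FOLD_MASK) == t and chr(c).upper() != target.upper()]


if __name__ == "__main__":
    for ch in ("-", "V", "W"):
        print(f"{ch!r} also matches {collisions(ch)}")   # '-' -> M/m, 'V' -> 6, 'W' -> 7
    print(would_avoid("fmtest.exe", "tools"), would_avoid("calc.exe", "tools"))  # True False
```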

After passing these checks, MetaPHOR infects the file. If the name of the last section is .reloc, the virus adds itself to the beginning of the data section of the file and updates the file's offsets. If there is no .reloc, the virus will be placed in a random section of the file. There is also a small chance it may do this even when there is a .reloc section.

It displays a message box on the 17th of March, June, September and December with the text "MetaPHOR v1 by The Mental Driller/29A". The letters may be lower or upper case, which the virus decides randomly for each letter. On the 14th of May, if the system locale is set to Hebrew, it displays a message box with the text "Free Palestine".

Variants

In addition to the original, The Mental Driller created two variants of the virus. There is also a variant coded by someone else, sometimes called the "Unofficial C variant". MetaPHOR.D, which can infect both Windows and Linux executables, is sometimes called the "Official C variant". MetaPHOR.B replaces "V1" in the message it displays with "1b". MetaPHOR.C (the "unofficial" C variant) was not coded by The Mental Driller and replaces the whole message with "Deutsche Telekom@by@Energy rpp2@g".

MetaPHOR.D

MetaPHOR.D (also known as the official MetaPHOR.C variant, and named MetaPHOR 1C by The Mental Driller) is capable of infecting both Windows .exe and Linux ELF executables. Its infection length is around 110 kilobytes, but varies widely because of the metamorphic engine. Unlike Winux, the first cross-platform Windows/Linux infector, which uses two separate infection routines for ELF and .exe files, MetaPHOR.D shares most of its code between the two infection paths.

Origin

MetaPHOR was coded by The Mental Driller of the VX group 29A, based in Spain. The Mental Driller named it MetaPHOR from the words "Metamorphic Permutating High-Obfuscating Reassembler", which accurately describes this virus. He was going to name it "Metastasis", but someone in his family got cancer, and he did not want to trivialize the suffering of people with cancer. He went with MetaPHOR, which he later thought was a perfect name, since every generation of the virus would be a "metaphor" of the previous one.

The Mental Driller created this virus with the intent of adding many new features to it. He intended early on to create a variant that could infect Linux. While it has yet to materialize, a cross-CPU infector is also a possibility for this virus; Mister Sandman, also of the 29A group, attempted this with his Esperanto virus.

Effects

While MetaPHOR was never released into the wild, it was published in 29A magazine, meaning someone could assemble the file and release it. Most antivirus products have detections for this virus to prevent a possible outbreak. F-Secure antivirus detected several non-infected files as being MetaPHOR-infected, including a Visio .dll, a Norton Utilities .dll and a Lexmark printer driver.
