Ussrhymn | |
---|---|
Type | File virus |
Creator | Z0mbie (unconfirmed) |
Date Discovered | 13-NOV-2000 |
Place of Origin | Russia |
Source Language | Assembly |
Platform | MS Windows 9x |
File Type(s) | .exe |
Infection Length | 19,986 bytes |
Reported Costs | |
USSRHymn, also known as Zhymn, is a potentially dangerous virus for Windows 9x systems that plays the national anthem of the USSR on 1 January. It can also move infected files into compressed archives. It is noted for its complex coding style.
Behavior
When an infected file is executed, Ussrhymn gains control through a modified entry point that points into the first section of the file. It begins with a time-wasting loop, most likely intended to exhaust the instruction budget of 32-bit code emulators so that they give up before reaching the virus body.
Ussrhymn first infects EXPLORER.EXE and WSOCK32.DLL, both in the Windows directory, then executables (.exe and .scr) in the Windows directory and in the directories on the PATH, then applications referenced in the registry, and finally walks the directories of all local and network drives (A: to Z:) and infects Windows .exe files there as well. It stays resident and infects any .exe file that is accessed. It also creates a dropper named KERNEL.EXE and registers it under the autorun key "Software\Microsoft\Windows\CurrentVersion\Run".
When infecting WSOCK32.DLL, Ussrhymn hooks its "recv", "send" and "connect" exports, much as many email worms do. Because the DLL is in use, it makes a copy of the file, infects the copy, and writes a Wininit.ini entry that renames the copy over WSOCK32.DLL at the next startup. It also hooks Winmm.dll, which lets it trigger its payload at the right time. The API names are not stored in the virus; instead it keeps a checksum of each name it needs and resolves the address by matching export names against that checksum. It does this every time the function is called rather than caching the address once. Despite the hooks, the virus in its current form has no ability to send email.

To infect a file, the virus places its code at the beginning of the first section and shifts the original code down, adjusting the relocation information for that area. It can also add infected files to ZIP and RAR archives. When an infected file runs, the virus is not visible in the Windows task list, and it continues to infect files even when no user is logged on.
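The checksum-based import resolution described above, as an added example (this is illustrative Python, not Ussrhymn's own code). The checksum function (rotate-left-by-7 then XOR) is an assumption: the page does not give the algorithm the virus uses. The export table is constructed for the example; the names are real Winsock exports but the addresses are invented. The block shows both sides: the build-time constants and run-time walk the virus performs, and the reverse lookup an analyst runs to turn recovered constants back into API names.

```python
from typing import Dict, Iterable, Optional


def name_checksum(name: bytes) -> int:
    """32-bit checksum of an export name.

    ASSUMPTION: rotate-left-7 then XOR, a shape common in viruses of this
    era.  The page does not give the function Ussrhymn actually uses.
    """
    h = 0
    for b in name:
        h = ((h << 7) | (h >> 25)) & 0xFFFFFFFF
        h ^= b
    return h


# Constructed stand-in for the export directory of WSOCK32.DLL (name -> RVA).
# Real Winsock export names; the addresses are invented for the example.
FAKE_WSOCK32_EXPORTS: Dict[bytes, int] = {
    b"accept": 0x1000,
    b"closesocket": 0x1040,
    b"connect": 0x1080,
    b"recv": 0x10C0,
    b"send": 0x1100,
    b"socket": 0x1140,
}


def build_constant_table(names: Iterable[bytes]) -> Dict[bytes, int]:
    """Build-time step: the author precomputes these constants and embeds
    them in the code in place of the strings."""
    return {n: name_checksum(n) for n in names}


def resolve_by_checksum(exports: Dict[bytes, int], wanted: int) -> Optional[int]:
    """Run-time step: walk the export names and return the address whose
    name hashes to `wanted`.  The caller holds only the 32-bit constant, so
    a string search of the virus body for "recv" or "send" finds nothing.
    Ussrhymn repeats this walk on every call instead of caching the result.
    """
    for name, addr in exports.items():
        if name_checksum(name) == wanted:
            return addr
    return None


def identify_constants(constants: Iterable[int],
                       candidate_names: Iterable[bytes]) -> Dict[int, bytes]:
    """Analyst side: given constants pulled out of a sample and a list of
    known export names, recover which API each constant stands for.
    Constants that match no candidate are left out of the result."""
    table = {name_checksum(n): n for n in candidate_names}
    return {c: table[c] for c in constants if c in table}


if __name__ == "__main__":
    wanted = build_constant_table([b"recv", b"send", b"connect"])
    for api, const in wanted.items():
        rva = resolve_by_checksum(FAKE_WSOCK32_EXPORTS, const)
        print(f"{api.decode():8s} 0x{const:08x} -> RVA {rva:#06x}")
    # Reverse lookup using the export list of the (here constructed) DLL.
    print(identify_constants(wanted.values(), FAKE_WSOCK32_EXPORTS))
```

For real samples the candidate list for `identify_constants` is simply the export names of every DLL the sample is likely to touch, which is why recovering the exact hash function from the disassembly is the first step in analysing this kind of loader.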
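A check for the Wininit.ini rename trick described above, as an added example (illustrative Python, not the virus's code or any vendor's tool). On Windows 9x, WININIT.EXE processes the [rename] section of C:\WINDOWS\WININIT.INI at the next boot, before the system DLLs are loaded; each line is `destination=source`, and a destination of NUL deletes the source. The sample file below is constructed for the example; the temporary name given to the infected copy (here WSOCK32.VIR) is invented, since the page does not give it.

```python
import ntpath
from typing import List, Tuple

# System files whose replacement via [rename] deserves a look.  The list is
# an assumption for this example; the page documents Ussrhymn replacing
# only WSOCK32.DLL this way.
WATCHED = {"wsock32.dll", "winmm.dll", "kernel32.dll", "user32.dll", "explorer.exe"}

# Constructed sample of C:\WINDOWS\WININIT.INI (CRLF line endings, as on
# Windows).  The .VIR name for the infected copy is invented.
SAMPLE_WININIT = (
    "[rename]\r\n"
    "NUL=C:\\WINDOWS\\TEMP\\~DF3A1C.TMP\r\n"
    "C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.VIR\r\n"
    "C:\\PROGRA~1\\SOMEAPP\\SOMEAPP.EXE=C:\\PROGRA~1\\SOMEAPP\\SOMEAPP.NEW\r\n"
)


def parse_rename_section(text: str) -> List[Tuple[str, str]]:
    """Return (destination, source) pairs from the [rename] section.

    Keys repeat freely in this section (many NUL= lines), so a generic INI
    parser that merges duplicate keys would lose entries; hence the hand
    parser.  Lines outside [rename] and ';' comments are ignored.
    """
    ops: List[Tuple[str, str]] = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dst, src = (part.strip() for part in line.split("=", 1))
            ops.append((dst, src))
    return ops


def suspicious_renames(ops: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flag renames whose destination is a watched system file.  Deletions
    (destination NUL) are routine installer clean-up and are skipped."""
    flagged = []
    for dst, src in ops:
        if dst.upper() == "NUL":
            continue
        if ntpath.basename(dst).lower() in WATCHED:
            flagged.append((dst, src))
    return flagged


if __name__ == "__main__":
    for dst, src in suspicious_renames(parse_rename_section(SAMPLE_WININIT)):
        print(f"pending replacement of {dst} by {src}")
```

Run against a live machine, the source file of any flagged entry is the thing to hash and scan: it is the infected copy waiting to be swapped in at the next reboot.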
Ussrhymn blocks connections to many antivirus sites and patches the files of antivirus products and memory-resident scanners. It also hides from debuggers, notably SoftICE, which it disables in memory. To run these disabling routines in kernel mode, it uses a call gate to alter the thread context. It restarts the computer if it finds a debugger present in memory.
Similar to the Hybris virus, Ussrhymn makes the infected WSOCK32.DLL listen for specially crafted packets sent to the infected computer. When such a packet is received, the virus extracts the specially prepared data from it and executes that data as a routine, which acts as a sort of plugin.
On 1 January it plays the national anthem of the USSR.
Other facts
There is a DOS virus, Hymn, which also plays the USSR's national anthem. Similarities to Bistro have also been noted.
Sources
F-Secure. Zhymn.
Peter Ferrie. W95.Ussrhymn. Symantec Security Response, 13-NOV-2000.
Kaspersky Lab. Virus.DOS.Hymn.