Vulcano
Vulcano
Type File virus
Creator Benny
Date Discovered 1999
Place of Origin Brno, Czech Republic
Source Language Assembly
Platform MS Windows
File Type(s) .exe, .scr, .sfx, .cpl, .dat, .bak
Infection Length

Vulcano is a virus coded by Benny, appearing in issue 4 of 29A magazine. It is the first multiprocess 32-bit Windows virus with interprocess communication. Vulcano does little to nothing inside the virus body itself. It was also polymorphic, using an advanced BPE32 (which also compressed it) and a second semi-polymorpher.

It's most interesting feature is that it primarily infects and does many other things using InterProcess Communication (IPC). In practice, this means that if a virus wants to infect a file, it will try to find the same virus running in another program. If it finds another copy, it will give the copy a command to perform the infection for it. Debugging becomes a problem because the virus is executed from one program, but its operations take place in a totally different (seemingly uninvolved) one.

Table of Contents

Behavior

When executed, Vulcano first decrypts its body with a polymorphic decryptor. It then decompresses itself and then decrypts itself with a second decryptor. It uses CRC32 to check the consitency of the virus body. It then checks for a Pentium processor and finds the base of Kernel32.dll in memory. It calls a patched API to find any APIs it needs. It checks for an application-level debugger then a system-level debugger (SoftIce), and terminates the process if so. It also looks for AVP and AMON antivirus programs and tries to shut them down. Vulcano then creates a thread which will hook some API functions.

While waiting for thread termination, it opens space in the swap file and creates a new record for interprocess communication (IPC) and creates a new IPC thread. The virus uses the IPC thread for infecting files. It gets a random file name and checks the file properties. It opens the file, checks it, and infects it through IPC. It then calls the original API.

It doesn't contain any payload. It also avoids infecting system files, files without .reloc sections, and files under a certain size (16 kilobytes).

Origin

Vulcano was coded by Benny in Brno in the Czech Republic. It appeared in the 4th issue of 29A magazine in 1999. Benny considered it his best virus up to that point (an honor he previously gave to Begemot. He also described it as one of the most difficult to code and even harder to debug. He at first used normal variables but found this slow, so he switched to using mutexes.

Sources

Benny. 29A, Issue 4, Vulcano Source Code.

SHaC, Viri.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License