Zmist
Zmist
Type File virus
Creator Z0mbie
Date Discovered 2001
Place of Origin Russia
Source Language Assembly
Platform MS Windows
File Type(s) .exe
Infection Length ~35,000 bytes

Zmist is a polymorphic virus coded by Russian hacker Z0mbie. It had a method of infection that had never been used before and has been rarely if ever used since. Z0mbie described it as an undetectable virus, which it was for most scanners of its time. For antivirus vendors, it presented major problems with detection and brought back discussions on algorithmic detection for virus scanners.

Behavior

When the user runs Zmist, the virus starts the host program as a separate process and hides the original process. After launching the host process, it checks if the system has at least 16 megabytes of memory installed and that it is running in Windows mode as opposed to console mode. If the system meets these checks, Zmist allocates several memory blocks for itself, including 32 megabytes dedicated entirely to the Mistfall engine (no indication of what happens when there is more than 16 megabytes but less than 32).

The virus searches for files in the Windows directory, along with all subdirectories, directories referred to by the PATH environment variable and all drives from A: to Z:. For Zmist to infect the file, it must be smaller than 448,000 bytes, begin with the characters MZ (indicating a DOS/Windows executable) and it must be a PE executable. It also makes sure the file is not already infected by checking for the character "Z" at offset 1C inside the file.

When Zmist finds an infectable file, it loads the entire file into memory. There is a one in ten chance that Zmist will not infect the file, but it will place jump instructions between every instruction that is not already a jump instruction. There is also a one in ten chance that the file will be infected and the virus will be unencrypted. There is an 8 out of 10 chance that the virus will infect the file with an encrypted, polymorphic copy of itself.

The virus protects the infection with structured exception handling to prevent crashes if errors occur. It scrambles the file along with itself and places various jump, relative calls and absolute indirect calls to hold the virus and program together. In addition to thwe jumps and calls, the virus may place itself in the program in such a way that it gains control as a part of the instruction flow. After rebuilding the file in memory, the original file is deleted and replaced with the infected one in memory. If an error occurs while it is being replaced, it will just be lost.

The virus has a payload that modifies 32-bit files but does not infect them. The files will not lose any functionality, but will contain added strings with Russian obscenities.

Name and Origin

Zmist was coded in Russia by a known virus coder named Z0mbie. He was a regular contributor to the group 29A, but published this particular work in his own "Total Zombification" magazine in Russian. Z0mbie created four versions of this virus, each with slight improvements aimed at hiding the virus from scanners. Neither the original nor the variants were seen in the wild.

Sources

Peter Szor. The Art of Computer Virus Research and Defense, Chapter 7, Section 6, pp 278-280. Addison Wesley, Symantec Press, 2005. ISBN 0-321-30454-3

-. SARC USA, Zmist Opportunities. 2001.03 (PDF)

Z0MBiE's HomePage. WARNING: This site contains live malware samples and may trigger warnings from some browsers and antivirus programs. The site and its programs are not dangerous unless the programs are downloaded and executed. While this site is filled with valuable and interesting information, we advise you not to download anything from this site unless you know what you are doing.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License