| Zperm | |
|---|---|
| Type | File virus |
| Creator | Z0mbie |
| Date Discovered | JUN-2000 |
| Place of Origin | Russia |
| Source Language | Assembly |
| Platform | MS Windows |
| File Type(s) | .exe |
| Infection Length | |
Zperm was coded by Z0mbie in Russia. It is a rare example of a metamorphic virus: it changes its body entirely without using encryption. The one constant is its core instruction set, so the number of possible generations of this virus is at least n! (where n is the number of instructions in the core set). It was the first virus to use the Real Permutating Engine (RPME). It shares many characteristics with Bistro and Zmorph.
Behavior
When a file infected with Zperm is executed, the virus creates its own thread in the infected process. When an uninfected Portable Executable is run, the virus waits for it to run for a certain amount of time and then infects it. The virus turns off the relocations in the PE header and overwrites the relocation area.
The virus marks an infected application by using the ID 0x5A (ASCII "Z") as the minor linker version value in the PE header. The entry point is changed to point to the first instruction of the virus code in the last section of the host application. The last section is enlarged by about 20 KB of code, while the pure virus body is only a few kilobytes in length.
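The header changes described above (minor linker version 0x5A, entry point moved into the last section, relocations switched off) are static indicators a scanner can check without executing anything. The following Python script is an added example, not code from the original page or from any antivirus product: it parses just enough of a PE32 header with the standard `struct` module to report those three indicators, and builds a constructed, minimal header (not a real executable) to run against. The indicator names, the `build_sample_pe` helper and its section layout are this example's own assumptions; "entry point in the last section" is a heuristic that packers also trigger, so it is a corroborating sign rather than proof on its own.

```python
import struct

# Offsets inside the PE32 optional header (from its first byte).
OPT_MINOR_LINKER = 3       # MinorLinkerVersion; Zperm writes 0x5A ('Z') here
OPT_ENTRY_POINT = 16       # AddressOfEntryPoint (RVA)
OPT_DATA_DIRS = 96         # start of the 16 data directory entries
DIR_BASERELOC = 5          # IMAGE_DIRECTORY_ENTRY_BASERELOC
SECTION_HDR_SIZE = 40


def zperm_indicators(image: bytes) -> dict:
    """Return the Zperm-style header indicators found in a PE32 image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 60)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24                                          # optional header start
    magic, _major, minor = struct.unpack_from("<HBB", image, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 images are handled in this example")
    entry = struct.unpack_from("<I", image, opt + OPT_ENTRY_POINT)[0]
    _reloc_rva, reloc_size = struct.unpack_from(
        "<II", image, opt + OPT_DATA_DIRS + 8 * DIR_BASERELOC)

    # Section table follows the optional header: (name, RVA, length in memory).
    sections = []
    base = opt + opt_size
    for i in range(num_sections):
        name, vsize, rva, raw = struct.unpack_from(
            "<8sIII", image, base + SECTION_HDR_SIZE * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         rva, max(vsize, raw)))
    last_name, last_rva, last_len = sections[-1]

    return {
        "linker_minor_is_Z": minor == 0x5A,
        "entry_in_last_section": last_rva <= entry < last_rva + last_len,
        "last_section": last_name,
        # Relocation directory zeroed although a .reloc section still exists:
        # consistent with the virus disabling relocations and reusing the area.
        "reloc_dir_cleared_with_reloc_section":
            reloc_size == 0 and any(n == ".reloc" for n, _, _ in sections),
    }


def build_sample_pe(minor_linker=0, entry_rva=0x1000, reloc_dir_size=0x200) -> bytes:
    """Constructed minimal PE32 header for testing (not a runnable executable)."""
    sections = [(b".text", 0x1000, 0x400), (b".data", 0x2000, 0x200),
                (b".reloc", 0x3000, 0x200)]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                    # e_lfanew -> offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 6, minor_linker)
    struct.pack_into("<I", opt, OPT_ENTRY_POINT, entry_rva)
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, OPT_DATA_DIRS + 8 * DIR_BASERELOC,
                     0x3000 if reloc_dir_size else 0, reloc_dir_size)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, size, rva, size, 0, 0, 0, 0, 0, 0x60000020)
        for name, rva, size in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    for label, img in (("clean", build_sample_pe()),
                       ("marked", build_sample_pe(0x5A, 0x3010, 0))):
        print(label, zperm_indicators(img))
```

The marker byte alone is cheap to check across a whole directory; the other two indicators raise confidence when they coincide with it, which is the pattern a scanner would want before flagging a file as a Zperm host.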
Zperm never produces the same virus body twice; each generation mutates through the insertion or removal of jump instructions and sometimes garbage code. The jumps are inserted to point to a new instruction in the virus. This makes it difficult to detect by matching code in memory. Sometimes Zperm replaces instructions with equivalent ones. For example, the instruction xor eax, eax (which sets the eax register to zero) may be replaced by sub eax, eax (which also zeroes the eax register). The opcodes of these two instructions are different.
Zperm uses Win32 APIs to replicate, yet it can still only function under Win9x systems. Neither the original nor any variant can work under Windows NT or any version made after Windows 98.
Variants
Zperm.B uses garbage instruction insertion and removal such as nop (a do-nothing instruction).
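Because a byte-for-byte signature fails against instruction substitution (xor eax, eax versus sub eax, eax), jump-linked block permutation and the nop garbage that Zperm.B inserts, a detector has to undo those transformations before comparing. The Python below is an added example, not Zperm code or any vendor's engine: it walks a tiny x86 subset from the entry point, follows short jumps instead of emitting them, drops nops, folds every "zero eax" encoding into one canonical form, and hashes the result. The two byte strings are constructed here to mimic two generations of one toy routine; the opcode subset is this example's own assumption and a real normaliser needs a full decoder.

```python
import hashlib

# Two constructed generations of the same toy routine (not Zperm code).
# GEN_A is the straight-line form; GEN_B permutes the blocks, links them with
# short jumps, pads with nops and swaps xor eax,eax for sub eax,eax.
GEN_A = bytes.fromhex("31c0" "b905000000" "40" "c3")
GEN_B = bytes.fromhex(
    "eb0c"          # 00: jmp short +12  -> offset 14
    "40"            # 02: inc eax
    "90"            # 03: nop (garbage)
    "c3"            # 04: ret
    "90"            # 05: nop (filler between blocks)
    "b905000000"    # 06: mov ecx, 5
    "ebf5"          # 11: jmp short -11  -> offset 2
    "90"            # 13: nop (filler)
    "2bc0"          # 14: sub eax, eax (same effect as xor eax, eax)
    "90"            # 16: nop (garbage)
    "ebf3"          # 17: jmp short -13  -> offset 6
)

# All four encodings leave eax == 0: xor eax,eax (31 C0 / 33 C0), sub eax,eax (29 C0 / 2B C0).
ZERO_EAX = {b"\x31\xc0", b"\x33\xc0", b"\x29\xc0", b"\x2b\xc0"}


def normalize(code: bytes, entry: int = 0) -> bytes:
    """Linearise a jump-permuted, nop-padded routine into a canonical byte string."""
    out = bytearray()
    pc, seen = entry, set()
    while 0 <= pc < len(code):
        if pc in seen:
            raise ValueError(f"control flow loops back to offset {pc}")
        seen.add(pc)
        op = code[pc]
        pair = code[pc:pc + 2]
        if op == 0x90:                      # nop: garbage, emit nothing
            pc += 1
        elif op == 0xEB:                    # jmp rel8: follow it, emit nothing
            rel = code[pc + 1]
            pc += 2 + (rel - 256 if rel >= 0x80 else rel)
        elif pair in ZERO_EAX:              # any zero-eax idiom -> canonical xor eax,eax
            out += b"\x31\xc0"
            pc += 2
        elif op in (0xB8, 0xB9):            # mov eax/ecx, imm32: 5 bytes copied verbatim
            out += code[pc:pc + 5]
            pc += 5
        elif op == 0x40:                    # inc eax
            out += b"\x40"
            pc += 1
        elif op == 0xC3:                    # ret ends the routine
            out += b"\xc3"
            return bytes(out)
        else:
            raise ValueError(f"unsupported opcode 0x{op:02x} at offset {pc}")
    raise ValueError("ran off the end of the code buffer")


def signature(code: bytes) -> str:
    """SHA-256 of the normalised routine: stable across the mutations above."""
    return hashlib.sha256(normalize(code)).hexdigest()


if __name__ == "__main__":
    print("raw bytes equal:   ", GEN_A == GEN_B)
    print("normalised equal:  ", normalize(GEN_A) == normalize(GEN_B))
    print("normalised form:   ", normalize(GEN_B).hex())
    print("shared signature:  ", signature(GEN_A))
```

The design choice worth noting is that the canonical form is built from what the code does, not how it is spelled: once jumps are followed and filler is gone, the n! orderings that the engine can produce collapse to one string, so a single hash covers every generation of this routine.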
Zperm in other viruses
Bistro, which appeared in October 2000, contains code from both Zperm and the RPME. It is able to challenge a code emulator's speed by generating millions of iterations.
Sources
Peter Szor. The Art of Computer Virus Research and Defense, "Chapter 7—Advanced Code Evolution Techniques and Computer Virus Generator Kits", 274-276. Addison Wesley, Symantec Press, 2005.
Peter Szor. Symantec Security Response, W95.Zperm.A. 13-FEB-2007
Z0MBiE's HomePage (contains samples and source code)