Threat Encyclopedia


Win32/Legacy

Aliases: No known aliases
Type: Win32 polymorphic file infector virus.
Affects: Windows 95, Windows 98, Windows ME, Windows 2000, Windows XP


Description

Win32/Legacy is a complex polymorphic Windows virus with Entry Point Obscuring (EPO) functionality, anti-debugging tricks, anti-emulator tricks and coprocessor usage. The virus infects EXE, SCR and CPL files. It also drops infected files into RAR and/or ARJ archives. While infecting an archive, the virus creates the temporary file LEGACY.TMP, which it deletes after it has added itself to the archive.

All infected archives contain a marker in the header. Infected RAR files are marked with "LG" at offset 014h and infected ARJ files are marked at 0Ch.

Win32/Legacy uses a similar trick to mark already infected executables: it places "LGCY" at offset 04Ch relative to the start of the PE header.
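The two infection markers described above can be checked directly. The Python below is an added example, not part of the original write-up: it locates the PE header through e_lfanew and reads the dword at offset 04Ch past the "PE\0\0" signature (that position falls on the optional header's Win32VersionValue field, a reserved dword that a normal linker leaves zero, which is why it makes a convenient marker slot), and it reads the two bytes at offset 014h of a RAR archive. The ARJ marker is not checked because the write-up does not state its value. The sample images are constructed inline, and all function names are my own.

```python
import struct

# Marker values and offsets are taken from the write-up above.
LGCY_MARKER = b"LGCY"
PE_MARKER_OFFSET = 0x4C      # relative to the "PE\0\0" signature
RAR_MARKER = b"LG"
RAR_MARKER_OFFSET = 0x14     # from the start of the archive
RAR_SIGNATURE = b"Rar!\x1a\x07\x00"


def pe_header_offset(data: bytes):
    """Return the file offset of the "PE\\0\\0" signature, or None if this is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew


def has_legacy_pe_marker(data: bytes) -> bool:
    """True if the dword at PE header + 04Ch reads "LGCY"."""
    off = pe_header_offset(data)
    if off is None:
        return False
    pos = off + PE_MARKER_OFFSET
    return data[pos:pos + 4] == LGCY_MARKER


def has_legacy_rar_marker(data: bytes) -> bool:
    """True if a RAR archive carries "LG" at offset 014h."""
    if not data.startswith(RAR_SIGNATURE):
        return False
    return data[RAR_MARKER_OFFSET:RAR_MARKER_OFFSET + 2] == RAR_MARKER


def classify(data: bytes) -> str:
    """Classify a file image as pe-marked, pe-clean, rar-marked, rar-clean or other."""
    if pe_header_offset(data) is not None:
        return "pe-marked" if has_legacy_pe_marker(data) else "pe-clean"
    if data.startswith(RAR_SIGNATURE):
        return "rar-marked" if has_legacy_rar_marker(data) else "rar-clean"
    return "other"


def classify_path(path: str) -> str:
    """Convenience wrapper: classify a file on disk."""
    with open(path, "rb") as fh:
        return classify(fh.read())


# --- constructed sample images (not real malware, just the header bytes the checks read) ---

def build_pe_stub(marker: bytes) -> bytes:
    """Minimal MZ/PE layout: 0x40-byte DOS header with e_lfanew = 0x40, then a zero-padded PE header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    pe = bytearray(0x60)
    pe[:4] = b"PE\0\0"
    pe[PE_MARKER_OFFSET:PE_MARKER_OFFSET + 4] = marker
    return bytes(dos + pe)


def build_rar_stub(marker: bytes) -> bytes:
    """Minimal RAR layout: signature followed by zero padding, with the marker bytes at 014h."""
    buf = bytearray(0x20)
    buf[:7] = RAR_SIGNATURE
    buf[RAR_MARKER_OFFSET:RAR_MARKER_OFFSET + 2] = marker
    return bytes(buf)


if __name__ == "__main__":
    for label, image in [("marked PE", build_pe_stub(LGCY_MARKER)),
                         ("clean PE", build_pe_stub(b"\0\0\0\0")),
                         ("marked RAR", build_rar_stub(RAR_MARKER)),
                         ("clean RAR", build_rar_stub(b"\0\0")),
                         ("text file", b"hello")]:
        print(f"{label:11s} -> {classify(image)}")
```

The marker check is a cheap triage signal, not a replacement for a scanner: a file that has been disinfected or written by a tool that happens to leave those bytes in place would still match, so treat a hit as a reason to inspect the file further rather than as proof of infection.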

The virus infects files only if they are located in the Windows directory, the system directory or the same directory as the infected file, or if a file is accessed through one of the file access functions hooked by the virus. The functions hooked by Win32/Legacy are MoveFileA, CopyFileA, GetFullPathNameA, DeleteFileA, WinExec, CreateProcessA, CreateFileA, GetFileAttributesA, SetFileAttributesA, _lopen, MoveFileExA, CopyFileExA, OpenFile, GetProcAddress, FindFirstFileA, and FindNextFileA.

Win32/Legacy checks for the presence of an MMX coprocessor by examining the results of a CPUID call. If MMX support is found, the virus generates an MMX-based decryptor in front of a polymorphic decryptor that contains no MMX instructions. The MMX-based decryptor always runs first and then passes control to the polymorphic decryptor. Additional parts of the virus body are encrypted and decrypted on the fly.

When running, the virus starts one task that controls six others. These six tasks disable some on-access scanners, delete some anti-virus checksum files, try to detect and confuse debuggers, hook imports from the host file's import table, and scan and infect files. If any of these tasks fails, the virus may display the following system information dialog.

The virus will try to disable the on-access scanners of Kaspersky Anti-Virus and ESET NOD32. The following checksum files belonging to integrity checking modules of some anti-virus products are also deleted:

CHKLIST.DAT, CHKLIST.TAV, CHKLIST.MS, CHKLIST.CPS, AVP.CRC, VB.NTZ, SMARTCHK.MS, SMARTCHK.CPS

Payload

The virus activates its payload every 31st of July by lowering the security settings of Internet Explorer and displaying the following message box.


History: Analysis and write-up by Michael St. Neitzel