Threat Encyclopedia


Win32/Tenga.A

Introduction

This virus was written based on the following documents:

Research paper on the vulnerabilities of PE File Format for Win32 Architecture

Win32/Tenga.A is a typical file infector virus, with downloading functionality.

Before the virus tries to infect a file, it performs several tests to confirm that the target is a valid Win32 executable and checks the file header at offset 032h from the start of the file for the presence of the infection marker 056h, which is the ASCII character "V" (see disassembly illustration below).

Note: ESP points to file offset 00h during the "MZ" and infection marker checks.

If the infection marker (056h, "V") is already present in the file header, the virus skips the file because it knows that it is already infected. This avoids multiple infections, which would otherwise make files grow endlessly until the hard disk is full.

Note: All infected executables carry this "V" mark at offset 0x32 (50 decimal) relative to file offset zero.
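As an added triage check (not part of the original write-up), the following Python reads the DOS header, confirms the PE signature through e_lfanew, and reports whether offset 0x32 holds the "V" marker. The sample buffers are constructed inline rather than taken from real files; the marker alone is a hint for prioritising samples, not a detection, because offset 0x32 lies inside the reserved e_res2 field that some build tools fill with non-zero data.

```python
import struct
from pathlib import Path

MARKER_OFFSET = 0x32   # offset of the "V" infection marker described above
MARKER_BYTE = 0x56     # ASCII "V"


def classify_pe(data: bytes) -> str:
    """Return 'not-pe', 'clean' or 'marked' for a file image held in memory.

    'marked' means the image is a valid PE and carries 0x56 at offset 0x32,
    which sits inside e_res2 of IMAGE_DOS_HEADER (reserved, normally zero).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    return "marked" if data[MARKER_OFFSET] == MARKER_BYTE else "clean"


def scan_tree(root: str) -> dict:
    """Walk a directory tree and bucket *.exe files by classification."""
    buckets = {"marked": [], "clean": [], "not-pe": []}
    for path in Path(root).rglob("*.exe"):
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        buckets[classify_pe(data)].append(str(path))
    return buckets


def _minimal_pe(marker: int = 0) -> bytes:
    """Constructed 68-byte stand-in for a PE file: DOS header + PE signature."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[MARKER_OFFSET] = marker
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    return bytes(hdr) + b"PE\0\0"


CLEAN_SAMPLE = _minimal_pe()            # constructed, no marker
MARKED_SAMPLE = _minimal_pe(MARKER_BYTE)  # constructed, "V" at 0x32

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for bucket, files in scan_tree(root).items():
        print(f"{bucket}: {len(files)} file(s)")
```

Run it against a directory of suspect executables; files in the "marked" bucket deserve a full scan and a look at their appended section.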

The virus starts a thread to enumerate all files; if the file extension matches *.exe, the virus tries to infect the file. In other words, the virus only infects executable files: screensaver files with the extension .SCR are not affected. The virus attaches itself to the end of host files.

The virus creates its own mutex to mark that a virus instance is actively running:

Note: This disassembly results in a mutex called "gaelicum". At this point the CPU register EAX contains the address of the kernel32 function "CreateMutexA". Calling the API through a register in this way was done to make the virus's behaviour harder to analyze.

Background Information: This mutex is required because otherwise the virus might corrupt many executable files when two virus instances try to infect the same executable at the same time.

The virus tries to download and execute "dl.exe" (3072 bytes in size) from utenti.lycos.it/vx9. This file is detected as "Win32/TrojanDownloader.Small.BDC" by NOD32.

Upon execution of "dl.exe" the downloader checks for an existing internet connection:

The downloader tries to resolve the web server "w3.org" via "gethostbyname". If this fails (when no internet connection is present), the CPU register EAX contains zero.

This causes the downloader to loop until an internet connection is available. Because a tight loop would drive CPU usage to the maximum and the program might appear to be in a "not responding" state, the trojan author included a "Sleep" of 5 seconds per try.

This gives other running processes priority, and the performance cost of the continuously repeating loop is not noticeable to the user.

In other words, the malicious process runs in a loop in the background as long as no internet connection is available. The process is visible in the Task Manager as "dl.exe".

This downloader tries to download "CBACK.EXE" and "GAELICUM.EXE" from utenti.lycos.it/vx9.

Note: CBACK.EXE is a trojan and is detected by NOD32 as "Win32/Small.GL".

GAELICUM.EXE is another Win32/Tenga.A infected file and is also detected by NOD32.

The trojan tries to connect to "vx9.users.freebsd.at" and creates a mutex "CBACK_GAELICUM".

The downloader dl.exe also adds registry autostart entries for these two files:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"GAELICUM.EXE"="<Path>\GAELICUM.EXE"

and

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"CBACK.EXE"="<Path>\CBACK.EXE"

Other Details: The virus tries to spread via the DCOM RPC Interface Buffer Overrun vulnerability by generating random IP addresses.

History: Analysis and Write-up by: Michael St. Neitzel