Zhengxi
Zhengxi.7271, Zhengxi.7307, Zhengxi.7313
This is a family of very complex stealth, polymorphic viruses originating in Russia. They are clearly written in a deliberately confusing way. The viruses attack EXE, OBJ and LIB files. In addition, they insert a COM dropper with a random name into archives created by the compression programs PKZIP, ARJ, RAR and HA; when doing so they remove any PKZIP -AV (authenticity verification) information attached to the archive. The virus does not infect files bearing the current date, nor files with the extension OVL. It also does not infect files on drives A: and B: when there is not enough free space on the hard disk. The virus avoids infecting the programs UUENCODE, PKLITE, LZEXE, NDD, DIET, SCANDISK, SD, SPEEDDISK, DEFRAG, TLINK, WLINK, LINK, DPMI16, DPMI32 and RTM32; moreover, if any of these programs is run, it switches off its stealth handling of infected files. The virus marks files it has already attacked so that their total length divided by 157 leaves a remainder of 37.

Upon execution the virus tunnels the interrupt INT 21h and redirects it to INT 25h (absolute disk read). It alters the INT 25h handler so that control is taken over by the resident copy of the virus; from the address the call came from, the virus copy determines whether INT 21h or INT 25h was called. The virus will not install itself into memory if the system was booted from drive A: or B:, or if Windows is running and the file from which the virus is being installed has a date close to the current system date. Once installation is complete, the virus may also move itself to a different part of memory. By hooking INT 21h the virus services 18 DOS functions in total. A peculiarity of the virus is the way in which it attacks files: besides the classical appending of the virus body to the end of a file and modifying the header, it can insert a dropper into self-extracting files.
Even more interesting is the way the virus infects EXE files that load more than 32 KB into memory (files that load less are infected in the "classical" way). At the beginning of the file's code the virus looks for code sequences typical of subroutine calls in C or Pascal. If it finds such sequences, it replaces the subroutine with an 84-byte piece of code that continues the installation of the virus into memory. The encrypted virus, the rest of the loader code, the original subroutine and random bytes are appended to the end of the file. Infection of OBJ and LIB files is quite similar to the infection of the longer EXE files: the virus again looks for code sequences typical of subroutine calls in C or Pascal, but unlike with EXE files it does not replace these functions; instead it modifies their calls so that the virus code takes control. Another peculiarity is that all comparisons of data about the files the virus tries to infect are implemented by computing a 32-bit CRC. The resulting CRC is compared with values stored in the virus body, so the virus body contains no "suspicious" filenames and it is not at all easy to find out what the virus is actually comparing. The virus also uses the CRC to distinguish the type of file it is infecting: it does not distinguish files by their extension but by their true internal structure, computing the CRC of sequences typical for a program (e.g. 'MZ' and 'ZM' at the beginning of EXE files). The virus uses a two-phase polymorphic library, and the polymorphic decryptor can be more than 2 KB long. The virus body contains text strings which, under certain conditions, are displayed as follows:
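As an added triage helper written for this entry (not ESET's own code, and not a detection signature): it walks a directory and flags MZ/ZM executables whose length leaves a remainder of 37 when divided by 157, the infection marker described above, classifying files by header bytes the way the entry says the virus does. The CRC values the virus matches against are not given in the entry, so they are not reproduced; the sample images are constructed.

```python
import os
from typing import Iterator, Tuple

# Marker described in the entry: an infected file's length % 157 == 37.
MARK_MODULUS = 157
MARK_REMAINDER = 37

# Like the virus itself, classify EXE files by header bytes, not extension.
EXE_MAGICS = (b"MZ", b"ZM")

# Constructed sample images (not real samples): an MZ header padded to 508
# bytes (508 = 3*157 + 37, so it carries the marker) and one padded to 509.
SAMPLE_MARKED = b"MZ" + b"\0" * 506
SAMPLE_UNMARKED = b"MZ" + b"\0" * 507

def is_exe_by_header(head: bytes) -> bool:
    return head[:2] in EXE_MAGICS

def has_length_marker(size: int) -> bool:
    return size % MARK_MODULUS == MARK_REMAINDER

def triage(head: bytes, size: int) -> str:
    """Label one file: 'skip' (not MZ/ZM), 'candidate' (marker present), 'no-marker'."""
    # About 1 in 157 clean executables matches the marker by chance, so
    # 'candidate' means 'hand to a real scanner', not 'infected'.
    if not is_exe_by_header(head):
        return "skip"
    return "candidate" if has_length_marker(size) else "no-marker"

def scan_tree(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, label) for every readable regular file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                with open(path, "rb") as fh:
                    head = fh.read(2)
            except OSError:
                continue  # unreadable, or vanished between listing and open
            yield path, triage(head, size)

if __name__ == "__main__":
    import sys
    for path, label in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        if label == "candidate":
            print(path)
```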
Abnormal program termination $ The Virus/DOS 0.54 Copyright (c) 1995 Zhengxi Ltd Warning! This program for internal use only!
The virus contains an unpleasant destructive payload. If, while searching through ZIP archives, the virus finds a file stored with the "store" method whose last-modification date is in the year 1996 or later, it deletes all files on all disks together with the whole directory tree.
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.
