Fabi
This is a multi-platform virus infecting Win32 executable files (PE EXE) as well as MS Word documents and templates. As with every multi-platform virus, its code consists of several parts (components), each of which does its work in its native environment: as a Win32 application under MS Windows, or as a macro program in MS Word. When either virus component starts in its environment, it not only infects objects in that environment but also carries the virus code across to the other one: from Windows EXE files to Word documents, and from Word documents to Windows EXE files.
The virus carries no destructive payload and does not manifest itself in any way. Infected EXE files contain the text:
(c) Vecna
Parecia inofensiva mas te dominouall
Infecting EXE -> EXE
When an infected EXE file is executed, the EXE virus component takes control. It checks the type of the installed operating system, and if it is Windows NT the virus returns control to the host program and performs no other action. The virus runs its infection routine only under Windows 95/98. This routine searches for and infects all Win32 executable files in the current directory as well as in the \WINDOWS and \WINDOWS\SYSTEM directories. When infecting a file, the virus writes its code to the end of the last section, increases that section's size and modifies the necessary PE header fields.
Because of a bug, the virus corrupts EXE files whose last section is larger than 64Kb: it writes its code into the middle of the file instead of the end, and the corrupted program becomes unusable and no longer runs.
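As an added example (not code from the original description or from any antivirus vendor), the following Python script parses the PE section table and reports the two header traits that an append-to-last-section infector like the one described above tends to leave behind: an entry point that lies in the last section, and a last section that is both writable and executable. The `build_pe` helper, the section layouts and the entry-point values are constructed test inputs, not data taken from real Fabi samples.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe_off + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]
    table_off = pe_off + 24 + size_opt
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, table_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def indicators(data):
    """Heuristic findings typical of a file infector that appended code to the last section."""
    entry_rva, secs = parse_sections(data)
    findings = []
    if not secs:
        return findings
    last = secs[-1]
    ep_sec = next((s for s in secs
                   if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if ep_sec is last and len(secs) > 1:
        findings.append("entry point lies in the last section (%s)" % last["name"])
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section (%s) is both writable and executable" % last["name"])
    return findings


def build_pe(sections, entry_rva):
    """Assemble a minimal PE32 image from (name, va, vsize, rawsize, characteristics) tuples.
    Constructed test input only: it is not loadable and carries no code."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew: right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)             # SectionAlignment, FileAlignment
    headers_len = 64 + 4 + 20 + 224 + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF
    table, body = b"", b""
    for name, va, vsize, rawsize, chars in sections:
        table += struct.pack(SECTION_HDR, name, vsize, va, rawsize, raw_ptr, 0, 0, 0, 0, chars)
        body += b"\0" * rawsize
        raw_ptr += rawsize
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust((headers_len + 0x1FF) & ~0x1FF, b"\0") + body


# Constructed sample: normal layout, entry point in .text, data section not executable.
CLEAN = build_pe([(b".text", 0x1000, 0x400, 0x400, 0x60000020),
                  (b".data", 0x2000, 0x200, 0x200, 0xC0000040)], entry_rva=0x1010)

# Constructed sample mimicking an appended infection: the last section has grown,
# has been made executable, and the entry point now points into it.
SUSPECT = build_pe([(b".text", 0x1000, 0x400, 0x400, 0x60000020),
                    (b".data", 0x2000, 0x200, 0x800, 0xE0000040)], entry_rva=0x2200)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, indicators(image) or ["no indicators"])
```

In practice `indicators()` is run over `open(path, "rb").read()`. Both traits are triage signals rather than verdicts: some packers and linkers legitimately produce the same layout, so a hit should send the file to closer inspection, not straight to quarantine.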
Infecting Macro -> Macro, Macro -> EXE
In infected documents and templates the virus consists of a single macro, AutoClose. It installs itself into the Word global macro area when an infected document is opened, and infects other documents when they are closed. To copy its code from one document/template to another the virus uses macro code editing instructions.
To run an infected Windows EXE file the virus uses the usual dropper technique. The EXE file's binary data are stored in the virus macro as text strings: the binary EXE data are converted to an ASCII hexadecimal dump. The virus saves these data to disk, creates a temporary DOS BAT helper and, using this helper and the DOS DEBUG utility, converts the hexadecimal dump back to binary EXE format and executes it. The EXE component of the virus then takes control, runs and infects EXE files on the hard drive as described above.
The known version of the virus has a bug here and cannot create the EXE file from the macro component. As a result, Windows EXE files are not infected by this route.
Infecting EXE -> Macro
The routine that drops the macro component into Word from infected EXE files is activated just after the search-and-infect procedure for disk EXE files completes. This routine is more complex than the others described above, and needs more temporary files to carry the virus code from the EXE to Word. The virus creates three main files here:
FABI.SYS - a "dummy" PE EXE file that gets infected by the EXE virus component
FABI.SRC - the source virus macro code, plus the FABI.SYS binary data converted to hexadecimal ASCII strings
NORMAL.DOT - a Word template with a small macro that completes the virus installation: it imports the main virus code from FABI.SRC into NORMAL.DOT
To start spreading from EXE to Word the virus creates a short PE EXE file, C:\FABI.SYS, and infects it. The virus then creates the C:\FABI.SRC file and writes the source code of its AutoClose macro program there. Then it appends to this file the C:\FABI.SYS file data converted to hexadecimal ASCII lines. To complete this step the virus creates a specially prepared NORMAL.DOT file. The virus looks for a suitable place to drop this file in the directories:
C:\ARQUIV~1/MICROS~?/MODELOS
C:\ARCHIV~1/MICROS~?/MODELOS
C:\PROGRA~1/MICROS~?/TEMPLA~1
where '?' is tried from 1 to 9. The NORMAL.DOT file created in the first directory found contains a short macro, AutoExec, which is activated when MS Word starts. This macro just imports the virus macro source code from the C:\FABI.SRC file and completes the virus installation procedure: NORMAL.DOT now contains the complete virus code.
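As an added example covering both the Macro -> EXE carrier described earlier and the AutoExec stub used in the EXE -> Macro direction (example code, neither the virus's own macro nor anything from the original description), the following Python script triages a macro's source text the way an analyst would when pulling apart such a document: it lists auto-executing macro names, notes whether DEBUG or Shell is referenced, and carves any hexadecimal dump stored in string literals back into bytes to check for an MZ/PE header. The sample macro, the DEBUG-script layout of the hex lines and the file paths are constructed assumptions; the description does not give the virus's actual string format, and the embedded hex is only a 68-byte header stub with no code in it.

```python
import re

AUTO_MACRO = re.compile(r"\bSub\s+(AutoExec|AutoOpen|AutoClose|AutoNew|AutoExit)\b")
# A DEBUG "E <addr> <bytes>" line stored as a string literal in the macro (assumed layout)
DEBUG_ENTER = re.compile(r'"[Ee]\s+[0-9A-Fa-f]{1,4}\s+((?:[0-9A-Fa-f]{2}\s*)+)"')
# A bare run of hex digits in a string literal (alternative assumed layout)
HEX_LITERAL = re.compile(r'"([0-9A-Fa-f]{32,})"')


def carve_payload(src):
    """Concatenate, in source order, every hex chunk found in macro string literals."""
    chunks = []
    for line in src.splitlines():
        m = DEBUG_ENTER.search(line) or HEX_LITERAL.search(line)
        if m:
            chunks.append(bytes.fromhex(m.group(1)))   # fromhex skips the spaces between bytes
    return b"".join(chunks)


def looks_like_pe(blob):
    """True when the carved data starts with MZ and e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(src):
    """Summarise carrier indicators found in one macro's source text."""
    payload = carve_payload(src)
    return {
        "auto_macros": AUTO_MACRO.findall(src),
        "uses_debug": bool(re.search(r"\bDEBUG\b", src, re.I)),
        "shells_out": bool(re.search(r"\bShell\b", src)),
        "payload_len": len(payload),
        "payload_is_pe": looks_like_pe(payload),
    }


# Constructed sample macro in the style the description sketches (not the virus's code):
# it writes a DEBUG script made of hex lines and then invokes DEBUG on it.
MACRO_SOURCE = r'''
Sub AutoClose()
    ' constructed carrier: dump hex to a DEBUG script, then let DEBUG rebuild the binary
    Open "C:\TMP\DROP.TXT" For Output As #1
    Print #1, "E 0100 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00"
    Print #1, "E 0110 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00"
    Print #1, "E 0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    Print #1, "E 0130 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00"
    Print #1, "E 0140 50 45 00 00"
    Close #1
    Shell "DEBUG < C:\TMP\DROP.TXT"
End Sub
'''

if __name__ == "__main__":
    print(triage(MACRO_SOURCE))
```

The carved bytes are what an analyst would write out and hash or scan with a PE-aware tool; the auto-macro list is the same check that flags the AutoExec stub the virus plants in NORMAL.DOT, since any of the Auto* names runs without user action.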
Copyright @2006 fab