Manzon is an 'in the wild' polymorphic memory-resident file infector which targets COM and EXE files. Its name is taken from a text string inside the virus body, which is visible after decryption: 'MANZON (c) Sgg1F5PZ'.
When an infected file is executed, the virus takes control before the host code executes, decrypting the main body of its own code. Two sub-routines decrypt the remainder; then the virus is ready to execute. The two sub-routines usually work together to provide double encryption; however, the first routine sometimes simply sets up registers for the second.
On return from the decryption routine, control passes to the next line of code, which now contains a valid instruction. This is a call to another sub-routine which handles the 'Are you there?' call and, if necessary, the installation of the memory-resident part of the virus and the eventual execution of the host.
The virus first calls Int 21h with AX=DCBAh. If it receives DX=DCBAh when it returns, the virus is deemed resident, and Manzon allows the host to run. Otherwise, it installs itself into memory, using standard DOS Int 21h calls.
The next call is made to function 4Ah, which is used to request DOS to extend the current code segment to FFFFh paragraphs. This is bound to fail, but its purpose is to return, in the BX register, the maximum size in paragraphs (16-byte chunks) of the code segment. Manzon then subtracts 1744 bytes from this and shrinks the segment accordingly by repeating the call. The virus has now created a 1744-byte hole in memory.
It next calls function 48h, requesting a new segment of 1728 bytes. DOS obliges, returning to the virus in the AX register the address of its new home. The difference between the bytes freed and those requested is 16. This is not wasted: the programmer seems aware that he must allow DOS to keep 16 bytes in the newly-created segment to hold the MCB (memory control block) header.
Before making use of the new segment, Manzon modifies the MCB, placing in it a reserved marker which makes the block appear to be owned by DOS. This is a convenient lie which will enable the virus to avoid leaving any tell-tale signs, should the user use a memory mapper to investigate the contents of memory. Manzon then copies over 1712 bytes from its body to the new segment.
Manzon's next job is to hook the chosen interrupt vectors. It targets only Int 21h: this handler will give the virus control when file activity takes place.
First, DOS function 35h is used to get the address of the current Int 21h handler. If Manzon recognises the data at this address, it pulls out that of the next handler in the chain, using this rather than the value it has, effectively removing this 'known' process from the interrupt chain. I do not know what process Manzon is looking for here: it may be that it is a resident anti-virus product which the virus is disabling.
The virus uses the obtained address to construct a JMP instruction it will use to pass control to the next Int 21h handler down the line in the future. It then uses DOS function 25h to make the Int 21h vector point to its own handler. Once complete, all future DOS file activity must pass through the virus for inspection.
Now the virus is resident, it must allow the host to run. The actions to enable this are different for COM and EXE files. The virus determines file type by examining a word in the virus body: if the value is 100h, which signifies a COM file, the start of the file's image in memory is repaired using the values saved during infection. All registers are set to zero and the virus constructs a return to offset 100h in the current code segment -- sufficient to call the host as normal.
For EXE files, the stored header values are used to calculate the program entry point. The registers are set to zero and the virus makes a RET instruction to the start of the EXE code.
All other functionality of the virus, including its infection routines, is provided by its interrupt handler -- this is invoked automatically every time software generates an Int 21h. Each time this happens, the code in the handler checks to see whether the interrupt request is an 'Are you there?' call. If the AX register contains DCBAh on entry, the virus simply loads DX with the same value and returns this to the caller.
If it is not an 'Are you there?' call, Manzon checks the AH register to see if it is a Close File (3Eh) request. If so, the request is interrupted and processing passes further down the handler to determine if infection is required.
In the event that it is not a request to close a file, Manzon next checks to see whether it is a File Execute (4Bh) call. If so, Manzon interrupts the call, uses standard Int 21h calls to open the file, and closes it immediately before allowing the original EXEC call.
When Manzon's Int 21h handler uses an Int 21h instruction itself, it forces the PC to make a recursive call to Manzon's interrupt handler. This time, as the virus has opened and closed a file, it will satisfy its own requirement for the 3Eh close function mentioned above.
When a Close File function is intercepted, Manzon checks to ensure that this handle is not one of the DOS standard file handles; e.g. CON, LPT, PRN. This it does by ensuring the handle value is greater than or equal to five. If the handle value does not pass this test, it is ignored, and control passes down the chain to the next Int 21h handler.
By this point, Manzon is seriously interested in this file as a candidate for infection, but the fact that the virus author has chosen to infect on File Close complicates matters. Once a file is successfully opened, DOS gives it a handle (a unique number) and refers to it only by this handle.
However, Manzon needs to know the file name to ensure that it is a program file, not a data file. The answer is to delve within DOS' internal structures, in particular the SFTs or System File Tables, which contain, amongst other things, the file names associated with all open handles.
Manzon navigates the tables and obtains a pointer to the file name. It picks up the first two letters of the file name and encodes them; then goes through a series of comparisons against like-encoded values to ensure that the file does not start with any letters likely to indicate it is an anti-virus package (SC, F-, TB, TO, FV, FI, VI and K-). The last three letters of other file names are tested to see if they contain the letters 'COM' or 'EXE' -- if not, they are also ignored.
Although Manzon now has a likely file to infect, another problem presents itself. What if the file was not opened for writing? Manzon's creator again resorts to the SFT, which contains a byte to control the file access mode. Manzon toggles on the Write bit in this field, making DOS think the file was always opened for Read/Write access. Modifying the SFT entry will also bypass behaviour blocker software which is monitoring for file writes to program files.
Manzon then passes control to one of two routines, depending on whether the file name's extension is EXE or COM.
When a COM file is being infected, Manzon obtains its size and reads its first three bytes into a buffer. The virus then makes the sweeping assumption that all COM files start with a JMP instruction and it therefore has the code which makes up this instruction in memory.
It uses this assumed JMP instruction to calculate how far from the end of the file the jump is aimed. If this value is less than 1398 or greater than 1670, the file is still of interest; otherwise it is ignored. This is the virus' self-recognition test: after infection, a COM file receives no future attention at this point.
If the potential host file is more than 62000 bytes long, it is also reprieved. Otherwise, the small three-byte portion of the host in memory is replaced with a JMP instruction to the end of the file, and a freshly-generated polymorphic image of the virus is written to the end of the host file. Manzon now simply writes the patched jump instruction, which will ensure control passes to the virus when the host is next executed, out to the start of the host file.
Infection of EXE files is similar. First, nineteen bytes of the header are read into memory to facilitate infection: this is double-checked to ensure it starts with a valid EXE signature of 4D5Ah or 5A4Dh. The self-recognition test based on the start point from the end of the file is applied to avoid multiple infection. The polymorphic routine is then called to re-encrypt the virus and write it to the file. Finally, the EXE header is amended and rewritten to complete infection.
Manzon is an example of a file virus which has little trouble surviving and multiplying in the wild. It demonstrates some very advanced programming techniques. With its polymorphic and encrypted code it should be considered a very real threat. It is fortunate that it does not carry a payload or trigger routine.
Virus Bulletin: Manzon / webmaster@virusbtn.com | © 1998 Virus Bulletin Ltd.