MA-014.101999: W32/Bolzano Virus
Original Issue Date: 12 October 1999
W32.Bolzano is a new virus that replicates under Windows 95/98/NT, infecting PE EXE applications with EXE or SCR extensions. Win32.Bolzano does not infect a host program whose size is less than 16K. 17 different variants of the virus currently exist, and Bolzano is currently the biggest family of Win32 viruses. This virus is particularly dangerous if it infects Windows NT machines, as it modifies the kernel in such a way that the kernel's security checks are rendered useless.
1.2.1 This is a Windows 95/98 and NT virus that infects PE EXE files.
1.2.2 It is NOT known to be in the wild.
2.0 TECHNICAL MATTERS
It is a polymorphic, per-process resident and direct-action infector. The virus body is stored encrypted in the host file and is decrypted at run time by a small decryptor built from random opcodes. The direct-action infection is fast: when an infected file is run, the virus goes through all the PE files in the various directories and infects them.
The decrypted virus body contains the names of the Windows API functions and directories used by the virus:
CreateFileMappingA, CreateThread, DeleteFileA,
DosDateTimeToFileTime, FindClose, FindFirstFileA,
FindNextFileA, GetCurrentDirectoryA, GetDriveTypeA,
GetFileSize, GetLocalTime, GetTickCount,
FileTimeToDosDateTime, MapViewOfFile, SetFileAttributesA,
SetFileTime, UnmapViewOfFile, _llseek, _lopen, _lread,
The virus can have one or more of the following features, depending on the variant:
If administrative privileges are present (Windows NT), W32/Bolzano modifies NTOSKRNL.EXE and NTLDR.EXE in order to retain these rights in future sessions. With this modification in place it becomes possible for the virus:
- to infect any file on an NTFS volume even when running with only Guest rights.
- to allow any application to write to any file regardless of its access permissions.
Also, with administrative rights, it patches a routine in the MSV1_0.DLL file that is responsible for password validation. As a result of this patch, any text string is accepted as a valid password on the affected system.
These viruses search for and infect files on ALL available drives in the system. A variant replicates by one of the following methods:
- adding its code to the end of the last file section and modifying the program's entry point to point to the virus body. These variants are not encrypted.
- searching for 12 possible CALL instructions inside the code section of the host and hooking randomly selected CALLs to the entry point of the virus. The virus creates a thread for itself in the infected process and replicates in the background while the host program (the main thread) continues to run.
- using inserting/polymorphic techniques (infection without entry-point modification).
Deletes the files in the Cookies sub-directory.
Has a complex polymorphic engine; it checks file names while infecting them and does NOT infect files whose names match:
AVP*, ALER*, AMON*, AVP3*, AVPM*, N32S*, NAVA*, NAVL*, NAVR*,
NAVW*, NOD3*, NPSS*, NSCH*, NSPL*, SCAN*, SMSS*
This virus also affects the mIRC client. To do so it creates an infected dropper with a random name in the mIRC directory and overwrites the SCRIPT.INI file there. The new SCRIPT.INI contains a small routine that sends the infected dropper to users who join the infected channel.
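The first replication method above (appending the virus to the last section and redirecting the entry point) leaves a structural trace that a defender can check for without any signature. The following script is an added example, not part of the advisory and not vendor code: it parses the PE section table and flags executables whose entry point falls in the last section or in a section not marked as code. The two PE images it inspects are constructed inline with empty section bodies purely for the demonstration; a real triage run would read files from disk.

```python
import struct

IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000

def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, Characteristics), ...])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE executable")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", pe, opt + 16)[0]      # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsec):                                  # 40-byte IMAGE_SECTION_HEADER entries
        off = opt + opt_size + i * 40
        name, vsize, vaddr, chars = struct.unpack_from("<8sII20xI", pe, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
    return entry, sections

def entry_point_anomalies(pe: bytes):
    """Heuristic triage: reasons the entry point looks redirected by an appending infector (empty = none)."""
    entry, sections = parse_pe(pe)
    idx = next((i for i, (_, va, vs, _) in enumerate(sections) if va <= entry < va + vs), None)
    if idx is None:
        return ["entry point lies outside every section"]
    name, _, _, chars = sections[idx]
    reasons = []
    if len(sections) > 1 and idx == len(sections) - 1:     # entry in last section: appended code?
        reasons.append(f"entry point in last section ({name})")
    if not chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        reasons.append(f"entry section {name} is not marked code/executable")
    return reasons

def build_pe(sections, entry):
    """Constructed minimal PE header plus section table (no real code) for the demonstration."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table

TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
DATA = 0x40000040   # IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
# Constructed samples: CLEAN has its entry in .text; INFECTED has it redirected into an enlarged last section.
CLEAN = build_pe([(b".text", 0x1000, 0x2000, TEXT), (b".rsrc", 0x3000, 0x1000, DATA)], 0x1100)
INFECTED = build_pe([(b".text", 0x1000, 0x2000, TEXT), (b".rsrc", 0x3000, 0x1400, DATA)], 0x4000)
```

The check is a heuristic only: the CALL-hooking and inserting variants described above leave the entry point untouched and will not be caught by it, and packed or single-section binaries can trigger it legitimately.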
3.0 POSSIBLE STEPS
3.1 Prevention and Detection
Although there is no specific indication of infection, it is known that the virus is only activated when an infected file is executed (as indicated above, an .exe or .scr screensaver file). Therefore, to prevent infections from occurring, the following are some guidelines:
Always run a virus scan on any downloaded file, attachment, file transfer, software application, etc. before executing it, even if it came from a trusted source. If in doubt, delete the file (or email), including any copies sent to the "Trash" or "Recycle Bin" folder.
Regularly update the antivirus definition file/library on your machine so that the software can detect the presence of a new virus before any infection occurs. The list of known anti-virus vendors is available on MyCERT's website (http://mycert.mimos.my/anti-virus.htm). Users who have not installed antivirus software on their computers are advised to do so.
As a precaution, configure your antivirus software to scan all email attachments and downloaded files automatically before they are executed.
Change the permission on ALL shared folders or mapped drives to READ ONLY.
4.0 MORE INFORMATION
To obtain more information on this virus, please refer to the following sites:
4.1 Central Command
4.2 Network Associates
4.3 Symantec Antivirus Research Center
Last Update April 19, 2001