It first infects DOS-based .COM and .EXE files as well as Win32 .PE (Portable Executable) files, respectively.
The virus is not encrypted in DOS-based .COM and .EXE files, but instead infected .PE files are encrypted with an oligomorphic (semi-polymorphic) routine. Moreover, the main virus body (the VxD image) is packed with a simple algorithm. There is already one virus encrypted in .PE files (called Win95.Mad), but Memorial is certainly the first Windows 95 virus that shows oligomorphic capabilities. It makes its first step on the way of Windows 95 polymorphism.
Memorial is also an effective retro-virus. It manipulates the Windows 95 registry to disable several well-known antivirus programs.
When an infected .COM file with Memorial is executed, the virus drops a VxD file to the root of the C: drive called C:\CLINT.VXD. First it checks whether Windows is currently running. If it is, the virus simply executes the DOS host program. If it isn't, it makes its "Are you there" call, which is INT 2Fh AX=0. If upon returning from the call, the AX register is set to 4AB3h, the virus assumes it is already active in memory, and returns control to the host program. It then creates the C:\CLINT.VXD file with a hidden attribute, and starts to write into it.
The writing routine appears as an anti-heuristic function. However, the goal of this function is different. The main body of the virus is packed to 7508 bytes, and this function is supposed to unpack it. The algorithm is very simple, but effective. VxD files are in .le (Linear Executable) format. The structure of these files contains many zeros, which is why the packing of these areas can be quite effective. When the CLINT.VXD is ready, Memorial copies a piece of code from itself into the Interrupt Vector Table at 0:200, and hooks INT 2Fh (Multiplex Interrupt). This way the virus does not have to worry about how to allocate memory, but it will be incompatible with some applications.
The INT 2Fh handler answers the "Are you there call", and waits for 1605h in AX register to check the Windows Initialization Notification. This message notifies DOS device drivers and TSRs that standard or 386 enhanced-mode Windows is starting. Windows calls this function as it starts to allow DOS device drivers and TSRs that monitor INT 2Fh the opportunity to prepare for running in the Windows environment.
When this initial calls comes into the Memorial's interrupt handler, the virus opens C:\CLINT.VXD to check for its existence. If the opening was successful, Memorial initializes a Win386_Stratup_Info_Struc structure to direct Windows to load the VxD. Any device driver or TSR can use a Windows VxD to help support its operation in the Windows environment. To specify the VxD name, the device driver or TSR sets the SIS_Virt_Dev_File_Ptr member to the address of the virtual device's filename. Memorial uses a documented means of directing Windows to load C:\CLINT.VXD. This is a more elegant than modifying the SYSTEM.INI file's device section, which is more complicated and not so successful.
When an infected .EXE files has executed the same unpacking code, it takes control from the entry point of the virus through .COM files, however this function will write into C:\CLINT.VXD endlessly because there is a major bug in DOS .EXE infection code. Memorial uses a wrong pointer and a bad virus size parameter during the .EXE infection. It does not write the packed VxD code (7508 bytes) into .EXE files, but the unpacked 12413 bytes after the unpacking code. Thus when unpacking, the dropper code extracts an already unpacked VxD image.
Because the extraction code does not know about this possible problem it writes megabytes of code into C:\CLINT.VXD until it fills all the available hard drive space, but even then the control will not come back to DOS. When using Ctrl-C during this operation or restarting the machine, the huge C:\CLINT.VXD can be find but only if the /AH (display hidden files) option of DIR command is used, and the virus in .EXE files can be classified as "Intended". Fortunately, the detection and disinfection of these files remains possible.
When an infected .PE file is executed the virus first decrypts itself, because the main virus body is encrypted and packed. The decryption is 46 bytes long and oligomorphic (see below).
In case of .COM infection the virus also drops the C:\CLINT.VXD from .PE files. If there are DOS infections, the dropper function takes 275 bytes of additional code at the entry point of the virus. With .PE files this function is in 32bit code and it is more complicated than its DOS form of it, which is why this code is longer. This function also includes Memorial's activation routine and it is supposed to load the VxD, too.
First the virus calculates GetModuleHandleA function's entry-point in memory. It does this by using a real hack; it makes a search in internal Windows 95 structures. This makes the .PE infection a bit more easier later on; the virus should not add any names to the Imported Names Table. Memorial does not need a complicated patch function in its .PE infection code for this purpose.
Later on it calculates the entry point of GetProcAddress by using the same trick, then it uses GetModuleHanldeA to get the handle of KERNEL32 module. By using this handle Memorial is able to call GetProcAddress to get and save CreateFileA-, WriteFile-, ReadFile-, SetFilePointer-, CloseHandle-, GetLocalTime-, LocalAlloc procedures addresses respectively. After this it uses GetModuleHandleA again, to get USER32's handle. It will then use GetProcAddress again to save the address of MessageBox procedure.
After this the virus calls GetLocalTime function to check the date, if it is April 10 the virus activates and displays a message box by using the MessageBox procedure:
Clinton Haines Memorial Virus by Quantum/VLAD and Qark/VLAD Clinton Haines, also known as Harry McBungus, Terminator Z and Talon died of a drug overdose on his 21st birthday, April the 10th, 1997. During his time as a virus writer he wrote the No Frills family, X-Fungus, Daemon and 1984 viruses. He was a good friend to VLAD and so we write this virus in his honour. We hope it's good enough to do him justice. VLAD Remembers. Rest in Peace
When the CLINT.VXD file is executed, the virus waits for the following Control Messages in its Control Message Handler: W32_DEVICEIOCONTROL, INIT_COMPLETE, SYS_DYNAMIC_DEVICE_INIT and SYS_DYNAMIC_DEVICE_EXIT. In case of getting the W32_DEVICEIOCONTROL message the virus returns to 0 since it does not want to communicate with other Win32 applications. When the SYS_DYNAMIC_DEVICE_EXIT message arrives Memorial returns to 1 to disallow the unload request. In case of SYS_DYNAMIC_DEVICE_INIT and INIT_COMPLETE messages the virus executes its initialization procedure.
This procedure hooks the DOS IFS (Installable File System) API call first. After this it deletes several keys from the Windows 95's registry under '\System\CurrentControlSet\Services\Vxd', where statically loaded VxD names can be found; such as anti virus VxDs. First it deletes 'VETMON95' and 'VETMACRO' keys . Then it deletes 'NAVAP', 'virusafe', 'WIMMUN32' keys. Then it opens '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' section and deletes the following values from it: 'NORTON AUTO-PROTECT', 'TBAV for Windows 95', 'Anywhere Antivirus Validation', 'Vshwin32EXE' and 'ViruSafe'. Then it goes to '\SOFTWARE\McAfee\ScreenScan' and deletes 'bEnableScreenScan', 'bScanAllFiles', 'bScanSubDirs'. Then deletes the following keys under '\SOFTWARE\Cybec\VET Antivirus for Win32\': 'Actions\InfectedAction', 'Actions\SuspectAction', 'Memory\Enabled', 'Resident\FileCheck', 'Resident\InfectedAction', 'Resident\SuspectAction', 'Scanning\Scan All Files', 'Scanning\Scan Type', 'Scanning\Skip Renamed', 'Scanning\Subfolders' and sets the 'Scanning\Extension List' value to 'bin, dll, doc, drv, ovl, sys, dot' removing 'com, exe and possibly 'scr' from this list. This way Memorial disables many Windows 95 antivirus programs.
Then the virus clears the attributes on C:\CLINT.VXD. After this it opens the file and gets and saves its size, and allocates enough memory for its unpacked and packed copy. Then it reads itself from the file to the main buffer. Memorial then closes the VxD file and deletes it.
After this it packs the VxD code into the second buffer. Finally it returns from its initialization routine.
When Memorial intercepts a file open call, it first check the extension of the file comparing it to '.COM' first. If the extension is '.COM', Memorial gets and saves the attribute of the victim file and clears it. Thus the read only attribute will not prevent the infection. Then it opens the victim and reads 4 bytes from it. If the third byte (after the initial jump) was 'Z' Memorial assumes the file is already infected. Then it checks for 'MZ', 'ZM' markers to be sure that the victim's structure is not .COM. Then it checks the victim size and does not infect it if smaller than 7168 or bigger than 51200 bytes. Then it reads the last 5 bytes of the program and checks if they start with 'SN'. If this is found the virus does not infect the file. I do not see any other reason for this functionality except to inoculate a certain PC (possible the virus writers own) by adding this special marker to the end of .COM files.
Then Memorial adds the DOS dropper code (275 bytes) to the end of the victim together with the packed virus image (7508) bytes. Finally it modifies the begging of the victim by changing the first 4 bytes to an initial jump + a 'Z' marker and sets the attribute to the original one. The size of the virus becomes 7783 bytes if there is a .COM infection.
If the file started with 'MZ' or 'ZM' markers the virus checks the extension by comparing it to '.EXE' and '.SCR'. Then it calls IFSMgr_Get_DOSTime to have a base number for its random number generator. Since in PE files the virus needs a section name added to the PE header area and it wants to be oligomorphic, it does not want to use a constant section name. Thus it mutates the standard name from 'CLINTON' to some 'garbage' string first.
Basically it uses an 8 bit XOR for the encryption. During the encryption it calculates a check byte and saves it as the last character of the section name string. This additional byte will be used when checking existing PE infections. Memorial mutates the section name during DOS EXE infections only. This makes the mutation slow enough (slow oligomorphism).
When this one is ready, Memorial opens the victim, reads it header and checks for the 'MZ' and 'ZM' signature. Then it reads 4 bytes from 3Ch position of the file. This double word holds a pointer to the Windows executables header area. If this pointer is 0 the virus assumes that the file is a normal DOS EXE file and tries to infect it as such. The it checks the checksum field of the .EXE header. If this one is 6666h the virus does not infect the file, additionally if the IP field is 100h in the header the virus wont infect either.
Then the virus increases the size of .EXE files to the paragraph boundary and adds the VxD dropper code (275 bytes) to the end of the file. It then writes the unpacked VxD to the end of the file (12413 bytes). The virus size is changed to 12688 bytes in case of DOS .EXE victim files. Finally it modifies the executable's header to point which will point to the virus entry point.
When the .EXE or .scr file had been assumed as Windows Executable, Memorial checks for the .PE signature first, it pays attention to the read only attribute, then it reads the last section from the Image Header structure and calculates the check byte on the section name. If the check sum matches Memorial, it does not infect. If it modifies the .PE header by adding the new virus section into it. Since Memorial is an oligomorphic virus, it first mutates a 46 bytes long decryption (see: Oligomorphic engine) for the beginning of its body. Then it encrypts the VxD dropper's .PE version which is 1360 bytes long. The encryption is based an a 8 bit XOR. Then adds the decryption's code and the VxD dropper code to the end of the victim's computer (1406 bytes). Finally it encrypts the packed VxD image and adds it to the end of the file (7508 bytes). It will then restore the attribute of the victim and close it, as the .PE infection is ready, and the size of the virus code is 8914 bytes. Note however that this might change because the virus has to increase the file size up to a section alignment.