Orez is a polymorphic Windows virus that is not dangerous. The "pure" code of the known variant is 5780 bytes long, but infected files grow by 6279 bytes. The virus has bugs and in some cases corrupts files while infecting them; when such a file is run, it is terminated with the standard Windows error message.
When the virus code is activated, it looks for PE EXE files (Windows executables) and writes itself to the end of the file. Depending on the file structure, the virus either enlarges the last section and writes its code there, or overwrites data in the last section (see the description of the infection routine below). The virus searches for files to infect in the Windows directory. It then obtains the names of the files listed in the Windows Start Menu and infects them too; it gets these names by parsing the LNK files in the directory pointed to by the system registry value:
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Start Menu
The virus counts the files it infects and infects no more than ten files per run.
The virus has a payload routine that is triggered by the system date. On a Friday that falls on the 13th of the month the virus displays a MessageBox:
VirusInfo - Ready for infection The Axelle Bailey/iKx/ Virus - OreZRatS [Ikx] (C) 1999 Greets to: Reptile and SSR for the ideas Bozo for the motivations In honor of Axelle Bailey and
On October 9th the virus starts several threads that display the following messages in an endless loop:
A kiss to! A kiss to Axelle Bailey !
The virus also contains the text strings:
Dedicated to Federrico ;) CCALLBACK Infection
The virus has three interesting features in its infection engine. The first resembles the "Win95.SK" virus: the virus writes its code into the relocation (fix-up) section, overwriting its data, and zeroes the reference to the relocation information in the PE header. Windows applications usually do not use data from this section, and programs affected this way run with no side effects.
If the last section of the victim file is the relocation section, the virus overwrites the relocation data with its code. If the last section is not the relocation section, the virus enlarges it to hold its code. It appears the virus intends to leave the file length unchanged when its code fits into the relocation section, but because of a bug the file length is increased anyway.
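To show what the first feature leaves behind in a file, here is an added Python check (not the analyst's code and not code from the virus) that parses the PE headers with the standard library only and flags an image whose section table still carries a relocation section while the base-relocation data directory has been zeroed. The sample images are constructed inside the script; their section names, sizes and timestamp are assumed values, not taken from a real infected file.

```python
"""Static check for a zeroed base-relocation directory next to a surviving
.reloc section. Added example; the PE images below are constructed."""
import struct

IMAGE_DIRECTORY_ENTRY_BASERELOC = 5                 # index into the data directory
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")         # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(reloc_dir_zeroed: bool) -> bytes:
    """Constructed minimal PE32 headers (no real code): a .text section followed
    by a last .reloc section. With reloc_dir_zeroed=True the base-relocation
    directory entry is cleared while the section stays in the section table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> "PE\0\0"
    # COFF header: i386, 2 sections, assumed timestamp, 224-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x3A0E5F2B, 0, 0, 224, 0x010F)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                       # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    if not reloc_dir_zeroed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x2000, 0x40)
    text = SECTION_HDR.pack(b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    reloc = SECTION_HDR.pack(b".reloc", 0x40, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x42000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + reloc


def parse_headers(data: bytes) -> dict:
    """Read only the header fields the check needs; ValueError on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+
    reloc_va, reloc_size = struct.unpack_from(
        "<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    sections = []
    for i in range(nsections):
        f = SECTION_HDR.unpack_from(data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "characteristics": f[9]})
    return {"timestamp": timestamp, "reloc_va": reloc_va,
            "reloc_size": reloc_size, "sections": sections}


def check_reloc_stripped(data: bytes) -> dict:
    """Flag a section named .reloc whose directory entry has been zeroed.
    A production scanner would also look at section characteristics, since
    the section name is not authoritative."""
    hdr = parse_headers(data)
    directory_cleared = hdr["reloc_va"] == 0 and hdr["reloc_size"] == 0
    reloc_sections = [s for s in hdr["sections"] if s["name"] == ".reloc"]
    is_last = bool(reloc_sections) and reloc_sections[-1] is hdr["sections"][-1]
    return {"directory_cleared": directory_cleared,
            "reloc_section_present": bool(reloc_sections),
            "reloc_is_last_section": is_last,
            "suspicious": directory_cleared and bool(reloc_sections)}


if __name__ == "__main__":
    for label, zeroed in (("clean", False), ("reloc directory zeroed", True)):
        print(label, check_reloc_stripped(build_sample_pe(zeroed)))
```

The check is a heuristic, not a signature: linkers can legitimately strip relocations, so the result is an indicator to combine with the file-growth and entry-routine observations above rather than a verdict on its own.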
The second feature also resembles the "Win95.SK" virus: Entry Point Obscuring (EPO), a technique that makes detecting and disinfecting the virus harder. With this infection method the virus does not modify the program's entry address to gain control when an infected file is executed; instead it finds a place in the victim's code to patch with a Jump_Virus instruction. Thus the virus code gets control not when the infected program starts, but only when the patched branch of the program is executed.
To locate the code to patch, the virus scans the import data for the "ExitProcess" function imported by the victim from KERNEL32.DLL, then scans the victim's code section for the "CALL ExitProcess" instruction, and writes the Jump_Virus code at the place where the victim calls ExitProcess. If that function is not found, the virus looks for the "exit" function imported from MSVCRT.DLL (the Microsoft Visual C++ run-time library) and patches the corresponding instruction in the victim. If neither import is found, the virus scans the first 500 bytes of the file's entry routine for a CALL or JMP instruction and replaces it with its Jump_Virus patch.
So the virus code is usually activated when the patched program's "exit" routine is executed and control reaches the Jump_Virus instruction, which passes control to the virus's polymorphic decryptor.
The polymorphic decryptor is the third feature worth attention. In infected files the decryptor code is found not as a single block, but as a set of instructions at different addresses in the file, linked by "Jump_Next" opcodes. To spread its decryption-loop instructions, the virus takes the program's code section and scans it for the standard C/C++ routine footer followed by the unused bytes that align the next routine to a paragraph (16-byte alignment). The virus detects such "caves" in the code segment, builds a "map" of them, and then, when its polymorphic engine runs, fills them with the polymorphic decryptor code.
If the virus cannot locate enough "caves" in the code section, it writes the decryption loop to the end of its encrypted code.
Note also that the polymorphic engine uses a randomizer seeded with the PE header TimeStamp field. As a result, infecting the same file repeatedly produces the same decryption loop.
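As an added illustration of where the sparse decryptor ends up, and not code from the original analysis, the following Python scanner applies the cave definition above from the defender's side: it locates the alignment slots between a RET instruction and the next 16-byte boundary in a code section and reports those whose bytes are no longer uniform compiler padding. The code-section bytes are constructed, the padding values (0xCC, 0x90) and the 0.5 threshold are assumptions, and the 9-byte filler stands in for whatever was written into the cave.

```python
"""Report alignment 'caves' in a code section whose padding has been
overwritten. Added example; all byte strings below are constructed."""

PADDING_BYTES = {0xCC, 0x90}   # assumed: int3 padding (MSVC) or NOP padding
PARAGRAPH = 16                 # routines aligned to 16 bytes, as in the text


def alignment_slots(code: bytes):
    """Return (offset, length) of every gap between a RET (0xC3) and the next
    paragraph boundary. A 0xC3 byte inside a longer instruction yields a false
    slot; the ratio check in filled_caves keeps that from dominating."""
    slots = []
    i = 0
    while i < len(code):
        if code[i] == 0xC3:
            start = i + 1
            end = min(-(-start // PARAGRAPH) * PARAGRAPH, len(code))  # ceil to boundary
            if end > start:
                slots.append((start, end - start))
                i = end
                continue
        i += 1
    return slots


def slot_kind(code: bytes, start: int, length: int) -> str:
    """'padding' when the slot is one repeated padding byte, else 'content'."""
    chunk = code[start:start + length]
    if chunk[0] in PADDING_BYTES and all(b == chunk[0] for b in chunk):
        return "padding"
    return "content"


def filled_caves(code: bytes, min_padding_ratio: float = 0.5):
    """Slots holding non-padding bytes, reported only when most slots in the
    section are clean padding, i.e. the binary really uses paragraph alignment."""
    slots = alignment_slots(code)
    if not slots:
        return []
    kinds = [(s, n, slot_kind(code, s, n)) for s, n in slots]
    padding = sum(1 for _, _, k in kinds if k == "padding")
    if padding / len(kinds) < min_padding_ratio:
        return []
    return [(s, n) for s, n, k in kinds if k == "content"]


# Constructed 48-byte code section: three tiny routines, each ending in RET
# and padded with 0xCC up to the next 16-byte boundary.
CLEAN_CODE = bytes.fromhex(
    "558BEC5DC3" + "CC" * 11           # routine 1: ret at 4, cave at 5..15
    + "558BEC33C05DC3" + "CC" * 9      # routine 2: ret at 22, cave at 23..31
    + "33C0C3" + "CC" * 13             # routine 3: ret at 34, cave at 35..47
)
# Constructed stand-in for bytes written into the second cave (not real virus code).
FILLER = bytes.fromhex("8BC103C2EB05CCCCCC")
INFECTED_CODE = CLEAN_CODE[:23] + FILLER + CLEAN_CODE[32:]

if __name__ == "__main__":
    print("clean   :", filled_caves(CLEAN_CODE))
    print("infected:", filled_caves(INFECTED_CODE))
```

Because the decryptor is scattered rather than contiguous, a byte-pattern signature over one block is fragile; checking that compiler padding is still padding is one of the few file-level observations that survives the polymorphism, and the same-timestamp-same-decryptor property noted below means repeated infections of one host look identical to such a check.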