Hello everyone. As you can probably already tell, today we’re taking a look at a Windows 16-bit virus. On this particular one we’re using Windows 3.1 to test it out, and the virus is called Apparition. First we’ll take a look at it as a normal user would experience the virus, and then there’s a special surprise that the virus has in store for basically the author and anyone savvy enough to disassemble it.

So we’ll go and run the executable. As you can see, we have a “fake”, I guess, version of Calculator pop up. I don’t have the correct character set installed, so we can’t read anything, so we’ll go ahead and close it. Well, as you can see, it works. Well, at least you think it works: 8 x 4, yeah, it works. So we’ll go ahead and close out of here.

Now, about every 10 seconds or so, it will call a new routine, causing it to infect files or map all available drives to the virus. Now, I don’t know if you can hear the drive activating, but every 10 seconds or so it will access the hard drive and infect another file. Now, while it does this there is a noticeable slowdown in the system’s performance. So we’ll try scrolling through here a bit. Let’s play some solitaire, why not. We’ll see if we get any slowdown here… So the virus right now is activating something or infecting something.

So as a normal user, you wouldn’t notice anything going wrong. I mean, you’re sitting here goofing off, not doing work, playing solitaire, classic game. Nothing appears to be wrong; your system may be a little slower, but you just attribute that to, you know, the hardware you have not being up to speed, or some piece of software you installed. You don’t know it’s the virus, though. It infected another file just now.

So we’ll go ahead and close out of File Manager, and we’ll take a look at the payload you would experience. To do that, we set the date to one month past the initial infection date. So in this case, the virus infected the PC on August 30th; we’ll set the date to September 30th.
Now we will run an infected file, or wait for it to infect something else, and we should see it activate its payload. Try to access File Manager… it appears to be loading properly. So as you can see, there’s a noticeable lag trying to launch programs here, and now the hard drive indicator is on full time. Nothing seems to be launching. The computer appears to be frozen. So, you wouldn’t know this, but the virus right now is deleting every file it can find on your hard drive. Which is bad. I mean, you want your files, so you don’t want to lose them, but one month after you accidentally pick up this virus, everything’s gone.

We’re going to try to restart here. Well, as soon as I try to restart, Calculator launches. Oh, okay, Windows, “although you can use Control-Alt-Delete,” blah blah blah. We’ll press Control-Alt-Delete to restart. We’ll see what happens.

*Computer starting up* The computer POSTs. *BEEP* *Click* It shouldn’t start up… but for some reason it does… *Typing on keyboard*

Alright, let’s try this again. This time we’re going to actually get the virus to delete files. Windows appears to boot fine… This time we’re just going to run the virus, which should check the date and end up wiping everything, if it doesn’t do that already for us. The hard drive light is going crazy right now. “Cannot find file or one of its components.” That’s a bad sign. I don’t know if you can hear the hard drive; it’s a very quiet noise, not that clicking sound, that’s the, um, that’s the dryer downstairs, if you can hear that. But I mean, okay, it’s frozen. “Invalid TrueType font detected.” “An application used a TrueType font that caused an error in Windows.” Oh God. Uh oh. We lost everything. Okay. So we have like three files left on our whole hard drive, and it can’t even find those. DOS is completely empty. No application is associated; I can’t even run this. So, let’s exit Windows and see what happens. “WINFILE caused segment load failure.” Alright.
“Invalid COMMAND.COM.” *Typing on keyboard* So if you try to restart now, nothing’s gonna happen; it’s gonna fail to boot to MS-DOS. *Computer starting up* *BEEP* *Click* Well, the computer POSTs: “Non-system disk or disk error,” which means nothing was found on the hard drive that could be booted, and so it wants you to insert a bootable diskette. So, we’ll go ahead and reinstall MS-DOS and Windows 3.1, and take a look at the special behind-the-scenes functions this virus offers to the user.

Alright guys, now it’s time to take a look at the behind-the-scenes material that the Apparition virus has to offer. So we spent about 45 minutes reinstalling Windows here, and now that we have a clean copy once again, we can check it out. So we’ll go ahead and infect the system; it runs the Calculator once again. However, if we can scroll here… there we go. What we gotta do is edit win.ini. Let’s see here… open that up with Notepad. So it seems like your normal win.ini; however, at the end, Apparition has added a new category: “The Apparition”. So we’ve got our “DieDay”, “DieMonth”, so October 30th; it’s got an ID for file system calls; “Running NOW=Yes”, that means it’s active in memory.

However, there are a few debug commands that the user can add in order to fully control the virus. So let’s see, the commands you can add are: “Die”, which if you set to zero will lock the routine so it won’t be able to trigger the file deletion payload; “No Run”, which makes it not infect the system; “No Infect”, which makes the virus not infect files. But the ones we’re going to look at are “ShowDotsOn=1”, “ShowDialog=666” of course, and “Logging”, as you can see it’s doing something right here, “=YES”. Alright, so with “Logging=YES” it will create a “winapp.log” file so that we can see what it’s doing. So we’ll go ahead and save this. So now, any time Apparition does anything, it will let us know.
We’ll run it. So, “Do you really want to run the program infected by virus?” Yes. Now it is supposed to have a command-prompt-type dialog where you can control every detail, but I haven’t been able to get that to pop up. Let’s see… So every 10 seconds or so you’ll be able to visually see… here, let me put the keyboard down here, it’s a little awkward… So we should see winapp.log. Do we see that? I don’t see… here it is. So open that with Notepad. Where’s Notepad at? There it is. Windows, all files. “Infect clock.exe?” Yes. winapp.log, okay. So as you can see, “instance”, uh, it infects Minesweeper. So it’s infected. “Running application.” “Finished that application.” “Infect Sound Recorder?” Yeah, sure, why not.

Now I’m trying to figure out why we’re not getting the dialogue to show up here, or the dialog box where you control everything. Let me see if there’s anything special you have to do. So “ShowDots=ON” is what’s making it ask us if we want to infect these files, so we say yes. So “ShowDialog” is supposed to be set to “666” and then it should activate the, uh… oops, I didn’t mean to… where’s the window? Minimize, there we go. So as you can see there’s a noticeable lag here. It’s infecting files very rapidly, so it wouldn’t take very long for every executable on your hard disk to be infected. Again, we missed one. Yeah, infect it.

Alright, we’re just gonna try restarting. We’re gonna see… I’m going to see if we can get that dialog box to show up, because I haven’t seen it yet and I would like to see it. You can control the file deletion routine; you can do all sorts of crazy crap. It crashed when we tried to exit Windows. I accidentally didn’t infect that file, oh well. So now we’re stuck on the grey screen of death or something, so… we’ll just have to Control-Alt-Delete our way out of this.
*Typing on keyboard* Okay, we’ll restart the system to see if we can get the Apparition virus’s control panel to show itself, ’cause that would be pretty neat. *BEEP* *Click* Then I gotta get some sleep; it’s about 4:00 in the morning right now. *Typing on keyboard* Windows… boot into Windows 3.1 here. Yes, I really want to run the program infected by the virus. I would really like to see that window too. Yes, I do. There we go. “The Apparition for Windows” “by ultra Glock all-in-one”. I didn’t know it had that nice graphic with it too; that’s pretty cool. So, let’s take a look at it.

So we can “Pause”, “Resume”, so I guess it’s infecting files; “Terminate” will delete itself from memory. So, “Infect” menu: we can choose a file we want to infect. Now, if we choose an already infected file, we should get an error. “File is already infected, I WANNA new file to Infect!” Infect you, Mazda, or Mazdai… well, it’s either calling you a car or something bad, I don’t know. So we’ll infect something that’s not infected, like Calculator. “Infect CALC?” Yes. So the dialog allows us to infect whatever files we want, and it keeps a tally of what the last one was. And as you can see, the status changes whenever we infect or do anything else. “Scanning tree.” Hey! Infect! Let’s see… how ’bout cardfile.exe? Yes. Status changes while it infects it. “Locked”, I don’t know what that means. The “Destruct” button activates the payload immediately. Let’s see what else we got. “Remove” and “Terminate” both remove the virus. “About”: “Win-Apparition”, “Written by Lord Asd”, “Last modified Christmas Day 1996”. Huh. “Beta version was tested only under windows 3.1.”

Alright, let’s go ahead and wipe this thing. “Are you sure you want to delete all files from you disks?” Yes. “Destroy all data on all available devices?” Yes. And it does so. Let’s see what happens if we try to do anything now. “Infection engine is busy,” because I guess it’s busy destroying everything. Well, we’re totally missing a few things from here.
“Cannot find Control.exe.” “Cannot find Winfile.exe.” Well, crap. Okay, and it’s now idle once again. Can’t even choose to infect anything. “Are you sure you want to remove from memory?” Yeah, why not. So now the virus is gone. However, so is your hard drive.

So that’s about it for the Apparition WIN16 virus. Hope you enjoyed this video. Hopefully we’ll have a few more Windows 3.1-based malware, worms, trojans, all that stuff to review in the near future. Than – *Video clicks off*
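The win.ini section the video walks through is a plain-text artifact a defender can check for. The Python script below is an added example, not part of the video or of the virus, that parses an INI-style file and reports whether a “The Apparition” section is present, what trigger date it carries, and whether the memory-resident and logging switches are set. The section and key names (DieDay, DieMonth, Running NOW, Die, No Run, No Infect, ShowDotsOn, ShowDialog, Logging) are taken from the spoken description in the transcript, so their exact spelling in a real sample is an assumption; the sample win.ini text and the ID key name are constructed for the example.

```python
import configparser
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Section name as spoken in the video; exact spelling in a real sample is assumed.
MARKER_SECTION = "The Apparition"

# Keys mentioned in the video, lower-cased; spelling/casing is assumed from the transcript.
KNOWN_KEYS = {
    "dieday", "diemonth", "running now", "die",
    "no run", "no infect", "showdotson", "showdialog", "logging",
}

# Constructed sample win.ini: a few ordinary sections plus the marker section.
SAMPLE_WIN_INI = """\
[windows]
spooler=yes
load=
run=
device=HP LaserJet,HPPCL,LPT1:

[Desktop]
Pattern=(None)
Wallpaper=(None)

[The Apparition]
DieDay=30
DieMonth=10
ID=12345
Running NOW=Yes
Logging=YES
ShowDotsOn=1
ShowDialog=666
"""


@dataclass
class ApparitionFinding:
    present: bool
    trigger_day: Optional[int] = None
    trigger_month: Optional[int] = None
    active_in_memory: bool = False
    logging_enabled: bool = False
    keys: Dict[str, str] = field(default_factory=dict)
    unknown_keys: List[str] = field(default_factory=list)


def _to_int(value: Optional[str]) -> Optional[int]:
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def parse_win_ini(text: str) -> configparser.ConfigParser:
    # Windows 3.1 .ini files are loose: tolerate duplicate sections/keys and empty values.
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str.lower  # key lookups are case-insensitive, as in Windows
    cp.read_string(text)
    return cp


def scan_win_ini(text: str) -> ApparitionFinding:
    cp = parse_win_ini(text)
    # Match the marker section regardless of case.
    section = next((s for s in cp.sections() if s.lower() == MARKER_SECTION.lower()), None)
    if section is None:
        return ApparitionFinding(present=False)
    keys = {k: (v or "") for k, v in cp.items(section)}
    finding = ApparitionFinding(present=True, keys=keys)
    finding.trigger_day = _to_int(keys.get("dieday"))
    finding.trigger_month = _to_int(keys.get("diemonth"))
    finding.active_in_memory = keys.get("running now", "").strip().lower() == "yes"
    finding.logging_enabled = keys.get("logging", "").strip().lower() == "yes"
    # Anything the video did not name is reported separately rather than silently dropped.
    finding.unknown_keys = sorted(k for k in keys if k not in KNOWN_KEYS)
    return finding


def summarize(finding: ApparitionFinding) -> str:
    if not finding.present:
        return "no [The Apparition] section found"
    return (
        f"marker section present; trigger date day={finding.trigger_day} "
        f"month={finding.trigger_month}; active_in_memory={finding.active_in_memory}; "
        f"logging={finding.logging_enabled}; unknown keys={finding.unknown_keys}"
    )


if __name__ == "__main__":
    print(summarize(scan_win_ini(SAMPLE_WIN_INI)))
    print(summarize(scan_win_ini("[windows]\nspooler=yes\n")))
```

The scanner only reads the file; it reports the trigger date so an operator can see how close the wipe date is, and lists keys it does not recognise so that a variant with different switches still shows up rather than being misread as clean.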