This is a memory resident multipartite virus. It affects many types of executable object, but the main target of the virus is Windows95 system - the virus main code stays memory resident under Windows95 as a VxD driver, hooks file opening procedure and writes to the end of accessed PE executable files. The virus also hooks INT 13h protected mode chain and affects boot sector of 1.4Mb floppy disks. The virus also writes infected COM droppers directly into the archives of several types (ZIP, LHA, ARJ and RAR); creates its VxD dropper on the disk; creates a trojan COM file; and ever drops a mIRC worm that seems to pass the virus code through IRC channels.
Disinfection & Removal
The virus has polymorphic ability: the virus code is encrypted by polymorphic loop in infected PE files, COM droppers and ever in boot sectors.
The virus has the text inside its code: "El Inca virus", but was named "Fono" after the name of its dropper files (see below).
While installing memory resident the virus VxD code hooks IFS (Installable File System) API calls and INT 13h V86 chain, as a result the virus intercepts both file and disk access calls.
The virus IFS hook intercepts file opening calls, gets file name and depending on the file type runs one of its infection routines. The virus affects the EXE and SCR (screen savers) files as well as LHA, LZH, PAK, ZIP, ARJ, RAR archives. The virus also pays attention to the MIRC32.EXE file and runs its "worm" routine when this file is accessed.
When PE executable files are accessed, the virus checks their internal formats, writes its code to the end of the file and modifies the file PE header to get the control when infected files are executed. While infecting the virus creates new file section with random selected name and writes its code to that section.
If the MIRC32.EXE file is opened, the virus creates the REVENGE.COM file in the current directory and writes the trojan code to there (when run this trojan corrupts the CMOS and halts the computer). The virus then accesses the MIRC.INI file and writes to its end the instruction that disables the MIRC security setting:
The virus then creates the SCRIPT.OLD, SCRIPT.INI and INCA.EXE file. The INCA.EXE contains the virus dropper, the SCRIPT.INI file contains a code that sends this dropper to the IRC channel, the SCRIPT.OLD file stays empty.
When archives are accessed, the virus parses their formats and adds the droppers to them. These droppers have COM file format, four random letter in name and randomly selected COM or EXE extension.
The infected PE files and COM droppers both are encrypted by polymorphic engine. They have similar structure: installation routine and main virus VxD code. The installation routine when receives control just searches for Windows directory and drops the main virus code in VxD form to there. The installation routine then registers this VxD dropper in the SYSTEM.INI file. That is necessary to note that the main virus VxD code in infected files is packed by silly compression method.By hooking INT 13h the virus infects boot sectors on the 1.4Mb floppy disks. While infecting the virus writes to the disk its code divided into three blocks: boot code, dropper and main virus code. The virus boot code is polymorphic one, it is written to the boot sector of the disk. This code just reads the dropper code and passes control to it. The dropper reads the main virus code, converts (unpacks) it to VxD and drops it to the Windows system directory.
When Windows is loading with infected VxD registered in the system, the virus takes control, disables logging to the BOOTLOG.TXT file, locates and deletes the WINDOWS\SYSTEM\IOSUBSYS\HSFLOP.PDR file, locates its own file on the disk, reads and compresses it for further use while infecting PE files and creating COM droppers.
The virus then allocates necessary amount of memory that uses as a storage for data to infect files and runs its polymorphic routines. The virus runs its polymorphic engine three times: to generate decryption loops that will be written to boot sectors, COM droppers and PE files. The virus stores these codes up to rebooting. As a result all objects of the same type (boot sectors, COM and PE files) will be infected by the same polymorphic loops during the seance - the virus is "slow polymorphic" one, i.e. it does not changes its polymorphic code each time it infects a file or sector.
The virus installation routine has a bug. As a result of this bug the virus installs itself into the memory not in all of cases.
COM Dropper Run
The virus COM droppers contain pure virus code encrypted with polymorphic engine. When such files are executed, the virus decrypts itself, locates Windows directory by "windir=" pointer in the system environment area, creates in the SYSTEM subdirectory the VxD dropper with the \SYSTEM\FONO98.VXD name. The virus then registerst it in the SYSTEM.INI file in the [386Enh] section: writes the "device=fono98.vxd" instruction to there.
The main (VxD) virus code in compressed in the COM dropper, so the virus unpacks it before writing to the disk.
Infected PE Files Run
The virus code in the infected PE files has the same target as in COM droppers: to create and register the virus VxD file in the system. This code when takes the control decrypts the rest of the virus, scans Kernel32 export table for necessary functions (GetProcAddress, GetModuleHandleA, CreateFileA, WriteFile, CloseHandle, WinExec, DeleteFileA, Sleep), creates the C:\W95INCA.COM file, runs and deletes it. This COM file is exactly the virus COM dropper described above.
Loading From Infected Boot Sector
This routine as well as COM and PE virus routines installs the virus VxD file into the Windows system directory and operates similar to COM dropper. The virus polymorphic entry routine placed in infected boot sector reads from disk sectors the main virus body and runs it. The main virus routine then hooks INT 1Ch, waits for DOS loading process, hooks INT 21h and on first execution of any program drops the infected VxD file with the same name FONO98.VXD and registers it in the SYSTEM.INI file.
The only difference here is the fact that boot instance of virus is able to infect Windows only in case it is placed on C: drive in the C:\WINDOWS directory. The COM instance of virus is able to infect Windows if it is installed in any directory on any drive.
The virus installation routine seems to have a bug here preventing to infect the system under most common environments.
Technical Details: Eugene Kaspersky