This is a memory resident multipartite virus. It affects many types of
executable object, but the main target of the virus is Windows95
system - the virus main code stays memory resident under Windows95 as
a VxD driver, hooks file opening procedure and writes to the end of
accessed PE executable files. The virus also hooks INT 13h protected
mode chain and affects boot sector of 1.4Mb floppy disks. The virus
also writes infected COM droppers directly into the archives of
several types (ZIP, LHA, ARJ and RAR); creates its VxD dropper on the
disk; creates a trojan COM file; and ever drops a mIRC worm that seems
to pass the virus code through IRC channels.
The virus has polymorphic ability: the virus code is encrypted by
polymorphic loop in infected PE files, COM droppers and ever in boot
The virus has the text inside its code: "El Inca virus", but was named
"Fono" after the name of its dropper files (see below).
While installing memory resident the virus VxD code hooks IFS
(Installable File System) API calls and INT 13h V86 chain, as a result
the virus intercepts both file and disk access calls.
The virus IFS hook intercepts file opening calls, gets file name and
depending on the file type runs one of its infection routines. The
virus affects the EXE and SCR (screen savers) files as well as LHA,
LZH, PAK, ZIP, ARJ, RAR archives. The virus also pays attention to the
MIRC32.EXE file and runs its "worm" routine when this file is
When PE executable files are accessed, the virus checks their internal
formats, writes its code to the end of the file and modifies the file
PE header to get the control when infected files are executed. While
infecting the virus creates new file section with random selected name
and writes its code to that section.
If the MIRC32.EXE file is opened, the virus creates the REVENGE.COM
file in the current directory and writes the trojan code to there
(when run this trojan corrupts the CMOS and halts the computer). The
virus then accesses the MIRC.INI file and writes to its end the
instruction that disables the MIRC security setting:
The virus then creates the SCRIPT.OLD, SCRIPT.INI and INCA.EXE file.
The INCA.EXE contains the virus dropper, the SCRIPT.INI file contains
a code that sends this dropper to the IRC channel, the SCRIPT.OLD file
When archives are accessed, the virus parses their formats and adds
the droppers to them. These droppers have COM file format, four random
letter in name and randomly selected COM or EXE extension.
The infected PE files and COM droppers both are encrypted by
polymorphic engine. They have similar structure: installation routine
and main virus VxD code. The installation routine when receives
control just searches for Windows directory and drops the main virus
code in VxD form to there. The installation routine then registers
this VxD dropper in the SYSTEM.INI file. That is necessary to note
that the main virus VxD code in infected files is packed by silly
By hooking INT 13h the virus infects boot sectors on the 1.4Mb floppy
disks. While infecting the virus writes to the disk its code divided
into three blocks: boot code, dropper and main virus code. The virus
boot code is polymorphic one, it is written to the boot sector of the
disk. This code just reads the dropper code and passes control to it.
The dropper reads the main virus code, converts (unpacks) it to VxD
and drops it to the Windows system directory.
When Windows is loading with infected VxD registered in the system,
the virus takes control, disables logging to the BOOTLOG.TXT file,
locates and deletes the WINDOWS\SYSTEM\IOSUBSYS\HSFLOP.PDR file,
locates its own file on the disk, reads and compresses it for further
use while infecting PE files and creating COM droppers.
The virus then allocates necessary amount of memory that uses as a
storage for data to infect files and runs its polymorphic routines.
The virus runs its polymorphic engine three times: to generate
decryption loops that will be written to boot sectors, COM droppers
and PE files. The virus stores these codes up to rebooting. As a
result all objects of the same type (boot sectors, COM and PE files)
will be infected by the same polymorphic loops during the seance - the
virus is "slow polymorphic" one, i.e. it does not changes its
polymorphic code each time it infects a file or sector.
The virus installation routine has a bug. As a result of this bug the
virus installs itself into the memory not in all of cases.
COM Dropper Run
The virus COM droppers contain pure virus code encrypted with
polymorphic engine. When such files are executed, the virus decrypts
itself, locates Windows directory by "windir=" pointer in the system
environment area, creates in the SYSTEM subdirectory the VxD dropper
with the \SYSTEM\FONO98.VXD name. The virus then registerst it in the
SYSTEM.INI file in the [386Enh] section: writes the
"device=fono98.vxd" instruction to there.
The main (VxD) virus code in compressed in the COM dropper, so the
virus unpacks it before writing to the disk.
Infected PE Files Run
The virus code in the infected PE files has the same target as in COM
droppers: to create and register the virus VxD file in the system.
This code when takes the control decrypts the rest of the virus, scans
Kernel32 export table for necessary functions (GetProcAddress,
GetModuleHandleA, CreateFileA, WriteFile, CloseHandle, WinExec,
DeleteFileA, Sleep), creates the C:\W95INCA.COM file, runs and deletes
it. This COM file is exactly the virus COM dropper described above.
Loading From Infected Boot Sector
This routine as well as COM and PE virus routines installs the virus
VxD file into the Windows system directory and operates similar to COM
dropper. The virus polymorphic entry routine placed in infected boot
sector reads from disk sectors the main virus body and runs it. The
main virus routine then hooks INT 1Ch, waits for DOS loading process,
hooks INT 21h and on first execution of any program drops the infected
VxD file with the same name FONO98.VXD and registers it in the
The only difference here is the fact that boot instance of virus is
able to infect Windows only in case it is placed on C: drive in the
C:\WINDOWS directory. The COM instance of virus is able to infect
Windows if it is installed in any directory on any drive.
The virus installation routine seems to have a bug here preventing to
infect the system under most common environments.
[Analysis: Eugene Kaspersky]