The virus has a dangerous payload routine that is activated on
July 14th: the virus overwrites the C:\IO.SYS file with trojan
code and displays the following message:

    Your computer has been infected by virus.
    Virus name is 'SMASH', project D version 0x0A.
    Created and compiled by Domitor.
    Seems like your bad dream comes true...

The virus then reboots the computer. During the reboot the
modified IO.SYS file is loaded and executed, the trojan code takes
control, displays the text "Formating hard disk..." and then
erases the data on the first hard drive.
To make the detection and disinfection of infected files more
difficult, the virus uses a polymorphic engine that hides the
virus code behind a mutating decryption loop. The virus also
uses a "block-mixing" structure (a similar method was used in the DOS
virus 'Badboy'). The virus code and data are divided into 60
blocks (installation, infection, payload routines, etc.). When
the virus infects the next file, it shuffles these blocks into a random
order and links them together with a special table. As a result the
virus structure is different in each infected file.
When the virus code is prepared for writing to a victim file
(blocks are mixed, encrypted and 'covered' by a polymorphic
'envelope'), the virus creates a new section at the end of the
file, writes its code there and changes the necessary fields in
the PE header (including the program's startup address field, so
that the virus gets control the moment the infected file is executed).
The name of the virus section in the file is randomly generated.
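The header changes described above (a new last section, a random section name, an entry point redirected into that section) are exactly what a file scanner can look for. The following checker is an added example written for this page, not code from the analysis or from any product: it parses a PE header with the standard library only and reports the three signs just described. The `build_pe` helper and the section names it uses are constructed test data, and the set of "common" section names is an assumption of the example; a virus that picks an ordinary-looking name for its section would only trip the other two checks.

```python
import struct

# Section characteristics flags from the PE specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names a stock Win32 linker produces (assumption of this example);
# anything else counts as "non-standard".
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".rsrc",
                        ".reloc", ".idata", ".edata", ".tls", "CODE", "DATA"}


def build_pe(sections, entry_rva):
    """Constructed minimal PE32 header (no real code) used only as test input.

    sections: list of (name, virtual_address, virtual_size, characteristics).
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE signature at 0x40
    # COFF header: machine, #sections, timestamp, symtab ptr, #symbols,
    # size of optional header (224 for PE32), characteristics.
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)      # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("latin-1").ljust(8, b"\0"),
                    vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return (entry_rva, [section dicts]) from a PE32/PE32+ header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of the optional header in both PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40
        name, vsize, vaddr, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1", "replace"),
            "va": vaddr,
            "size": max(vsize, rawsize),
            "chars": chars,
        })
    return entry_rva, sections


def appended_section_findings(data):
    """Heuristic: does the entry point live in a suspicious appended section?"""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return ["no sections in header"]
    holder = next((i for i, s in enumerate(sections)
                   if s["va"] <= entry_rva < s["va"] + s["size"]), None)
    if holder is None:
        return ["entry point outside every section"]
    sec = sections[holder]
    findings = []
    if holder == len(sections) - 1 and len(sections) > 1:
        findings.append(f"entry point in last section '{sec['name']}'")
    if sec["name"] not in COMMON_SECTION_NAMES:
        findings.append(f"entry section has non-standard name '{sec['name']}'")
    if sec["chars"] & IMAGE_SCN_MEM_WRITE and sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section '{sec['name']}' is writable and executable")
    return findings


# Constructed samples: a normal layout, and one with an appended RWX section
# holding the entry point (the section name is an arbitrary made-up string).
CLEAN = build_pe([(".text", 0x1000, 0x2000, 0x60000020),
                  (".data", 0x3000, 0x1000, 0xC0000040),
                  (".rsrc", 0x4000, 0x1000, 0x40000040)], 0x1200)
SUSPECT = build_pe([(".text", 0x1000, 0x2000, 0x60000020),
                    (".data", 0x3000, 0x1000, 0xC0000040),
                    (".rsrc", 0x4000, 0x1000, 0x40000040),
                    ("qzv.xk", 0x5000, 0x3000, 0xE0000020)], 0x5100)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, appended_section_findings(sample) or ["no findings"])
```

Each finding on its own is common in legitimate files (packers append sections too), so a scanner would treat the combination as a reason to inspect the file further, not as a verdict.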
When run from an infected file, the virus installs itself into
Windows memory and stays resident until the Windows session ends. To
do that, the virus uses programming tricks to switch its process
from application to kernel mode (Ring3 -> Ring0). Then it
allocates a block of kernel memory, hooks the file-search and
file-access functions of the Windows kernel (IFS API) and stays in
Windows memory as a VxD driver.
When disk files are being searched or opened, the virus's hook
takes control and runs its infection and stealth routines. The
stealth routines make the virus very difficult to detect when it
[Analysis: Eugene Kaspersky, KL]