SK-TECH

The virus code is encrypted with polymorphic routines in both DOS droppers and Windows PE files. In case of Windows files the virus also uses "Entry Point Obscuring" ({EPO:File_viruses}) technology: the virus code does not get control immediately when an infected file is executed. The JMP_Virus instruction in most of cases is places somewhere in infected file body, not in file header and not at file startup address, and is executed only when corresponding program's branch takes control.

The virus is "slow infector": before infecting it checks many conditions and as a result affects very few files on the computer - only just about ten EXE files in standard Windows95/98 installation. The same for HLP files and archives - very few of them may be infected. The virus also delays its infection routine for one minute before first infection, and infects HLP files and archives only in case there was no access to these files during two minutes.

The virus is very dangerous. When disk files are accessed, it checks their names and in case of several anti-virus program (ADINF, AVPI, AVP, VBA, DRWEB) the virus deletes all files in all directories on all disks from C: till Z: that the virus is able to delete, and then halts the system by the Fatal_Error_Handler VMM call.

There is one more victim file that is deleted by virus each time it installs itself into the system. It is COMMAND.PIF file in the Windows directory.

The virus has bugs which are lethal under some Windows95/98 configurations - on infecting the virus causes "blue screen" with standard "General protection fault" message.

While installing into the system the virus depending on its random counter (in one case from 48) displays the message:

Going Memory Resident

The virus "resident" copy does work on VxD (Ring0 - Windows kernel) level. DOS programs and Windows applications cannot access this area by standard methods, so the virus uses several tricks to install its code to there.

When DOS dropper is executed, the virus checks is Windows installed and returns to DOS, if it is not. Otherwise the virus by using DMPI calls gets access to Local Description Tables (processor's protect mode memory allocation tables), patches them and switches its DOS 16-bit code to protect mode 32-bit. The virus code then works as a part of Windows kernel and can access all necessary Windows functions.

When infected PE file is run, the virus also patches system memory allocation tables and switches its code from application level (Ring3) to kernel level (Ring0). The virus then passes control to the same installation routine as infected DOS droppers do.

The installation routine, when takes control, allocates a block of system memory, copies the virus to there, hooks Windows functions and releases control. The original virus copy then either returns to DOS (in case of DOS dropper), or restores host PE file data and code and returns.

Hooking Functions

The virus hooks three Windows functions. The first one is callback procedure for I/O port trapping. The virus hooks port 534Bh and uses it in its "Are you here?" calls. Reading from this port under infected system conditions returns 21h ("!" character) in the AL register. Both DOS and Windows virus installation routines try it before installing memory resident. The number of this port was used to name the virus - 534Bh is "SK" in ASCII.

The second hook is "standard" for resident Windows infectors - it is File System API hook. It intercepts file opening, renaming and file attribute get/set functions. On these calls the virus runs its infection routines.

The third hook intercepts the "Install FileSystemApiHook" function itself (the one that is used to install previous hook). This call is used by virus to hide its hooker: when a new hook is installed, Windows calls this function. At this moment the virus intercepts that, removes its own IFS API hook, installs new one (that is requested), and then re-installs its virus' hook. As a result the virus hooker is always on the top in the list of hooks, and it is the first one to receive control when disk files are accessed.

There is another trick in virus IFS API hooker: to access file system drivers (the destination of FileSystem calls) the virus uses address of "native" system handler. The virus gets this address from purely documented field in the caller's stack, and by using this address performs direct calls to necessary file functions.

Infecting Files

When the IFS API hooker gets control and the infection routine is activated for the first time, it infects the Windows shell application (usually - EXPLORER.EXE). To locate it the virus opens the SYSTEM.INI file in the Windows directory, scans it for the "shell=" instruction and infects it.

This file is always run, so the virus cannot modify it. To fix this problem the virus uses "upgrading" trick. The virus copies this file with another name (adds one to the last letter in file name: EXPLORER.EXE -> EXPLORER.EXF, for instance), infects new file and forces Windows to "upgrade" original file with infected one. To do that the virus uses standard way: it creates the WININIT.INI file in the Windows directory and write necessary "Rename" instructions to there.

If Windows shell is already infected, the virus infects the file that is accessed. First of all it checks file name extension. In case of .EXE, .SCR and .DLL files the virus jumps to PE file infecting routine; in case of .HLP file the virus patches it with its dropping code; in case of .RAR, .ZIP, .ARJ and .HA archives the virus inserts into their contents its own executable dropper.

Continued in "SK-TECH2"