Wogo Spyware/Adware Definition
Name: Wogo
Category: Viruses
Description:
Details
Wogob
This is a multipartite virus that infects MS Word documents and Windows 95/98 VxD drivers. It spreads in several steps. When an infected document is edited in Word, the virus's Word macro creates and executes a PE dropper (Portable Executable, the format of Win32 executable files). The PE dropper looks for VxD drivers installed in the system and infects them. When an infected VxD driver is loaded, it hooks the file access system calls and, when Word documents are opened, infects them with a copy of the virus.
So the virus passes through three stages to return to its original state: Word document -> PE dropper -> VxD driver -> Word document. This infection mechanism resembles that of the "Navrhar" multipartite virus, but the two viruses are implemented differently.
The virus contains the "copyright" text:
WG05 Copyright(C) 1995-1998 by WoodGoblin. With thanks to Jacky Qwerty.
From Word document to Windows memory
Infected documents carry the auto-macro AutoClose, which gets control when an infected document is closed. The virus first checks for its presence in the system by looking for the file C:\FUCK.YOU. If the file exists, the macro releases control; otherwise the infection routine takes over. It builds the PE dropper (its code is stored as constant strings in the macro), writes it to a randomly named file with the .WG5 extension, and executes it.
The PE dropper runs as a Windows application and has access to all the Windows functions it needs. It looks for VxD files registered in the system and infects them. The virus enumerates the VxD entries under LOCAL_MACHINE\System\CurrentControlSet\Services\VxD in the System Registry and infects those marked as StaticVxD. It then looks for VxD references in the [386Enh] section of SYSTEM.INI, on the "Device=", "Mouse=" and "Display=" lines, and infects those as well.
While infecting, the virus parses the internal VxD file format (the LE format), looks for a "cave" of unused space between file sections ("objects" in LE terminology), and, if one is found, writes its code there. As a result infected VxD files do not grow in size. The virus then makes the necessary changes to the VxD file header: it increases the length of the affected section and modifies the relocation tables so that the loader passes control to the virus entry point when the infected VxD is loaded into Windows memory.
From VxD file to Word documents
When infecting a VxD driver the virus writes only a small piece of its code there, about 100 bytes followed by the PE dropper's file name. When this code receives control, it allocates a block of memory, reads the complete virus code from the PE dropper into that memory, and jumps to it. The virus then hooks the IFS API (file access calls) and stays resident in Windows memory as a VxD driver.
The virus's IFS API handler intercepts several functions: file open, file close, file search and the get/set file attributes functions. When a .DOC file is opened the virus stores its name and infects the file when it is closed. The virus does not infect .DOC files on local drives, only those on remote and floppy drives.
While infecting, the virus parses the internal binary format of the Word document, creates a macro stream and writes its macro code there. The virus also carries the code of the "Word.CAP" macro virus and in some cases infects documents with that macro virus.
Depending on random data, the virus corrupts .WAD files when they are opened.
The get/set file attributes call is used by the virus to detect a copy of itself already loaded in memory: the resident copy intercepts attribute access calls to the FUCK.YOU file and answers them itself, which signals that the system is already infected.
File search calls are used by the virus to hide infected files in the system: it skips .WG5 files (the virus PE dropper) so the system does not report them, and it also reports the original, pre-infection length for infected DOC files.
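The indicators the description gives (the .WG5 dropper extension, the C:\FUCK.YOU presence-check file, the quoted copyright string, and the [386Enh] Device=/Mouse=/Display= lines that name the VxD targets) can be pulled into one offline check. The following is an added example, not code from the original description or from any vendor tool: it parses SYSTEM.INI the way the infection routine does, lists the VxD files it references, and walks a drive copy for the dropper, the flag file and the marker string. The file layout, the SYSTEM.INI contents and the "infected" bytes are constructed; the description does not say that every component carries the copyright string, so a marker miss is inconclusive. Because the resident VxD hides .WG5 files from directory searches and reports the pre-infection length of infected .DOC files, the walk must run against a mounted image or from a clean boot, never on the live system.

```python
# Offline indicator check for the Wogob infection chain. Added example; the
# file layout, SYSTEM.INI contents and "infected" bytes below are constructed.
import tempfile
from pathlib import Path

# Indicators quoted in the description.
MARKER = b"WG05 Copyright(C) 1995-1998 by WoodGoblin. With thanks to Jacky Qwerty."
DROPPER_EXT = ".wg5"          # extension of the randomly named PE dropper
FLAG_FILE = "FUCK.YOU"        # presence-check file at the drive root
INI_KEYS = ("device", "mouse", "display")   # [386Enh] lines the virus parses
CARRIER_EXTS = (".vxd", ".386", DROPPER_EXT, ".doc")  # files worth reading for the marker


def vxd_refs_from_system_ini(text):
    """List VxD files named on Device=/Mouse=/Display= lines of [386Enh].

    Entries beginning with '*' are built-in VMM32 drivers with no file on
    disk, so they are skipped; everything else is a candidate the virus
    could have written its loader into. Other sections are ignored.
    """
    refs, in_386enh = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_386enh = line[1:-1].lower() == "386enh"
            continue
        if not in_386enh or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in INI_KEYS:
            for item in value.split(","):
                item = item.strip()
                if item and not item.startswith("*"):
                    refs.append(item)
    return refs


def scan_offline_tree(root):
    """Walk an offline copy of the system drive and report the indicators.

    Returns a dict with the flag-file presence, .WG5 droppers, files that
    carry the marker string, and the VxDs SYSTEM.INI references (with the
    ones that no longer exist on disk listed separately).
    """
    root = Path(root)
    findings = {"flag_file": False, "droppers": [], "marker_hits": []}
    refs = []
    ini = root / "WINDOWS" / "SYSTEM.INI"        # assumed location of SYSTEM.INI
    if ini.is_file():
        refs = vxd_refs_from_system_ini(ini.read_text(errors="replace"))
    ref_names = {Path(r.replace("\\", "/")).name.lower() for r in refs}
    found_names = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.parent == root and p.name.upper() == FLAG_FILE:
            findings["flag_file"] = True
        if p.suffix.lower() == DROPPER_EXT:
            findings["droppers"].append(rel)
        if p.name.lower() in ref_names:
            found_names.add(p.name.lower())
        if p.suffix.lower() in CARRIER_EXTS and MARKER in p.read_bytes():
            findings["marker_hits"].append(rel)
    findings["referenced_vxds"] = sorted(ref_names)
    findings["missing_vxds"] = sorted(ref_names - found_names)
    return findings


def build_sample_tree():
    """Create a constructed drive image in a temp dir: one clean VxD, one with
    the marker placed in its padding, a random-named dropper, the flag file,
    and a SYSTEM.INI that references one VxD which is missing from disk."""
    root = Path(tempfile.mkdtemp(prefix="wogob_demo_"))
    sysdir = root / "WINDOWS" / "SYSTEM"
    sysdir.mkdir(parents=True)
    (root / "WINDOWS" / "SYSTEM.INI").write_text(
        "[boot]\nshell=Explorer.exe\n"
        "[386Enh]\ndevice=*vmouse\ndevice=VSHARE.386\ndevice=VNETBIOS.386\n"
        "mouse=*vmouse, MSMOUSE.VXD\ndisplay=*vdd\n; device=old.vxd\n"
        "[drivers]\ndevice=ignored.vxd\n")
    (sysdir / "VSHARE.386").write_bytes(b"LE" + b"\x00" * 64)        # clean (constructed)
    (sysdir / "MSMOUSE.VXD").write_bytes(b"LE" + b"\x00" * 16 + MARKER + b"\x00" * 16)  # constructed
    (root / "WINDOWS" / "TEMP").mkdir()
    (root / "WINDOWS" / "TEMP" / "QXZ7.WG5").write_bytes(b"MZ" + MARKER)  # constructed dropper
    (root / FLAG_FILE).write_bytes(b"")
    return root


if __name__ == "__main__":
    print(scan_offline_tree(build_sample_tree()))
```

Run against a real image, point `scan_offline_tree` at the mount point that holds the WINDOWS directory; a non-empty `droppers` list or a present flag file is the strongest signal, because both are exactly what the resident copy hides from a search on the live machine.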