Parasitic malware has been always a headache. Valid files on the host computer are transformed using different techniques into malware by adding malicious code to them. Most of the time, the users affected by this kind of malware continue using their applications without realizing they are infected. The malware authors take care to transfer control back to the legit application after executing the malicious code. However, if the file infector was not programmed to return control, then critical applications will not start and only the malware code will run.
McAfee Labs has identified a new version of the file infector Gate.Worm, which infects in a way that never returns control to the legitimate code. This version is similar to a variant of the parasitic virus from 2013 “Obfuscated-FBU!hb” (with MD5: 081d2b9088a3ba03c44b7fb113d05906). It appears that this malware code has been reworked and that the author is not the same than in the previous version. The new code is very similar but has far fewer features.
The malware appears to have been created by the SecurityGate.ru group as a test sample. As we shall see, the malware shows a window that displays a message to the user mentioning this domain. In the past, this group has tested antivirus software against custom samples they created. Today the site and its forum are no longer accessible. It is also possible that this malware was created by others and they have left the message as camouflage.
When running, the malware executes the following actions:
- It checks if the process is being debugged by calling the IsDebuggerPresent Windows API. Malware authors often use this function to prevent the analysis of malicious binaries by debugging. If this check is true, then the malware is terminated. This check was not present in the previous version of the malware:
- The malware then opens a console window with the following message: “SAFEMODE: This WORM is designed only to test…with respect SafetyGate.ru.” This window was not displayed by the previous version. The window is shown below:
- In the meantime, the malware gets the current directory by using GetCurrentDirectoryA and it then enumerates all the files present in the current folder. To do this, the malware creates an array with the filenames by using FindFirstFileA and FindNextFileA.
- After all the files in the current folder are added to the array, the malware starts infecting them by calculating the file size of the malware file and inserting the entire malware sample at the beginning of the clean file. Thus the clean file will not run again after it is infected, given that the MZ structure is replaced with the malware body and the original file is present only as overlay data. The following image shows some of the infection routine:
- The malware also adds a signature to the end of the infected file with the following format:
0x00<10-digit filename plus .exe>0x0d 0x0a 0x02<size of sample in decimal>0x01.
This malware signature is different in both versions, as we can see in the following:
New signature example:
Old signature example:
- The infection routine is executed over all the samples in the current folder. After this process finishes, the malware pause its execution 10 seconds by calling the Sleep API; then it closes the console window and terminates the malware process.
- After that, all the infected samples have the following icon:
We have seen infected samples that carry more than one original sample at the overlay. This happens because the infected files carry the file that was previously infected. If that sample infects a new clean file, then the newly infected file will carry the previously infected file(s) plus the malware code and a new signature.
The following diagram describes the infection chain:
This malware infects all kind of files, not only portable executables. Thus the virus can infect most files in the current folder of the host computer. Usually, a user will download files to the Downloads, Documents, or Desktop folders; the impact will vary depending on which folder is affected.
In the previous version, the malware author hardcoded the targeted file extensions. The list follows:
Even though the sample we examined is probably not a final version, this malware still has the potential to make a system or critical application unusable.
Fortunately, this malware has no network capabilities nor infects external drives. The only option to spread this malware is for victims to directly download and execute it or to manually copy an infected sample to an external drive and execute it on another system.
Intel Security detects the new version of this file infector worm as W32/Gate.worm from DAT Version 7959.