
August 2nd, 2009

Inside Win32:AOC

Win32:AOC, aka Anvil of Crom, is a small file infector written by Bumblebee. It appends its own code to the last section of exe and dll files. The virus body is encrypted with more than one layer.

[Figure: aoc_stg0]

We can see the call to the decryptor at the top of the disassembly. The rest is under the first layer of encryption. The decryption algorithm computes two DWORD keys and starts the decryption. The result is shown in the next picture.

[Figure: aoc_stg1]

You can notice the pattern in the hex view. A quick look at the disassembly reveals the reason: the block next to the current position is xored with 0x74. Let's process the second decryption.

[Figure: aoc_stg2]

Now it is much better (we can see the signature and the well known AV exclusion shortcuts), but there's still something hidden under the next layer of encryption. The executive block is split into three parts, which are decrypted by the function at 413DDC. The function computes a checksum of a part of the loader and uses the result as a key. There's a strange antidebug trick: the decryption key is modified with a DWORD from fs:[20], which should contain a process ID on NT based systems and probably should be zero on 9x. If the value is not zero, the decryption works with a wrong key and decrypts garbage instead of the desired code. This fact also means that the virus should not work on NT based systems. Anyway, the emulation goes well when we assume the behavior of W9x.
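The following is an added toy model of the two keyed layers described above, written for this post and not taken from the virus or the analysis. The checksum routine, the way fs:[20] is combined with it (XOR here), the DWORD-wise second layer and the sample bytes are all assumptions; the page only states that the key is a loader checksum modified by the fs:[20] DWORD and that a nonzero value yields garbage.

```python
"""Model of Win32:AOC-style layered decryption (constructed example, not the virus's code)."""
import struct


def xor_layer(block: bytes, key: int = 0x74) -> bytes:
    """Layer 1: byte-wise XOR with a constant (the post states 0x74)."""
    return bytes(b ^ key for b in block)


def loader_checksum(loader: bytes) -> int:
    """ASSUMED checksum: 32-bit rotate-left-5 and add over the loader bytes.
    The real routine at 413DDC is not described on the page."""
    acc = 0
    for b in loader:
        acc = ((acc << 5) | (acc >> 27)) & 0xFFFFFFFF
        acc = (acc + b) & 0xFFFFFFFF
    return acc


def derive_key(loader: bytes, fs20: int) -> int:
    """Key = checksum(loader) modified by the DWORD at fs:[20]; XOR is an assumption."""
    return loader_checksum(loader) ^ (fs20 & 0xFFFFFFFF)


def dword_xor(block: bytes, key: int) -> bytes:
    """Layer 2: XOR every little-endian DWORD with the derived key (length must be a multiple of 4)."""
    out = bytearray()
    for (dw,) in struct.iter_unpack("<I", block):
        out += struct.pack("<I", dw ^ key)
    return bytes(out)


# Constructed sample: a plaintext stage wrapped in layer 2, then layer 1.
LOADER = bytes(range(0x40))            # stands in for the checksummed part of the loader
PLAIN = b"AOC stage3 code\x00"          # 16 bytes, keeps DWORD alignment
STAGE1 = xor_layer(dword_xor(PLAIN, derive_key(LOADER, 0)))  # built with fs:[20] == 0 (W9x)


def emulate(fs20: int) -> bytes:
    """What an emulator recovers for a given fs:[20] value: both layers peeled in order."""
    return dword_xor(xor_layer(STAGE1), derive_key(LOADER, fs20))


if __name__ == "__main__":
    print(emulate(0))       # W9x assumption: the plaintext stage
    print(emulate(0x1234))  # NT-style PID in fs:[20]: garbage, as the post describes
```

Running it shows why the emulator must assume W9x semantics for fs:[20]; any nonzero PID silently corrupts the key instead of failing loudly.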

[Figure: aoc_stg3]

Finally we get the decrypted blocks. The code below tries to locate kernel32.dll at some well known addresses and load some necessary functions. Then it starts to find victims and infect them. And how about the detection? Here are the results: http://www.virustotal.com/en/analisis/2aadb8f15959ba1323b32f2abce03835
