Threat Research

Inside Win32:Alma

Michal Krejdl, 8 June 2009

Inside Win32:Alma

Sometimes I really wonder, how complex the mythology about viruses and antiviruses is. Five minutes spent on a random community server, where people are talking about malware (except few special forums), can give you a hint what I mean. It is not a purpose of this post to refutate the widespread gossip, that AV vendors are writing malware just to be the first to detect it etc. What I want to show you is the relation between a formal description of a virus and its raw characteristics. I'm trying to choose the right samples for you (actually the samples, which are used to test an internal emulator), which contain a lot of nicely visible ASCII strings. Hopefully, you'll catch the point of the "Inside" series - malware analysis is not a sci-fi :-). Let's look at Alma.

Win32:Alma is a little file infector created by LiteSys in 2001 (the source code is available). It uses a simple encryption of the virus body, which is attached to the last section.

alma_stg0The hexadecimal interpretation shows us the virus body, which seems to be encrypted with some plain bitwise conservative method. Let's look to the disassembly and we can see a simple byte xor. Ok, it's time to look what's under the cover.

alma_stg1The virus loads some necessary functions (FindFirstFile, FindNextFile, WriteFile etc.) and begins the replication. Alma infects only .exe and .scr files, as shown on the picture above.

alma_stg2The algo is well understandable. After finding a candidate to infect, Alma checks if it was not infected before and skips these files. Otherwise it continues to the injection and encryption of its own code in the infected binary. It also increases the size of last section and changes its flags. LiteSys dropped its signature to the virus body, we can see it at the end of injected code.

alma_stg3Win32:Alma is well covered by AV engines, refer to the virustotal analysis