
Inside Win32:AOC

Michal Krejdl, 2 August 2009


Win32:AOC, aka Anvil of Crom, is a small file infector written by Bumblebee. It appends its own code to the last section of EXE and DLL files. The virus body is encrypted with more than one layer.
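Because an appending infector has to redirect execution into the code it adds to the last section, a cheap first-pass check is to see where a PE's entry point lands. The script below is an added example (not the original post's material and not the virus's own code): it parses PE32 section headers with the standard library and reports two generic indicators of an appended body. The two sample images are constructed inline with a small header builder; the section layouts, sizes and flags are invented for the demonstration and are not taken from a real infected file.

```python
"""Heuristic check for an appending file infector: flags PE32 images whose
entry point lies inside the last section, or whose last section is both
writable and executable. Sample headers are constructed inline (not real files)."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections, entry_rva):
    """Build a headers-only PE32 image for the demo.
    sections: list of (name, virtual_size, rva, raw_size, raw_ptr, characteristics)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, section count, no symbols, 224-byte optional header, EXE flags
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    # Optional header: PE32 magic, 14 bytes of linker/size fields, then AddressOfEntryPoint
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)
    opt += b"\0" * (224 - len(opt))
    hdrs = b"".join(
        struct.pack(SECTION_FMT, n.ljust(8, b"\0"), vs, rva, rs, rp, 0, 0, 0, 0, ch)
        for n, vs, rva, rs, rp, ch in sections
    )
    image = dos + b"PE\0\0" + coff + opt + hdrs
    return image + b"\0" * (0x1000 - len(image))


def parse_pe(data):
    """Return (entry_rva, [section dicts]) from a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]
    off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        n, vs, rva, rs, rp, _, _, _, _, ch = struct.unpack_from(SECTION_FMT, data, off + 40 * i)
        sections.append({"name": n.rstrip(b"\0").decode(), "vsize": vs, "rva": rva,
                         "raw": rs, "rawptr": rp, "chars": ch})
    return entry, sections


def appended_code_indicators(data):
    """Return a list of findings that suggest code was appended to the last section."""
    entry, sections = parse_pe(data)
    last = sections[-1]
    findings = []
    span = max(last["vsize"], last["raw"])
    if last["rva"] <= entry < last["rva"] + span:
        findings.append("entry point lies in the last section")
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section is both writable and executable")
    return findings


# Constructed samples: a normal layout, and one whose last section was grown
# and made executable with the entry point moved into it.
CLEAN = build_pe([(b".text", 0x200, 0x1000, 0x200, 0x400, 0x60000020),
                  (b".data", 0x100, 0x2000, 0x200, 0x600, 0xC0000040)], entry_rva=0x1000)
SUSPECT = build_pe([(b".text", 0x200, 0x1000, 0x200, 0x400, 0x60000020),
                    (b".data", 0x900, 0x2000, 0x800, 0x600, 0xE0000040)], entry_rva=0x2150)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, appended_code_indicators(img) or ["no indicators"])
```

Both indicators are heuristics, not signatures: packers and some linkers also put the entry point in a late section, so a hit is a reason to look closer, not a verdict.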


We can see the call to the decryptor at the top of the disassembly. The rest is under the first layer of encryption. The decryption routine computes two DWORD keys and starts the decryption. The result is shown in the next picture.


You can notice a pattern in the hex view. A quick look at the disassembly reveals the reason: the block following the current position is XORed with 0x74. Let's run the second decryption.


Now it is much better (we can see the signature and the well-known AV exclusion shortcuts), but there is still something hidden under the next layer of encryption. The executive block is split into three parts, which are decrypted by the function at 413DDC. The function computes a checksum of part of the loader and uses the result as a key. There is a strange anti-debug trick: the decryption key is modified with a DWORD from fs:[20], which should contain the process ID on NT-based systems and is probably zero on 9x. If the value is not zero, the decryption runs with a wrong key and produces garbage instead of the desired code. This also means that the virus should not work on NT-based systems. Anyway, the emulation goes well when we assume W9x behavior.
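The two layers described above (a single-byte XOR whose key shows up as a repeating pattern in the hex view, followed by a DWORD key derived from a loader checksum and perturbed by an environment value) are the kind of thing an analyst reproduces in a script so the emulator's result can be cross-checked. The code below is an added model of that workflow, not Win32:AOC's routine: the checksum, the block layout, the sample plaintext and the way the fs:[20] value enters the key are all constructed for the demonstration. It shows the key recovery for layer one, and how the same inner block decrypts cleanly when the environment DWORD is zero but turns to garbage when it is not.

```python
"""Constructed model of a two-layer decryptor of the kind described in the post.
Layer 1: single-byte XOR (0x74, as observed). Layer 2: DWORD XOR with a key
derived from a loader checksum and perturbed by a value standing in for fs:[20].
Checksum, block layout and plaintext are invented for the demo."""
import struct
from collections import Counter

LAYER1_KEY = 0x74
BLOCK_LEN = 16   # the constructed sample uses three fixed-size blocks


def xor_bytes(buf, key_byte):
    return bytes(b ^ key_byte for b in buf)


def guess_single_byte_key(buf):
    """Recover a single-byte XOR key from the most frequent byte.
    Assumes the plaintext's most common byte is 0x00 (zero padding)."""
    most_common, _ = Counter(buf).most_common(1)[0]
    return most_common


def loader_checksum(loader):
    """Toy 32-bit checksum over the loader bytes (constructed, not the virus's)."""
    s = 0
    for b in loader:
        s = ((s << 5) + s + b) & 0xFFFFFFFF
    return s


def derive_key(loader, fs20_value):
    """Checksum of the loader, perturbed by the DWORD read from fs:[20]."""
    return (loader_checksum(loader) ^ fs20_value) & 0xFFFFFFFF


def dword_xor(buf, key):
    """XOR a buffer with a 32-bit little-endian key, DWORD by DWORD (symmetric)."""
    out = bytearray()
    for i in range(0, len(buf), 4):
        chunk = buf[i:i + 4].ljust(4, b"\0")
        out += struct.pack("<I", struct.unpack("<I", chunk)[0] ^ key)
    return bytes(out[:len(buf)])


def build_sample(plain_blocks, loader):
    """Constructed encrypted blob: inner layer keyed for fs:[20] == 0, outer XOR 0x74,
    with zero padding after the blocks so the outer key leaks as a repeated byte."""
    inner = b"".join(dword_xor(p, derive_key(loader, 0)) for p in plain_blocks)
    return xor_bytes(inner + b"\0" * 64, LAYER1_KEY)


def decrypt_layers(blob, loader, fs20_value, nblocks=3):
    """Strip both layers the way the emulator would, for a given fs:[20] value."""
    inner = xor_bytes(blob, guess_single_byte_key(blob))
    key2 = derive_key(loader, fs20_value)
    return [dword_xor(inner[i * BLOCK_LEN:(i + 1) * BLOCK_LEN], key2) for i in range(nblocks)]


def is_plausible(block):
    """Crude sanity check: decrypted text-like block is printable ASCII or NUL."""
    return all(b == 0 or 32 <= b < 127 for b in block)


# Constructed inputs: a stand-in for the checksummed loader bytes and three 16-byte blocks.
LOADER = bytes(range(0x30, 0x50))
PLAIN_BLOCKS = [b"locate kernel32\0", b"resolve imports\0", b"find victims...\0"]
SAMPLE = build_sample(PLAIN_BLOCKS, LOADER)

if __name__ == "__main__":
    print("layer-1 key: 0x%02x" % guess_single_byte_key(SAMPLE))
    for fs20 in (0, 0x1234):
        blocks = decrypt_layers(SAMPLE, LOADER, fs20)
        print("fs:[20]=%#x ->" % fs20, [is_plausible(b) for b in blocks], blocks)
```

The plausibility check is what an emulator effectively relies on: if the decrypted block does not disassemble (or, here, does not look like text), the assumed environment was wrong, which is exactly how the fs:[20] dependence shows up during analysis.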


Finally we get the decrypted blocks. The code beneath tries to locate kernel32.dll at some well-known addresses and load the necessary functions. Then it starts to find victims and infect them. And how about the detection? Here are the results