Technovirology in action

As you know, I am a medical virologist.  Which means I deal with the biological type of virus, and their consequences.  But sometimes computer viruses can be interesting too, and I amuse myself at times with technovirology - computer viruses.

Jeevs' son, Reshlan, had a project for medical school on a flashdisk, and every time it was plugged into a PC with antivirus software, that file got deleted.  The file was a Word document.  The virus had inserted executable code in the beginning of the file, and renamed it with the extension SCR.  SCR files are usually screensavers.

The logical person to ask for help is ... the virologist.

The virus was W32.Rungbu, as named by Norton.

Here I describe how I chopped the virus out of the file, and got back the original Word document.

PLEASE NOTE: this is not for the faint hearted, or for anyone who, like me, doesn't really know what he's doing.  You risk your computer becoming infected, and losing data.  What I describe below is not something you should try at home.

First, I backed up my registry, and turned off System Restore, and then inactivated my antivirus software.

I copied the infected file.scr onto my hard drive.  Then I renamed the infected file so it had a TXT extension, and opened it in Notepad.  It looked like this:



Lower down, some of the text contained in the Word document was visible.  I didn't know what to do ... so I tried various things, none of which worked.  Forcing the file.scr to open in Word or Wordpad didn't work - it had non-Word header information that Word couldn't interpret.  I tried chopping off the top part of the document, including everything between the start of the document and the end of the code inserted by the virus.  I tried chopping out the part of the document that was clearly Word, and placing it into a document from which I removed that document's section from that position onwards.  For this I was using Notepad, and was probably saving it in some way I shouldn't have saved it - or maybe I shouldn't have been saving it at all in Notepad.  None of the final products opened in Word.

In the process I followed above, I discovered that all the Word documents I checked began the same way.  I already knew that this was the case with GIF, JPEG, PDF, RAR, and ZIP files, so I was expecting that.  The following three images show how three different Word files began:







I've highlighted the sequence common to all the files.

But, as I said above, deleting everything before that sequence and saving the result using Notepad produced a file that Word couldn't open.

Then I thought of using a hex editor to delete the infected section.  I used a fairly simple programme called 1Fh Binary+Hex Editor 1.07.

By searching for the specific sequence that the other Word documents began with, I found out that the first 46592 bytes of the file were something else.  This is what it looked like:

1Fh Binary+Hex Editor 1.07

The B600 is the hexadecimal version of 46592, which I could have calculated by hand, but was too lazy, so I used HexDecBin 1.0 to do it for me:

HexDecBin 1.0

I decided that using 1Fh to space over the extra 46592 bytes would simply take too long.  So I thought that maybe splitting the file into pieces, in such a way that the extra piece would be separated from the rest, might allow me to piece the file back together without that extra piece.

For this I used GSplit 2.0.  I simply split the file into pieces 46592 bytes in size - so that the first piece would be the the entirety of the extra piece, presumably the virus, and not contain any authentic piece of the original Word document.  I also set GSplit to omit headers to the pieces that it split the file into, to not create an executable file that would piece them back together again, and, in case it affected anything, deleted the code set to give the pieces a unique ID.

GSplit 2.0

Then I split the file - 35 files resulted, namely disk1.gsd, disk2.gsd, ... disk35.gsd.

I checked disk2.gsd, and, not surprisingly, it began with the sequence that started all the other Word files.



I then ran a batch file to unite all the pieces except the first.  It looked like this:

copy /b disk2.gsd+disk3.gsd cow.gsd
copy /b cow.gsd+disk4.gsd cow.gsd
copy /b cow.gsd+disk5.gsd cow.gsd
...
copy /b cow.gsd+disk35.gsd cow.gsd

The /b was simply because I expected it to be a binary file and not an ASCII file like a text document.  (Probably something to do with Notepad saving it in a way that Word couldn't interpret as a Word file.)

I then renamed cow.gsd to cow.doc ... and tried to open it in Word.  And there was the original, opening fine as a normal Word document.  (It had another error in it, and wouldn't show page 48, but that I converted to a PDF and the PDF back into Word, and recovered the text that way.)

And that is amateur technovirology in action, as performed by a clinical virologist.  Viruses are indeed fun!

Comments

Posted by stephen  
on May 12, 2007, 11:12 am
Alternatively, this SEEMS to be a programme that will do all of the above for you.

http://d.turboupload.com/de/1575938/lx6w0omq1i.html

And a much larger version, perhaps doing the same:
http://d.turboupload.com/de/1534072/bmdkicnxmz.html

Reply to this comment
Posted by  
on September 18, 2007, 3:20 pm
Hi. The files at these links that you posted have been removed. Do you have other links or the name of the program?

Reply to this comment
Posted by Dewaldt  
on May 16, 2007, 11:24 am
A very clever approach; a DIY virus removal :-)Perhaps you should publish your findings in the *Journal of Technovirology* :-p Often, antivirus programs ensure for more irritation than help. Not to mention the fact that antivirus software tend to consume a large amount of system resources.

Reply to this comment
Posted by  
on September 18, 2007, 3:18 pm
This is a very helpful DIY for this particular virus. However, suppose that you have about 1000 doc files affected. It's infeasible to attempt to clean all the files using this method. Any other suggestions would be appreciated.

Reply to this comment
Posted by MDC  
on October 6, 2007, 2:32 pm
Posted by  
on October 13, 2007, 11:51 pm
I had the same virus on my laptop and the antivirus had been deactivated. I could open the files in MS Word on the laptop, but when I moved to the Desktop PC they turn into .scr file. Since the virus hits .doc files, open them on the laptop and save as .rtf (Rich Text Format). Then I transfered them to the desktop PC and opened then in word without a problem. There you can now save it back to a .doc (Word Document). I hope this makes some sense... well, it does if you try it out. CHEERS!

Reply to this comment