McAfee claims to be able to remove this virus and all variants.
Gorillas in the Mist
During VB 2000, Dave Chess and Steve White presented their research results on undetectable viruses. Early this year the Russian virus writer Zombie released his "Total Zombification" magazine, containing a set of articles and viruses of his own. One of the articles in the magazine was titled "Undetectable Virus Technology".
Zombie has already demonstrated his polymorphic and metamorphic virus-writing skills. His viruses have been distributed in source form for years, and other virus writers have modified them to create new variants. This will certainly be the case with Zombie's latest creation, W95.Zmist.
Many of us have not seen a virus approaching this complexity for a few years. We could easily call Zmist one of the most complex binary viruses ever written. W95.SK, One_Half, ACG and a few other virus names came to mind for comparison. Zmist is a little bit of everything: it is an entry-point-obscuring virus that is also metamorphic. Moreover, the virus randomly uses an additional polymorphic decryptor.
The virus supports a unique new technique: code integration. The Mistfall engine contained in the virus is capable of decompiling Portable Executable files into their smallest elements, requiring 32MB of memory! Zmist inserts itself into the code: it moves code blocks out of the way, inserts itself, regenerates code and data references, including relocation information, and rebuilds the executable. This is something never seen in any previous virus.
Zmist occasionally inserts jump instructions after every single instruction of the code section, each of which points to the next instruction. Amazingly, these heavily modified applications still run as before, just as the infected executables do, from generation to generation. In fact, we did not see a single crash during the test replications. Nobody expected this to work, not even its author, Zombie. Although it is not foolproof, it seems to be good enough for a virus: it takes a human some time to find the virus in infected files. Because of this extreme camouflage, Zmist is easily the perfect anti-heuristics virus.
A few years ago several anti-virus researchers claimed that algorithmic detection has no future. We would like to turn that around: virus scanners will have no future if they do not support algorithmic detection at the database level. It is amazing to see how polymorphic viruses have become more and more advanced over the years. Such metamorphic creations come very close to the concept of an undetectable virus.
The computing environment has changed, and modern viruses fully support this new environment. In the next couple of years we will see how complex DOS viruses would be today if the environment had not changed during the last few years.
[Editor's Note: The complete article includes a detailed technical description of W95.Zmist and will be published in the March edition of Virus Bulletin and on the SARC web site at http://www.sarc.com/].
By Peter Ferrie and Peter Szor
SARC, APAC & USA.