Symantec

Symantec Security Response
http://securityresponse.symantec.com

W32.Bolzano

Category 1

W32.Bolzano is a new virus that replicates under Windows 95 and Windows NT, infecting Portable Executable applications with EXE or SCR extensions. W32.Bolzano does not infect if the size of the host program is less than 16K. As of Sept 16, 1999 we have received 17 different variants of the virus. Bolzano is currently the biggest W32 virus family.

Type: Virus
Infection Length: varies
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 3.x

protection
  • Virus Definitions (LiveUpdate™ Weekly): August 31, 1999
  • Virus Definitions (Intelligent Updater): August 31, 1999

    threat assessment

    Wild: Low
    Damage: Low
    Distribution: Low

    technical details

    From the replication point of view, there is nothing especially remarkable about the first few versions of the Bolzano viruses. They are simple, direct-action appending infectors. The A, B and C variants add their code to the end of the last file section and modify the entry point of the program to point to the virus body. The D variant does not modify the entry point of PE files; instead, it searches for 12 possible CALL instructions inside the code section of the host and hooks a randomly selected CALL to the entry point of the virus. The virus creates a thread for itself in the infected process and replicates in the background while the host program executes in the main thread, so the user will not easily notice any delays. Several variants of Bolzano use an inserting technique (infection without entry-point modification) and are polymorphic at the same time, which makes detection of the virus more complicated. Bolzano was reported "in the wild" in France; most likely the virus writer is from France.

    Several variants of the Bolzano virus do not only replicate, but also attack the Windows NT file security system, using a new strategy that may be adopted by NT viruses in the future. This attack works on any version of Windows NT (3.50 up to 4.0) with any of the service packs. The attack does not work on any of the Windows 2000 betas, but it remains feasible.

    In order to attempt the attack, the virus needs administrative rights on a Windows NT Server or Windows NT Workstation during the initial infiltration. Therefore it is not a major security risk, but it is still a potential threat: a virus can always wait until the Administrator, or someone with equivalent rights, logs on. In that case W32.Bolzano has the chance to patch ntoskrnl.exe, the Windows NT kernel, located in the WINNT\SYSTEM32 directory. The virus modifies only 2 bytes in a security API called SeAccessCheck that is part of ntoskrnl.exe. This way Bolzano is able to give all users full access to every file regardless of its protection, whenever the machine is booted with the modified kernel. This means that a Guest (having the lowest possible rights on the system) will be able to read and modify all files, including files that are normally accessible only by the Administrator. This is a potential problem since the virus can then spread everywhere it wants regardless of the actual access restrictions on the particular machine. Furthermore, after the attack no data can be considered protected from any user. The latest variants of Bolzano also patch MSV1_0.dll in the System32 directory in order to remove password checks from there.

    Unfortunately the consistency of ntoskrnl.exe is checked in only one place. The loader, ntldr, is supposed to check it when it loads ntoskrnl.exe into physical memory during machine boot-up. If the kernel has been corrupted, ntldr is supposed to stop loading ntoskrnl.exe and display an error message even before a "blue screen" would appear. To avoid this particular problem W32.Bolzano also patches ntldr so that no error message is displayed and Windows NT boots just fine even if the kernel's checksum does not match the original. Since no code checks the consistency of ntldr itself, the patched kernel is loaded without any notification to the user. Because ntldr is a hidden, system, read-only file, W32.Bolzano changes its attributes to "archive" before it tries to patch it. The virus does not change the attributes of ntldr back to their original values after the patch.
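    The two behaviours described above, an appending infector that moves the host's entry point into its last section, and a small on-disk patch that leaves a checksummed image inconsistent, can both be checked for from the defender's side with a few PE header reads. The Python below is an added example and is not Symantec's code or part of the original write-up: it implements the standard PE image checksum stored in the optional header (the value the loader's consistency check compares) and a heuristic that flags a host whose entry point lies in its last section. The `build_pe` helper, the `STUB` bytes and the two-byte patch offset are constructed for the demo; the images it produces are minimal header-plus-section layouts, not loadable executables.

```python
"""Two defender-side integrity checks for PE files: an appending infector that
points the entry point at the host's last section, and a two-byte patch to an
image whose header CheckSum then no longer matches. Added example, not Symantec's
code; the PE images built here are constructed for the demo and do not load."""
import struct

DOS_HEADER_SIZE = 0x40      # minimal DOS header; the PE signature follows it directly
OPT_HEADER_SIZE = 224       # PE32 optional header with 16 data directories
SECTION_HEADER_SIZE = 40
FILE_ALIGN = 0x200
STUB = b"\x55\x8b\xec\x90\x90\x33\xc0\x5d\xc3"   # constructed code stub for the sample host

def _align(n, a):
    return (n + a - 1) // a * a

def _pe_offset(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    return pe

def checksum_field_offset(data):
    return _pe_offset(data) + 4 + 20 + 64               # CheckSum sits at optional header offset 64

def pe_checksum(data, checksum_off):
    """Standard PE image checksum: 16-bit word sum with carry folding, skipping
    the CheckSum field itself, plus the file length."""
    total = 0
    for i in range(0, len(data) & ~1, 2):
        if i == checksum_off or i == checksum_off + 2:
            continue
        total += data[i] | (data[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) & 1:                                    # trailing odd byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF

def verify_checksum(data):
    """True when the stored header CheckSum matches the file content."""
    off = checksum_field_offset(data)
    return struct.unpack_from("<I", data, off)[0] == pe_checksum(data, off)

def section_headers(data):
    """[(name, virtual_size, rva, raw_size, raw_ptr), ...] from the section table."""
    pe = _pe_offset(data)
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 4 + 20 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + i * SECTION_HEADER_SIZE)
        out.append((name.rstrip(b"\0").decode("ascii"), vsize, rva, raw_size, raw_ptr))
    return out

def entry_point_section(data):
    """(index, name) of the section holding AddressOfEntryPoint, or (None, None)."""
    pe = _pe_offset(data)
    entry = struct.unpack_from("<I", data, pe + 4 + 20 + 16)[0]
    for i, (name, vsize, rva, raw_size, _) in enumerate(section_headers(data)):
        if rva <= entry < rva + max(vsize, raw_size):
            return i, name
    return None, None

def entry_in_last_section(data):
    """Appending-infector heuristic: the entry point sits in the host's last section."""
    idx, _ = entry_point_section(data)
    return idx is not None and idx == len(section_headers(data)) - 1

def build_pe(sections, entry_rva):
    """Minimal PE32 file from (name, rva, raw_bytes) tuples, with a correct CheckSum."""
    hdr_end = DOS_HEADER_SIZE + 4 + 20 + OPT_HEADER_SIZE + SECTION_HEADER_SIZE * len(sections)
    size_of_headers = _align(hdr_end, FILE_ALIGN)
    table, bodies = b"", b""
    for name, rva, raw in sections:
        raw_size = _align(len(raw), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), rva, raw_size,
                             size_of_headers + len(bodies), 0, 0, 0, 0, 0x60000020)
        bodies += raw.ljust(raw_size, b"\0")
    opt = bytearray(OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                             # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, FILE_ALIGN)        # ImageBase, alignments
    size_of_image = _align(max(rva + len(raw) for _, rva, raw in sections), 0x1000)
    struct.pack_into("<II", opt, 56, size_of_image, size_of_headers)       # CheckSum (offset 64) filled below
    struct.pack_into("<H", opt, 68, 2)                                     # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                                    # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HEADER_SIZE, 0x0102)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", DOS_HEADER_SIZE)    # e_lfanew
    data = bytearray((dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(size_of_headers, b"\0") + bodies)
    off = checksum_field_offset(data)
    struct.pack_into("<I", data, off, pe_checksum(data, off))
    return bytes(data)

def demo():
    """Clean host; the same host with a constructed two-byte code patch; and a host
    laid out as an appending infector leaves it (code after the data, entry there)."""
    clean = build_pe([(b".text", 0x1000, STUB), (b".data", 0x2000, b"\0" * 16)], 0x1000)
    patched = bytearray(clean)
    off = section_headers(clean)[0][4] + 4               # file offset inside .text
    patched[off:off + 2] = b"\x31\xc0"                   # two bytes changed, CheckSum left as is
    appended = build_pe([(b".text", 0x1000, STUB), (b".data", 0x2000, b"\0" * 16 + STUB)], 0x2010)
    return {"clean_checksum_ok": verify_checksum(clean), "patched_checksum_ok": verify_checksum(patched),
            "clean_entry_last": entry_in_last_section(clean), "appended_entry_last": entry_in_last_section(appended)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Running the block reports the clean image as consistent and the two-byte-patched copy as failing the checksum, and flags only the appended layout on the entry-point heuristic. Both checks are cheap enough to run over a system directory from a clean boot; the entry-point heuristic is only a hint (legitimate packers also place the entry point in the last section), whereas a CheckSum mismatch on a system image that normally carries one is worth investigating directly.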

    Several variants of W32.Bolzano delete the contents of the \WINDOWS\Cookies and \WINNT\Cookies directories. Probably the virus writer wants to introduce the virus onto a machine he was using, in order to cover up where he was web-surfing.

    recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
    • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this write-up, in trusted Security Bulletins, or on vendor Web sites.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

    removal instructions

    1. Run LiveUpdate to make sure that you have the most recent virus definitions.
    2. Start Norton AntiVirus (NAV), and then run a full system scan. Be sure that NAV is configured to scan all files.
    3. If any files are detected as infected by W32.Bolzano, choose Repair.

    If the system has been infected, the system files ntoskrnl.exe and ntldr.exe have been patched. Symantec has created a tool which can be used to restore these files. This tool was created for a more prolific virus, W32.Funlove.4099, which applies the same patching techniques to ntoskrnl.exe and ntldr.exe. You can find this tool here: DOS FunLove.4099 Fix Tool.


    Write-up by: Peter Szor