Sircam, Nimda, Klez Comparative Study

zhaozj2021-02-16  45

By Koms Bomb

These three can be said to be the most conspicuous viruses of the year since July last year. They share three features: 1, they are all Internet worms; 2, they spread with amazing speed and breadth; 3, they are written in high-level languages. It is said that Internet worms are the main direction in which viruses will develop, so a comparison of these three should be worthwhile.

1. Main propagation methods. Sircam and Klez spread mainly by email, while Nimda spreads mainly through IIS vulnerabilities. Nimda also spreads by email, but its email capability is orders of magnitude behind that of Sircam and Klez, hardly worth mentioning. The characteristic of Sircam's mail is that the subject and body are fairly fixed: it does choose a subject and body from a set, but the set is tiny, only a few kinds, and the body is generally along the lines of "I send you this file, I hope you like it", so it is fairly easy to recognise. Its subject "How are you", however, is very effective. Think about it: someone sends you mail saying "Buddy, how are you", and you may well be excited that a "friend" has sent you an interesting file. It is worth noting that Sircam does not use the IFRAME vulnerability that many worms use (the vulnerability had already been discovered by then); it relies entirely on social engineering to deceive users, and achieving such success that way is no small feat. It is said that Sircam used a Mexican SMTP server; I have not verified this. Klez's main characteristic is a large number of mail subjects and bodies, said to be up to 120 combinations, many of them highly deceptive, for example posing as a Klez immunity tool. Just when users around the world were panicking about Klez, they suddenly receive a Klez immunity tool from a friend; who would not be tempted? Nimda mainly uses the IIS Unicode vulnerability; once that vulnerability is patched, it cannot spread widely. It also spreads by mail, which many AVers (anti-virus researchers) have made much of, but its mail capability is far too weak to compare with Sircam and Klez. It should be said that Sircam and Klez spread mainly by mail, so they invest in mail propagation, while Nimda spreads mainly through IIS, so mail is not its strength, which is no surprise.

Nimda's subjects are strings extracted from text files on the infected machine, so many of them are meaningless, and there is no mail body, which is probably one reason why it failed. It does, however, use the IFRAME vulnerability.

2. Language. Sircam is written in Delphi and is arguably the best Delphi virus ever written. Many other worms are also written in Delphi, but most of them drag in the VCL library, three or four hundred KB, very clumsy. Sircam does not use the VCL, as can be seen from its size, only a little over 100 KB, though that is still large. Klez.e and Klez.h are only 80 KB, and Nimda is smaller still at 56 KB. Klez and Nimda are written in VC, and Nimda has some assembly instructions inserted because it launches a virus thread inside the Explorer process. Interestingly, Nimda was originally compiled as a DLL. This is because it replaces Riched20.dll and is therefore loaded as a DLL; after initialisation it returns to Kernel32, and the DllMain parameters are cleaned up accordingly, so compiling as a DLL is appropriate. Compiling as an EXE would not work, because WinMain takes a different number of parameters from DllMain and the stack would be cleaned up incorrectly on return. The various versions of Klez carry a PE virus, of which Elkern.c (Foroux.a) is particularly fierce.

3. Propagation routes. Sircam spreads mainly by email. It appears to also spread through network shares, but its method is to copy itself into the remote machine's Recycle Bin, which generally does not work. Nimda spreads through the IIS vulnerability, email, network shares, and by infecting local files. The method it uses on the local machine is very weak: it creates a .eml or .nws file in every folder, hoping the user will click it and be re-infected. But ordinarily a user has almost no files like that, and once the user finds many of them, suspicion is inevitable. Still, generating only one .eml or .nws file per folder is relatively clever, better than Klez.

Nimda also infects local executables: it stores the original file in its own resources using the Win2000 UpdateResource family of functions. These functions are only supported on Win2000, not on 98, which is one of its shortcomings. More interesting still, it does not check whether a file is already infected, so it infects repeatedly. As a result, a program of a few hundred KB eventually becomes a few MB, the user's disk space is eaten up, and that is how Nimda gets noticed. A good virus must never re-infect, whatever else it does; this is a cardinal sin. If Nimda had avoided these two shortcomings, it could be called a fairly perfect virus. Klez spreads mainly through email, network shares and local files. When infecting a network share it generates .exe or .rar files, and here it is not as good as Nimda: every infection generates these files, and it also infects local shared folders, leaving a lot of inexplicable .exe and .rar files on the hard disk, which is easy to notice. Klez's infection of local files goes along with its spreading: it first renames the original file to a random name and encrypts it, then replaces the original with itself and pads its own size to disguise the file. Because it encrypts the original file, infected users often lose a lot of software, but almost all well-known anti-virus companies (including domestic ones) have released repair tools.
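Added here as a defender-side illustration, not code from the original article: a small Python check that counts how many PE images a file carries, which is how a Nimda-style infection (the original program stored whole as a resource of the host, then wrapped again on every re-infection) shows up on disk. The minimal PE layout it builds is constructed for the demonstration and is not a real executable.

```python
import struct

def make_min_pe(payload: bytes = b"") -> bytes:
    """Constructed sample only: the smallest byte layout the scanner below
    recognises as a PE image (MZ stub, e_lfanew at 0x3C, PE signature).
    A real binary has full headers; only the fields the scanner reads are set."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + payload

def find_pe_images(data: bytes) -> list:
    """Offsets of every PE image found in data, the host itself (offset 0) included.
    A plausible e_lfanew is required so that stray 'MZ' text is not counted."""
    hits, pos = [], 0
    while (pos := data.find(b"MZ", pos)) != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x400 and data[sig:sig + 4] == b"PE\0\0":
                hits.append(pos)
        pos += 2
    return hits

def nesting_depth(data: bytes) -> int:
    """Number of PE images carried inside the host: 0 for a clean file, 1 for a
    Nimda-style infection that keeps the original program as a resource, and
    N for a file that has been wrapped N times because the infector never
    checks for an existing infection (which is why programs grow from KB to MB)."""
    return max(len(find_pe_images(data)) - 1, 0)

if __name__ == "__main__":
    clean = make_min_pe(b"original program body")
    once = make_min_pe(b"\0" * 16 + clean)   # host wraps the original program
    twice = make_min_pe(b"\0" * 16 + once)   # no infection check: wrapped again
    for name, blob in (("clean", clean), ("once", once), ("twice", twice)):
        print(f"{name}: {len(blob)} bytes, nesting depth {nesting_depth(blob)}")
```

Run against real files, the same count flags a host that has been wrapped repeatedly; a depth that keeps rising between scans of the same program is the file-growth symptom the article describes.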

4. Residence. Sircam is the most interesting: it resides in the user's Recycle Bin, and generally nobody notices one more file in the Recycle Bin. But to save disk space many users empty the Recycle Bin frequently, and Sircam gets thrown out with the garbage :-). Actually that is a joke: Sircam is normally always running, so it will not be deleted. Nimda and Klez both reside in the system directory, as many viruses do. Nimda's generated file name is fixed within a given version; Klez is cleverer and generates a random file name, which makes it very difficult for users to identify the virus.

5. Versions. Sircam seems to have only one version, with no improvements. Nimda has five versions, of which Nimda.a and Nimda.e are the most famous and have circulated very widely. Klez has many versions, large and small, of which Klez.a is the prototype; according to AVers it consumes a lot of memory and is easy to discover, so it could not spread widely. The most famous are Klez.e and Klez.h, which are still spreading widely after several months; they should be called very successful. It is worth noting that Nimda and Klez seem to have been modified by others. Nimda has a Code World version, which seems to have been produced by the author of the Code World worm patching Nimda with a hex editor, and it has a lot of bugs. Klez also has a UPX-compressed version. As far as I know, Klez encrypts itself, so the original author certainly would not compress it with UPX, otherwise the encryption would be hard to do. After a skilled VXer writes a successful virus, other small "vxers" who lack the ability to write a virus themselves modify those successful viruses to satisfy their desire to "manufacture" viruses. That is normal. However, the source code of these three viruses does not seem to have been released, so they can only be modified with a hex editor, and it is hard to produce a changed version that way.

I wonder whether the world will descend into chaos when the source code of Nimda and Klez is released. Looking forward to it @_@. Of course, with some reverse engineering you can recover their code, but I don't have the energy; whoever does, remember to tell me :-). It seems someone has written up Nimda's code, but I have not examined its authenticity.

6. Sircam is the first large-scale, persistent virus after LoveLetter. LoveLetter was sensational, but it was a single big outbreak with no follow-up. Sircam is different: it was not dramatic when it first appeared, but it has a very "persistent" character and spreads continuously. Note that a worm is easily discovered, unlike a file virus, so most worms bloom only briefly, but Sircam is an evergreen. Even so it is now nearly extinct, after being very active for more than eight months. Nimda's big outbreak set off an unprecedented storm; its propagation speed broke records, and it was no less fierce than the later Klez.h, but it has now slowed down significantly and seems to circulate only in China. Neither Sircam nor any version of Nimda is significantly destructive. If Nimda had carried a destructive payload such as deleting user files, it would certainly have been a disaster. Klez.h can be said to be the most successful mail virus, exceeding even Nimda's big outbreak, and it has such good persistence that two months on it is still breaking its own propagation record, and has done so repeatedly. No wonder some AVers consider it the most evil virus in history. Klez.e is interesting: at first it made no waves at all, but it spread tenaciously, and after five months it has now surpassed Klez.h. However, the versions before Klez.e, and Klez.e itself, carry vicious destructive payloads, some of them quite nasty. The most famous version, Klez.h, is not destructive, which can be said to be a great blessing.

Conclusion: In fact I have not done a detailed technical study of these three worms. First, I have no environment in which to experiment; second, disassembling a few dozen KB of code would take too much energy and time. What I said above comes mainly from the analysis reports on AVer websites, plus my understanding of the techniques they use. This is a very rough article; if there are errors, I hope you will forgive me.

Koms Bomb, 10:00, June 21, 2002. Reposting is welcome; please retain "by Koms Bomb".

Please credit the original when reposting: https://www.9cbs.com/read-25740.html
