stream.asm

Win2k.Stream virus, which took real effort to track down! Fellow assembly fans, please show your support.
ASM
Page 1 of 2

COMMENT# 

* Win2k.Stream

---------------------------
* by Benny/29A and Ratter 
---------------------------


Let us introduce very small and simple infector presenting how to use features 
of NTFS in viruses. This virus loox like standard Petite-compressed PE file. 
However, it presents the newest way of PE file infecting method. 

How the virus worx? It uses streamz, the newest feature of NTFS filesystem 
and file compression, already implemented in old NTFS fs. 


------------------------------------- 
* Basic principles of NTFS streamz 
-------------------------------------

How the file loox? Ya know that the file contains exactly the same what you can 
see when you will open it (e.g. in WinCommander). NTFS, implemented by 
Windows 2000, has new feature - the file can be divided to streamz. The content 
what you can see when you will open the file is called Primary stream - usually 
files haven't more than one stream. However, you can create NEW stream ( = new 
content) in already existing file without overwriting the content. 

Example: 

addressing of primary stream -> <filename> e.g. "calc.exe" 
addressing of other streamz -> <filename>:<stream name> e.g. "calc.exe:stream" 

If you have NTFS, you can test it. Copy to NTFS for instance "calc.exe", and 
then create new file "calc.exe:stream" and write there "blahblah". Open 
"calc.exe". Whats there? Calculator ofcoz. Now open "calc.exe:stream". Whats 
there? "blahblah", the new file in the old one :) 

Can you imagine how useful r streamz for virus coding? 

The virus infects file by moving the old content to the new stream and replacing 
the primary stream with virus code. 

File (calc.exe) before infection: 

-Calc.exe----------------------------
Primary stream (visible part)
Calculator
-------------------------------------

File (calc.exe) after infection: 

-Calc.exe------------------------------------------------
Primary stream (calc.exe)    Next stream (calc.exe:STR)
Virus                        Calculator
---------------------------------------------------------

Simple and efficient, ain't it? 

---------------------
* Details of virus  
---------------------

* The virus infects all EXE files in actual directory. 

* The virus uses as already-infected mark file compression. All infected 
 files are compressed by NTFS and virus then does not infect already 
 compressed files. Well, almost all files after infection r smaller than 
 before, so user won't recognize virus by checking free disk space :) 

* If user will copy the infected file to non-NTFS partition (in this case 
 only primary stream is copied), the host program will be destroyed and 
 instead of running host program virus will show message box. That can 
 be also called as payload :P 

* The virus is very small, exactly 3628 bytes, becoz it's compressed by 
 Petite 2.1 PE compression utility (http://www.icl.ndirect.co.uk/petite/). 

* The disinfection is very easy - just copy the content of <file>:STR to 
 <file> and delete <file>:STR. If you want to create sample of infected 
 file, then just copy the virus to some file and copy any program (host 
 program) to <file>:STR. Thats all! However, AVerz have to rebuild their 
 search engine to remove this virus, becoz until now, they had no fucking 
 idea what are streamz :) 

* This virus was coded in Czech Republic by Benny/29A and Ratter, on our 
 common VX meeting at Ratter's city... we just coded it to show that 
 Windows 2000 is just another OS designed for viruses... it really is :) 

* We would like to thank GriYo for pointing us to NTFS new features. 
 The fame is also yourz, friend! 
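
A defender-side check for the layout described above, as an added example that is not part of the original source: it enumerates a file's NTFS streams and flags a PE image held in a named stream, together with the compressed-file marker. The function names, finding labels and the sample in demo() are assumptions made for this example; list_streams and scan_file need Windows on an NTFS volume.

```python
import ctypes
import os

FILE_ATTRIBUTE_COMPRESSED = 0x800

def list_streams(path):
    """Return [(stream_name, size)] via FindFirstStreamW. Windows/NTFS only."""
    class StreamData(ctypes.Structure):
        """WIN32_FIND_STREAM_DATA: LARGE_INTEGER size, WCHAR name[MAX_PATH + 36]."""
        _fields_ = [("size", ctypes.c_longlong), ("name", ctypes.c_wchar * 296)]
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data, found = StreamData(), []
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)
    if handle in (None, ctypes.c_void_p(-1).value):
        return found
    try:
        while True:
            found.append((data.name, data.size))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return found

def triage(streams, read_head, compressed):
    """Pure logic: flag named streams that start with the MZ signature."""
    named_pe = [name for name, _size in streams
                if name != "::$DATA" and read_head(name)[:2] == b"MZ"]
    findings = [("pe-in-alternate-stream", name) for name in named_pe]
    if named_pe and compressed and read_head("::$DATA")[:2] == b"MZ":
        findings.append(("stream-companion-layout", named_pe[0]))
    return findings

def scan_file(path):
    """Windows glue: names such as ':STR:$DATA' are appended to the path."""
    def read_head(stream):
        with open(path + stream, "rb") as handle:
            return handle.read(2)
    attrs = os.stat(path).st_file_attributes
    return triage(list_streams(path), read_head,
                  bool(attrs & FILE_ATTRIBUTE_COMPRESSED))

def demo():
    """Constructed sample: small PE primary stream plus a PE in the STR stream."""
    heads = {"::$DATA": b"MZ", ":STR:$DATA": b"MZ"}
    return triage([("::$DATA", 3628), (":STR:$DATA", 114688)], heads.get, True)
```

A benign stream such as Zone.Identifier does not begin with MZ and is not reported; the second finding is raised only when the primary stream is also a PE and the file carries the NTFS compression attribute.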


----------------
* In the media   
---------------- 


AVP's description: 


This is the first known Windows virus using the "stream companion" infection 
method. That method is based on an NTFS feature that allows to create multiple 
data streams associated with a file. 

*NTFS Streams* 

Each file contains at least one default data stream that is accessed just by 
the file name. Each file may also contain additional stream(s) that can be 
accessed by their personal names (filename:streamname). 

The default file stream is the file body itself (in pre-NTFS terms). For 
instance, when an EXE file is executed the program is read from the default 
file stream; when a document is opened, its content is also read from the 
default stream. 

Additional file streams may contain any data. The streams cannot be accessed or 
modified without reference to the file. When the file is deleted, its streams 
are deleted as well; if the file is renamed, the streams follow its new name. 

In the Windows package there is no standard tool to view/edit file streams. To 
"manually" view file streams you need to use special utilities, for instance 
the FAR utility with the file streams support plug-in (Ctrl-PgDn displays file 
streams for selected file). 

*Virus Details* 
         

The virus itself is a Windows application (PE EXE file) compressed using the 
Petite PE EXE file compressor and is about 4K in size. When run it infects all 
EXE files in the current directory and then returns control to the host file. 
If any error occurs, the virus displays the message: 

Win2k.Stream by Benny/29A & Ratter 
This cell has been infected by [Win2k.Stream] virus! 

While infecting a file the virus creates a new stream associated with the victim 
file. That stream has the name "STR", i.e. the complete stream name is 
"FileName:STR". The virus then moves the victim file body to the STR stream 
(default stream, see above) and then overwrites the victim file body (default 
stream) with its (virus) code. 

As a result, when an infected file is executed Windows reads the default stream 
(which is overwritten by virus code) and executes it. Also, Windows reports the 
same file size for all infected files - that is the virus length. 

To release control to the host program the virus just creates a new process by 
accessing the original file program using the name "FileName:STR". 

That infection method should work on any NTFS system, but the virus checks the 
system version and runs only under Win2000. 


AVP's press release: 


*A New Generation of Windows 2000 Viruses is Streaming Towards PC Users* 
                                     

Moscow, Russia, September 4, 2000 - Kaspersky Lab announces the discovery of 
W2K.Stream virus, which represents a new generation of malicious programs for 
Windows 2000. This virus uses a new breakthrough technology based on the 
"Stream Companion" method for self-embedding into the NTFS file system. 

The virus originates from the Czech Republic and was created at the end of 
August by the hackers going by the pseudonyms of Benny and Ratter. To date, 
Kaspersky Lab has not registered any infections resulting from this virus; 
however, its working capacity and ability for existence "in-the-wild" are 
unchallenged. 

"Certainly, this virus begins a new era in computer virus creation," said 
Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab. "The stream 
Companion technology the virus uses to plant itself into files makes its 
detection and disinfection extremely difficult to complete." 

Unlike previously known methods of file infection (adding the virus body at 
beginning, ending or any other part of a host file), the "Stream" virus 
exploits the NTFS file system (Windows NT/2000) feature, which allows multiple 
data streams. For instance, in Windows 95/98 (FAT) files, there is only one 
data stream - the program code itself. Windows NT/2000 (NTFS) enables users 
to create any number of data streams within the file: independent executable 
program modules, as well as various service streams (file access rights, 
encryption data, processing time etc.). This makes NTFS files very flexible, 
allowing for the creation of user-defined data streams aimed at completing 
specific tasks. 

"Stream" is the first known virus that uses the feature of creating multiple 
data streams for infecting files of the NTFS file system (see picture 1). To 
complete this, the virus creates an additional data stream named "STR" and 
moves the original content of the host program there. Then, it replaces the 
main data stream with the virus code. As a result, when the infected program 
is run, the virus takes control, completes the replicating procedure and then 
passes control to the host program. 

*"Stream" file infection procedure* 
                   

File before infection File after infection 


"By default, anti-virus programs check only the main data stream. There will be 
no problems protecting users from this particular virus," Eugene Kaspersky 
continues. "However, the viruses can move to additional data streams. In this 
case, many anti-virus products will become obsolete, and their vendors will be 
forced to urgently redesign their anti-virus engines." 


In MSNBC's news: 


*New trick can hide computer viruses* 
*But experts question danger posed by stream technology* 

Sept. 6 - A new kind of computer virus has been released, but security experts 
are in disagreement over just how menacing it is. The virus demonstrates a 
technique that future writers can use to hide their malicious software from 
most current antivirus scanners. But some antivirus companies are playing down 
the threat. 

THE VIRUS, CALLED W2K.STREAM, poses little threat - it was written as a 
relatively benign "proof of concept." But, according to a source who requested 
anonymity, it was posted on several virus writer Web sites over Labor Day 
weekend - making copycats possible. 

The virus takes advantage of a little-used feature included in Windows 2000 and 
older Windows NT systems that allows programs to be split into pieces called 
streams. Generally, the body of a program resides in the main stream. But other 
streams can be created to store information related to what's in the main 
stream. Joel Scambray, author of "Hacking Exposed," described these additional 
streams as "Post-it notes" attached to the main file. 

The problem is that antivirus programs only examine the main stream. W2K.Stream 
demonstrates a programmer's ability to create an additional stream and hide 
malicious code there. 

"Certainly, this virus begins a new era in computer virus creation," said 
Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab, in a press 
release. "The stream Companion technology the virus uses to plant itself into 
files makes its detection and disinfection extremely difficult to complete." 

*THIS BUG ISN'T DANGEROUS* 


No W2K.stream infections have been reported, and experts don't believe the 
virus is "in the wild" - circulating on the Internet - yet. At any rate, this 
virus actually makes things easy for antivirus companies. If a user is 
infected, the program creates an alternate stream and places the legitimate 
file in this alternate location; the virus replaces it as the main stream. That 
makes detection by current antivirus products easy. But future viruses could 
do just the opposite, evading current antivirus products. 

One antivirus researcher who requested anonymity called release of the bug 
"somewhat akin to the first macro virus." He added that reengineering antivirus 
software to scan for multiple streams would be a complicated effort. 

"In this case, many anti-virus products will become obsolete, and their vendors 
will be forced to urgently redesign their anti-virus engines," Kaspersky said. 

*AN OLD ISSUE* 

There is nothing new about the potential of exploiting the multiple stream 
issue; Scambray hints at the problem in the book "Hacking Exposed," and 
described it even more explicitly in a 1998 Infoworld.com article. 

The SANS Institute, a group of security researchers, issued an alert 
criticizing antivirus companies for not updating their products to scan the 
contents of any file stream earlier. 

"... found that the scanners were incapable of identifying viruses stored within 
an alternate data stream," the report said. "For example if you create the file 
MyResume.doc:ILOVEYOU.vbs and store the contents of the I Love You virus within 
the alternate data stream file, none of the tested virus scanners were capable 
of finding the virus during a complete disk scan." 

But some antivirus companies described the threat as minimal because the 
alternate stream trick only hides the bug while it's stored on a victim's 
computer. Pirkka Palomaki, Director of Product Marketing for F-Secure Corp., 
said for the virus to actually run, it has to come out of hiding and load into 
main memory. 

"It would be detected as it tried to activate," Palomaki said. "But this 
signifies importance of real-time protection." He added the virus would still 
have to find its way onto a victim's computer; and that victim would have to 
be tricked into installing the virus using one of the traditional methods, 
such as clicking on an infected e-mail attachment. 

"It could increase the ability for scanners to miss something," said Pat 
Nolan, virus researcher at McAfee Corp. "But we are on top of it. If there is 
a vulnerability, it will be short-lived."


-----------------------
* How to compile it?  
-----------------------

Use Petite version 2.1 (http://www.icl.ndirect.co.uk/petite/). 

tasm32 /ml /m9 /q stream 
tlink32 -Tpe -c -x -aa stream,,,import32 
pewrsec stream.exe 
petite -9 -e2 -v1 -p1 -y -b0 -r* stream.exe 



And here comes the virus source... /#
