Apocalypse not yet

Filed Under: SophosLabs

The USB worm W32/Zaap-A successfully spreads itself to removable disks, and in some cases to data CDs burned on the infected computer. The writer also intended for it to display the following message if it is run on a specific date:

Doomsday Has Come... YOU ARE iNFECTED BY RAVO_5002

Once this message is dismissed, it will immediately pop up again. To find the date on which this will happen, we must look at the disassembly of the worm:

...
mov dword ptr [esp], offset aDate ; "DATE"
call getenv
mov [ebp+today], eax
cmp [ebp+today], offset a10072007 ; "10/07/2007"
jz short payload
cmp [ebp+today], offset a07102007 ; "07/10/2007"
jz short payload
cmp [ebp+today], offset a7102007 ; "7/10/2007"
jz short payload
...

So the intention was to activate the payload on either the 10th of July, or the 7th of October (depending on how the locale formats the date). But the worm was written in C, and the relevant part of the source code will have looked something like this:

today = getenv("DATE");
if ( (today == "10/07/2007")
||(today == "07/10/2007")
||(today == "7/10/2007") )
{ payload(); }

This shows two mistakes on the part of the author, suggesting that he has not tested his creation. Firstly, "DATE" isn't a real environment variable. The Windows command interpreter, cmd.exe, expands "%DATE%" on the fly as a dynamic variable, but the value never lands in the process environment block, so it is not available to other processes through the "getenv()" API: the call simply returns NULL.

A bigger mistake is the (attempted) string comparison. In C, "==" applied to two "char *" values compares the pointers, not the characters they point to. The worm is therefore only comparing the address returned by "getenv()" with the addresses of the fixed strings inside its own executable, and the two can never be equal, so the payload will never be executed. The comparison the author wanted is the one "strcmp()" performs on the contents. This is a common misunderstanding for someone who is just beginning with C, suggesting that the author isn't just unfamiliar with viruses, but with the tools he uses to create them.
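The two mistakes side by side, as an added example written for this page rather than code taken from the worm or from SophosLabs. It reproduces the pointer comparison from the disassembly, shows the content comparison the author presumably intended (with the NULL return from "getenv()" handled), and obtains a date the way a working C program would, via time() and strftime(). The "%m/%d/%Y" format and the buffer names are this example's assumptions; the three trigger strings are the ones recovered from the worm.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* The three date strings recovered from the worm's disassembly. */
static const char *const TRIGGERS[] = { "10/07/2007", "07/10/2007", "7/10/2007" };
#define NTRIGGERS (sizeof TRIGGERS / sizeof TRIGGERS[0])

/* The worm's logic as written: '==' compares the address held in 'today'
   with the address of each literal. A date read from the environment (or
   from any buffer the worm did not itself place in its own image) can
   never match. */
int payload_fires_as_written(const char *today)
{
    size_t i;
    for (i = 0; i < NTRIGGERS; i++)
        if (today == TRIGGERS[i])   /* pointer comparison, not string comparison */
            return 1;
    return 0;
}

/* What the author evidently meant: compare contents with strcmp(), and
   cope with getenv() returning NULL when the variable is absent. */
int payload_fires_corrected(const char *today)
{
    size_t i;
    if (today == NULL)
        return 0;
    for (i = 0; i < NTRIGGERS; i++)
        if (strcmp(today, TRIGGERS[i]) == 0)
            return 1;
    return 0;
}

/* Mistake one: "DATE" is not something getenv() can see. A working
   program gets the date from time()/strftime(). This helper formats a
   given time_t in UTC as MM/DD/YYYY (the "07/10/2007" form); the format
   string is an assumption of this example, since the worm's own check
   depended on whatever the locale would have produced. Returns 1 on
   success, 0 on failure. */
int format_date_utc(char *buf, size_t n, time_t t)
{
    struct tm *tmp = gmtime(&t);
    if (tmp == NULL)
        return 0;
    return strftime(buf, n, "%m/%d/%Y", tmp) != 0;
}

/* Reads the date the way the worm tried to. On Windows, %DATE% is
   expanded by cmd.exe itself and is not in the environment block, so this
   returns NULL there unless someone has explicitly set DATE. */
const char *date_from_env(void)
{
    return getenv("DATE");   /* may be NULL; callers must check */
}

int main(void)
{
    char env_style_buf[16];   /* constructed input: a buffer outside the image */
    char today[16];
    const char *from_env;

    /* The trigger date copied into a buffer the worm did not allocate,
       which is what an environment value would be. */
    strcpy(env_style_buf, "10/07/2007");
    printf("as written : %d\n", payload_fires_as_written(env_style_buf));
    printf("corrected  : %d\n", payload_fires_corrected(env_style_buf));

    if (format_date_utc(today, sizeof today, time(NULL)))
        printf("today %s -> corrected check: %d\n",
               today, payload_fires_corrected(today));

    from_env = date_from_env();
    printf("getenv(\"DATE\") = %s\n", from_env ? from_env : "(null)");
    return 0;
}
```

One caveat worth knowing when reproducing this: if you call payload_fires_as_written() with the literal "10/07/2007" itself, a compiler that merges identical string literals can make the pointer comparison succeed, which is exactly why a quick test of such code can appear to pass while the real input (an environment or heap buffer) never matches.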
