File Patcher W32/Tobin

antivir_okWhile refining and improving our detection of the W32/Tobin file patcher malware we analysed its “infection” algorithm closer. Upon execution, it drops a DLL (usually “nikitob.dll”) and modifies executable files on the system so that they load the dropped DLL once they get started. So far nothing new or unusual.

Fig. 1: The import table

Fig. 1: The new import table

W32/Tobin adds a new section named “.lenna” at the end of the PE file. This section consists of an import table – such import tables are used by the Windows loader to dynamically load DLLs and provide the corresponding function from them to the started program. The new import table references the dropped DLL “nikitob.dll”. At the same time, the import data directory entry in the PE header gets modified to point to the newly attached import table. If there is a bound import table in the executable, W32/Tobin “removes” the entry from the data directory by setting it’s RVA and size to 0.

Fig. 1: Original data directory address

Fig. 2: Original data directory address

Fig. 2: Patched data directory address

Fig. 3: Patched data directory address

The dropped DLL “nikitob.dll” just exports one function, “NikitaTob”. Upon calling it, it shows a message box with the text “NikitaTob”. The actual virus code is executed automatically when the DLL is loaded.

Fig. 4: The malware dll exports just one function

Fig. 4: The malware dll exports just one function

Among other things, the import address table is rebuilt to make the patched executable work. In our analysis we didn’t find further malicious routines in the malware.

Fig. 5: Upon calling the exported function, W32/Tobin just shows a message

Fig. 5: W32/Tobin just shows a message

In one of the W32/Tobin samples we found the reference to “C:NIKITASoftblack_soft29anikitobReleasenikitob.pdb”. A short search in our archives turned up an old magazine of the VX group 29A. In the issue from January 2005 there is proof-of-concept code which exactly infects files the W32/Tobin-way. The new section there is called “.senna”, and a message box shows the text “PayLoad”. It looks like some malware writers used the Proof-of-Concept virus to learn new techniques.

Removing this kind of malware from an infected system isn’t as simple as it may look on first glance. Simply deleting the dropped DLL doesn’t work: The infected executables depend upon the DLL now and won’t start anymore. Most likely the whole system wouldn’t start up anymore. Since W32/Tobin stores the address of the original import table at the end of the executable, it is possible to restore that value and disinfect the system gracefully.

Dirk Knop
Technical Editor