Softpedia
July 6th, 2007, 11:03 GMT · By

Crimea Virus Hacks the Windows Operating System

W32/Crimea is a virus that takes a new route around Windows File Protection (WFP): it abuses an undocumented feature of the very mechanism Microsoft set up to protect critical Windows system files. McAfee Avert Labs revealed that Crimea does not take the traditional approach to circumventing WFP; instead, the malware uses one of Microsoft's own application programming interfaces to compromise the operating system. Under normal conditions, only Microsoft can alter, edit, replace or delete critical system files of the Windows operating system, via Windows Service Packs (Update.exe), hotfixes installed using Hotfix.exe, operating system upgrades using Winnt32.exe, and Windows Update. Traditional approaches to taking down Windows File Protection involved patching SFC.dll and SFC_OS.dll.

"Malware authors have found an alternate method with the help of undocumented functions in SFC_OS.dll itself. The SetSfcFileException function disables the WFP for a particular file for one minute normally. This is the time needed by the malware to do its work successfully!!! Now the system is back in form but is infected by the malware. Even though these techniques were out for more than a year, we are seeing these techniques used by malware these days," revealed McAfee Avert Labs, describing the method Crimea uses to compromise the system file imm32.dll and infect the whole computer.

McAfee claims that the malware authors have turned Microsoft's own tools against the Windows platform. Through the SFC_OS.dll function, Crimea infects the Windows system DLL imm32.dll and makes it load additional malicious content by altering its import routine.

"One might start thinking, why in the world should Microsoft provide such APIs in Windows that make the operating system vulnerable to many malware. One of the reasons could be to update system files and install the patches. But it does provide a way for the malware to infect the system easily. Fate, it seems, Microsoft is providing a way to disable their own protection using their own APIs," McAfee Avert Labs added.
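A defender-side check inspired by the behaviour the article describes, added here as an example and not code from McAfee or the article: it correlates a process loading sfc_os.dll with a write to a WFP-protected file inside the one-minute exception window, run over constructed Sysmon-style events. The event layout, the trusted-updater list (taken from the updaters the article names) and the sample process names are assumptions.

```python
import ntpath
from datetime import datetime, timedelta

# Updaters the article names as the legitimate ways to touch protected files (assumed allow-list).
TRUSTED_UPDATERS = {"update.exe", "hotfix.exe", "winnt32.exe"}
# Protected files of interest; imm32.dll is the one Crimea infects.
PROTECTED_FILES = {"imm32.dll", "sfc.dll", "sfc_os.dll"}
# SetSfcFileException lifts protection for roughly one minute.
WINDOW = timedelta(seconds=60)

# Constructed sample events, not real telemetry:
# (ISO timestamp, event type, pid, process image, target path).
SAMPLE_EVENTS = [
    ("2007-07-06T11:00:00", "ImageLoad", 1204, r"C:\Temp\dropper.exe", r"C:\WINDOWS\system32\sfc_os.dll"),
    ("2007-07-06T11:00:07", "FileWrite", 1204, r"C:\Temp\dropper.exe", r"C:\WINDOWS\system32\imm32.dll"),
    ("2007-07-06T11:05:00", "ImageLoad", 880, r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\sfc_os.dll"),
    ("2007-07-06T11:09:00", "FileWrite", 880, r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\imm32.dll"),
    ("2007-07-06T11:20:00", "ImageLoad", 1500, r"D:\i386\winnt32.exe", r"C:\WINDOWS\system32\sfc_os.dll"),
    ("2007-07-06T11:20:30", "FileWrite", 1500, r"D:\i386\winnt32.exe", r"C:\WINDOWS\system32\imm32.dll"),
]


def detect_wfp_bypass(events):
    """Flag a process that loads sfc_os.dll and, within WINDOW, writes a
    protected system file, unless its image is one of the trusted updaters.
    Returns a list of alert dicts."""
    sfc_loaded_at = {}  # pid -> time sfc_os.dll was loaded
    alerts = []
    for ts, kind, pid, image, target in sorted(events):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ts)
        fname = ntpath.basename(target).lower()  # ntpath handles Windows paths on any host
        proc = ntpath.basename(image).lower()
        if kind == "ImageLoad" and fname == "sfc_os.dll":
            sfc_loaded_at[pid] = t
        elif kind == "FileWrite" and fname in PROTECTED_FILES:
            loaded = sfc_loaded_at.get(pid)
            if loaded is None or t - loaded > WINDOW or proc in TRUSTED_UPDATERS:
                continue  # no sfc_os.dll load, outside the one-minute window, or a legitimate updater
            alerts.append({"pid": pid, "image": image, "file": fname,
                           "seconds_after_sfc_load": int((t - loaded).total_seconds())})
    return alerts


if __name__ == "__main__":
    for a in detect_wfp_bypass(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['image']} wrote {a['file']} "
              f"{a['seconds_after_sfc_load']}s after loading sfc_os.dll")
```

On the sample data only the dropper is flagged: svchost.exe writes imm32.dll four minutes after loading sfc_os.dll (outside the window) and winnt32.exe is on the allow-list.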

READER COMMENTS:


Comment #1 by: vishwas7777@gmail.com on 31 Dec 2011, 06:45 UTC

If we make this DLL file read-only, does the problem occur or not?

Copyright © 2001-2012 Softpedia.