This virus is another fine creation by Vecna. What's good about this one?
It is one of the few multipartite viruses, infecting both PE files and Word documents.
The virus is per-process resident, with full Win32 compatibility; even the PE header manipulation works fine under NT (something a couple of viruses handle incorrectly). Another good feature is LZ/RLE compression to reduce its size; it has been a couple of years since Cruncher, the first virus with compression, hit the world, and it is still a worthy idea. The virus's polymorphism is based on the initial code islands strategy (as used in Commander Bomber or OneHalf), followed by several poly loops in the PE code, here called poly subroutines with local variables. To make the virus even better, the macro stuph is polymorphic too. Identification of the virus is harder for the AVerz due to the use of anti-emulation code; some parts are encrypted in memory, and the virus runs in multiple threads.
There are several ways the virus spreads - it acts as a direct action infector, hooks MAPI calls and attaches infected documents or files to emails sent from the affected computer, and sends emails to addresses found on visited webpages. A clever part of the email spreading strategy is that it stores the CRC32 of each email address to which infected messages have already been sent.
No virus is perfect without some retro stuph - in this case the AVP monitor is forced to say goodbye, and as a very positive side effect, by deleting AV checksums this virus increases free disk space :)
Of course, it also has more advanced features, but to discover them you will have to check the virus yourselves :P
The virus has a payload - a message box, which is displayed 8 months after infection. Without this feature the virus could live forever on the computer; it is not necessary to give the user a hint about the infection....
Download the source code of WM/W32.Cocaine here