01 Jun 2+2=89?
10 Nov New file infector for Win64
02 Jun GpCode: update
01 Jun New GpCode spreading
26 Jan New GPCode
We recently added detection for a file infector to our databases, for something we call Virus.Win32.Induc.a. Since then, we've had a load of questions about it. It doesn't currently have a malicious payload, and it doesn't directly infect .exe files. Instead, it checks if Delphi is installed on the victim machine, looking for versions 4.0, 5.0, 6.0 and 7.0.
If the malware does find one of these Delphi versions, it copies SysConst.pas to \Lib and writes its code to it. It then makes a backup of SysConst.dcu, calling it SysConst.bak (dcu files are kept in \Lib). It then compiles \Lib\SysConst.pas giving an infected version of SysConst.dcu. The modified .pas file gets deleted.
var sc:array[1..24] of string=('uses windows; var sc:array[1..24] of string=(', 'function x(s:string):string;var i:integer;begin for i:=1 to length(s) do if s[i]',
'=#36 then s[i]:=#39;result:=s;end;procedure re(s,d,e:string);var f1,f2:textfile;', 'h:cardinal;f:STARTUPINFO;p:PROCESS_INFORMATION;b:boolean;t1,t2,t3:FILETIME;begin',
'h:=CreateFile(pchar(d+$bak$),0,0,0,3,0,0);if h<>DWORD(-1) then begin CloseHandle',
The result – any Delphi program compiled on the computer gets infected. (We've already had a company contacting us to complain about something they thought was a false positive.) Maybe this particular virus isn't that much of a threat: it's not the first time we've seen this propagation method, the code itself is primitive, there's no other payload, and there are far easier ways to infect machines. But in the past we've seen new infection routines get picked up, tweaked, and taken further. We'll be keeping an eye on this one, just in case.
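A defender-side check for the artefacts described above, as an added example rather than code from the original post: it looks in a Delphi Lib directory for a SysConst.bak backup, a leftover SysConst.pas, and a SysConst.dcu that differs from its backup. The finding labels, the function names and the idea of searching the compiled unit for the first string of the quoted fragment are assumptions of this example; the demo runs on constructed stand-in files.

```python
import os
import tempfile

# Indicators from the description above. MARKER is the first string of the
# quoted source fragment; that it survives in the compiled .dcu is assumed.
MARKER = b"uses windows; var sc:array[1..24] of string=("

def _find(lib_dir, wanted):
    """Case-insensitive lookup, since Windows file names ignore case."""
    for name in os.listdir(lib_dir):
        if name.lower() == wanted.lower():
            return os.path.join(lib_dir, name)
    return None

def _read(path):
    with open(path, "rb") as fh:
        return fh.read()

def check_delphi_lib(lib_dir):
    """Return the list of findings for one Delphi Lib directory."""
    findings = []
    bak, dcu, pas = (_find(lib_dir, n) for n in
                     ("SysConst.bak", "SysConst.dcu", "SysConst.pas"))
    if bak:
        findings.append("backup-present")        # SysConst.bak left beside the unit
    if pas:
        findings.append("source-in-lib")         # .pas copy that was not deleted
    if dcu and MARKER in _read(dcu):
        findings.append("marker-in-dcu")
    if dcu and bak and _read(dcu) != _read(bak):
        findings.append("dcu-differs-from-backup")
    return findings

def demo():
    """Run the check on two constructed directories (stand-in bytes, not real units)."""
    layouts = {"clean": {"SysConst.dcu": b"ORIGINAL"},
               "tampered": {"SysConst.dcu": b"UNIT" + MARKER, "SysConst.bak": b"ORIGINAL"}}
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for label, files in layouts.items():
            os.mkdir(os.path.join(root, label))
            for name, body in files.items():
                with open(os.path.join(root, label, name), "wb") as fh:
                    fh.write(body)
            results[label] = check_delphi_lib(os.path.join(root, label))
    return results

if __name__ == "__main__":
    print(demo())
```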
This week we added another unusual detection – detection for a calculator virus.
Virus.TI.Tigraa.a is a memory resident virus, and in the best tradition of DOS viruses, it's a mere 492 bytes in size. It works on Texas Instruments TI-89 graphing calculators (the TI-89, TI-89 Titanium, and the Voyage 200 which will run most programs for the TI-89) with the Motorola 68000 processor. The virus is designed to clear the screen and then display a message saying 't89.GAARA'.
Of course, Tigraa.a is classic proof of concept code. It'll only work on individual calculators, and can't spread. But nevertheless, it's created another entry in the roll call of potentially infectable devices.
Yesterday, we added detection for Virus.Win64.Abul.a to our antivirus databases.
In addition to being the third Win64 virus we've seen (following on from Virus.Win64.Rugrat.a and Virus.Win64.Shruggle.a), Abul has some neat points. It's written in C, is a very compact 3700 bytes in size, and uses operating system functions to compress part of infected files, so that the file size doesn't change.
Apart from this, however, there's nothing really outstanding about Abul. It uses classic file infection methods which have been widely used to infect Win32 platforms.
It injects itself into the CSRSS.EXE and Winlogon.exe processes, and attempts to recursively infect all executable files on the hard disk. If it can't compress a section of a file so that there's space to add its code, the file will remain uninfected.
So this latest creation shows that virus writers are still using tried and trusted methods to infect new platforms, with only minor modifications. It’ll probably be a while before we start to see anything truly new for Win64, but then again, in the world of viruses, you never quite know what's round the next corner.
We're continuing to get requests from users with files which have been encrypted by GpCode.
The good news is that we've sorted the encryption algorithm, and added a decryption routine to the latest antivirus database updates.
If you have files which have been encrypted by GpCode, update your antivirus databases, and scan your machine. Your files will be automatically decrypted.
If you've updated your antivirus databases, and your files are still encrypted, please send them to firstname.lastname@example.org
Two hours ago we started receiving multiple emails from users with encrypted documents.
Virus.Win32.GpCode.ae is responsible for this outbreak - this is a new variant of something we’ve reported on before. It’s currently affecting Russian Internet users and doesn’t seem to be spreading in the West.
This encryptor is already caught by the existing detection for the previous version of this program, Virus.Win32.GpCode.ad.
In comparison to the previous version, one of the main differences is that the encryption algorithm used is stronger - the previous version used RSA 67 bit, but this one uses RSA 260 bit. We're working on the decryption algorithm.
We’ll update you as we get more information.
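Why the modulus size mentioned above matters, as an added example that is not the decryption routine from the antivirus databases (the post does not describe that routine): a constructed 67-bit RSA modulus is factored with Pollard's rho and the private exponent rebuilt from the factors. The key, the message and all function names are constructed for this example.

```python
import math

def is_prime(n):
    """Trial division; adequate for the ~34-bit primes built below."""
    return n > 2 and n % 2 == 1 and all(n % d for d in range(3, math.isqrt(n) + 1, 2))

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def pollard_rho(n):
    """Return a non-trivial factor of an odd composite n (Floyd cycle finding)."""
    for c in range(1, 50):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")

def recover_plaintext():
    # Constructed key pair (not a GpCode key): primes sized so n is 67 bits.
    p, q = next_prime(1 << 33), next_prime(3 << 32)
    n, e = p * q, 65537
    while math.gcd(e, (p - 1) * (q - 1)) != 1:
        e += 2
    message = int.from_bytes(b"file key", "big")
    ciphertext = pow(message, e, n)

    # Analyst's side: only n, e and the ciphertext are used from here on.
    f = pollard_rho(n)
    d = pow(e, -1, (f - 1) * (n // f - 1))
    recovered = pow(ciphertext, d, n).to_bytes(8, "big")
    return n.bit_length(), f * (n // f) == n and 1 < f < n, recovered

if __name__ == "__main__":
    print(recover_plaintext())
```

The work for this method grows with the square root of the smaller prime factor, so a 260-bit modulus is far beyond this script and calls for a different factoring approach.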
We've got another version of GPCode. We're currently looking at the encryption algorithms, and we'll get back to you with the full story in the near future.
Here in Russia we are getting letters from users who have been hit by Virus.Win32.JuNy.b. This virus is very similar to Virus.Win32.GPCode. It encrypts files on the local system. The sender then attempts to blackmail the victim. Currently the price for having your files decrypted is 20 dollars in web money.
We have been detecting JuNy.b since September 29. Everybody should make sure they have updated their antivirus databases. However, if you do get hit please contact us at email@example.com ASAP. You'll know if you've been hit if you suddenly can't access a large number of files and you have a text file (the name is in Russian and roughly translates as "C****_has come to visit") either on your desktop or in the temp folder.
Note: At the time of writing, Virus.Win32.JuNy.b is spreading only in Russia. If we get reports from other countries we will post an update on the blog.