
July 14th, 2009

Buggy file infectors

File infectors are not at the top of the popularity charts nowadays (there is not a wide variety of them ITW, but the few that are active, such as Sality or Virut, are difficult to defeat). One reason is the frequency of their updates and the complexity of their polymorphism; another is the fact that these viruses are not perfectly tuned. If a file infector is to be successful (and transparent to normal system behavior), it simply must not produce corrupted files (process crashes quickly point out what is going on). Below in this article I will show some examples of bugs in file infectors. The problem is that these bugs often make the infected binaries incurable.

Which file infector is the buggiest? It is hard to say, but my favourite is Win32:BluWin, with 4/10 corrupted files. Here are some screenshots illustrating how the victims are left unable to run properly:

[screenshot: bluw01]

[screenshot: bluw02]

[screenshot: bluw03]

These bugs are repeated randomly across the infected samples. BluWin was never very widespread, so let us take a look at the big player, Virut. Virut infects 64-bit binaries. At first I thought it was a feature, but it is a bug! Even this mighty creepy piece of malware has this weak point. The following picture shows it:

[screenshot: vitr01]

What can we see? We are in a 64-bit binary, but Virut used its 32-bit body. Since the pusha instruction (60h) does not exist in 64-bit mode, there is always a problem when Virut tries to execute it. And what about inc/dec (their short forms are reserved for REX prefixes in 64-bit mode)? Is there at least one working 64-bit Virut sample?
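The mismatch described above is easy to triage mechanically: a PE32+ image whose entry point begins with an opcode that only exists in 32-bit mode cannot run at all, which is exactly the "32-bit body in a 64-bit host" symptom. The following Python script is an added example written for this post, not Avast's tooling or anything from the Virut analysis. It parses the PE headers (optional-header magic 0x20B for PE32+, 0x10B for PE32), maps the entry-point RVA to a file offset, and names the first instruction at the entry point if it is one of the single-byte opcodes that raise #UD in 64-bit mode (the list is assembled from the x86 manuals; the post itself only names pusha). The 40h-4Fh inc/dec bytes are deliberately not flagged: in 64-bit mode they decode as REX prefixes rather than faulting, so a byte check cannot tell a misplaced 32-bit `inc` from a legitimate `sub rsp, 28h` prologue without a real decoder. The `build_pe` helper and its sample bodies are constructed test data, not real files.

```python
import struct

# Single-byte opcodes that are legal in 32-bit mode but undefined (#UD) in
# 64-bit mode. A 32-bit viral body written into a PE32+ image faults as soon
# as execution reaches one of them. (List assembled from the x86 manuals.)
INVALID_IN_64BIT = {
    0x06: "push es", 0x07: "pop es", 0x0E: "push cs",
    0x16: "push ss", 0x17: "pop ss", 0x1E: "push ds", 0x1F: "pop ds",
    0x27: "daa", 0x2F: "das", 0x37: "aaa", 0x3F: "aas",
    0x60: "pusha", 0x61: "popa", 0x62: "bound", 0x9A: "call far",
    0xCE: "into", 0xD4: "aam", 0xD5: "aad", 0xD6: "salc", 0xEA: "jmp far",
}
# Legacy prefixes that may precede the first real opcode (skipped so that
# e.g. a 66h-prefixed pusha is still recognised).
LEGACY_PREFIXES = {0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0x66, 0x67,
                   0xF0, 0xF2, 0xF3}


def parse_pe(data):
    """Return (is_pe32plus, entry_rva, sections) from a PE file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off, = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    magic, = struct.unpack_from("<H", data, opt_off)
    is_plus = magic == 0x20B           # PE32+ (64-bit) vs 0x10B (PE32)
    entry_rva, = struct.unpack_from("<I", data, opt_off + 16)
    sections = []
    for i in range(num_sections):
        off = opt_off + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    return is_plus, entry_rva, sections


def rva_to_offset(rva, sections):
    """Translate an RVA to a raw file offset using the section table."""
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x not backed by any section" % rva)


def check_entry_point(data):
    """Return (is_pe32plus, mnemonic). mnemonic names the first instruction
    at the entry point if it cannot execute in 64-bit mode, else None."""
    is_plus, entry_rva, sections = parse_pe(data)
    if not is_plus:
        return False, None             # all of these opcodes are legal in PE32
    off = rva_to_offset(entry_rva, sections)
    while off < len(data) and data[off] in LEGACY_PREFIXES:
        off += 1
    if off >= len(data):
        raise ValueError("entry point outside file")
    return True, INVALID_IN_64BIT.get(data[off])


def build_pe(entry_code, pe32plus=True):
    """Constructed minimal PE (one .text section, entry at RVA 0x1000)."""
    magic, opt_size = (0x20B, 240) if pe32plus else (0x10B, 224)
    machine = 0x8664 if pe32plus else 0x14C
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<HBBIIII", magic, 0, 0, len(entry_code), 0, 0, 0x1000)
    opt += b"\0" * (opt_size - len(opt))
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(entry_code), 0x1000,
                       0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sect
    headers += b"\0" * (0x200 - len(headers))
    return headers + entry_code.ljust(0x200, b"\0")


if __name__ == "__main__":
    # Constructed entry bodies: a 32-bit prologue starting with pusha (60h)
    # versus an ordinary x64 prologue "sub rsp, 28h" (48 83 EC 28).
    for label, code in [("32-bit body in PE32+", b"\x60\xE8\x00\x00\x00\x00"),
                        ("proper x64 prologue", b"\x48\x83\xEC\x28")]:
        print(label, "->", check_entry_point(build_pe(code)))
```

Run as a script it prints `(True, 'pusha')` for the constructed 32-bit body and `(True, None)` for the x64 prologue; for a PE32 host the check returns `(False, None)` because the same bytes are perfectly valid there. It is a first-instruction heuristic only: a body that reaches an invalid opcode later, or one whose inc/dec bytes are silently swallowed as REX prefixes, needs a full disassembler or emulation to catch.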

Categories: Virus Lab
  1. Karl-Heinz Bonacker
    July 23rd, 2009 at 02:12 | #1

    Question re “Boot-time Scan”:
    Which option is less dangerous: “put infected file into container” or “restore” (i.e. in my understanding “repair infected file”)?
    Thanks for any help on this issue!
    Bonacker

  2. July 23rd, 2009 at 02:48 | #2

    Ha, that’s great. I’d never have thought I’d get near any form of familiarity with hard working people like this. That’s great to hear even virus authors have their bad days. And for the virus you’ve covered in this blog, I really like your approach (first that I’ve heard!). IMHO, those authors are merely nothing than those who believe in their skill to the point they neglect how hard they work (makes me believe these bugs were intentional to further obfuscate, just think why not). I found this article interesting because I too know much about Intel’s rather odd ISA. I haven’t looked much into their software developers manual but thanks to this article, I can probably get back to some reading. Just saying thanks for reminding me of what I love!

  3. July 23rd, 2009 at 02:58 | #3

    when I saw that I thought it was mine when my when I doze off while writing or researching my injury compression disk injuries to when I’m in pain and can’t sleep multiple letters and pages full of one letter plus when my keys stuck or not realizing my fingers on the keys

  4. July 23rd, 2009 at 03:01 | #4

    When you find that out, Carl, let me know?

  5. mustafa öztürk
    July 23rd, 2009 at 07:47 | #5

    fayn

  6. atmosphere3
    July 23rd, 2009 at 09:02 | #6

    Thanks, I have been using avast for a long time. The site is in English and I could not convert it to French.
    My regards

  7. July 23rd, 2009 at 09:29 | #7

    @Karl-Heinz Bonacker
    There are some file infectors which can be cured with a high probability of success (Win32:Parite etc.). Then it’s a good choice to repair them. Feel free to visit our forums, where you can get more information.

  8. July 23rd, 2009 at 09:57 | #8

    @Chaz
    Thanks, I’m glad that this article found its readers.

  9. sarvy
    July 23rd, 2009 at 13:07 | #9

    Hi…
    I am using Windows XP SP2, with Mozilla Firefox as browser. While surfing the internet I get some Win32 error most of the time. When I close it my internet gets disconnected. Is it due to any virus??
    Please help…

  10. zormaster
    July 26th, 2009 at 19:27 | #10

    I feel very sorry for saying that avast wasn’t good enough to remove a virus/bug/worm (whatever) from my PC which made its impact on the firewall, making it impossible to browse any website (even Google!). It made me so helpless that finally I was forced to format the whole system (now my PC is working normally). But it’s very disappointing that even avast’s boot-time scanning wasn’t helpful!!

    I hope you may reply to this…

  11. Ricky White
    July 28th, 2009 at 02:29 | #11

    I love this Avast antivirus and I have used it for a very long time and wouldn’t install any other protection other than the Pro Avast if I changed products.
