

July 14th, 2009

Buggy file infectors

File infectors are not at the peak of their popularity nowadays (there is not a wide variety of them in the wild, but the few active ones, such as Sality or Virut, are difficult to defeat). One reason is the frequency of their updates and the complexity of their polymorphism; another is the fact that these viruses are not perfectly tuned. If a file infector is to be successful (and transparent to normal system behaviour), it simply should not produce corrupted files, because the resulting process crashes quickly point out what is going on. I will show some examples of bugs in file infectors below. The problem is that these bugs often make the infected binaries incurable.

Which file infector is the buggiest? It is hard to say, but my favourite is Win32:BluWin, which corrupted 4 out of 10 infected files. Here are some screenshots illustrating how it leaves its victims unable to run properly:

[Screenshots bluw01, bluw02, bluw03: BluWin-infected files that no longer run properly]

These bugs are repeated randomly across the infected samples. BluWin was never very widespread, so let us take a look at a big player: Virut. Virut infects 64-bit binaries. At first I thought this was a feature, but it is a bug! Even this mighty, creepy piece of malware has this weak point. The following picture illustrates it:

[Screenshot vitr01: a 64-bit binary infected with Virut's 32-bit body]

What can we see? We are in a 64-bit binary, but Virut used its 32-bit body. Since the pusha instruction (opcode 60h) does not exist in 64-bit mode, there is always a problem when Virut tries to execute it. And what about inc/dec? Their one-byte short forms are reserved for REX prefixes in 64-bit mode. Is there at least one working 64-bit Virut sample?
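As an added illustration (my own example, not Avast's code and not anything taken from Virut), the following Python shows why a 32-bit infector body is dead on arrival in a 64-bit host: it reads the Machine field from a constructed minimal PE header and decodes the body's first instruction the way a 32-bit and a 64-bit CPU would, modelling only the opcodes the paragraph talks about (pusha and the one-byte inc/dec forms that became REX prefixes). The PE stub and the prologue bytes are constructed for the example, and `pe_machine`, `first_instruction`, `body_runs_on_host` and `stub_pe` are names I chose.

```python
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664  # IMAGE_FILE_HEADER.Machine for x64; 0x014C is i386

# One-byte opcodes that are legal in 32-bit mode but raise #UD in 64-bit mode.
UD_IN_64 = {0x60: "pusha", 0x61: "popa", 0x06: "push es", 0x07: "pop es",
            0x0E: "push cs", 0x16: "push ss", 0x17: "pop ss", 0x1E: "push ds",
            0x1F: "pop ds", 0x27: "daa", 0x2F: "das", 0x37: "aaa", 0x3F: "aas",
            0xCE: "into", 0xD4: "aam", 0xD5: "aad"}
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def pe_machine(image: bytes) -> int:
    """Read Machine from the PE file header (e_lfanew at 0x3C -> 'PE\\0\\0' + Machine)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return struct.unpack_from("<H", image, e_lfanew + 4)[0]

def first_instruction(code: bytes, is64: bool) -> str:
    """Decode the first instruction as a 32-bit or 64-bit CPU would; only the
    opcodes behind the Virut bug are modelled (40h-4Fh inc/dec vs REX, UD_IN_64)."""
    i, rex = 0, False
    while is64 and i < len(code) and 0x40 <= code[i] <= 0x4F:
        i, rex = i + 1, True          # swallowed as a REX prefix, executes nothing
    if i >= len(code):
        return "truncated"
    op = code[i]
    if is64 and op in UD_IN_64:
        return f"#UD ({UD_IN_64[op]} is invalid in 64-bit mode)"
    if 0x40 <= op <= 0x4F:            # only reachable in 32-bit mode
        return ("inc " if op < 0x48 else "dec ") + REGS32[op & 7]
    if op in UD_IN_64:
        return UD_IN_64[op]
    return ("rex " if rex else "") + f"opcode {op:#04x}"

def body_runs_on_host(image: bytes, body: bytes) -> bool:
    """False when the appended body would fault on its very first instruction."""
    is64 = pe_machine(image) == IMAGE_FILE_MACHINE_AMD64
    return not first_instruction(body, is64).startswith("#UD")

def stub_pe(machine: int) -> bytes:
    """Constructed minimal header (not a real PE): MZ, e_lfanew=0x40, PE signature, Machine."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18

# Constructed 32-bit self-locating prologue (pusha; call $+5; pop ebp), not Virut's bytes.
PROLOGUE_32 = bytes([0x60, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x5D])
```

The same prologue passes `body_runs_on_host` against an i386 stub and fails against an AMD64 stub, which is exactly the corruption the screenshot above shows.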

Categories: Virus Lab
  • Karl-Heinz Bonacker

    Question re “Boot-time Scan”:
    Which option is less dangerous – “put infected file into container” or “restore” (i.e., in my understanding, “repair infected file”)?
    Thanks for any help on this issue!
    Bonacker

  • http://chazzeromus.blogdns.net Chaz

    Ha, that’s great. I never thought I’d get near any form of familiarity with hard-working people like this. That’s great to hear, even virus authors have their bad days. And for the virus you’ve covered in this blog, I really like your approach (first that I’ve heard!). IMHO, those authors are merely nothing than those who believe in their skill to the point they neglect how hard they work (makes me believe these bugs were intentional to further obfuscate, just think why not). I found this article interesting because I too know much about Intel’s rather odd ISA. I haven’t looked much into their software developer’s manual, but thanks to this article, I can probably get back to some reading. Just saying thanks for reminding me of what I love!

  • http://windstream.net RALPH jammen

    when I saw that I thought it was mind when my when I doze off while writing or researching my injury compression disk injuries to when I’m in pain and can’t sleep multiple letters and pages full of one letter plus when my keys stuck or not realizing my fingers on the keys

  • http://windstream.net RALPH jammen

    When you find that out, Carl, let me know?

  • mustafa öztürk

    fayn

  • atmosphere3

    thanks, I have been using avast for a long time; the site is in English and I could not convert it to French
    my regards

  • http://www.avast.com Michal Krejdl

    @Karl-Heinz Bonacker
    There are some file infectors which can be cured with a high probability of success (Win32:Parite etc.). Then it’s a good choice to repair them. Feel free to visit our forums, where you can get more information.

  • http://www.avast.com Michal Krejdl

    @Chaz
    Thanks, I’m glad that this article found its readers.

  • sarvy

    Hi….
    I’m using Windows XP SP2 with Mozilla Firefox as my browser. While surfing the internet I get some Win32 error most of the time. When I close it my internet gets disconnected. Is it due to a virus??
    Please help…

  • zormaster

    I feel very sorry for saying that avast wasn’t good enough to remove a virus/bug/worm (whatever) from my PC which made its impact on the firewall, making it impossible to browse any website (even Google!); it made me so helpless that finally I was forced to format the whole system (now my PC is working normally). But it’s very disappointing that even avast’s boot-time scanning wasn’t helpful!!

    I hope you may reply to this…

  • Ricky White

    I love this Avast antivirus and I have used it for a very long time, and I wouldn’t install any other protection other than the Pro Avast if I changed products.