Yesterday, we added detection for Virus.Win64.Abul.a to our antivirus databases.
In addition to being the third Win64 virus we’ve seen (following on from Virus.Win64.Rugrat.a and Virus.Win64.Shruggle.a) Abul has got some neat points. It’s written in C, is a very compact 3700 bytes in size, and uses operating system functions to compress part of infected files, so that the file size doesn’t change.
Apart from this, however, there’s nothing really outstanding about Abul. It uses classic file infection methods which have been widely used to infect Win32 platforms.
It injects itself into the CSRSS.EXE and Winlogon.exe processes, and attempts to recursively infect all executable files on the hard disk. If it can’t compress a section of a file so that there’s space to add its code, the file will remain uninfected.
So this latest creation shows that virus writers are still using tried and trusted methods to infect new platforms, with only minor modifications. It’ll probably be a while before we start to see anything truly new for Win64, but then again, in the world of viruses, you never quite know what’s round the next corner.