W32/Virut: Evolution gone wrong
Monday October 8, 2007 at 6:43 am CST
Posted by Vinoo Thomas
In this age of botnets, rootkits, spyware and other bleeding edge security threats, file infectors are frequently thought of as a dead threat. But over the past year or so, we have seen a resurgence in classic file infecting viruses. Parasitic threats such as W32/Bacalid, W32/Detnat and W32/Polip have enjoyed a relatively high degree of success in the wild causing widespread damage to computer systems.
An upcoming new kid on the block is W32/Virut – a polymorphic entry-point obscuring virus with IRC bot functionality. Once a machine is infected, it hooks the following APIs (ZwCreateFile, ZwCreateProcess, ZwCreateProcessEx, ZwOpenFile) in ntdll.dll for all running processes, in an attempt to infect .EXE and .SCR files. It then “phones home” to a remote IRC command and control server where it can be instructed to download other malware or be used to perform DDoS attacks.
W32/Virut comes with its share of buggy code and, as a result, it may misinfect or reinfect a significant proportion of executable files, leaving them permanently corrupted beyond repair. Some variants make the trivial mistake of not checking PE section boundaries while infecting, and this causes infected executables to crash when run. Also, the virus sometimes hijacks its own function calls, which leads to an infinite loop. No one ever said viruses had the best programming
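The section-boundary mistake described above leaves a detectable trace in the file itself. The following added example (not code from the original post) is a small triage check that parses a PE section table and reports the two inconsistencies a careless infection leaves behind: a section whose raw data extends past the end of the file, and an entry point that no section maps. The sample images are constructed in the script; the names build_pe, parse_pe and section_problems are this example's own.

```python
import struct

SEC_HDR = struct.Struct("<8sIIIIIIHHI")  # 40-byte IMAGE_SECTION_HEADER

def build_pe(sections, entry_rva, file_size):
    """Constructed sample only: a minimal PE image carrying the given section table.
    sections = [(name, vaddr, vsize, rawptr, rawsize)]; the file is zero-padded to file_size."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)             # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    hdrs = b"".join(SEC_HDR.pack(n.encode().ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                    for n, va, vs, rp, rs in sections)
    return (dos + coff + opt + hdrs).ljust(file_size, b"\0")

def parse_pe(data):
    """Return (entry point RVA, [(name, vaddr, vsize, rawptr, rawsize)]) from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]   # AddressOfEntryPoint
    sec_off = pe_off + 24 + opt_size
    secs = []
    for i in range(nsec):
        f = SEC_HDR.unpack_from(data, sec_off + i * SEC_HDR.size)
        secs.append((f[0].rstrip(b"\0").decode(), f[2], f[1], f[4], f[3]))
    return entry_rva, secs

def section_problems(data):
    """List the boundary violations a mis-infection leaves behind; empty means consistent."""
    entry_rva, secs = parse_pe(data)
    problems = []
    for name, va, vs, rp, rs in secs:
        if rp + rs > len(data):   # section claims raw bytes the file does not contain
            problems.append(f"{name}: raw data ends at {rp + rs:#x}, beyond file size {len(data):#x}")
    home = [s for s in secs if s[1] <= entry_rva < s[1] + max(s[2], s[4])]
    if not home:                  # entry point redirected into space no section maps
        problems.append(f"entry point {entry_rva:#x} lies outside every section")
    elif entry_rva - home[0][1] >= home[0][4]:
        problems.append(f"entry point {entry_rva:#x} points past the raw data of {home[0][0]}")
    return problems

# Constructed samples: a consistent layout, and one whose last section was grown past
# the end of the file and whose entry point was moved to an RVA no section maps.
CLEAN = build_pe([(".text", 0x1000, 0x200, 0x200, 0x200), (".data", 0x2000, 0x100, 0x400, 0x200)], 0x1010, 0x600)
BAD = build_pe([(".text", 0x1000, 0x200, 0x200, 0x200), (".data", 0x2000, 0x100, 0x400, 0x600)], 0x3000, 0x600)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("misinfected", BAD)):
        print(label, section_problems(img) or "OK")
```

Running the script on a real suspect file means reading it as bytes and passing the contents to section_problems; a non-empty list is a reason to quarantine the file rather than run it.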
The creator of W32/Virut appears to have a fancy for the works of Friedrich Nietzsche – a nineteenth century German philosopher. Embedded in the virus body is an excerpt from a poem by Nietzsche.
O noon of life! O time to celebrate!
O summer garden!
Relentlessly happy and expectant, standing: -
Watching all day and night, for friends I wait:
Where are you, friends? Come! It is time! It’s late!
Virus code is usually known to contain personal taunts directed towards the antivirus community or flames against rival malware authors. But quoting Friedrich Nietzsche – that’s deep! (Credits to Naveen Gooty for analysis but Dave Marcus still doubts the translation used in the virus code!!).

October 8th, 2007 at 08:47
Good find, I wonder if this is a result of a class the virus writer is taking?
Michael Rowles
CopiaTECH
October 12th, 2007 at 22:43
It is probably from his AP Literature class. They all cover this poem now, and Nietzsche is oh so trendy these days with the kids…