A sandwich virus

Filed Under: Malware, SophosLabs

One of the simplest methods of file infection is to put the virus at the start of the file, leaving the host at the end.  A less common way is to put the host first and save the virus at the end.  W32/Kies-A does both.

A Kies-infected file starts with a virus executable, followed by the stored host, and finally another virus executable.

  • The first part of the virus extracts the host and other component to the current folder in order to run both. It also deals with connecting to the internet, in order to ring home and download more files.
  • The host gets run, but without any command line arguments, so it may not always work as the user intended.
  • The second part of the virus performs the infection routine, searching for executables on the local drive and network shares.

The layout of W32/Kies-A

As a result, infected files have a layout like a sandwich, or a popular design of biscuit.

You might like