Viral Versioning

Filed Under: SophosLabs

We've seen increased numbers of viruses this year, not least from the Sality family, and that's included a fair amount of battling with corrupt infections (1, 2). But while analysing the code, I was reminded of an unusual quirk of this set of viruses - they contain code versions.

I actually worked on the first Sality samples as a more junior analyst back in 2003, when the viruses were relatively simple prependers. This is the string I saw:

Sality - KUKU 1.09

As you can see, the virus actually calls itself "KUKU", which apparently means "hide and seek" or "peek-a-boo" in Russian, and HLLP means it's a High Level Language Parasitic (or sometimes Prepender) virus. Along with an antagonistic message to the poor infected user, the author has even had time to sign the work - this is by someone who calls themselves "Sector".

A few months and a few variants later, we saw this:

Sality - KUKU 2.04

Fast forward 5 years, and Sality has become a much more complicated beast. It can infect in a variety of ways: appending its body as a new final section, storing some of its code in the existing slack space at the end of a host's sections, redirecting the host's entry point, or mid-infecting the host's code (transferring control from inside the host's own code rather than from its entry point). The more recent variants have added new tricks on top of that, including dummy API calls intended to throw off emulators. Here's an example of a recent version string:
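Each of the infection styles just listed (a new final section, code hidden in section slack, a moved entry point) leaves marks in the PE headers that a triage analyst checks before doing any disassembly. The following Python script is an added example, not SophosLabs code and not anything taken from the virus: it parses a PE's section table, reports where the entry point lands and how much file slack each section has, and flags the header patterns those infection styles produce. The three images it examines (`clean_host`, `host_with_appended_section`, `host_with_entry_in_slack`) are constructed in memory with zero-filled section bodies; the section name `.added` and every address in them are assumptions for the demo, not values from any real Sality sample.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_CNT_INIT    = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) using the PE headers only."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # AddressOfEntryPoint sits at +16 in both PE32 and PE32+ optional headers.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_of_opt + i * 40          # section headers are 40 bytes each
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry, sections


def triage(data):
    """Header heuristics for appended-section, slack-space and moved-entry infections."""
    entry, sections = parse_pe(data)
    last = sections[-1]
    report = {"entry_rva": entry, "entry_section": None,
              "entry_in_last_section": False, "entry_beyond_virtual_size": False,
              "last_section_writable_exec": False, "file_slack": {}, "suspicious": []}
    for s in sections:
        # Bytes past VirtualSize but inside SizeOfRawData are file slack: alignment
        # padding a cavity infector can overwrite without growing the file.
        slack = s["rawsize"] - s["vsize"]
        if slack > 0:
            report["file_slack"][s["name"]] = slack
        if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            report["entry_section"] = s["name"]
            if entry >= s["vaddr"] + s["vsize"]:
                report["entry_beyond_virtual_size"] = True
    if len(sections) > 1 and report["entry_section"] == last["name"]:
        report["entry_in_last_section"] = True
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    report["last_section_writable_exec"] = (last["chars"] & wx) == wx
    if report["entry_in_last_section"]:
        report["suspicious"].append("entry point in final section (appended code?)")
    if report["entry_beyond_virtual_size"]:
        report["suspicious"].append("entry point past VirtualSize (code in file slack?)")
    if report["last_section_writable_exec"]:
        report["suspicious"].append("final section is writable and executable")
    return report


def build_pe(sections, entry_rva, file_align=0x200):
    """Constructed minimal PE32 image (real headers, zero-filled section bodies) for the demo."""
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva,
                      0x1000, 0x2000, 0x400000, 0x1000, file_align)
    hdr += opt + b"\0" * (224 - len(opt))                              # zero the rest of the optional header
    end = 0
    for name, vaddr, vsize, rawsize, rawptr, chars in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        end = max(end, rawptr + rawsize)
    return hdr + b"\0" * (end - len(hdr))


# Assumed layout of a small clean host: .text has 0x80 bytes of file slack after its real code.
HOST = [
    (b".text", 0x1000, 0x0F80, 0x1000, 0x0400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, 0x0200, 0x0200, 0x1400, IMAGE_SCN_CNT_INIT | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
# Assumed appended section (name and addresses are illustrative, not from a real sample).
APPENDED = (b".added", 0x3000, 0x0800, 0x0800, 0x1600,
            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)


def clean_host():
    return build_pe(HOST, 0x1100)                 # entry point inside .text's real code

def host_with_appended_section():
    return build_pe(HOST + [APPENDED], 0x3010)    # entry point redirected into the new final section

def host_with_entry_in_slack():
    return build_pe(HOST, 0x1F90)                 # entry point redirected into .text's file slack


if __name__ == "__main__":
    for label, img in [("clean", clean_host()), ("appended section", host_with_appended_section()),
                       ("entry in slack", host_with_entry_in_slack())]:
        r = triage(img)
        print(f"{label}: entry {r['entry_rva']:#x} in {r['entry_section']}, slack {r['file_slack']}, flags {r['suspicious']}")
```

Running the file prints the flags for each constructed image. These are header heuristics only: mid-infection leaves the entry point untouched by design, so it does not trip them, and a packed or unusually linked clean executable can trip them without being infected; treat a hit as a reason to look closer, not as a verdict.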

Sality - KUKU 5.00

Gone is the message, gone is the HLLP, gone is the reference to "Sector". What we have here is clearly an alpha version of the new wave of viruses.

A few more variants down the line, we saw this:

Sality - KUKU 5.04

So it's still in the 5 series, but has moved from alpha to exp (probably for "experimental"). Perhaps Sector isn't in charge of producing these any more, though my guess is that he probably is - while the code has become more complicated in 5 years, the general style seems much the same. It's a shame he hasn't found anything more productive to do with his time.
