Viral Versioning

We've seen increased numbers of viruses this year, not least from the Sality family, and that's included a fair amount of battling with corrupt infections (1, 2). But while analysing the code, I was reminded of an unusual quirk of this set of viruses - they contain code versions.

I actually worked on the first Sality samples as a more junior analyst back in 2003, when the viruses were relatively simple prependers. This is the string I saw:

As you can see, the virus actually calls itself "KUKU", which apparently means "hide and seek" or "peek-a-boo" in Russian, and HLLP means it's a High Level Language Parasitic (or sometimes Prepender) virus. Along with an antagonistic message to the poor infected user, the author's even had time to sign his work - this is by someone who calls themselves "Sector".

A few months and a few variants later, we saw this:

Fast forward 5 years, and Sality has become a much more complicated beast. It can infect in a variety of different ways, from adding itself to a new final section to storing some of its code in existing slackspace, from changing the host's entry location to mid-infecting the host's code. The more recent variants have added varying new tricks into the equation, including dummy API calls to try to throw off emulators. Here's an example of a recent version string:

Gone is the message, gone is the HLLP, gone is the reference to "Sector". What we have here is clearly an alpha version of the new wave of viruses.

A few more variants down the line, we saw this:

So it's still in the 5 series, but moved from alpha to exp (probably for "experimental"). Perhaps Sector isn't in charge of producing these any more, though my guess is that he probably is - while the code has got more complicated in 5 years, the general style seems much the same. It's a shame he hasn't found anything more productive to do with his time.