Fat viruses

Viruses – true viruses, that is – seem to have been making a belated comeback recently, though in most cases they follow a simple and well-known structure. This often involves modifying the original file in such a way that, when it is executed, the viral code runs instead. When the viral code has finished running, it hands control back to the original, infected file. This can happen in the blink of an eye, giving the user the illusion that the program is running normally, when it is in fact infected and probably infecting other files.

For many computer users this is a scary prospect. Fortunately for them, most of the simple viruses we see these days are just that: simple. The rules they follow make it possible for us to provide a way to “disinfect” an infected file, returning it to its original state, before the virus had its way.

Most infectors are written by skilled (in some cases!) programmers, in low-level languages such as assembler and C. However, a few are written in high-level languages such as C++. W32/Saburex-A, for example, is clearly produced in C++. This has the advantage of being far simpler to code, but often produces much larger files (in the case of Saburex it is over 500kB in size, which is very large for a file-infecting virus). Larger files are traditionally harder to spread unnoticed. In the case of Saburex, the author used Microsoft’s own CAB compression functions to compress the bulk of the code and unpack it on the fly.

Fortunately, W32/Saburex-A only spreads to fixed local drives, limiting its capability to spread, which may be why it is not very prevalent in the wild (at the time of writing).