Everybody knows that making money with malware has become a theme for cybercriminals, including organised criminal groups, in the last few years. Parasitic viruses have become almost extinct, although we are going through a mini-revival, with several new samples of W32/Virut received every day. Still, completely new variants are relatively rare. This weekend we received a sample of W32/Divvi-A, which was interesting for its (intended) payload.
The sample was probably submitted by the old-fashioned type of virus writer (i.e. not financially motivated), claiming to come from Iraq. Several anti-debugging tricks and encryption are used but they are all relatively simple and easily circumventable. Once the virus has been decrypted in memory there are some interesting strings to observe. For example, if we reverse the string “doG saW madaS” we get “Sadam Was God”. Politically motivated messages are another characteristic of viruses from the old days of virus writing.
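As an added example (not code from the original post or from the virus), here is a small triage helper for the kind of mirrored string described above: it pulls printable strings out of a decrypted buffer and flags those whose words end in a capital letter, then shows them reversed. The sample buffer, the function names and the capitalisation heuristic are assumptions made for the illustration.

```python
import re

# Runs of printable ASCII, as the classic `strings` utility would report.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# A lower-case word with one trailing capital, e.g. "doG": the mirror image
# of ordinary Title Case, which is rare in forward-written text.
TRAILING_CAP = re.compile(r"^[a-z]+[A-Z]$")
TITLE_CASE = re.compile(r"^[A-Z][a-z]+$")


def extract_strings(buf):
    """Return (offset, text) for each printable ASCII run in buf."""
    return [(m.start(), m.group().decode("ascii"))
            for m in PRINTABLE_RUN.finditer(buf)]


def looks_reversed(text, min_hits=2):
    """Heuristic: at least min_hits mirrored words, and more than Title Case words."""
    tokens = re.findall(r"[A-Za-z]+", text)
    mirrored = sum(1 for t in tokens if TRAILING_CAP.match(t))
    normal = sum(1 for t in tokens if TITLE_CASE.match(t))
    return mirrored >= min_hits and mirrored > normal


def find_reversed_strings(buf):
    """Return (offset, original, reversed) for strings that look mirrored."""
    return [(off, s, s[::-1])
            for off, s in extract_strings(buf) if looks_reversed(s)]


# Constructed sample standing in for a decrypted memory region; only the
# mirrored string itself is taken from the post.
SAMPLE = (
    b"\x00\x01MZ\x90\x00" + b"Kernel32.dll\x00" + b"\xff\xfe"
    + b"doG saW madaS\x00" + b"\x13\x07" + b"GetProcAddress\x00"
)

if __name__ == "__main__":
    for off, original, recovered in find_reversed_strings(SAMPLE):
        print(f"0x{off:04x}  {original!r} -> {recovered!r}")
```

The heuristic only catches mirrored text that was written in Title Case before reversal; all-lower-case strings would need a dictionary comparison instead.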
The main virus payload is an attempt to launch a Denial of Service attack against F-Secure’s website on the 28th of the month. However, this payload will not execute due to a mistake in the date comparison code of the virus. If the virus were successful, it would display this message box addressed to our F-Secure colleague Mikko.
Further mistakes in the code cause the virus to corrupt infected files. Luckily, our disinfection routine is able to restore original host functionality, although it is unlikely we will ever see this curiosity in the wild.