Scribble In Your Files

We’ve been seeing a lot of activity from a new polymorphic mid-infecting virus, W32/Scribble-A. While this new family has quite a lot in common with members of the older Vetor and Virut families of viruses, the main code looks to have undergone a fairly major overhaul.

As well as being able to infect executable files such that the code changes each time (hence “polymorphic”), and being able to infect the host file at arbitrary locations in its executable code instead of just targeting the entry-point (hence “mid-infecting”), W32/Scribble-A can also modify htm, html, php and asp files, among others, inserting an iframe pointing to a malicious website. This is a trick we first saw used widely by the Fujacks family of viruses, and clearly the authors of W32/Scribble-A decided it was a good way to help them spread.

We detect files with these Scribble-injected iframes as Troj/Fujif-Gen, which includes disinfection. These iframes point to a page heavy with javascript obfuscation, detected as Mal/ObfJS-BP, which tries to exploit a variety of vulnerabilities (including a PDF exploit detected as Troj/PdfJS-U) to load an executable … detected as W32/Virut-Gen. So the new W32/Scribble-A is writing iframes which point to the older W32/Virut-Gen code.

It also looks like W32/Scribble-A has a bad habit we’ve seen all-too-often with viruses – it misinfects files. This is something we’ve seen in different families of virus – Sality misinfections have been breaking files for quite some time now, and Vetor has a long-established tendency to do the same. Often these viruses will break the file in a way that’s not repairable, in which case the virus will have completely blown its cover, and also wrecked any chance of restoring the original host. W32/Scribble-A is no exception, and we’ve seen a number of files that have been corrupted by its misinfection.

Unfortunately we expect to see more Scribbles over the coming weeks, and more broken infections as well.