Visual Basic worm (re)discovers old trick

The simplest type of hash-buster in malware typically consists of a few (or many) appended random bytes, changing the file's checksum while not altering its functionality. More advanced hash-busters patch inconsequential bytes within the file's code or data sections, but these are harder to implement because they require an understanding of the binary format.

Just like hash-busters in spam, they aim to make basic signature/checksum matching useless for all but the sample at hand, allowing replicants to go undetected. What the malware authors fail to realize is that not only are the established anti-virus and security vendors all too familiar with such simple tricks, but their scanning engines also use much more powerful technologies than pure byte-matching.
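To illustrate from the defender's side why the simplest appended-bytes variant is weak, here is an added example (not code from this post or from any vendor's engine) that hashes a PE file only up to the end of its last section, so trailing filler no longer changes the result. The function names and the sample file built inline are constructed for the illustration.

```python
import hashlib
import struct

def pe_mapped_end(data: bytes) -> int:
    """File offset just past the last section's raw data (start of any overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # first section header
    end = table + 40 * num_sections           # headers are always covered
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data))

def summarize(data: bytes) -> dict:
    """Whole-file SHA-256 next to a SHA-256 that ignores appended bytes."""
    end = pe_mapped_end(data)
    return {
        "full": hashlib.sha256(data).hexdigest(),
        "no_overlay": hashlib.sha256(data[:end]).hexdigest(),
        "overlay_len": len(data) - end,
    }

def build_sample() -> bytes:
    """Constructed, non-runnable PE skeleton: headers plus one 0x200-byte section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    sect = struct.pack("<8sIIII16x", b".text", 0x200, 0x1000, 0x200, 0x200)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers.ljust(0x200, b"\0") + b"\xCC" * 0x200

if __name__ == "__main__":
    base = build_sample()
    # Two constructed "replicants" that differ only in trailing filler bytes
    for tail in (b"\x11" * 16, b"\x22" * 37):
        s = summarize(base + tail)
        print(s["full"][:16], s["no_overlay"][:16], s["overlay_len"])
```

A non-zero overlay is not suspicious by itself, since installers and Authenticode signatures also place data after the last section. This normalization also does nothing against the in-file patching variants described here, which is one reason engines do not rely on checksums alone.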

Although self-patching has been deployed in assembler and C/C++ compiled malware, it has not really been the realm of Visual Basic files, mainly due to the different binary structure (and possibly the lack of skill) – until recently.

So it looks like VB malware authors have discovered the boring art of string-patching, where the various textual fields within a compiled VB binary (like FormNames) are modified when the worm spreads, causing each replicant to be slightly different yet functionally equivalent.