In its attempt to append malicious code to them

Feb 11, 2009 13:23 GMT  ·  By

Malware researchers from antivirus vendor Sophos warn of a new polymorphic virus called Scribble. Unfortunately, it doesn't only infect legitimate files on the system, but also corrupts many of them in such a way that it cannot be undone.

The virus, which Sophos identifies as W32/Scribble-A, is related to other families of worms, such as Vetor or Virut, the analysts explain. However, Scribble is not a simple variant of these malicious applications, but more like a complete rewrite. In addition, it also features many enhancements, like the ability to infect files written in several web scripting languages.

Scribble is a polymorphic virus because every time it infects a legitimate executable file it alters the malicious code it appends, in order to avoid antivirus detection. It is also able to insert its code at random locations inside the legitimate executable, a technique called mid-infecting.

The worm injects a malicious iframe into the web scripting files found on the system. The iframes redirect to a page with obfuscated JavaScript code, which in turn launches several exploits against the system. One of these exploits consists of a maliciously crafted PDF file, which targets a vulnerability in Adobe Reader.
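As an added defender-side illustration (not code from Sophos or from this article), the following Python scanner looks for iframes of the kind described above that have been injected into local web script files: it parses each iframe tag and flags a frame that is hidden or that points to a host outside an assumed allow-list. The allow-list, the size/style heuristics and the sample page content are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a web script file after an iframe injection (not a real capture).
SAMPLE_PHP = """<?php echo 'welcome'; ?>
<html><body><p>Site content</p>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="/banner.html" style="display: none"></iframe>
<iframe src="http://bad.example.net/x.php" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""

# Match an opening <iframe ...> tag and capture its raw attribute text.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# Match name=value pairs with double, single or no quoting.
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

def parse_attrs(attr_text):
    """Turn the raw attribute text of a tag into a lower-cased name -> value dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs

def is_hidden(attrs):
    """True if the frame is styled invisible or sized to at most 1x1 pixel (assumed heuristic)."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    def tiny(v):
        v = v.strip().lower().rstrip("px")
        return v.isdigit() and int(v) <= 1
    return tiny(attrs.get("width", "")) and tiny(attrs.get("height", ""))

def find_suspicious_iframes(html, trusted_hosts):
    """Return iframes that are hidden or whose src host is outside trusted_hosts."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        external = bool(host) and host not in trusted_hosts
        hidden = is_hidden(attrs)
        if external or hidden:
            findings.append({"src": src, "external": external, "hidden": hidden, "offset": m.start()})
    return findings

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_PHP, {"www.example.com"}):
        print(hit)
```

A relative src that is hidden is still reported, since an injected frame can point at a local landing page as well as an external host; review every hit against the site's own known markup.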

If the exploitation attempt is successful, an executable file identified as W32/Virut-Gen will be loaded. "So the new W32/Scribble-A is writing iframes which point to the older W32/Virut-Gen code," Richard Cohen, malware analyst at SophosLabs Canada, notes, suggesting a connection between the two viruses.

As the researcher points out, one of the major issues with this worm is its misinfections. A misinfection occurs when it fails to properly infect an executable file, most of the time damaging it beyond repair and thus alerting users to its presence. "This is something we’ve seen in different families of virus[es] – Sality misinfections have been breaking files for quite some time now, and Vetor has a long-established tendency to do the same," Mr. Cohen adds.

According to the expert, this is just the beginning, and the virus propagation will intensify during the next months, with more variants likely to be released into the wild. "Unfortunately, we expect to see more Scribbles over the coming weeks, and more broken infections as well," Cohen concludes.