It seems that the first virus which can infect 64-bit Windows systems has been spotted in the wild. The code, which is a proof of concept, uses the Thread Local Storage structures to execute the viral code.
The virus is written in IA64 assembly language; it will not run on 32-bit systems, but it will run on 32-bit systems running 64-bit emulation.
It uses a small number of Win64 APIs from the following libraries:
NTDLL.DLL
SFC_OS.DLL
KERNEL32
From NTDLL.DLL, it uses these functions:
LdrGetDllHandle()
RtlAddVectoredExceptionHandler()
RtlRemoveVectoredExceptionHandler()
To avoid crashing during infection, vectored exception handling is used.
The SfcIsFileProtected() function of SFC_OS.DLL is used to avoid infecting executables that are protected by the System File Checker (SFC).
The following 16 functions are used from KERNEL32.DLL to implement a standard file infection of an IA64 portable executable image:
CreateFileMappingA()
CreateFileW()
CloseHandle()
FindFirstFileW()
FindNextFileW()
FindClose()
GetFullPathNameW()
GetTickCount()
GlobalAlloc()
GlobalFree()
LoadLibraryA()
MapViewOfFile()
SetCurrentDirectoryW()
SetFileAttributesW()
SetFileTime()
UnmapViewOfFile()
For the full details, see the Symantec bulletin.
Post ID: 393, posted by jase at 12:27 AM