
A PoC Epoch

Updated: 29 Jun 2009
Peter Ferrie

It's not often that we get a proof-of-concept (PoC) virus, but to receive four in two weeks is completely unprecedented. The first one, which we call MEL.Odorous, is a virus for the Maya 3D scripting language (MEL). It searches the current directory for uninfected files and prepends itself to them. After infecting files, it runs the host as usual.

The second virus, which we call WHS.Vred, is a virus for the WinHex scripting language. Like MEL.Odorous, Vred searches the current directory for uninfected files and prepends itself to them. Unlike MEL.Odorous, however, Vred does not run the host code after infecting files.

The third and fourth viruses, which we named W32.Piffle and W32.Weakling respectively, are viruses for Windows. They are so named because the virus author likes to play with the language—he called them W32.Spiffy and W32.WeakLNK (that is, "weak link")—so we did, too.

W32.Piffle searches the current directory for uninfected files and randomly chooses a single one of them. Once a file is selected, the virus creates a PIF (program information file) to replace the host file, but this PIF has an unusual characteristic: it is a kind of archive that holds both the virus code and the host file.

When the PIF is executed, the command line inside it launches the command processor, passing "debug.exe" and the name of the PIF as parameters. The command processor then runs debug.exe, and the PIF itself is used as a script to drive it. The script constructs a Windows executable in memory, writes it to disk, and then executes it. The created file then opens the PIF, extracts and runs the host file, and searches for another file to infect.

W32.Weakling is functionally identical to W32.Piffle, with the difference that the LNK (shortcut) format is used instead of the PIF format.
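The PIF trick described above leaves a recognisable trace in the shortcut itself: a PIF whose program field names a command processor and whose parameter field invokes debug with a PIF as its script, and which is far larger than a shortcut has any reason to be. The following Python, added here as an illustration and not part of the original post or of Symantec's tooling, parses the program, directory and parameter fields of a PIF and reports those signs. The field offsets (0x24, 0x65 and 0xA5 in the classic PIF basic section), the 4 KiB size threshold, the command-processor list and the two sample PIFs are all assumptions constructed for the example; the suspect sample carries only zero padding in place of a real payload.

```python
import os

# Classic PIF "basic section" layout. These are the documented Windows 3.x/9x
# PIF field offsets, assumed here for the example; they are not from the post.
PIF_BASIC_SECTION_LEN = 0x171
PIF_FIELDS = {
    "program":   (0x24, 63),   # program file name to launch
    "directory": (0x65, 64),   # startup directory
    "params":    (0xA5, 64),   # optional command-line parameters
}
# A genuine PIF is a few hundred bytes; anything much larger is carrying
# something else. Threshold is an assumption for this example.
PIF_SIZE_LIMIT = 4096
COMMAND_PROCESSORS = {"command.com", "cmd.exe"}


def _field(data, off, length):
    """Read a NUL-terminated OEM-encoded string field from the PIF."""
    raw = data[off:off + length]
    return raw.split(b"\x00", 1)[0].decode("cp437", "replace").strip()


def parse_pif(data):
    """Return the launch fields and total size of a PIF blob."""
    if len(data) < PIF_BASIC_SECTION_LEN:
        raise ValueError("too short to contain a PIF basic section")
    rec = {name: _field(data, off, ln) for name, (off, ln) in PIF_FIELDS.items()}
    rec["size"] = len(data)
    return rec


def pif_findings(rec):
    """Heuristic findings for the W32.Piffle-style launch pattern."""
    findings = []
    prog = os.path.basename(rec["program"].replace("\\", "/")).lower()
    params = rec["params"].lower()
    if prog in COMMAND_PROCESSORS and "debug" in params:
        findings.append("command processor is used to launch debug")
    if "debug" in params and ".pif" in params:
        findings.append("a PIF is handed to debug as its script")
    if rec["size"] > PIF_SIZE_LIMIT:
        findings.append("PIF is %d bytes, far larger than a plain shortcut" % rec["size"])
    return findings


def scan(data):
    """Parse a PIF blob and return the list of heuristic findings (empty if clean)."""
    return pif_findings(parse_pif(data))


def build_pif(program, directory, params, payload=b""):
    """Construct a minimal PIF basic section for testing (constructed sample data)."""
    buf = bytearray(PIF_BASIC_SECTION_LEN)
    for name, value in (("program", program), ("directory", directory), ("params", params)):
        off, ln = PIF_FIELDS[name]
        buf[off:off + ln] = value.encode("cp437")[:ln].ljust(ln, b"\x00")
    return bytes(buf) + payload


# Constructed samples: an ordinary shortcut to an editor, and a PIF showing the
# launch pattern from the post with zero padding standing in for the payload.
BENIGN_PIF = build_pif(r"C:\DOS\EDIT.COM", r"C:\DOCS", "README.TXT")
SUSPECT_PIF = build_pif(r"C:\WINDOWS\SYSTEM32\CMD.EXE", r"C:\TEMP",
                        "/c debug.exe < HOST.PIF", payload=b"\x00" * 8000)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PIF), ("suspect", SUSPECT_PIF)):
        print(label, scan(blob) or ["clean"])
```

Each of the three checks is weak on its own (administrators do legitimately launch debug from a shortcut, and some PIFs carry extra sections), so the value is in the combination: all three together match the structure the post describes, while a plain shortcut matches none.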

These viruses present no danger to users; they are just something to occupy the time of virus writers. There are, of course, more worthy pursuits.