Virus Q&A – W32/W64.Bounds
I have posted this blog in order to outline a recent Q&A session that provides more information about my previous blog regarding a new virus affecting the AMD64 platform.
Q. How does the virus function (infection, propagation, etc.)?
When an infected file is executed it functions normally; however, when the application wants to terminate (e.g., the user closes it), the virus code is then called. At that time, the virus will seek other files in the directory that contains the currently infected file and all subdirectories below it. Any Windows executable file, regardless of the file extension (i.e., not just .exe files), will be infected if it passes a strict set of criteria that the virus carries.
Q. Is it easily detected and, for that matter, avoided?
No, the detection is not easy. The virus hides and encrypts itself using a new type of algorithm and also uses a new method to gain control of the execution flow. It is easily avoided by not running files from untrusted sources. Additionally, since it is a proof-of-concept, it infects very few files. It does not spread over the network on its own and does not attempt to leave the infected computer using any method (e.g., by e-mail).
Q. Is this flaw on both AMD and Intel processors? How far back does this flaw date in terms of affected processors?
The virus exploits no flaws in the CPUs. It is using a designed-in feature of the operating system in a slightly unusual way; however, it completely conforms to the specification. In addition, it should be noted that W64.Bounds is specific only to the AMD64 style of CPU (which includes the Intel EM64T), as opposed to Intel's Itanium, on which it won’t run.
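The two answers above make a point that matters when triaging a machine: the virus picks its targets by walking the directory tree and checking whether a file is a Windows executable, not by its extension, and it only applies to AMD64-format images, not Itanium ones. A scanner that looks for infected files should therefore enumerate candidates the same way. The following Python script is an added example (it is not code from the original post, from Symantec, or from the virus) that walks a directory tree, recognises PE images from the "MZ" and "PE\0\0" headers regardless of file name, and reads the COFF Machine field to separate AMD64 (0x8664) images from i386 (0x14c) or IA-64 (0x200) ones. The sample files, their names, and the helper function names are assumptions constructed for the demonstration; the sample directory is created in a temporary folder so the script runs offline.

```python
"""Enumerate Windows PE images under a directory by header, not by extension,
and report which ones target AMD64. Added example; not from the original post."""
import os
import struct
import tempfile

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_IA64 = 0x0200
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {
    IMAGE_FILE_MACHINE_I386: "i386",
    IMAGE_FILE_MACHINE_IA64: "IA-64 (Itanium)",
    IMAGE_FILE_MACHINE_AMD64: "AMD64 / EM64T",
}


def pe_machine(path):
    """Return the COFF Machine field of a PE image, or None if the file is not a PE image."""
    try:
        with open(path, "rb") as f:
            dos = f.read(64)                      # IMAGE_DOS_HEADER is 64 bytes
            if len(dos) < 64 or dos[:2] != b"MZ":
                return None
            e_lfanew = struct.unpack_from("<I", dos, 60)[0]
            f.seek(e_lfanew)
            hdr = f.read(6)                       # "PE\0\0" signature + 2-byte Machine
            if len(hdr) < 6 or hdr[:4] != b"PE\0\0":
                return None
            return struct.unpack_from("<H", hdr, 4)[0]
    except OSError:
        return None


def find_pe_files(root):
    """Return sorted (path, machine) pairs for every PE image under root, any extension."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            machine = pe_machine(path)
            if machine is not None:
                results.append((path, machine))
    return sorted(results)


def amd64_candidates(root):
    """Paths of PE images under root that an AMD64-only infector could target."""
    return [p for p, m in find_pe_files(root) if m == IMAGE_FILE_MACHINE_AMD64]


def make_minimal_pe(machine):
    """Constructed sample: DOS header, PE signature and a 20-byte COFF header only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)           # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def build_sample_tree():
    """Create a temporary directory tree of constructed sample files (hypothetical names)."""
    root = tempfile.mkdtemp(prefix="pe_scan_demo_")
    os.makedirs(os.path.join(root, "sub"))
    samples = {
        "app.exe": make_minimal_pe(IMAGE_FILE_MACHINE_AMD64),
        "helper.dll": make_minimal_pe(IMAGE_FILE_MACHINE_AMD64),
        # A PE image behind a non-executable extension: still a valid target.
        os.path.join("sub", "plugin.dat"): make_minimal_pe(IMAGE_FILE_MACHINE_AMD64),
        os.path.join("sub", "legacy.exe"): make_minimal_pe(IMAGE_FILE_MACHINE_I386),
        os.path.join("sub", "ia64.exe"): make_minimal_pe(IMAGE_FILE_MACHINE_IA64),
        "readme.txt": b"not a PE file\n",
        "fake.exe": b"MZ" + b"\0" * 10,           # .exe name but truncated, no PE header
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for path, machine in find_pe_files(demo_root):
        print(f"{os.path.relpath(path, demo_root):<20} {MACHINE_NAMES.get(machine, hex(machine))}")
    print("AMD64 candidates:", len(amd64_candidates(demo_root)))
```

Run against a real directory with `find_pe_files("C:\\Program Files")` (or any path); the header check is what makes the enumeration match the virus's own selection, since `fake.exe` is skipped and `plugin.dat` is included. The Machine field alone does not say whether a file is infected; it only narrows the candidate set to images the virus could have touched.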
Q. Although targeted at the chip level, it seems to only function due to a flaw in the execution process in the operating system, particularly as only Windows is listed as affected. Might it also potentially be seen on other operating systems, for example, Linux, or even Mac OS considering its move to an Intel platform?
It's an operating-system feature that is being used as designed, but in a slightly unusual way. The feature is specific to the Windows operating system and exists as a performance enhancement. So, while it is possible that something similar exists in other operating systems, the method that the virus uses is not directly applicable.
Q. Is this an issue that the CPU designers need to look at fixing or is this more of an operating system issue?
It’s more of an operating system issue, but it’s not a vulnerability or defect. The author has simply found an unusual means of leveraging an existing function.