A Week of Firsts (and Seconds)
Things have been pretty interesting here lately. The first virus for Sun Microsystems' StarOffice appeared, although it wasn't a real virus because it didn't actually work. We also received reports of the first parasitic virus for the .chm (compiled HTML help file) file format, and reports of the first virus that is an IDA plug-in. I say "reports" because we have been told these two viruses exist, but we have not received any samples to prove it.
The StarOffice virus just goes to show that virus writers don't test their code. Despite four attempts (represented by the samples that we received; who knows how many others we didn't receive), the virus author still couldn't seem to work out why his code wasn't infecting anything. However, hot on the heels of these initial samples came the first working StarOffice virus. Discovered on June 7th, 2006, it is capable of infecting all StarOffice applications (Writer, Calc, Draw, and Impress).
The .chm file format virus is an interesting development. The existence of this virus would indicate that there are still some platforms out there that haven't been attacked before, and that some virus writers are interested in changing that situation. It would also have the potential to show which antivirus engines can decompose .chm files to scan their contents and which ones cannot.
The IDA plug-in virus is the most troubling, though, and it has been rumored to exist since last year. Perhaps it was intended to be released as part of the cancelled 29A #9 virus e-zine and is now intended for the release of the rRLF #7 e-zine instead. If the tools that we use for analysis become the subject of attacks, it could make virus analysis that much harder.