10 February 2009
We've been seeing a lot of activity from a new polymorphic mid-infecting virus, W32/Scribble-A. While this new family has quite a lot in common with members of the older Vetor and Virut families of viruses, the main code looks to have undergone a fairly major overhaul.
As well as being able to infect executable files such that the code changes each time (hence "polymorphic"), and being able to infect the host file at arbitrary locations in its executable code instead of just targeting the entry-point (hence "mid-infecting"), W32/Scribble-A can also modify htm, html, php and asp files, among others, inserting an iframe pointing to a malicious website. This is a trick we first saw used widely by the Fujacks family of viruses, and clearly the authors of W32/Scribble-A decided it was a good way to help them spread.
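As an added illustration of the web-file side of this behaviour (example code, not Sophos's or the virus's own), the Python below walks a directory tree, picks out the htm/html/php/asp files the post names, and reports every iframe it finds, flagging frames styled to render invisibly. The invisibility heuristic, the constructed sample page and the `malicious.example` host are assumptions for the demo, not details taken from the post.

```python
# Added example (not Sophos code): find <iframe> tags injected into the web
# file types the post names, flagging ones styled to render invisibly.
import os
import re
import tempfile

WEB_EXTENSIONS = {".htm", ".html", ".php", ".asp"}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
# Assumed heuristic: attributes/styles that hide a frame from the viewer.
HIDDEN_MARKERS = [re.compile(p, re.I) for p in (
    r"""\bwidth\s*=\s*["']?0\b""", r"""\bheight\s*=\s*["']?0\b""",
    r"display\s*:\s*none", r"visibility\s*:\s*hidden")]

def find_iframes(text):
    """Return a list of (src, is_hidden) for every iframe tag in text."""
    found = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        hidden = any(p.search(tag) for p in HIDDEN_MARKERS)
        found.append((src.group(1) if src else "", hidden))
    return found

def scan_tree(root):
    """Walk root; return (relative path, src, hidden) for iframes in web files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for src, hidden in find_iframes(fh.read()):
                    hits.append((os.path.relpath(path, root), src, hidden))
    return hits

# Constructed sample: one legitimate visible frame plus an injected hidden
# one pointing at a placeholder host (malicious.example is not a real IoC).
SAMPLE_HTML = ('<html><body><iframe src="/embed/video"></iframe></body></html>\n'
               '<IFRAME src="http://malicious.example/x.php" width=0 height=0></IFRAME>')

def demo():
    """Write the constructed sample into a temp tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write(SAMPLE_HTML)
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write('<iframe src="x"></iframe>')  # wrong extension, skipped
        return scan_tree(root)
```

Running `demo()` on the constructed tree reports only the two frames in index.html, with the zero-sized one flagged as hidden; on a real web root, a flagged frame pointing off-site is the thing to pull for inspection.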