Peter Ferrie
Virus Bulletin, Dec 2009, pp. 4-7
ISSN 0956-9979
December 2009
Download PDF (59.55Kb) (You need to be registered on forum)Sometimes a virus gets it completely wrong (see VB, October 2008, p.4). Sometimes a virus gets it mostly ‘right’, but sometimes that’s only because the virus in question is a collection of routines taken from other viruses which got it mostly right. That is exactly what we have here, in W32/Satevis.
The virus begins by determining its location in memory. This makes it compatible with Address Space Layout Randomization (ASLR), though the technique has existed for far longer than ASLR. However, instead of using the common call-pop technique to determine the location, the virus uses a call, but then uses an indirect read from the stack via a string instruction. In the past, this kind of alternative method would have avoided some heuristic detections, but these days the call-pop method is so common in non-malicious code that this obfuscated method might be considered suspicious. In any case, there are few anti-malware engines now that would rely on such a weak detection method.