Peter Ferrie
Virus Bulletin, September 2011, pages 4-6
ISSN 0956-9979
Some might think that all of the entrypoints in Portable Executable (PE) files are known – but they would be wrong. As we saw with the W32/Deelae family [1], a table that has been overlooked for more than a decade can be redirected to run code in an unexpected manner. Now, a table that was used in Windows on the Itanium platform also exists on the x64 platform, and (surprise!) it can be misused too. The W64/Holey virus shows us how.