Brian McWilliams
Newsbytes
April 2002
SAPvir, the first virus to infect programs and reports used by the high-end SAP R/3 business information system, was posted to an online virus library this week.
Experts said the proof-of-concept code, which does not appear to be present in the wild, is the latest effort by virus writers to target "exotic" computing platforms.
The 24-line program, written in SAP's Advanced Business Application Programming (ABAP) language, is designed to spread to other programs on the local SAP system but does not appear to be destructive or network-aware, according to a preliminary analysis of the code by Jochen Hein, an independent SAP consultant based in Germany.
SAP R/3 is an integrated system used by many large corporations for functions such as supply-chain management, business intelligence, and financials, according to its developer, Germany-based SAP AG.
Bill Wall, a spokesman for SAP in the U.S., said the company does not believe any customers have been infected by the code.
"What protects our customers is very deep security and very limited access to these mission-critical systems. ABAP also requires a skill set that goes beyond that of most hackers," said Wall.
According to its Web site, SAP is the third-largest software company in the world.
The program was posted to VX Heavens, a large online library of viruses, on Tuesday. According to the virus site's operator, he received an email this week with a link to a Web page containing the source code to SAPvir.
The page, which appears to be operated by Alex Bergonzini of Barcelona, Spain, was last modified in October 2001, according to the page's header. Bergonzini did not respond to interview requests.
A copyright notice in the code does not identify its author but suggests SAPvir may have been written in 2000.
While SAPvir may contain bugs that prevent it from working on all SAP platforms, according to Hein, the source code could easily be modified by programmers who know ABAP to perform more malicious acts.
"An ABAP program can do anything in the SAP system, including modifying data and leaving no trace," said Hein, who noted that a line of programming comments in SAPvir states in Spanish, "Here the code of destruction or effects of the virus goes."
While most computer viruses are written for Microsoft's Windows and Word applications, in recent months, virus writers have created programs that target Microsoft's new .NET platform, Macromedia's Flash format, and Adobe's Acrobat software.
According to Patrick Hinojosa, chief technology officer for anti-virus firm Panda Software, SAPvir is "academic" since an attacker would need special authorization to plant the code on an SAP system.
"It looks like it would have to be an inside job," said Hinojosa, who added that a person with such rights would already have the ability to modify or destroy data without the need for a virus.