In this section

• Home
• Security
• SophosLabs blog
• 2007
• 08

• Analyses
• SophosLabs
• SophosLabs blog
• Spyware and adware
• Top 10 malware
• Hoaxes
• Technical papers
• Email notification
• Best practice
• White papers
• Web seminars
• Podcasts
• Hot topics

16 August 2007 11:05 GMT

A sandwich virus

One of the simplest methods of file infection is to put the virus at the start of the file, leaving the host at the end. A less common way is to put the host first and save the virus at the end. W32/Kies-A does both.

A Kies-infected file starts with a virus executable, followed by the stored host, and finally another virus executable.

• The first part of the virus extracts the host and other component to the current folder in order to run both. It also deals with connecting to the internet, in order to ring home and download more files.
• The host gets run, but without any command line arguments, so it may not always work as the user intended.
• The second part of the virus performs the infection routine, searching for executables on the local drive and network shares.

As a result, infected files have a layout like a sandwich, or a popular design of biscuit.

Glyn, SophosLabs UK

• Bookmark with del.icio.us
• Submit this story to digg
• Submit this story to slashdot