Sophos discovers PoC virus targeting research tool

A new proof-of-concept (PoC) virus that targets an analysis tool used widely by security researchers has been discovered.

Named W32/Gattman-A by Sophos, the virus spreads through the Interactive Disassembler Pro (IDA) program, a popular tool for converting the compiled code inside program files into human-readable form, according to Sophos' Sydney branch.

Once the virus infects a PC, it creates a Microsoft Windows .exe file, which then searches out other IDA script files and infects them, restarting the infection cycle.

The virus is believed to have been written by members of the Ready Rangers Liberation Front and the Knight Templars virus-writing gangs, according to the anti-virus firm.

Secunia and the French Security Incident Response Team (FrSIRT) also posted warnings about the PoC virus.

The .exe files created by the virus also alter the malware's form as it spreads.

The virus is not likely to affect average users since they rarely have the same utilities that security researchers use to crack malicious code.

The virus' creators were likely trying to show up researchers, said Paul Ducklin, SophosLabs head of technology for the Asia and Pacific region.

"Although just proof-of-concept, and unlikely to spread except amongst researchers (or malware authors) who are both curious and careless, Gattman proves once again that malware authors are often willing to look for brand new avenues of infection," said Ducklin. "In this case, the virus' creators appear to be doing it for kicks rather than financial reward."
