Virus targets Interactive Disassembler (IDA) Pro!

Virus authors are continuously trying to make life difficult for the antivirus community.

Early worms fired the first warning shot by disabling on access scanning or even deleting antivirus and security related processes on infection, thereby rendering the machine defenseless. Stand alone cleaning tools had to released by antivirus vendors until even these got targeted. Classic case is that of W32/Sober@MM vs. McAfee Stinger.

To prevent researchers from reverse engineering binaries, malwares started using
anti-debugging techniques and would quit execution in presence of a debugger like SoftIce. This made malware analysis more difficult.

For some time we have also seen malwares that are VM (virtual machine) aware. These malwares will not execute on virtual operating environments like VmWare and Microsoft Virtual PC. Researchers were forced to tweak virtual machines at the cost of performance or resort to executing these worm families on real machines. Both methods take up valuable research time when one has to replicate malware dynamically.

The latest salvo is a virus that directly targets the very tools that security researchers use.
Interactive Disassembler Pro (IDA Pro) is a popular disassembler that is used to reverse engineer and decompose binaries. Custom IDC scripts can be written to automate tasks like unpacking a file or running an algorithm.

W32/Gatt is a polymorphic entry point obfuscation virus that infects only scripts associated with IDA Pro. It infects IDC script files found on a machine and replicates when an infected IDC script is executed.

By targeting tools used by antivirus researchers, the author makes an attempt to embarrass the security community.

Researchers are a paranoid lot when dealing with malware and are very careful about the way files are exchanged and executed. What could actually end up happening is a couple of curious wanna be virus writers fooling around with it and getting infected!