Aliases: Virus.Win64.Abul.a, W64/Abul.a
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W64
Discovered: 14 Nov 2006
Damage: Low

Characteristics: W64.Abul is a parasitic worm that performs direct-action infection of executable files found in all subfolders of the infected computer’s C: drive. It is a proof-of-concept virus written to demonstrate compression of host files on the 64-bit platform.

More details about W64.Abul

W64.Abul is a file infector virus that targets 64-bit systems. It attacks and infects 64-bit executable files on the C: drive, including its subfolders. To do this, it injects its main routine into the system process “CSRSS.EXE.” Once activated, the virus deletes the legitimate system file sfcfiles.dll from the Windows system folder. W64.Abul is thereby able to disable the system’s file protection mechanism, which allows it to infect protected files; this is done by injecting its code into Windows processes. Unlike most file infectors, W64.Abul does not increase the size of the files it infects: it compresses part of the host code to make room for the virus code. If compression of any section in the host file fails, the infector does not execute its infection routine on that file.
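The infection technique described above leaves a measurable trace: when part of a host’s code section is replaced with compressed data, that region’s byte entropy rises far above what native x64 machine code normally shows. The following script is an added illustration of a defender-side triage heuristic built on that observation; it is not code from the original write-up and is not a signature for W64.Abul. It parses the PE section table, flags executable sections whose raw bytes exceed an assumed entropy threshold of 7.0 bits/byte, and also checks for the sfcfiles.dll deletion the write-up mentions. The two sample images are constructed in the script itself so it runs offline.

```python
"""Entropy-based heuristic for spotting executables whose code section has been
overwritten with compressed data, as W64.Abul is described as doing.
Added illustration; not code from the original write-up. The 7.0 bits/byte
threshold and the synthetic sample images are assumptions for demonstration."""
import math
import random
import struct
from pathlib import Path

IMAGE_FILE_MACHINE_AMD64 = 0x8664      # COFF machine id for x64
IMAGE_SCN_CNT_CODE = 0x00000020        # section contains code
IMAGE_SCN_MEM_EXECUTE = 0x20000000     # section is executable
ENTROPY_THRESHOLD = 7.0                # heuristic; native x64 code is usually well below this


def shannon_entropy(data):
    """Bits per byte in data (0.0 for an empty buffer, 8.0 for uniform random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image):
    """Parse the COFF section table of a PE image; returns a list of dicts."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no PE signature)")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size       # section headers follow the optional header
    sections = []
    for i in range(nsect):
        off = table + 40 * i           # each IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<IIIIIIHHI", image, off + 8)
        sections.append({"name": name, "raw_ptr": raw_ptr, "raw_size": raw_size,
                         "chars": chars, "x64": machine == IMAGE_FILE_MACHINE_AMD64})
    return sections


def suspicious_sections(image, threshold=ENTROPY_THRESHOLD):
    """Names of executable sections whose raw bytes look compressed (high entropy)."""
    hits = []
    for s in pe_sections(image):
        if not s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            continue                   # data/resource sections are expected to be dense
        body = image[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        if shannon_entropy(body) > threshold:
            hits.append(s["name"])
    return hits


def wfp_dll_present(system_dir):
    """The write-up says Abul deletes sfcfiles.dll; its absence is a crude indicator."""
    return (Path(system_dir) / "sfcfiles.dll").is_file()


def scan_tree(root):
    """Walk a directory and yield (path, flagged sections) for suspicious executables."""
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".exe", ".dll") and path.is_file():
            try:
                hits = suspicious_sections(path.read_bytes())
            except (ValueError, struct.error):
                continue               # not a parseable PE; skip it
            if hits:
                yield path, hits


def build_sample_pe(code, data=b"\0" * 64):
    """Constructed fixture: a minimal (non-runnable) PE32+ image with .text and .data."""
    opt_size = 240                     # PE32+ optional header length
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 2, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)   # 0x20B = PE32+ magic
    text_ptr = e_lfanew + 4 + 20 + opt_size + 40 * 2
    data_ptr = text_ptr + len(code)

    def hdr(name, vaddr, raw, ptr, chars):
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, chars)

    table = (hdr(b".text", 0x1000, code, text_ptr, 0x60000020)     # code, exec, read
             + hdr(b".data", 0x2000, data, data_ptr, 0xC0000040))  # data, read, write
    return dos + b"PE\0\0" + coff + opt + table + code + data


# Constructed sample contents: a low-entropy stand-in for ordinary x64 code, and a
# seeded pseudo-random buffer standing in for a compressed host section.
CLEAN_CODE = bytes(range(0x48, 0x58)) * 256                       # exactly 4.0 bits/byte
_rng = random.Random(2006)
COMPRESSED_CODE = bytes(_rng.getrandbits(8) for _ in range(4096))  # about 7.95 bits/byte

if __name__ == "__main__":
    print("clean image:     ", suspicious_sections(build_sample_pe(CLEAN_CODE)))
    print("compressed image:", suspicious_sections(build_sample_pe(COMPRESSED_CODE)))
```

Run `scan_tree(r"C:\")` on a suspect host to list candidates, and pair it with `wfp_dll_present` against the Windows system folder. Treat a hit as a triage signal only: legitimately packed or compressed executables also score above the threshold, so confirm candidates with updated antivirus signatures or a known-good hash baseline before acting.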

When W64.Abul is executed, it infects all executable files on the compromised machine’s C: drive. To avoid compromising the system further, the infection should be removed immediately. To clean the system, first temporarily disable System Restore, then reboot the computer in safe mode. Next, run a full system scan using the system’s security software with its latest updates, and clean or delete all infected files. To confirm that W64.Abul has been completely removed from the computer, carry out another full system scan.