The researchers have dubbed these hybrids "frankenmalware", and out of some 10 million detected and analyzed malicious files, they identified over 40,000 of these "malware sandwiches".
How does it happen, you ask?
"A virus infects executable files; and a worm is an executable file," explains Loredana Botezatu. "If the virus reaches a PC already compromised by a worm, the virus will infect the exe files on that PC - including the worm. When the worm spreads, it will carry the virus with it. Although this happens unintentionally, the combined features from both pieces of malware will inflict a lot more damage than the creators of either piece of malware intended."
To explain how the symbiosis works, she shares the example of the Virtob virus/ Rimecud worm "collaboration".
The Rimecud worm spreads via file-sharing apps, USB devices, Microsoft MSN Messenger and locally mapped network drives. Besides that, it also steals passwords by injecting itself into the explorer.exe process, opens a backdoor that will allow it to download additional malware from a C&C server and - if the computer has remote control software installed - allows cyber criminals to access it and control it.
As it turns out, Bitdefender has recently begun spotting the Virtob virus attached to the aforementioned worm. The virus - which also opens a backdoor, contacts IRC C&C servers, modifies a host of files - infects executable files and, as the worm itself is an executable, it is also likely to be infected.
Now, apart from the unfortunate fact that a computer hosting this piece of "frankenmalware" is now contacting two C&C servers, has two backdoors open, two attack techniques active and various spreading methods at its disposal, there is also the problem of whether AV solutions will be able to detect and remove both - or either one.
"Imagine that a worm is infected by a file infector (virus)," posits Botezatu. "And an AV detects the file infector first and tries to disinfect the files, which include the worm. In some rare cases disinfecting compromised files leaves behind clean files that are at the same time altered (not identical to the original anymore). They maintain their functionality but are slightly different in form. As most files are detected according to signatures and not based on their behavior (heuristically), an altered worm (disinfected along with other files that have been compromised by a file infector and disinfected by an antivirus) may not be caught anymore by the signature applied to the original file (that had been modified after disinfection). Disinfection might this way lead to a mutation that can actually help the worm."