As above, sobelow

Peter Ferrie
Virus Bulletin, December 2011, pp. 9-11
ISSN 0956-9979
December 2011

In June 2009, an interesting article describing ‘Heaven’s Gate’ appeared on a popular VX website. Heaven’s Gate is an undocumented feature used by the 32-bit Windows environment when running on 64-bit versions of Windows; it allows for the transition between 32-bit and 64-bit code. In August 2011, we saw the first virus to make use of it: W32/W64.Sobelow.

