Sapvir, also known as Rivpas or Willie is a virus written in the ABAP language for SAP platforms. It was a proof of concept used to demonstrate ABAP viruses on SAP. Its author deliberately left key parts of the code commented, so it would not be easily spread, which some antivirus vendors described as "bugs" preventing it from replicating.

Behavior

When a report or function infected with Sapvir is executed, it searches for other reports and functions to infect. It checks if the target was last modified by a user named "Virii", that it is a regular report or function. If the last user to modify the target file or report was not "Virii", it will change this in TRDIR (an SAP view that stores details about the database). It then reads the target along with its code and looks for an insertion point by searching for the words REPORT or FUNCTION. Sapvir then searches forward from the header to find the first line containing an "@" character it uses as a marker and sets the position for where to inject the virus.

It checks for the the presence of the string "SAPVirii", and if it finds it three times, it halts the infection. Otherwise, it proceeds to inject its code into the target function or report. The virus then saves the modified file with the copy of itself.

There is no destructive payload, however the author left a commented line that hinted where any destructive code could potentially go.

Variants

There are four variants of the Sapvir virus. They are functionally quite similar, though some were released with no key parts commented out.

Effects

Sapvir was never released in the wild and the author deliberately crippled its ability to spread by commenting out key parts of the code.

Origin

Little remains about the origin of Sapvir. Comments indicate the author may have come from Spain, as comments are mostly in Spanish and use terms only used in Castilian Spanish.

Sources

Original Research

VS Antivirus, ABAP/Sapvir.A. Una nueva plataforma víctima de virus. 14-APR-2002