if a virus is successful at changing the transaction like that, it would make more sense to change the input address (to the hacker) instead of leaving the funds as fee to a random miner.. probably a buggy low-level script and some dev is really f***ed up right now..