Author: Daniel Jackson
Date: 04:29:07 05/27/04
http://www.symantec.com/avcenter/venc/data/w64.rugrat.3344.html

W64.Rugrat.3344 is a direct-action infector (it exits memory after execution) of IA64 Windows Portable Executable (PE) files. This includes most Windows applications, excluding .dlls. It infects files that are in the same folder as the virus and in all subfolders. It is the first known virus for 64-bit Windows, and it uses the Thread Local Storage structures to execute the viral code. This is an unusual method of executing code. It does not infect 32-bit Portable Executable files, and it will not run on 32-bit Windows platforms. The virus is written in IA64 assembly code.

Note: A true 64-bit machine is not required for this virus, as it can be run on a 32-bit machine using 64-bit simulation software.

Type: Virus
Infection Length: 3344
Systems Affected: Windows 64-bit (IA64)
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 2000, Windows 3.x, Windows 64-bit (AMD64), Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

W64.Rugrat is a fairly simple proof-of-concept virus. However, it is the first known virus to attack 64-bit Windows executables on IA64 systems intentionally, and it does so successfully.

The virus uses a handful of Win64 APIs from 3 different libraries: NTDLL.DLL, SFC_OS.DLL and KERNEL32.DLL. From NTDLL.DLL the virus uses the following 3 functions: LdrGetDllHandle(), RtlAddVectoredExceptionHandler() and RtlRemoveVectoredExceptionHandler(). The virus supports vectored exception handling to avoid crashing during infections. The SfcIsFileProtected() function of SFC_OS.DLL is used to avoid infecting executables that are protected by SFC (the System File Checker).

The following 16 functions are used from KERNEL32.DLL to implement a standard file infection of an IA64 Portable Executable image: CreateFileMappingA(), CreateFileW(), CloseHandle(), FindFirstFileW(), FindNextFileW(), FindClose(), GetFullPathNameW(), GetTickCount(), GlobalAlloc(), GlobalFree(), LoadLibraryA(), MapViewOfFile(), SetCurrentDirectoryW(), SetFileAttributesW(), SetFileTime() and UnmapViewOfFile().

The virus carries the following string within itself, which is never displayed: Shrug - roy g biv

The file infection routine is standard. The last section of the executable is marked as executable, the virus body is inserted into the last section, and a random number of bytes are appended to the end of the virus body.

The virus author is also the author of a number of other proof-of-concept viruses, collected under the name W32.Chiton.gen.

More... http://www.symantec.com/avcenter/venc/data/w64.rugrat.3344.html
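Added example, not from the Symantec writeup or this post: a small Python scanner that parses a PE32+ (64-bit) header and reports the two infection traits described above, a last section marked executable and a TLS directory that points into that section. The IA64 header image it scans is constructed in-line for illustration; scan_pe32plus() and build_sample() are names chosen here, not anything from the virus or Symantec's tooling.

```python
import struct

# Constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_IA64 = 0x0200
PE32PLUS_MAGIC = 0x020B
IMAGE_SCN_MEM_EXECUTE = 0x20000000
TLS_DIR_INDEX = 9  # IMAGE_DIRECTORY_ENTRY_TLS

def scan_pe32plus(data):
    """Parse a PE32+ header and flag an executable last section whose
    address range contains the TLS directory (the Rugrat pattern)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("not a PE32+ (64-bit) image")
    num_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    tls_rva = 0
    if num_dirs > TLS_DIR_INDEX:  # data directories start at offset 112 in PE32+
        tls_rva = struct.unpack_from("<I", data, opt + 112 + 8 * TLS_DIR_INDEX)[0]
    sections = []
    for i in range(nsect):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode(), f[2], f[1], f[9]))  # name, VA, VSize, flags
    name, va, vsize, chars = sections[-1]
    last_exec = bool(chars & IMAGE_SCN_MEM_EXECUTE)
    tls_in_last = tls_rva != 0 and va <= tls_rva < va + vsize
    return {"ia64": machine == IMAGE_FILE_MACHINE_IA64, "last_section": name,
            "last_exec": last_exec, "tls_in_last": tls_in_last,
            "suspicious": last_exec and tls_in_last}

def build_sample(last_exec, tls_in_last):
    """Constructed IA64 PE32+ header (headers only, no code) with .text then .rsrc."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_IA64, 2, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    if tls_in_last:  # TLS directory RVA 0x3040 falls inside .rsrc (VA 0x3000, size 0x1000)
        struct.pack_into("<II", opt, 112 + 8 * TLS_DIR_INDEX, 0x3040, 0x28)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    rsrc_chars = 0x40000040 | (IMAGE_SCN_MEM_EXECUTE if last_exec else 0)
    rsrc = struct.pack("<8sIIIIIIHHI", b".rsrc", 0x1000, 0x3000, 0x1000, 0x1400, 0, 0, 0, 0, rsrc_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + rsrc

if __name__ == "__main__":
    print(scan_pe32plus(build_sample(last_exec=True, tls_in_last=True)))
```

A clean build marks .rsrc non-executable, so only the combination of the two traits is reported as suspicious; either trait alone is common in legitimate binaries.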
Last modified: Thu, 15 Apr 21 08:11:13 -0700
Current Computer Chess Club Forums at Talkchess. This site by Sean Mintz.