A Rugrat for Itanium
Symantec Corp. has isolated W64.Rugrat.3344, a proof-of-concept virus that can infect 64-bit executable files on Windows 64-Bit Edition running on Itanium processors. The virus is crafty in that it does not care whether the 64-bit machine is real or a 32-bit machine emulating a 64-bit one; it runs on both.
Symantec has rated Rugrat as a Level 1 threat, with Level 5 being the worst. The main reason for such a low rating is that 64-bit computing is not as widespread as 32-bit computing, so less damage can be done. Unfortunately, many businesses don’t bother to protect their 64-bit Windows installations because they do not believe the systems are vulnerable to viruses. This virus should stand as proof to the contrary. One bit of good news is that Rugrat may not be easily duplicated, because it was written in Intel Corp.’s 64-bit assembly language. The creator is believed to be very technically savvy; the average script kiddie won’t be able to whip this up.
Rugrat is a direct-action infector, exiting memory after execution; it infects any file in the same folder as the virus—including all subfolders—and affects all Windows 64-bit executables apart from .DLL files.
The virus has two unusual characteristics, Symantec said. For one, it is written in IA64 assembly code, which requires advanced technical knowledge and makes it unlikely there will be copycat viruses. It also executes using the Thread Local Storage structures.
“This is an unusual method of executing code,” Symantec’s Peter Ferrie and Peter Szor wrote in the company’s bulletin on the virus.
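As an added triage example (not Symantec's code and not from the article): a header-only check that flags non-DLL IA64 PE32+ files whose TLS directory registers callbacks, which the Windows loader runs before the program's entry point. It assumes the article's "Thread Local Storage structures" means the PE TLS data directory; the function names and the constructed sample image are hypothetical.

```python
import struct
IA64, PE32_PLUS, FILE_DLL, TLS_INDEX = 0x0200, 0x20B, 0x2000, 9

def rva_to_offset(data, table, nsect, rva):  # map an RVA to a file offset via the section table
    for i in range(nsect):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, table + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            return raw + (rva - va)
    return None

def tls_info(data):
    """Return IA64/DLL flags and the TLS callback-array VA of a PE32+ image, else None."""
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0]
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return None
        machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
        opt = pe + 24
        if struct.unpack_from("<H", data, opt)[0] != PE32_PLUS:
            return None  # 32-bit image: out of scope for this check
        ndirs = struct.unpack_from("<I", data, opt + 108)[0]
        tls_rva = struct.unpack_from("<I", data, opt + 112 + 8 * TLS_INDEX)[0] if ndirs > TLS_INDEX else 0
        callbacks = 0
        if tls_rva:
            off = rva_to_offset(data, opt + opt_size, nsect, tls_rva)
            if off is not None:
                # IMAGE_TLS_DIRECTORY64: AddressOfCallBacks is the 4th 8-byte field
                callbacks = struct.unpack_from("<Q", data, off + 24)[0]
    except struct.error:
        return None  # truncated or malformed headers
    return {"ia64": machine == IA64, "dll": bool(chars & FILE_DLL), "tls_rva": tls_rva, "callbacks_va": callbacks}

def needs_review(info):
    """Non-DLL IA64 image that registers TLS callbacks (code run before the entry point)."""
    return bool(info and info["ia64"] and not info["dll"] and info["callbacks_va"])

def build_sample(tls=True, chars=0x0022):
    """Constructed header-only IA64 PE32+ image for the demo; not a real executable."""
    img = bytearray(0x400)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)
    struct.pack_into("<HHIIIHH", img, 0x44, IA64, 1, 0, 0, 0, 240, chars)
    struct.pack_into("<H", img, 0x58, PE32_PLUS)
    struct.pack_into("<I", img, 0x58 + 108, 16)
    struct.pack_into("<8sIIII", img, 0x58 + 240, b".data", 0x100, 0x1000, 0x100, 0x200)
    if tls:
        struct.pack_into("<II", img, 0x58 + 112 + 8 * TLS_INDEX, 0x1000, 40)
        struct.pack_into("<Q", img, 0x200 + 24, 0x401080)  # constructed callback-array VA
    return bytes(img)
```

TLS callbacks also appear in legitimate software, so a hit is a prompt to inspect the file, not a verdict.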
The Rugrat author also has written several other proof-of-concept viruses, according to the company. Symantec recommends that Windows 64-bit users update their virus definitions to protect against the virus.
The virus is described as a proof-of-concept virus because it has no real payload. The virus was written just to prove that it could be done.
May 28th, 2004 at 10:07 pm