Information Security News mailing list archives

A New Generation of Windows 2000 Viruses


From: InfoSec News <isn () C4I ORG>
Date: Tue, 5 Sep 2000 02:40:16 -0500

Forwarded By: "Berislav Kucan BHZ" <bhz () net-security org>

http://www.net-security.org/text/articles/viruses/generation.shtml

[BTW Help Net Security, in association with Kaspersky Lab, created a
little knowledge survey about viruses, and 10 lucky contestants,
randomly chosen from a list of everyone who filled in the survey,
could win a 2 year licensed copy of AVP Gold (choose: Windows
95/98/2000/NT, Linux, OS/2 and MS Office 2000). URL of the 10 question
survey is: http://www.net-security.org/survey/kaspersky ]


A New Generation of Windows 2000 Viruses is Streaming Towards PC Users

Kaspersky Lab, an international anti-virus software development
company, announces the discovery of W2K.Stream virus, which represents
a new generation of malicious programs for Windows 2000. This virus
uses a new breakthrough technology based on the "Stream Companion"
method for self-embedding into the NTFS file system.

The virus originates from the Czech Republic and was created at the
end of August by the hackers going by the pseudonyms of Benny and
Ratter. To date, Kaspersky Lab has not registered any infections
resulting from this virus; however, it is fully functional and its
ability to exist "in the wild" is not in doubt.

"Certainly, this virus begins a new era in computer virus creation,"
said Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab.
"The 'Stream Companion' technology the virus uses to plant itself into
files makes its detection and disinfection extremely difficult to
complete."

Unlike previously known methods of file infection (adding the virus
body at the beginning, the end or any other part of a host file), the
"Stream" virus exploits a feature of the NTFS file system (Windows
NT/2000) that allows a file to hold multiple data streams. In Windows
95/98 (FAT), a file has only one data stream - the program code
itself. Windows NT/2000 (NTFS) lets users create any number of data
streams within a file: independent executable program modules, as
well as various service streams (file access rights, encryption data,
processing time etc.). This makes NTFS files very flexible, allowing
the creation of user-defined data streams for specific tasks.

"Stream" is the first known virus that uses the ability to create
multiple data streams to infect files on the NTFS file system (see
picture 1). To do this, the virus creates an additional data stream
named "STR" and moves the original content of the host program there.
Then, it replaces the main data stream with the virus code. As a
result, when the infected program is run, the virus takes control,
completes the replication procedure and then passes control to the
host program.

"By default, anti-virus programs check only the main data stream.
There will be no problems protecting users from this particular
virus," Eugene Kaspersky continues. "However, viruses can move to
additional data streams. In this case, many anti-virus products will
become obsolete, and their vendors will be forced to urgently redesign
their anti-virus engines."
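The two points above (the host program moved into a named "STR" stream
while the main stream is replaced, and scanners that look only at the
main stream) can be checked for by an administrator. The script below
is an added example, not part of the article or of any Kaspersky
product; it assumes a modern Windows host with PowerShell 3.0 or later
(which supports the -Stream parameter) and an NTFS volume, and the
"suspicious" heuristic is my own triage hint, not a detection signature.

```powershell
# Added example: list named (alternate) data streams on executables under a
# directory, so companion streams like the "STR" stream described in the article
# are visible to an auditor. Assumes PowerShell 3.0+ on an NTFS volume.
param(
    [string]$Path = '.',
    [string[]]$Extension = @('*.exe')
)

function Get-AdsReport {
    param([string]$Root, [string[]]$Include)

    Get-ChildItem -Path $Root -Include $Include -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns the unnamed ':$DATA' stream plus every named stream;
            # only the named ones are of interest here.
            $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
            foreach ($s in $streams) {
                # Triage heuristic (an assumption, not a signature): the article
                # describes a ~4K main stream with the original program parked in
                # a stream named "STR", so flag that name, or any named stream that
                # is larger than the main stream. Benign named streams exist too
                # (e.g. Zone.Identifier on downloaded files), so review before acting.
                $suspicious = ($s.Stream -eq 'STR') -or ($s.Length -gt $file.Length)
                [pscustomobject]@{
                    File        = $file.FullName
                    MainBytes   = $file.Length
                    Stream      = $s.Stream
                    StreamBytes = $s.Length
                    Suspicious  = $suspicious
                }
            }
        }
}

# Print one row per named stream found; an empty table means no executable under
# $Path carries an alternate data stream.
Get-AdsReport -Root $Path -Include $Extension | Format-Table -AutoSize
```

Run it as `.\Get-AdsReport.ps1 -Path C:\SomeDir` from a PowerShell prompt;
the Suspicious column is a starting point for review, not a verdict.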

Protection against the "Stream" virus has already been added to the
daily update of AntiViral Toolkit Pro (AVP). Please, update your
anti-virus.

Technical Background

The virus itself is a Windows application (PE EXE file) compressed
with the Petite PE EXE file compressor and is about 4K in size. When
run, it infects all EXE files in the current directory and then
returns control to the host file. If any error occurs, the virus
displays the message:

Win2k.Stream by Benny/29A & Ratter
This cell has been infected by [Win2k.Stream] virus!

In general, the virus is capable of working on any operating system
that uses the NTFS file system (for example Windows NT/2000). However,
the virus checks the installed Windows version and allows operation
only from PCs that have Windows 2000 installed.


Berislav Kucan aka BHZ
bhz () net-security org
http://net-security.org

ISN is hosted by SecurityFocus.com

