Next-Generation Virus Streams To Win2K
Russia-based anti-virus vendor Kaspersky Lab has discovered a
new-generation Windows 2000 virus that, although not in the wild yet,
has been tagged as extremely dangerous if it gets out.
The first iteration of this new "Stream Companion" generation of virus,
called W2K.Stream, takes advantage of the Windows 2000 NTFS file
system, which allows a file to contain multiple simultaneous data streams.
Some of the potential streams that could be used for malicious purposes
include independent executable program modules, as well as various
service streams to manipulate file access rights, encryption data,
processing time, and more.
The virus - and others like it - is expected to be difficult to detect as
anti-virus programs only check the main data stream.
"Many anti-virus products will become obsolete, and their vendors will
be forced to urgently redesign their anti-virus engines," says Eugene
Kaspersky, head of anti-virus research at Kaspersky Lab.
"This virus begins a new era in computer virus creation," says
Kaspersky. "The 'Stream Companion' technology the virus uses to plant
itself into files makes its detection and disinfection extremely
difficult to complete."
Hackers "Benny" and "Ratter" created the W2K.Stream virus in the Czech
Republic at the end of August.
The W2K.Stream virus is a Windows application compressed by a Petite
PE EXE file compressor and is about four kilobytes in size. When it runs,
it infects all EXE files in the current directory and then returns control
to the host file. While infecting a file, the virus creates a new stream
associated with the victim file. This stream has "STR" as its name. The
virus then moves the victim file body to the STR stream and overwrites
the victim file body with its own virus code.
As a result, when an infected file is executed, Windows reads the
default stream, which now holds the virus code, and executes it. Windows
also reports the same file size - the virus length - for all infected
files.
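
The layout described above can be checked from a per-stream file listing. The following is an added example, not code from Kaspersky Lab or the article: the function name, the (path, stream, size) record format and the sample listing are assumptions, and treating a named stream larger than the main stream as suspicious is a heuristic inferred from the description.

```python
from collections import Counter, defaultdict

def find_stream_companions(records, stream_name="STR"):
    """records: (path, stream, size) tuples; stream == "" is the main stream.

    Returns {path: [reasons]} for .exe files whose stream layout matches
    the description above (hypothetical helper, not a vendor API).
    """
    main, named = {}, defaultdict(list)
    for path, stream, size in records:
        if not path.lower().endswith(".exe"):
            continue  # the article describes EXE files only
        if stream == "":
            main[path] = size
        else:
            named[path].append((stream, size))

    findings = {}
    for path, streams in named.items():
        reasons = []
        for stream, size in streams:
            if stream.upper() == stream_name.upper():
                reasons.append(f"named stream {stream!r}")
            # Assumed heuristic: the displaced host body outweighs the stub.
            if size > main.get(path, 0):
                reasons.append(f"{stream!r} ({size} B) larger than main stream")
        if reasons:
            findings[path] = reasons

    # Infected files all report the same length: note main-stream sizes
    # shared by more than one flagged file.
    shared = Counter(main[p] for p in findings if p in main)
    for path in findings:
        n = shared[main.get(path)]
        if n > 1:
            findings[path].append(f"main stream size shared by {n} flagged files")
    return findings

# Constructed listing (not real scan output): path, stream name, size in bytes.
SAMPLE = [
    ("C:\\tools\\calc.exe", "", 4096), ("C:\\tools\\calc.exe", "STR", 114688),
    ("C:\\tools\\edit.exe", "", 4096), ("C:\\tools\\edit.exe", "STR", 69632),
    ("C:\\tools\\setup.exe", "", 250000),
    ("C:\\tools\\setup.exe", "Zone.Identifier", 26),  # small benign stream
    ("C:\\tools\\notes.txt", "", 120), ("C:\\tools\\notes.txt", "STR", 500),
]

if __name__ == "__main__":
    for path, reasons in find_stream_companions(SAMPLE).items():
        print(path, "->", "; ".join(reasons))
```
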
Kaspersky Lab has added protection against the "Stream" virus to its
daily update of AntiViral Toolkit Pro.
Reported by ITWeb.co.za, http://www.itweb.co.za