W64/Rugrat

Type: Virus
SubType: File Infector
Discovery Date: 05/27/2004
Length: approx. 3350 bytes
Minimum DAT: 4364 (06/02/2004)
Updated DAT: 4364 (06/02/2004)
Minimum Engine: 5.1.00
Description Added: 05/27/2004
Description Modified: 05/28/2004 11:28 AM (PT)
Risk Assessment
    Corporate User: Low-Profiled
    Home User: Low-Profiled

Characteristics

-- Update May 28, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://www.vnunet.com/news/1155467

________________

This is a detection for a 64-bit PE file infector. When an infected file is run, the virus infects files in the current directory and its subdirectories. Target files are 64-bit PE (Portable Executable) files, such as .EXE.

W64/Rugrat seems to be the first virus for Windows XP 64-Bit Edition. It is related to some variants of the W32/Chiton virus family. Like the .b, .m, .o and .q variants, it infects .EXE files via a Thread Local Storage (TLS) callback, without changing the code at the entry point of the program.

The viral code is appended to the original file. It contains the following text:

"Shrug - roy g biv"

It is not encrypted or polymorphic.

This virus does not infect 32-bit PE files and does not function under common 32-bit operating systems such as Windows 9x, NT, 2K or XP, as long as no additional software is installed that adds support for 64-bit applications.
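
The infection method described above (appended code reached through a TLS callback, entry point untouched) can be checked for statically. The Python below is an added example, not the vendor's detection logic: it parses a PE32+ file, lists its TLS callbacks and flags any that point into the highest-addressed section, where appended code would sit. Treating such a callback as suspicious is an assumed heuristic, and the function and constant names are illustrative.

```python
import struct
import sys
from pathlib import Path

PE32_PLUS = 0x20B        # optional-header magic of a 64-bit (PE32+) image
TLS_ENTRY = 112 + 8 * 9  # data-directory entry 9 (TLS) in a PE32+ optional header


def rva_to_offset(secs, rva):
    """Map an RVA to a file offset; secs rows are (vsize, vaddr, rawsize, rawptr)."""
    for vsize, vaddr, rsize, rptr in secs:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + rva - vaddr
    return None


def tls_callbacks(data):
    """Return (all TLS callback RVAs, the ones that land in the last section)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != PE32_PLUS:
        return [], []  # 32-bit image: the page says these are not infected
    nsec, optsize = struct.unpack_from("<H12xH", data, pe + 6)
    image_base, ndirs = struct.unpack_from("<Q76xI", data, opt + 24)
    secs = [struct.unpack_from("<4I", data, opt + optsize + 40 * i + 8) for i in range(nsec)]
    tls_rva = struct.unpack_from("<I", data, opt + TLS_ENTRY)[0] if ndirs > 9 else 0
    tls_off = rva_to_offset(secs, tls_rva) if tls_rva else None
    if tls_off is None:
        return [], []
    array_va, = struct.unpack_from("<Q", data, tls_off + 24)  # AddressOfCallBacks (a VA)
    off = rva_to_offset(secs, array_va - image_base) if array_va else None
    rvas = []
    while off is not None and off + 8 <= len(data):
        va, = struct.unpack_from("<Q", data, off)
        if va == 0:  # the callback array is NULL-terminated
            break
        rvas.append(va - image_base)
        off += 8
    vsize, vaddr, rsize, _ = max(secs, key=lambda s: s[1])  # highest-addressed section
    return rvas, [r for r in rvas if vaddr <= r < vaddr + max(vsize, rsize)]


if __name__ == "__main__" and len(sys.argv) > 1:
    found, suspect = tls_callbacks(Path(sys.argv[1]).read_bytes())
    print("TLS callbacks:", [hex(r) for r in found], "in last section:", [hex(r) for r in suspect])
```

Legitimate programs also use TLS callbacks, so a hit is a reason to inspect the file rather than a verdict. Truncated or malformed files raise struct.error.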

Symptoms

64-bit PE files (.EXE) have viral code appended.

Method of Infection

Manually running an infected file activates the virus.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W64.Rugrat (Symantec)
