McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

-- Update August 24, 2004 --
This threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/Virus%2Btargets%2B64%2Dbit%2BWindows/2100%2D1002_3%2D5320803.html
--

This is a detection for a 64bit PE file infector. After running an infected file, the virus will infect files in the current directory and subdirectories. Target files are 64bit PE (Portable Executable) files, such as .EXE.

The W64/Shruggle seems to be the first virus for Windows XP 64-Bit Edition running on AMD64 systems. It is related to W64/Rugrat .

Viral code is appended to the original file, containing the following text :

"Shrug - roy g biv"

It is not encrypted or polymorphic.

This virus does not infect 32bit PE files and does not function under common 32bit OS's like Windows 9x, NT, 2K or XP as long as no additional software is installed which adds support for 64bit applications.

Symptoms

64 bit PE type files (.EXE) have appended viral code.

Method of Infection

Manually running an infected file activates the virus.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

-- Update August 24, 2004 --
This threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/Virus%2Btargets%2B64%2Dbit%2BWindows/2100%2D1002_3%2D5320803.html
--

This is a detection for a 64bit PE file infector. After running an infected file, the virus will infect files in the current directory and subdirectories. Target files are 64bit PE (Portable Executable) files, such as .EXE.

The W64/Shruggle seems to be the first virus for Windows XP 64-Bit Edition running on AMD64 systems. It is related to W64/Rugrat .

Viral code is appended to the original file, containing the following text :

"Shrug - roy g biv"

It is not encrypted or polymorphic.

This virus does not infect 32bit PE files and does not function under common 32bit OS's like Windows 9x, NT, 2K or XP as long as no additional software is installed which adds support for 64bit applications.

Symptoms

Symptoms -

64 bit PE type files (.EXE) have appended viral code.

Method of Infection

Method of Infection -

Manually running an infected file activates the virus.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A