W32/Rugrat.3344

Analysis


Specifics
This virus is designed for 64-bit Windows XP or Windows 2003 operating systems on Intel Architecture 64-bit processors [aka IA64]. It is specifically coded to implement features not available to 32-bit systems. This virus inserts itself into the last section of a host file, within 240 bytes of the end of the last section. The viral body is 3344 bytes in size and was coded in Assembler language.

Systems which have a 32-bit processor chip but run 64-bit emulation are also susceptible to this virus. Because of this dependency on the 64-bit processor platform, the threat posed by this proof-of-concept virus is quite limited at this time.


Last Section Infector
If the virus is run, it will attempt to infect files in the current folder and files accessed or executed soon afterwards. The virus inserts itself into the last section of PE files, but it avoids infecting files which may be protected by SFC [aka System File Checker].
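The structural trait described above, an entry point that lands in an executable last section of a PE32+ image, is something a scanner can check directly. The following Python script is an added example written for this page, not Fortinet's detection logic and not part of the original analysis: it parses the PE headers by hand, applies that last-section heuristic, and additionally looks for the strings listed under Miscellaneous as a secondary indicator. The two sample images it builds are constructed in code (zero filler plus the marker strings, no real code of any kind), so the script runs offline; the "infected-shaped" sample only mimics the layout the analysis describes.

```python
import struct

IMAGE_FILE_MACHINE_IA64 = 0x0200
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_SCN_MEM_EXECUTE = 0x20000000

# Strings the analysis lists as present in the viral body; used here only as a
# secondary indicator next to the structural check.
MARKER_STRINGS = (b"Shrug - roy g biv", b"*4U2NV*")


def parse_pe(data):
    """Return machine type, optional-header magic, entry RVA and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return {"machine": machine, "magic": magic, "entry_rva": entry_rva, "sections": sections}


def check_last_section(data):
    """Heuristic (an assumption of this example, not a signature): a PE32+ image whose
    entry point lies inside an executable last section is worth a closer look."""
    pe = parse_pe(data)
    last = pe["sections"][-1]
    span = last["vsize"] or last["rawsize"]
    end = last["vaddr"] + span
    entry = pe["entry_rva"]
    in_last = last["vaddr"] <= entry < end
    executable = bool(last["chars"] & IMAGE_SCN_MEM_EXECUTE)
    raw = data[last["rawptr"]:last["rawptr"] + last["rawsize"]]
    return {
        "ia64": pe["machine"] == IMAGE_FILE_MACHINE_IA64,
        "pe32plus": pe["magic"] == IMAGE_NT_OPTIONAL_HDR64_MAGIC,
        "last_section": last["name"],
        "entry_in_last_section": in_last,
        "last_section_executable": executable,
        "bytes_from_entry_to_section_end": end - entry if in_last else None,
        "marker_strings_in_last_section": any(m in raw for m in MARKER_STRINGS),
        "suspicious": in_last and executable,
    }


def build_sample_pe64(infected):
    """Constructed two-section PE32+ (IA64) image made of zero filler.
    infected=True mimics the layout of a last-section infection: 3344 bytes of filler
    carrying the marker strings appended to .data, .data marked executable, and the
    entry point moved into the appended tail."""
    text = b"\0" * 0x200
    body = b"\0" * 0x100
    chars_data = 0xC0000040            # INITIALIZED_DATA | READ | WRITE
    entry_rva = 0x1000                 # clean image: entry point in .text
    if infected:
        tail = (b"\0".join(MARKER_STRINGS) + b"\0").ljust(3344, b"\0")
        body += tail
        chars_data |= IMAGE_SCN_MEM_EXECUTE
        entry_rva = 0x2000 + 0x100     # entry now points into the appended tail
    raw2 = (len(body) + 0x1FF) & ~0x1FF   # file-align .data to 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_IA64, 2, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<Q", opt, 24, 0x140000000)     # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".data", len(body), 0x2000, raw2, 0x600, 0, 0, 0, 0, chars_data)
    headers = (bytes(dos) + coff + bytes(opt) + sec).ljust(0x400, b"\0")
    return headers + text + body.ljust(raw2, b"\0")


if __name__ == "__main__":
    for label in ("clean", "infected-shaped"):
        print(label, check_last_section(build_sample_pe64(label != "clean")))
```

The structural check is deliberately coarse: plenty of legitimate linkers place the entry point in the first section, so an entry point inside an executable last section is a triage signal rather than proof of infection, and the marker-string check only confirms that the strings quoted in this analysis are present in that section.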


Miscellaneous
This virus contains some strings in the virus body which are never displayed:

06/05/04
Shrug - roy g biv
*4U2NV*

The first string could be the date of creation by the author, read as May 6, 2004. The second string is a 'signature' which can also be found in the virus author's other creations. The last string is presumed to be the phrase "for you to envy".


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
