W32/Rugrat.3344
Analysis
Specifics
This virus is designed for 64-bit Windows XP or Windows 2003 operating systems running on Intel Architecture 64-bit processors [aka IA64]. It is specifically coded to use features that are not available on 32-bit systems. The virus inserts itself into the last section of a host file, within 240 bytes of the end of that section. The viral body is 3344 bytes in size and was written in assembly language.
Systems that have a 32-bit processor but run 64-bit emulation are susceptible to this virus. Because of this dependency on the 64-bit processor platform, the threat posed by this proof-of-concept virus is quite limited at this time.
Last Section Infector
If the virus is run, it attempts to infect files in the current folder and files that are accessed or executed soon afterwards. It inserts itself into the last section of PE files, but avoids infecting files that may be protected by SFC [aka System File Checker].
Miscellaneous
The virus body contains several strings that are never displayed:
06/05/04
Shrug - roy g biv
*4U2NV*
The first string may be the author's creation date, read as May 6, 2004. The second string is a 'signature' that also appears in the virus author's other creations. The last string is presumed to stand for the phrase "for you to envy".
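As an added example (not part of this analysis, and not the virus's own code), the following Python script shows how a defender could triage a PE file for the two indicators this entry gives: code placed in the last section of the image, and the never-displayed strings in the viral body. It assumes, as is typical for appending infectors but not stated above, that the entry point is redirected into the last section; the constants IMAGE_FILE_MACHINE_IA64 (0x0200) and the PE32+ magic (0x20B) come from the PE/COFF specification, and the sample PE images it builds are constructed purely for the demonstration.

```python
import struct
from dataclasses import dataclass

# Constants from the Microsoft PE/COFF specification.
IMAGE_FILE_MACHINE_IA64 = 0x0200
PE32PLUS_MAGIC = 0x20B

# Strings the analysis reports in the viral body (constructed list).
MARKER_STRINGS = (b"06/05/04", b"Shrug - roy g biv", b"*4U2NV*")


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    raw_pointer: int

    def contains_rva(self, rva):
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def parse_pe(data):
    """Return (machine, optional-header magic, entry-point RVA, sections)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint
    sec_off = opt_off + opt_size
    sections = []
    for i in range(n_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, sec_off + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, rawsize, rawptr))
    if not sections:
        raise ValueError("no sections")
    return machine, magic, entry_rva, sections


def inspect_last_section(data):
    """Heuristic triage for a last-section infector (assumed indicators)."""
    machine, magic, entry_rva, sections = parse_pe(data)
    last = sections[-1]
    ep_section = next((s for s in sections if s.contains_rva(entry_rva)), None)
    ep_in_last = ep_section is last
    last_raw = data[last.raw_pointer:last.raw_pointer + last.raw_size]
    markers = [m.decode() for m in MARKER_STRINGS if m in last_raw]
    last_end = last.virtual_address + max(last.virtual_size, last.raw_size)
    return {
        "ia64": machine == IMAGE_FILE_MACHINE_IA64,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "entry_section": ep_section.name if ep_section else None,
        "entry_in_last_section": ep_in_last,
        "bytes_from_entry_to_section_end": (last_end - entry_rva) if ep_in_last else None,
        "markers_in_last_section": markers,
        # Assumed heuristic: entry point in the last section plus either the
        # IA64 machine type or the known marker strings.
        "suspicious": ep_in_last and (bool(markers) or machine == IMAGE_FILE_MACHINE_IA64),
    }


def build_sample_pe(machine, entry_rva, last_section_body):
    """Construct a minimal two-section PE32+ image for testing (not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 2, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIII", PE32PLUS_MAGIC, 0, 0, 0x200, 0x400, 0, entry_rva)
    opt = opt.ljust(240, b"\0")                                   # standard PE32+ size
    payload = last_section_body.ljust(0x400, b"\0")
    sec1 = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack("<8sIIIIIIHHI", b".data", len(payload), 0x2000, len(payload),
                       0x400, 0, 0, 0, 0, 0xC0000040)
    header = (dos + coff + opt + sec1 + sec2).ljust(0x200, b"\0")
    return header + bytes([0x90]) * 0x200 + payload


if __name__ == "__main__":
    clean = build_sample_pe(IMAGE_FILE_MACHINE_IA64, 0x1000, b"")
    tampered = build_sample_pe(IMAGE_FILE_MACHINE_IA64, 0x2100,
                               b"\0" * 0x100 + b"Shrug - roy g biv\0*4U2NV*")
    for label, image in (("clean", clean), ("tampered", tampered)):
        print(label, inspect_last_section(image))
```

On a real sample the `bytes_from_entry_to_section_end` value is only informational, since the entry above describes where the body is inserted rather than where the entry point lands; the marker strings and the IA64 machine type are the indicators the page itself supplies.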
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option