RealTime IT News

Killer Virus Streaming Near You

From Moscow, breeding ground of both deadly computer viruses and ace virus-slayers, comes news that Kaspersky Lab, an international anti-virus software development company with offices in Moscow (Russia), Cambridge (UK) and Johannesburg (South Africa), has announced the discovery of the W2K.Stream virus, which represents a new generation of malicious programs for Windows 2000. This virus uses a new breakthrough technology based on the "Stream Companion" method for self-embedding into the NTFS file system.

The virus originates from the Czech Republic and was created at the end of August by hackers going by the pseudonyms Benny and Ratter. To date, Kaspersky Lab has not registered any infections resulting from this virus; however, its ability to function and to survive "in the wild" is unchallenged and unique.

"Certainly, this virus begins a new era in computer virus creation," said Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab. "The 'Stream Companion' technology the virus uses to plant itself into files makes its detection and disinfection extremely difficult to complete."

Unlike previously known methods of file infection (adding the virus body at the beginning, the end or any other part of a host file), the "Stream" virus exploits a feature of the NTFS file system (Windows NT/2000) that allows a file to hold multiple data streams. For instance, in Windows 95/98 (FAT) files, there is only one data stream: the program code itself. Windows NT/2000 (NTFS) enables users to create any number of data streams within the file: independent executable program modules, as well as various service streams (file access rights, encryption data, processing time etc.). This makes NTFS files very flexible, allowing for the creation of user-defined data streams aimed at completing specific tasks.

"Stream" is the first known virus that uses the ability to create multiple data streams to infect files on the NTFS file system (see picture 1). To do this, the virus creates an additional data stream named "STR" and moves the original content of the host program there. Then, it replaces the main data stream with the virus code. As a result, when the infected program is run, the virus takes control, completes the replicating procedure and then passes control to the host program.
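The layout described above (host program moved into a named stream, main stream replaced) can be checked for from the defender's side by listing every data stream on each EXE file rather than only the main one. The script below is an added example, not code from Kaspersky Lab or from the original article; the function names and the demo file are hypothetical, and it assumes PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: report alternate data streams on EXE files in one directory.
# Function names are hypothetical; requires PowerShell 3.0+ and an NTFS volume.

function Read-StreamHead {
    param([string]$File, [string]$Stream)
    # Byte-mode reads are spelled differently in Windows PowerShell and PowerShell 6+.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $File -Stream $Stream -AsByteStream -TotalCount 2
    } else {
        Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -TotalCount 2
    }
}

function Find-ExeAlternateStream {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Filter *.exe -File | ForEach-Object {
        $file = $_
        # -Stream * returns every data stream; the unnamed main stream is ':$DATA'.
        Get-Item -LiteralPath $file.FullName -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $head = @(Read-StreamHead -File $file.FullName -Stream $_.Stream)
                [pscustomobject]@{
                    File         = $file.Name
                    Stream       = $_.Stream
                    StreamLength = $_.Length
                    MainLength   = $file.Length
                    # 'MZ' (0x4D 0x5A) marks a DOS/PE executable image.
                    StartsWithMZ = ($head.Count -eq 2 -and
                                    $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                }
            }
    }
}

# Constructed demo data: a harmless text file with an .exe name and a stream named "STR".
$dir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$sample = Join-Path $dir 'sample.exe'
Set-Content -LiteralPath $sample -Value 'placeholder main stream'
Set-Content -LiteralPath $sample -Stream STR -Value 'MZ placeholder'

Find-ExeAlternateStream -Path $dir | Format-Table -AutoSize
Remove-Item -LiteralPath $dir -Recurse -Force
```

A `Zone.Identifier` stream on a downloaded executable is normal and will show `StartsWithMZ` as false; a named stream on an EXE that itself begins with an executable header is the case worth investigating.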

"By default, anti-virus programs check only the main data stream. There will be no problems protecting users from this particular virus," Eugene Kaspersky continues. "However, the viruses can move to additional data streams. In this case, many anti-virus products will become obsolete, and their vendors will be forced to urgently redesign their anti-virus engines."

Protection against the "Stream" virus has already been added to the daily update of AntiViral Toolkit Pro (AVP). Please update your anti-virus.

The virus itself is a Windows application (PE EXE file) compressed by the Petite PE EXE file compressor and is about 4K in size. When run, it infects all EXE files in the current directory and then returns control to the host file. If any error occurs, the virus displays the message:

Win2k.Stream by Benny/29A & Ratter This cell has been infected by [Win2k.Stream] virus!

In general, the virus is capable of working on any operating system that uses the NTFS file system (for example Windows NT/2000). However, the virus checks the installed Windows version and runs only on PCs that have Windows 2000 installed.

For more technical details, please visit the Kaspersky Lab Virus Encyclopedia.