64-Bit Virus for Windows Uses Odd Method

The Rugrat virus doesn't require a true 64-bit machine, as it runs successfully on 32-bit computers with 64-bit emulators.

Symantec has identified the first virus that successfully infects 64-bit Windows executables, posing the first threat to an operating system that industry observers say is often left without antivirus protection.

W64.Rugrat.3344 is a proof-of-concept virus that infects 64-bit executable files on Windows 64-Bit Edition running on Itanium processors, Symantec Corp. said Thursday. It doesn't require a true 64-bit machine, as it runs successfully on 32-bit computers with 64-bit emulators.

Rugrat is currently not a major threat, largely because 64-bit computers are not in widespread use, and it is not currently spreading in the wild. But it demonstrates that virus writers are keeping up with the latest technology, Symantec said.


Symantec noted that many businesses don't bother to protect their 64-bit Windows installations because they do not believe the systems are vulnerable to viruses. This is no longer the case, the company said.

Itanium is an Intel Corp. server chip designed to exclusively run 64-bit software. Other 64-bit processors include Advanced Micro Devices Inc.'s Opteron and Athlon 64, for which Microsoft is developing a 64-bit version of Windows.

The IBM-made G5 processor in newer Macs is also 64-bit capable, though Mac OS X is a 32-bit operating system.

64-bit chips allow software to be processed in larger chunks, theoretically increasing performance for some types of tasks and allowing the processor to address more memory.


"Currently, there isn't a broad penetration of 64-bit systems," Symantec Security Response senior director Vincent Weafer said in a statement. "Most home and business systems deployed today are running on 32-bit platforms and are not affected by this threat." Symantec has given the virus a Level 1 rating, with Level 5 being the most serious.

Rugrat is a direct-action infector, exiting memory after execution; it infects any file in the same folder as the virus—including all subfolders—and affects all Windows 64-bit executables apart from .DLL files.

The virus has two unusual characteristics, Symantec said. For one, it is written in IA64 assembly code, which requires advanced technical knowledge and makes it unlikely there will be copycat viruses. It also executes using the Thread Local Storage structures.

"This is an unusual method of executing code," Symantec's Peter Ferrie and Peter Szor wrote in the company's bulletin on the virus.
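A header-only triage check for the traits described above (IA64 machine type, 64-bit PE32+ format, not a DLL, Thread Local Storage data directory present), as an added example that is not Symantec's detection logic or code from the bulletin. The function names and the sample images are constructed for illustration, and because legitimate programs also carry a TLS directory, a match is a lead for review rather than a verdict.

```python
import struct

IMAGE_FILE_MACHINE_IA64 = 0x0200   # Itanium machine type
IMAGE_FILE_DLL = 0x2000            # Characteristics flag for DLLs
PE32_PLUS_MAGIC = 0x20B            # 64-bit optional header
TLS_DIR_INDEX = 9                  # IMAGE_DIRECTORY_ENTRY_TLS

def triage_pe(data: bytes) -> dict:
    """Read only the PE headers and report the traits named in the article."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ image")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        machine, _, _, _, _, _, flags = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
        opt_off = pe_off + 24
        (magic,) = struct.unpack_from("<H", data, opt_off)
        pe32_plus = magic == PE32_PLUS_MAGIC
        # Data directories start at 112 (PE32+) or 96 (PE32); their count sits 4 bytes earlier.
        dir_off = opt_off + (112 if pe32_plus else 96)
        (count,) = struct.unpack_from("<I", data, dir_off - 4)
        tls_rva = tls_size = 0
        if count > TLS_DIR_INDEX:
            tls_rva, tls_size = struct.unpack_from("<II", data, dir_off + 8 * TLS_DIR_INDEX)
    except struct.error as exc:
        raise ValueError("truncated header") from exc
    facts = {
        "ia64": machine == IMAGE_FILE_MACHINE_IA64,
        "pe32_plus": pe32_plus,
        "dll": bool(flags & IMAGE_FILE_DLL),
        "tls_directory": tls_rva != 0 and tls_size != 0,
    }
    facts["review"] = facts["ia64"] and pe32_plus and not facts["dll"] and facts["tls_directory"]
    # "review" is a triage lead only: compilers emit TLS directories for ordinary thread-local data.
    return facts

def build_sample(machine: int, flags: int, tls_rva: int, tls_size: int) -> bytes:
    """Constructed header-only PE32+ image for the demo; not a loadable file."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 112 + 16 * 8, flags)
    opt = struct.pack("<H", PE32_PLUS_MAGIC) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * TLS_DIR_INDEX, tls_rva, tls_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)

if __name__ == "__main__":
    print(triage_pe(build_sample(IMAGE_FILE_MACHINE_IA64, 0x0002, 0x3000, 0x28)))
```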

The Rugrat author also has written several other proof-of-concept viruses, according to the company. Symantec recommends that Windows 64-bit users update their virus definitions to protect against the virus.
