Discovered: May 26, 2004
Updated: February 13, 2007 12:23:42 PM
Also Known As: W64/Rugrat [McAfee]
Type: Virus
Systems Affected: Windows 64-bit (IA64)
W64.Rugrat.3344 is a direct-action infector--it exits memory after execution--of IA64 Windows Portable Executable (PE) files. These PE files include most 64-bit Windows programs other than .dlls.
The virus infects files that are in the same folder as the virus and in all subfolders. It is the first known virus for 64-bit Windows, and it uses the Thread Local Storage structures to execute the viral code. This is an unusual method of executing code.
It does not infect 32-bit Portable Executable files, and it will not run on 32-bit Windows platforms. The virus is written in IA64 assembly code.
Note: A true 64-bit computer is not required for this virus, as it can be run on a 32-bit computer that is using 64-bit simulation software.
A minor variant was discovered which is capable of infecting DLL files in addition to EXE files. This sample is the same size as the original and was already detected by the existing W64.Rugrat.3344 and no signature update was necessary.
Protection
-
Initial Rapid Release version May 27, 2004
-
Latest Rapid Release version July 12, 2008 revision 018
-
Initial Daily Certified version May 27, 2004
-
Latest Daily Certified version July 12, 2008 revision 019
-
Initial Weekly Certified release date May 28, 2004
Click for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild
-
Wild Level: Low
-
Number of Infections: 0 - 49
-
Number of Sites: 0 - 2
-
Geographical Distribution: Low
-
Threat Containment: Easy
-
Removal: Easy
Damage
Distribution
Writeup By: Peter Ferrie
