Kaspersky Lab announces the discovery of the W2K.Stream virus, which represents a new generation of malicious programs for Windows 2000. The virus uses a new infection technique, the "Stream Companion" method, to embed itself in files on the NTFS file system.
The virus originates from the Czech Republic and was written at the end of August by the hackers known by the pseudonyms Benny and Ratter. To date, Kaspersky Lab has registered no infections caused by this virus; however, it is fully functional and there is no doubt that it could spread "in the wild".
"Certainly, this virus begins a new era in computer virus creation," said Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab. "The 'Stream Companion' technology the virus uses to plant itself into files makes its detection and disinfection extremely difficult to complete."
Unlike previously known methods of file infection (appending the virus body to the beginning, the end or some other part of a host file), the "Stream" virus exploits a feature of the NTFS file system (Windows NT/2000) that allows a file to have multiple data streams. A file on a FAT volume (Windows 95/98), for example, has exactly one data stream: the file content itself, i.e. the program code. On NTFS (Windows NT/2000) a file can carry any number of additional named data streams, such as independent executable program modules, alongside the file system's own attribute streams (access rights, encryption data, timestamps and so on). This makes NTFS files very flexible and allows user-defined data streams to be created for specific tasks.
"Stream" is the first known virus to use multiple data streams to infect files on the NTFS file system (see picture 1). To do so, the virus creates an additional data stream named "STR" and moves the original content of the host program into it. It then overwrites the main (default) data stream with the virus code. As a result, when the infected program is run, the virus takes control, carries out its replication routine and then passes control to the host program.
"By default, anti-virus programs check only the main data stream. There will be no problems protecting users from this particular virus," Eugene Kaspersky continues. "However, the viruses can move to additional data streams. In this case, many anti-virus products will become obsolete, and their vendors will be forced to urgently redesign their anti-virus engines."
Protection against the "Stream" virus has already been added to the daily update of AntiViral Toolkit Pro (AVP). Please update your anti-virus software.
Technical Details
This is the first known Windows virus using the "Stream Companion" infection method. This method is based on an NTFS feature that allows for the creation of multiple data streams associated with a file.
NTFS Streams
Each file contains at least one default data stream, which is accessed simply by the file name. A file may also contain additional streams, each accessed by its own name appended to the file name (filename:streamname).
The default file stream is the file body itself (in pre-NTFS terms). For instance, when an EXE file is executed, the program is read from the default file stream; when a document is opened, its contents are also read from the default stream.
Additional file streams may contain any data. They cannot be accessed or modified except through the file that owns them: when the file is deleted, its streams are deleted with it, and when the file is renamed, the streams follow the new name. Copying the file to a file system without stream support (FAT, for instance) silently drops every stream except the default one.
Windows 2000 itself ships no standard tool for viewing or editing file streams. To inspect them "manually" you need a third-party utility, for instance the FAR file manager with its file-streams plug-in (Ctrl-PgDn lists the streams of the selected file). Later Windows versions do include such tools: dir /R (Windows Vista onward) lists alternate streams, and PowerShell 3.0 added the -Stream parameter to its file cmdlets.
Virus Operation
The virus itself is a Windows application (PE EXE file) compressed with the Petite PE EXE compressor and is about 4K in size. When run, it infects all EXE files in the current directory and then returns control to the host file. If any error occurs, the virus displays the message:
While infecting a file, the virus creates a new stream associated with the victim file. This stream is named "STR", so the complete stream name is "FileName:STR". The virus then moves the victim file body (the default stream, see above) into the STR stream and overwrites the default stream with its own (virus) code.
As a result, when an infected file is executed, Windows reads the default stream, which now holds the virus code, and executes it. Because directory listings show only the size of the default stream, Windows reports the same file size for every infected file: the length of the virus code.
To pass control back to the host program, the virus simply creates a new process from the original program by opening it under the name "FileName:STR".
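The following PowerShell session is an added example; it is not part of the original article and not the virus's code. It reproduces, on a harmless scratch file filled with text instead of a real PE image, the stream layout described in the NTFS Streams and Virus Operation sections above, and then shows the check a practitioner would want: a scan of a directory for EXE files carrying a data stream other than the default one. It assumes Windows, an NTFS volume and PowerShell 5.0 or later (for the -Stream and -NoNewline parameters); the directory, file and stream-scanning function names are chosen for the demonstration.

```powershell
# Added example (not from the original article and not the virus's code):
# reproduce the "Stream Companion" layout on a harmless scratch file, then
# scan a directory for EXE files that carry a non-default data stream.
# Assumes Windows, an NTFS volume and PowerShell 5.0+ (-Stream, -NoNewline).
# All names below are chosen for the demonstration.

$scratch = Join-Path $env:TEMP 'stream_demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$victim  = Join-Path $scratch 'victim.exe'

# Constructed stand-ins: plain text instead of real PE images.
$hostBody  = 'ORIGINAL HOST PROGRAM BODY (constructed sample, not a real PE file)'
$virusBody = 'VIRUS'   # much shorter, so the reported size change is obvious

# 1. A clean file: its content is the default (unnamed) data stream.
Set-Content -Path $victim -Value $hostBody -NoNewline

# 2. The infection step: copy the default stream into a new stream named
#    STR (full name victim.exe:STR), then overwrite the default stream.
$original = Get-Content -Path $victim -Raw
Set-Content -Path $victim -Stream 'STR' -Value $original -NoNewline
Set-Content -Path $victim -Value $virusBody -NoNewline

# 3. Directory listings report only the default stream: the file now shows
#    as 5 bytes long, while the host body survives untouched in the STR stream.
Get-Item -Path $victim | Select-Object Name, Length
Get-Item -Path $victim -Stream * | Select-Object Stream, Length
Get-Content -Path $victim -Stream 'STR' -Raw

# Detection: list every named stream on EXE files under a directory.
# Every stream other than the default ':$DATA' is reported; only the name
# used by this virus is flagged as suspicious, because legitimate named
# streams exist too (Zone.Identifier on downloaded files is the common one).
function Find-StreamCompanions {
    param(
        [Parameter(Mandatory)] [string] $Directory,
        [string] $StreamName = 'STR'
    )
    Get-ChildItem -Path $Directory -Filter '*.exe' -File -Recurse |
        ForEach-Object {
            $file = $_
            Get-Item -Path $file.FullName -Stream * |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $_.Stream
                        StreamSize = $_.Length
                        Suspicious = ($_.Stream -eq $StreamName)
                    }
                }
        }
}

Find-StreamCompanions -Directory $scratch | Format-Table -AutoSize

# Clean up the scratch directory.
Remove-Item -Path $scratch -Recurse -Force
```

Two points the session makes visible. Get-Content without -Stream reads only the default stream, which is exactly the blind spot the article attributes to scanners that check the main stream alone; any tool that enumerates streams must do so explicitly. And a named stream is not evidence of infection by itself: downloaded files routinely carry a Zone.Identifier stream, so the scan reports all non-default streams but flags only the name this virus uses.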
In general, this infection method works on any operating system that uses the NTFS file system (Windows NT as well as Windows 2000). However, the virus checks the installed Windows version and runs only on PCs with Windows 2000 installed.

