Russian-based anti-virus vendor Kaspersky Lab has discovered a new-generation Windows 2000 virus that, although not in the wild yet, has been tagged as extremely dangerous if it gets out.
The first iteration of this new "Stream Companion" generation of virus, called W2K.Stream, takes advantage of the Windows 2000 NTFS file system, which allows multiple simultaneous data streams to execute.
Some of the potential streams that could be used for malicious purposes include independent executable program modules, as well as various service streams to manipulate file access rights, encryption data, processing time, and more.
The virus - and others like it - is expected to be difficult to detect as anti-virus programs only check the main data stream. "Many anti-virus products will become obsolete, and their vendors will be forced to urgently redesign their anti-virus engines," says Eugene Kaspersky, head of anti-virus research at Kaspersky Lab.
"This virus begins a new era in computer virus creation," says Kaspersky. "The 'Stream Companion' technology the virus uses to plant itself into files makes its detection and disinfection extremely difficult to complete."
Hackers "Benny" and "Ratter" created the W2K.Stream virus in the Czech Republic at the end of August.
The W2K.Stream virus is a Windows application compressed by a Petite PE EXE file compressor and is about 4kb in size. When it runs, it infects all EXE files in the current directory and then returns control to the host file. While infecting a file, the virus creates a new stream associated with the victim file. This stream has "STR" as its name. The virus then moves the victim file body to the STR stream and then overwrites the victim file body with its own virus code.
As a result, when an infected file is executed, Windows reads the default stream and executes it. Windows also reports the same file size - the virus length - for all infected files.
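A defensive check built on the behaviour described above, as an added example that is not Kaspersky Lab's code: it parses a directory listing in the format printed by `dir /r` on later Windows versions and flags EXE files that carry a stream named STR, plus any main-stream size shared by several flagged files. The sample listing, its file names and sizes are constructed, the date layout is assumed to be the US one, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of `dir /r` output; names and sizes are made up.
SAMPLE_DIR_R = """\
09/05/2000  10:12 AM             4,096 calc.exe
                                91,408 calc.exe:STR:$DATA
09/05/2000  10:12 AM             4,096 notepad.exe
                                50,960 notepad.exe:STR:$DATA
09/05/2000  10:12 AM            28,160 clean.exe
09/05/2000  10:12 AM             1,024 report.doc
                                    26 report.doc:notes:$DATA
"""

# Main entry: date, time, optional AM/PM, size, name (assumed US date layout).
FILE_RE = re.compile(r"^\S+\s+\S+(?:\s+[AP]M)?\s+([\d,]+)\s+(.+)$")
# Named stream entry: indented size, then owner:stream:$DATA.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+):([^:]+):\$DATA$")

def parse_listing(text):
    """Return {filename: {"size": main_stream_bytes, "streams": {name: bytes}}}."""
    files = {}
    for line in text.splitlines():
        m = STREAM_RE.match(line)
        if m:
            size, owner, stream = m.groups()
            entry = files.setdefault(owner, {"size": None, "streams": {}})
            entry["streams"][stream] = int(size.replace(",", ""))
            continue
        m = FILE_RE.match(line)
        if m:
            size, name = m.groups()
            entry = files.setdefault(name, {"size": None, "streams": {}})
            entry["size"] = int(size.replace(",", ""))
    return files

def find_stream_companions(files, stream_name="STR"):
    """Flag EXE files with the named stream and main-stream sizes they share."""
    hits = [
        (name, info["size"], size)
        for name, info in sorted(files.items())
        for sname, size in info["streams"].items()
        if name.lower().endswith(".exe") and sname.upper() == stream_name
    ]
    counts = Counter(main for _, main, _ in hits)
    shared = {size for size, n in counts.items() if n > 1}
    return hits, shared
```

A shared main-stream size across flagged files matches the article's observation that every infected file reports the virus length as its size.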
Kaspersky Lab has added protection against the "Stream" virus to its daily update of AntiViral Toolkit Pro.

