Virus alert from CA

Virus alert from CA

Post by Arup » Sun, 10 Sep 2000 10:52:39



Win2000/Stream.3628 also known as W2K.Stream,

WNT/Stream, and Win2K.Stream.

Win2000/Stream.3628 is a companion virus that

infects executable files under Windows 2000.

The virus is also a direct-infector so will

infect all the executable files in the

directory from which it was run.

Win2000/Stream.3628 is considered a "proof of

concept" virus as it is the first virus to

exploit NTFS' Alternative Data Streams (ADS).

When the virus infects an executable file (for

example, Notepad.exe), the file is compressed

using NTFS' built-in compression mechanism.

This compressed version of the file is then

moved to a temporary holding location. The

virus overwrites the original file with its

own code and moves the original file from its

temporary holding location into an Alternative

Data Stream named :STR, producing (in this

example) Notepad.exe:STR.

Once the contents of the original file have been

moved into an ADS, the file is effectively hidden

and is difficult to detect using standard NT

utilities. If the size of the file is viewed

using Windows Explorer or the command prompt,

only the size of the viral code will be shown;

the additional size of the clean original file

stored in the ADS will not be shown. However,

if Notepad.exe was deleted from the system, the

actual size of the file, in bytes, and including

streams, would become available to the system.

Once the infected Notepad.exe:STR has been

created, it can then be run by the user (in an

apparently normal manner). What actually happens

though is the virus uses Windows 2000's

CreateProcess() to launch the original

Notepad.exe.