[ISN] Virus writers take an early crack at .Net

From: InfoSec News (isnat_private)
Date: Thu Jan 10 2002 - 05:25:32 PST

  • Next message: InfoSec News: "[ISN] More than 2,300 IRS computers missing"

    By Robert Lemos
    Staff Writer, CNET News.com 
    January 9, 2002, 5:50 p.m. PT 
    Virus writers have apparently made the early developer list for
    Microsoft's .Net initiative.
    On Wednesday, antivirus companies received a copy of the first virus
    capable of infecting files based on Microsoft's .Net Intermediate
    Language, or MSIL.
    Known as W32.Donut, the virus does little but infect other .Net files,
    but it shows that the programmers who create such code are looking
    ahead, said Motoaki Yamamura, a virus researcher with security
    software company Symantec.
    "The only interesting part is that it infects a new class of files,"  
    he said. "Traditionally, virus writers look for what is coming out
    next and look at being the first at spreading viruses and worms on
    those new platforms."
    W32.Donut is a true virus, infecting files on the computer and
    spreading only when those files are moved to a new computer by e-mail
    or copying and then opened.
    One of every 10 times a file infected with Donut starts up, the virus
    will display the message "This cell has been infected by dotNET
    virus!" and the author's name. Though the virus spreads to .Net files,
    only a small fraction of it is written in MSIL, according to both
    Symantec and the author's description of the virus.
    It's uncertain whether such a virus could spread among files when
    Microsoft's .Net framework is up and running, as the company has
    several security checks in place.
    Microsoft representatives could not immediately be reached for
    Microsoft.Net is the company's largest push yet to turn its software
    into a network over which consumer, business and financial services
    can be easily delivered. With the .Net initiative, the Redmond, Wash.,
    software giant says it is attempting to build a more secure framework.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Jan 10 2002 - 09:59:28 PST