.NET Technology is Still in Development, but a Virus Already Exists

14 Jan 2002
Virus News

Kaspersky Lab, an international data-security software developer, reports the detection of the "Donut" virus, which is the first malicious program to infect .NET files.

"Donut" was developed by the notorious Czech hacker known by the pseudonym "Benny", a member of the "29A" virus-writers group. "Benny" is known as the author of many proof-of-concept viruses, among them "Stream" (the first NTFS alternate data streams infector), "Inta" (the first Windows 2000 virus), "HIV", "Champ", "Eva", "Begemot", etc.

The most intriguing aspect of this virus is that .NET technology, which Microsoft presents as the future substitute for Java, has not yet been officially released and is in effect still under development.

"It is well-known that virus writers are primarily interested in the most popular and wide-spread software products, which nowadays are undoubtedly the Microsoft technologies. The appearance of 'Donut' confirms the opinion that the company's products are guaranteed to be popular not only among users but also among virus-writers," commented Denis Zenkin, Head of Corporate Communications for Kaspersky Lab. "This time the computer underground decided not to wait for the official release of the promising technology and to start developing the .NET-specific malicious programs beforehand, anticipating the technology's future commercial success."

When the virus-carrying file is executed, "Donut" loads itself into system memory and starts searching for .NET files on the target computer. If such files are found, the virus infects them by modifying each file's entry point. Thus, when an infected file is launched, the virus code is executed first and then passes control to the .NET-files processor in order to execute the original .NET file.

It is important to note that "Donut" is not a pure .NET virus. It simply infects .NET files; the virus itself is essentially ordinary Windows executable code written in assembly language.
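A defender can turn the entry-point modification described above into a simple file check. The sketch below is an added example, not Kaspersky Lab's detection logic: it assumes the 32-bit convention in which a .NET executable's entry point is a short stub beginning with the bytes `FF 25` (an indirect `jmp` to the runtime), and flags .NET images whose entry point holds anything else. The function names and the sample images are constructed for illustration.

```python
import struct

CLR_DIR = 14          # data-directory index of the CLR header (marks a .NET image)
STUB = b"\xff\x25"    # x86 "jmp dword ptr [addr]": assumed standard 32-bit .NET entry stub

def check_dotnet_entry(data: bytes) -> str:
    """Classify a PE32 image as not-pe, not-dotnet, stub-ok or suspicious."""
    try:
        if data[:2] != b"MZ":
            return "not-pe"
        pe, = struct.unpack_from("<I", data, 0x3C)
        opt = pe + 24                                   # start of optional header
        magic, = struct.unpack_from("<H", data, opt)
        if data[pe:pe + 4] != b"PE\0\0" or magic != 0x10B:
            return "not-pe"                             # PE32+ is out of scope here
        nsec, = struct.unpack_from("<H", data, pe + 6)
        opt_size, = struct.unpack_from("<H", data, pe + 20)
        entry_rva, = struct.unpack_from("<I", data, opt + 16)
        ndirs, = struct.unpack_from("<I", data, opt + 92)
        if ndirs <= CLR_DIR or not struct.unpack_from("<I", data, opt + 96 + 8 * CLR_DIR)[0]:
            return "not-dotnet"
        for i in range(nsec):                           # map entry RVA to a file offset
            vsize, vaddr, rsize, rptr = struct.unpack_from(
                "<IIII", data, opt + opt_size + 40 * i + 8)
            if vaddr <= entry_rva < vaddr + max(vsize, rsize):
                off = rptr + entry_rva - vaddr
                return "stub-ok" if data[off:off + 2] == STUB else "suspicious"
        return "suspicious"                             # entry point outside every section
    except struct.error:
        return "not-pe"                                 # truncated headers

def build_sample(entry_bytes: bytes, managed: bool = True) -> bytes:
    """Constructed PE32 skeleton (headers plus one section); not a loadable program."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)             # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)        # Machine=i386, one section
    struct.pack_into("<H", img, 0x94, 224)              # SizeOfOptionalHeader
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x2000)       # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 92, 16)           # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", img, opt + 96 + 8 * CLR_DIR, 0x2008, 72)
    struct.pack_into("<IIII", img, opt + 224 + 8, 0x100, 0x2000, 0x200, 0x200)
    img[0x200:0x200 + len(entry_bytes)] = entry_bytes   # bytes at the entry point
    return bytes(img)
```

A "suspicious" result only means the entry point is not the expected stub; it is a triage signal for further analysis, not a verdict.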

Apart from infecting other .NET files, the virus has no additional dangerous side effects and no destructive payload.

Kaspersky Lab believes that "Donut" poses no real danger to computer users because of the low prevalence of .NET technology. Therefore, even if a user accidentally starts an infected file, the virus will not do any harm to the computer due to the absence of the .NET-files processor and other .NET-files necessary for infection.

Defense procedures against "Donut" have already been added to the Kaspersky Lab daily anti-virus database update as of January 10, 2002.

More detailed information about this malicious program is available in the Kaspersky Virus Encyclopedia.