A New Generation of Windows 2000 Viruses is Streaming Towards PC Users

03 Sep 2000
Virus News

Cambridge, UK, September 4, 2000 - Kaspersky Lab Int., an international anti-virus software development company, announces the discovery of W2K.Stream virus, which represents a new generation of malicious programs for Windows 2000. This virus uses a new breakthrough technology based on the "Stream Companion" method for self-embedding into the NTFS file system.

The virus originates from the Czech Republic and was created at the end of August by the hackers going by the pseudonyms Benny and Ratter. To date, Kaspersky Lab has not registered any infections caused by this virus; however, it is fully functional, and its ability to survive "in the wild" is not in doubt.

"Certainly, this virus begins a new era in computer virus creation," said Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab. "The 'Stream Companion' technology the virus uses to plant itself into files makes its detection and disinfection extremely difficult to complete."

Unlike previously known methods of file infection (adding the virus body at the beginning, the end or any other part of a host file), the "Stream" virus exploits a feature of the NTFS file system (Windows NT/2000) that allows a file to hold multiple data streams. For instance, in Windows 95/98 (FAT) a file has only one data stream - the program code itself. Windows NT/2000 (NTFS) enables users to create any number of data streams within a file: independent executable program modules, as well as various service streams (file access rights, encryption data, processing time etc.). This makes NTFS files very flexible, allowing for the creation of user-defined data streams aimed at completing specific tasks.

"Stream" is the first known virus that uses the ability to create multiple data streams to infect files on the NTFS file system (see picture 1). To do this, the virus creates an additional data stream named "STR" and moves the original content of the host program there. Then it replaces the main data stream with the virus code. As a result, when the infected program is run, the virus takes control, completes its replication routine and then passes control to the host program.

Picture 1: "Stream" file infection procedure

File before infection:
  main stream: program body
  service streams

File after infection:
  main stream: virus body
  additional stream ("STR"): program body
  service streams

"By default, anti-virus programs check only the main data stream. There will be no problems protecting users from this particular virus," Eugene Kaspersky continues. "However, the viruses can move to additional data streams. In this case, many anti-virus products will become obsolete, and their vendors will be forced to urgently redesign their anti-virus engines."
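Since a scanner that looks only at the main data stream never sees what sits in the additional ones, the check a defender wants is an inventory of alternate data streams on executables. The following script is an added example written for this article, not code from Kaspersky Lab or from the virus; it assumes Windows PowerShell 3.0 or later (for Get-Item -Stream) and an NTFS volume, and the root path and extension list are placeholders to adjust.

```powershell
# Added example: list NTFS alternate data streams on executables under a
# directory and flag any extra stream that itself starts with a PE "MZ" header,
# the layout the "Stream Companion" method leaves behind (host body in "STR").
function Find-StreamCompanion {
    param(
        [string]$Root = 'C:\Program Files',              # placeholder root to scan
        [string[]]$Extensions = @('.exe', '.dll', '.scr')  # file types to inspect
    )

    $files = Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() }

    foreach ($f in $files) {
        # Every file has the unnamed main stream ':$DATA'; anything else is an ADS.
        $extra = Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }

        foreach ($s in $extra) {
            # Zone.Identifier is the normal "downloaded from the Internet" marker;
            # skip it so it does not drown out streams that carry code.
            if ($s.Stream -eq 'Zone.Identifier') { continue }

            # Read the additional stream and test for an executable image header.
            $head = ''
            try {
                $head = Get-Content -LiteralPath $f.FullName -Stream $s.Stream -Raw -ErrorAction Stop
            } catch { }
            $looksPE = [bool]($head -and $head.StartsWith('MZ'))
            $verdict = if ($looksPE) { 'executable stored in ADS - investigate' } else { 'ADS present' }

            [pscustomobject]@{
                File    = $f.FullName
                Stream  = $s.Stream
                Bytes   = $s.Length
                LooksPE = $looksPE
                Verdict = $verdict
            }
        }
    }
}

# Usage: scan a directory and show the findings as a table.
Find-StreamCompanion -Root 'C:\Program Files' | Format-Table -AutoSize
```

A file whose main stream is an executable and whose "STR" (or any other named) stream also begins with "MZ" matches the companion layout described above; a benign ADS such as Zone.Identifier is not, by itself, a sign of infection.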

Protection against the "Stream" virus has already been added to the daily update of AntiViral Toolkit Pro (AVP). Please update your anti-virus software.

AntiViral Toolkit Pro can be purchased in Kaspersky Lab online store at the following address: http://www.digitalriver.com/dr/v2/ec_Main.Entry?SP=10007&SID=25571&CID=0.

Technical Details