Alias: W64/Rugrat, W64.Rugrat.3344
Type: Virus
Size: 3,344 Bytes
Origin: unknown
Date: 05-26-2004
Damage: Infects 64-bit Windows PE (PE32+) files.
VDF Version: 6.25.00.81
Danger: Medium
Distribution: Low

Technical Details
W64/Rugrat.3344 is a file infector that attacks only 64-bit Windows platforms. It is the first known virus to infect 64-bit Windows executable files.

The virus uses Win64 APIs from three different libraries:
- NTDLL.DLL
- SFC_OS.DLL
- KERNEL32.DLL

From NTDLL.DLL, it uses the following functions:
- LdrGetDllHandle()
- RtlAddVectoredExceptionHandler()
- RtlRemoveVectoredExceptionHandler()

The SfcIsFileProtected() function from SFC_OS.DLL is used to recognise executables protected by System File Checker (SFC), so that the infection of such files can be avoided; modifying an SFC-protected file would otherwise be noticed and reverted by the system.

The following 16 functions from KERNEL32.DLL are used to carry out a standard infection of IA-64 Portable Executable (PE32+) images:
- CreateFileMappingA()
- CreateFileW()
- CloseHandle()
- FindFirstFileW()
- FindNextFileW()
- FindClose()
- GetFullPathNameW()
- GetTickCount()
- GlobalAlloc()
- GlobalFree()
- LoadLibraryA()
- MapViewOfFile()
- SetCurrentDirectoryW()
- SetFileAttributesW()
- SetFileTime()
- UnmapViewOfFile()

The virus contains the following string, which is never displayed:
Shrug - roy g biv

The file-infection routine itself is a standard one, and it operates only on clean (not yet infected) 64-bit files.
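The API profile listed above is a useful triage signal, so the following is an added example (it is neither part of Avira's description nor code from the virus) that parses the import directory of a PE32+ image and scores a file against that profile. It assumes the listed API names are reachable either through the host's import directory or as plain ASCII strings somewhere in the image; the description does not say how the virus locates them, and a resolver that works from name hashes rather than names would defeat the string check. The PE images it scans are constructed inside the block as fixtures. Treat the result as a triage heuristic, not a detection signature: most of the KERNEL32 functions are common in benign programs, and the more specific part of the profile is an IA-64 image that also references SfcIsFileProtected and the vectored exception handler APIs.

```python
import struct

IMAGE_FILE_MACHINE_IA64 = 0x0200
PE32PLUS_MAGIC = 0x20B
MARKER = b"Shrug - roy g biv"  # string the description says the virus carries but never displays

# API profile copied from the description above: DLL -> functions the virus uses.
RUGRAT_PROFILE = {
    "NTDLL.DLL": {"LdrGetDllHandle", "RtlAddVectoredExceptionHandler",
                  "RtlRemoveVectoredExceptionHandler"},
    "SFC_OS.DLL": {"SfcIsFileProtected"},
    "KERNEL32.DLL": {"CreateFileMappingA", "CreateFileW", "CloseHandle", "FindFirstFileW", "FindNextFileW",
                     "FindClose", "GetFullPathNameW", "GetTickCount", "GlobalAlloc", "GlobalFree",
                     "LoadLibraryA", "MapViewOfFile", "SetCurrentDirectoryW", "SetFileAttributesW",
                     "SetFileTime", "UnmapViewOfFile"},
}


def parse_pe32plus(data):
    """Return (machine, {DLL: set(imported names)}) for a PE32+ image, or None if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)  # COFF header
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and the 20-byte COFF header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        return None
    # section table entries, fields 2-5: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]

    def rva2off(rva):
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + (rva - va)
        raise ValueError("RVA 0x%x is outside every section" % rva)

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii")

    imports, imp_rva = {}, struct.unpack_from("<I", data, opt + 120)[0]  # DataDirectory[1] = import table
    desc = rva2off(imp_rva) if imp_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if not (oft or name_rva or ft):  # an all-zero descriptor terminates the table
            break
        thunk, names = rva2off(oft or ft), set()
        while entry := struct.unpack_from("<Q", data, thunk)[0]:  # 64-bit thunks in PE32+, zero-terminated
            if not entry >> 63:  # bit 63 set means import by ordinal, which carries no name
                names.add(cstr(rva2off(entry & 0x7FFFFFFF) + 2))  # skip the 2-byte hint
            thunk += 8
        imports[cstr(rva2off(name_rva)).upper()] = names
        desc += 20
    return machine, imports


def rugrat_indicators(data):
    """Triage score against the profile; None for anything that is not a parseable PE32+ image."""
    try:
        machine, imports = parse_pe32plus(data)
    except (TypeError, ValueError, IndexError, struct.error):  # None from the parser, or malformed headers
        return None
    return {
        "ia64": machine == IMAGE_FILE_MACHINE_IA64,
        "by_import": sum(len(fns & imports.get(dll, set())) for dll, fns in RUGRAT_PROFILE.items()),
        "by_string": sum(fn.encode() in data for fns in RUGRAT_PROFILE.values() for fn in fns),
        "expected": sum(len(fns) for fns in RUGRAT_PROFILE.values()),
        "sfc_check": "SfcIsFileProtected" in imports.get("SFC_OS.DLL", set()),
        "marker": MARKER in data,
    }


def build_pe32plus(machine, imports, tail=b""):
    """Constructed fixture: minimal PE32+ image with one .idata section (import directory, then tail)."""
    sec_va, sec_off = 0x1000, 0x200
    dlls = list(imports.items())
    body = bytearray(20 * (len(dlls) + 1))  # import directory table plus its all-zero terminator
    for i, (dll, fns) in enumerate(dlls):
        iat_rva = sec_va + len(body)  # a single thunk table serves as IAT; OriginalFirstThunk stays 0
        body += bytes(8 * (len(fns) + 1))
        name_rva = sec_va + len(body)
        body += dll.encode() + b"\0"
        for j, fn in enumerate(fns):
            body += bytes(len(body) % 2)  # hint/name entries are 2-byte aligned
            struct.pack_into("<Q", body, iat_rva - sec_va + 8 * j, sec_va + len(body))
            body += struct.pack("<H", 0) + fn.encode() + b"\0"
        struct.pack_into("<IIIII", body, 20 * i, 0, 0, 0, name_rva, iat_rva)
    body += tail
    opt = struct.pack("<HBBIIIII", PE32PLUS_MAGIC, 14, 0, 0, len(body), 0, sec_va, sec_va)
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII", 0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                       0, 0x2000, sec_off, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += bytes(8) + struct.pack("<II", sec_va, 20 * (len(dlls) + 1)) + bytes(14 * 8)  # 16 data directories
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x0022)
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_va, len(body), sec_off, 0, 0, 0, 0, 0x40000040)
    dos = bytearray(0x40)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)
    return (bytes(dos) + b"PE\0\0" + coff + opt + sec).ljust(sec_off, b"\0") + bytes(body)


# Constructed fixtures: an IA-64 image carrying the whole profile and the marker, and an x64 one that does not.
SAMPLE = build_pe32plus(IMAGE_FILE_MACHINE_IA64, {d: sorted(f) for d, f in RUGRAT_PROFILE.items()}, MARKER)
BENIGN = build_pe32plus(0x8664, {"KERNEL32.DLL": ["CreateFileW", "CloseHandle"]})  # 0x8664 = AMD64

if __name__ == "__main__":
    print(rugrat_indicators(SAMPLE), rugrat_indicators(BENIGN), sep="\n")
```

Running the block prints the two score dictionaries. On a real file, pass its bytes to rugrat_indicators(); a return value of None means the file is either not PE32+ or has headers the parser rejects, which on a host suspected of infection is itself worth a closer look.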
Description inserted by Crony Walker on Tuesday, June 15, 2004
