Slashdot Mirror


First (proof-of-concept) .NET virus

Juergen Kreileder writes "Symantec says they've received W32.Donut, the first .NET virus: 'This virus targets EXE files that were created for the Microsoft .NET framework. W32.Donut is a concept virus. It does not have any significant chance to become wide spread. However it shows that virus writers are paying close attention to the new .NET architecture and attempting to learn how to exploit it before the Framework will be available on most systems.'"

2 of 384 comments

  1. Technical description by HisMother (Score: 1, Redundant)

    Here's the writeup from Symantec:

    On the 9th of January a set of AV companies
    received a new virus from its author. The virus
    was named "dotNET" by its creator but we decided to
    add detection of it as W32.Donut instead.

    The virus targets EXE files that were created for
    the Microsoft .NET framework.

    Normally .NET files do not have any platform
    dependent code, but a small 5 byte stub. This stub
    executes the mscoree.dll _CorExeMain() function and
    thus the .NET MSIL (intermediate language) gets
    control if the .NET framework is installed.

    Thus currently a .NET application executes native
    code before it will execute the platform
    independent code. According to Microsoft this
    native code will be removed and the operating
    system itself will recognize and execute .NET
    images.

    The virus infects .NET executables by attacking the
    5 byte jump to the _CorExeMain() function. It
    replaces this jump with another one that points into
    the last section of the executable, overwrites
    the .reloc section with itself and nullifies the
    relocation directory.

    Thus when an infected file is executed the virus
    code will get control as a 386 application. The
    virus checks the platform and only infects on
    Windows 2000 and above. If so it will attempt to
    infect all files in the current directory with .EXE
    extension and in up to 20 directories above it. It
    must be noted that there are many assumptions made
    about the .NET file structure which will not be the
    case with most executables. Nonetheless many C#
    compiled files would have similar structure. The
    virus author worked with the Beta 2 .NET framework
    and thus checks files for the new header signature
    "BSJB". The virus would therefore ignore the .NET
    Beta 1 file format. The virus will inject itself
    into the file by using regular virus techniques to
    get access to the API addresses it needs to
    call. Most APIs are referenced in the code as
    CRCs. It must be noted that the virus also modifies
    the checksum field of the PE header to make the image
    look valid. Donut also injects a small MSIL code
    and metadata into the infected file. These will
    execute the payload of the virus and display the
    following message box with a 1:10 chance.

    This cell has been infected by dotNET virus!
    .NET.dotNET by Benny/29A

    Infected files will look like regular
    applications. The virus will first drop a file with
    a fixed .NET header pointer in the data directory
    as well as the jump to the _CorExeMain() function
    so the application can run as a .NET file whenever
    the Framework is installed. In this case the MSIL
    code of the virus will get control and display the
    above message box. When the host application
    returns the virus creates yet another copy of the
    file and in this case the original MSIL code will
    be executed and the file will run normally. During
    this process the virus creates a temporary file
    with the name of the host executable and a
    space. For example,

    runme.exe

    will have temporary file

    runme .exe

    W32.Donut is a concept virus. It does not have any
    significant chance to become wide spread. However
    it shows that virus writers are paying close
    attention to the new .NET architecture and attempt
    to learn it before the Framework will be available
    on most systems.

    --
    Cantankerous old coot since 1957.
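The infection traits the writeup lists (entry stub no longer the jump to _CorExeMain, entry point moved into the last section, .reloc overwritten and the relocation directory nulled, metadata signature "BSJB") can be checked from the PE headers alone. The following is an added example, not Symantec's or Slashdot's code; it assumes a PE32 image whose stub is the `FF 25` indirect jmp through the import table (other stub encodings would need their own check), and the "sample" images it audits are constructed in `build_sample()`, not real binaries.

```python
import struct
def _rva_to_off(secs, rva):  # map an RVA to a file offset via the section table (None if unmapped)
    for _, vsize, va, raw_size, raw_ptr in secs:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + rva - va
    return None
def audit_dotnet_pe(data):
    """Flag the traits the Donut writeup describes; returns [] when the image looks normal (PE32 only)."""
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        return ["not a PE image"]
    _, nsect, _, _, _, opt_size = struct.unpack_from("<HHIIIH", data, pe + 4)
    opt = pe + 24
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    reloc_rva, reloc_size = struct.unpack_from("<II", data, opt + 96 + 8 * 5)   # BASERELOC directory
    clr_rva, _ = struct.unpack_from("<II", data, opt + 96 + 8 * 14)             # CLR header directory
    if clr_rva == 0:
        return ["no CLR header: not a .NET image"]
    secs = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsect)]
    findings = []
    meta_rva, = struct.unpack_from("<I", data, _rva_to_off(secs, clr_rva) + 8)   # IMAGE_COR20_HEADER.MetaData
    meta_off = _rva_to_off(secs, meta_rva)
    if meta_off is None or data[meta_off:meta_off + 4] != b"BSJB":
        findings.append("metadata root signature is not BSJB")
    ep_off = _rva_to_off(secs, entry_rva)
    if ep_off is None or data[ep_off:ep_off + 2] != b"\xff\x25":   # FF 25 = jmp dword ptr [addr]
        findings.append("entry stub is not the usual indirect jmp to mscoree!_CorExeMain")
    if _rva_to_off(secs[-1:], entry_rva) is not None:
        findings.append("entry point lies in the last section (%s)" % secs[-1][0].rstrip(b"\0").decode())
    if any(s[0].startswith(b".reloc") for s in secs) and reloc_rva == reloc_size == 0:
        findings.append(".reloc section present but the relocation directory is nulled")
    return findings

def build_sample(infected=False):
    """Constructed minimal PE32 .NET image (not a real binary): .text at RVA 0x2000, .reloc at RVA 0x4000."""
    img = bytearray(0x600)
    img[:2], img[0x3C:0x40], img[0x80:0x84] = b"MZ", struct.pack("<I", 0x80), b"PE\0\0"
    struct.pack_into("<HHIIIH", img, 0x84, 0x14C, 2, 0, 0, 0, 224)   # i386, 2 sections, PE32 optional header
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                           # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x4000 if infected else 0x2000)   # AddressOfEntryPoint
    if not infected:
        struct.pack_into("<II", img, opt + 96 + 40, 0x4000, 12)       # relocation directory (nulled when infected)
    struct.pack_into("<II", img, opt + 96 + 112, 0x2010, 72)          # CLR header directory
    struct.pack_into("<8sIIII", img, opt + 224, b".text", 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<8sIIII", img, opt + 264, b".reloc", 0x200, 0x4000, 0x200, 0x400)
    img[0x200:0x206] = b"\xff\x25\x00\x30\x40\x00"                    # jmp [0x403000]: IAT slot of _CorExeMain
    struct.pack_into("<IHHI", img, 0x210, 72, 2, 5, 0x2100)           # IMAGE_COR20_HEADER: cb, version, MetaData RVA
    img[0x300:0x304] = b"BSJB"                                        # metadata root signature
    return bytes(img)   # when infected the entry point lands in .reloc, which here stays zero-filled
```

Running `audit_dotnet_pe` over the clean sample yields no findings; the Donut-style sample trips the entry-stub, last-section and nulled-relocation checks while its metadata still passes.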
  2. Re:Concept Virus?? by C.+Mattix (Score: 0, Redundant)

    Hear, hear.