Rugrat is the first known virus that targets the 64-bit Windows
platform. The size of the virus suggests that it was hand-written
in IA64 assembly.
Rugrat uses the Thread Local Storage feature of Windows executables
to gain execution. It adds a TLS entry to the executable which
contains a callback pointer to the virus code. This has the unusual
side effect that often the virus will run only after the host has
exited, which is exactly opposite to the way parasitic infectors are
The virus code is a minimal direct-action infector routine. It first
imports a number of Windows API functions using checksums.
which are used to install a Vectored Exception Handler to catch all
exceptions during the infection process.
From KERNEL32.DLL the usual functions are imported:
From SFC_OS.DLL Rugrat imports the function
which it uses to check whether the executable it tries to infect
is protected by the System File Checker (SFC) service of Windows.
The virus does not try to infect SFC-protected executables.
Rugrat uses a simple method of infection. It sets the last section
(which is often the resources section) executable and copies itself
there. A random number of zero bytes are also appended to the end
of the virus body.
Rugrat contains two strings that are never displayed:
Reference to the author: 'Shrug - roy g biv'
Possibly the creation date: '06/05/04'
Detection for this malware was published on May 27th, 2004
in the following F-Secure Anti-Virus updates:
Gergely Erdelyi, July 1st, 2004;