Threat Description

Rugrat

Details

Aliases: Rugrat, W64/Rugrat, Win64.Rugrat.a, W64.Rugrat.3344
Category: Malware
Type: Virus
Platform: W32

Summary


Rugrat is a simple direct-action file infector that targets 64-bit Windows executables, 32-bit applications are not affected. This virus only infects files in the current directory of the infected executable and all of its subdirectories.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details


Rugrat is the first known virus that targets the 64-bit Windows platform. The size of the virus suggests that it was hand-written in IA64 assembly.

Rugrat uses the Thread Local Storage feature of Windows executables to gain execution. It adds a TLS entry to the executable which contains a callback pointer to the virus code. This has the unusual side effect that often the virus will run only after the host has exited, which is exactly opposite to the way parasitic infectors are normally activated.

The virus code is a minimal direct-action infector routine. It first imports a number of Windows API functions using checksums.

From NTDLL.DLL:

LdrGetDllHandle  RtlAddVectoredExceptionHandler  RtlRemoveVectoredExceptionHandler   

which are used to install a Vectored Exception Handler to catch all exceptions during the infection process.

From KERNEL32.DLL the usual functions are imported:

CloseHandle  CreateFileMappingA  CreateFileW  FindClose  FindFirstFileW  FindNextFileW  GetFullPathNameW  GetTickCount  GlobalAlloc  GlobalFree  LoadLibraryA  MapViewOfFile  SetCurrentDirectoryW  SetFileAttributesW  SetFileTime  UnmapViewOfFile   

From SFC_OS.DLL Rugrat imports the function

SfcIsFileProtected   

which it uses to check whether the executable it tries to infect is protected by the System File Checker (SFC) service of Windows. The virus does not try to infect SFC-protected executables.

Rugrat uses a simple method of infection. It sets the last section (which is often the resources section) executable and copies itself there. A random number of zero bytes are also appended to the end of the virus body.

Rugrat contains two strings that are never displayed:

Reference to the author: 'Shrug - roy g biv'

Possibly the creation date: '06/05/04'



Detection


Detection for this malware was published on May 27th, 2004 in the following F-Secure Anti-Virus updates:

Detection Type: PC
Database: 2004-05-27_02



Technical Details:Gergely Erdelyi, July 1st, 2004


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Disinfect your PC

F-Secure Anti-Virus will disinfect your PC and remove all harmful files

Learn More