DotNET
Type: File virus
Creator: Benny
Date Discovered: 2001.06
Place of Origin: Brno, Czech Republic
Source Language: Assembly, MSIL
Platform: .NET on MS Windows
File Type(s): .exe
Infection Length: 3,904 bytes

DotNET, often called Donut by antivirus companies, is the first virus for Microsoft's .NET platform. It was coded in Assembly, not in C# as most programs for the .NET platform are.

Behavior

When executed, DotNET searches for 32-bit .NET executable files. It will search up to 20 subdirectories deep. The virus ignores files smaller than 2,048 bytes or larger than 4 gigabytes.

When the virus infects a .NET executable, it nullifies the CLR header's entry in the data directory, so that the file essentially becomes an ordinary PE executable rather than a .NET one.
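
The header change described above can be checked from the file bytes alone. The following Python code is an added example, not code from the virus, its author or the sources of this page: it reads the CLR header entry (data directory index 14) of a PE image and flags a file whose entry is empty although it still names the mscoree.dll import _CorExeMain. That string heuristic and the constructed sample() image are assumptions of this example, and the parser also accepts PE32+ files, which goes beyond the 32-bit files the virus targets.

```python
import struct

COM_DESCRIPTOR = 14  # data directory index of the CLR (COM descriptor) header

def clr_directory(image: bytes):
    """Return (rva, size) of the CLR header entry, or None if not a parsable PE."""
    try:
        if image[:2] != b"MZ":
            return None
        pe = struct.unpack_from("<I", image, 0x3C)[0]    # e_lfanew
        if image[pe:pe + 4] != b"PE\0\0":
            return None
        opt = pe + 24                                     # signature + COFF header
        magic = struct.unpack_from("<H", image, opt)[0]
        if magic == 0x10B:                                # PE32
            count_off, dirs = opt + 92, opt + 96
        elif magic == 0x20B:                              # PE32+
            count_off, dirs = opt + 108, opt + 112
        else:
            return None
        if struct.unpack_from("<I", image, count_off)[0] <= COM_DESCRIPTOR:
            return (0, 0)                                 # table has no CLR slot
        return struct.unpack_from("<II", image, dirs + 8 * COM_DESCRIPTOR)
    except struct.error:                                  # truncated header
        return None

def triage(image: bytes) -> str:
    entry = clr_directory(image)
    if entry is None:
        return "not-pe"
    if entry != (0, 0):
        return "managed"
    # Assumed heuristic: a native-looking image that still names the managed
    # entry import is anomalous and deserves a closer look.
    if b"_CorExeMain" in image and b"mscoree.dll" in image.lower():
        return "suspicious"
    return "native"

def sample(clr=(0, 0), extra=b""):
    """Constructed test image: PE32 headers only, no sections or code."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 92, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * COM_DESCRIPTOR, *clr)
    return bytes(img) + extra
```

A "suspicious" result only marks a file for closer inspection; an empty CLR entry by itself is what every native executable has.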

In 1 in 10 cases, the virus will display the following text:

 ________________________________________________
 I.NET.dotNET by Benny/29A                       I
 I_______________________________________________I
 IThis cell has been infected by dotNET virus!   I
 I_______________________________________________I

Infected files only work in Windows 2000 and fail if run in Windows XP. On XP the virus itself still runs; only the original program does not.

Origin

DotNET was coded in the Czech Republic by Benny of the 29A virus coding group. It was published in the 6th issue of the 29A magazine.

Benny said he coded the virus in 95% Assembly and the rest in MSIL. He said he had no intention of creating a virus with great spreading ability, but rather to simply show that viruses can be coded for .NET.

Other Facts

DotNET was mistakenly reported to have been coded in C#. The distinction of the first C# virus goes to Gigabyte's Sharp.

