DotNET | |
---|---|
Type | File virus |
Creator | Benny |
Date Discovered | 2001.06 |
Place of Origin | Brno, Czech Republic |
Source Language | Assembly, MSIL |
Platform | .NET on MS Windows |
File Type(s) | .exe |
Infection Length | 3,904 bytes |
DotNET, often called Donut by antivirus companies, is the first virus for Microsoft's .NET platform. It was coded in Assembly rather than C#, the language most programs for the .NET platform are written in.
Behavior
When executed, DotNET searches for 32-bit .NET executable files. It will search up to 20 subdirectories deep. The virus ignores files smaller than 2,048 bytes or larger than 4 gigabytes.
When the virus infects a .NET executable, it nullifies the data directory entry of the CLR header, essentially making it a PE executable.
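A defender-side check for the header change described above, as an added example that is not from the original page or the virus source: it reads the CLR entry (data directory index 14) from a PE32 header and reports whether it is populated. The `sample_pe` builder, the triage labels and the `mscoree.dll` string heuristic are assumptions made for illustration.

```python
import struct

CLR_DIR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, i.e. the CLR header entry

def clr_directory(data: bytes):
    """Return (rva, size) of the CLR data directory entry, or None if not a PE32 image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                      # skip PE signature + 20-byte COFF header
    if len(data) < opt + 96:
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:                       # PE32 only; the page concerns 32-bit files
        return None
    (count,) = struct.unpack_from("<I", data, opt + 92)  # NumberOfRvaAndSizes
    entry = opt + 96 + CLR_DIR_INDEX * 8
    if count <= CLR_DIR_INDEX or len(data) < entry + 8:
        return None
    return struct.unpack_from("<II", data, entry)

def triage(data: bytes) -> str:
    """Classify a file by the state of its CLR directory entry."""
    entry = clr_directory(data)
    if entry is None:
        return "not-pe32"
    if entry != (0, 0):
        return "managed"
    # Heuristic (assumption, not from the page): a zeroed entry next to a
    # surviving mscoree.dll name hints at a .NET file whose entry was cleared.
    if b"mscoree.dll" in data.lower():
        return "clr-entry-cleared?"
    return "native"

def sample_pe(clr=(0, 0), tail=b"") -> bytes:
    """Constructed header-only PE32 image for the demo (not a loadable file)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # 16 data directories
    struct.pack_into("<II", opt, 96 + CLR_DIR_INDEX * 8, *clr)
    return dos + b"PE\0\0" + coff + bytes(opt) + tail

if __name__ == "__main__":
    for name, blob in [("managed", sample_pe((0x2008, 72))),
                       ("cleared", sample_pe(tail=b"mscoree.dll\0_CorExeMain\0"))]:
        print(name, clr_directory(blob), triage(blob))
```

A zeroed entry on its own does not separate an ordinary native executable from a .NET file whose entry was cleared, which is why the result for the second case carries a question mark.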
In 1 in 10 cases, the virus will display the following text:
________________________________________________
I.NET.dotNET by Benny/29A I
I_______________________________________________I
IThis cell has been infected by dotNET virus! I
I_______________________________________________I
Infected files only work on Windows 2000 and fail when run on Windows XP. The virus itself still runs on XP; only the original host program does not.
Origin
DotNET was coded in the Czech Republic by Benny of the 29A virus coding group. It was published in the 6th issue of the 29A magazine.
Benny said he coded the virus in 95% Assembly and the rest in MSIL. He said he had no intention of creating a virus with great spreading ability, but rather to simply show that viruses can be coded for .NET.
Other Facts
DotNET was mistakenly reported to have been coded in C#. The distinction of the first C# virus goes to Gigabyte's Sharp.
Sources
Péter Ször. Symantec Security Response, Tasting Donut. (PDF)
Kaspersky Lab. Securelist.com, Virus.Win32.Donut.
Benny. 29A, Issue 6, DotNet Source Code. 2002.03