|Place of Origin|Brno, Czech Republic|
|Source Language|Assembly, MSIL|
|Platform|.NET on MS Windows|
|Infection Length|3,904 bytes|
DotNET, often called Donut by antivirus companies, is the first virus for Microsoft's .NET platform. It was coded in Assembly, not in C# like most programs for the .NET platform.
When executed, DotNET searches for 32-bit .NET executable files. It will search up to 20 subdirectories deep. The virus ignores files smaller than 2,048 bytes or larger than 4 gigabytes.
When the virus infects a .NET executable, it nullifies the data directory entry of the CLR header, essentially making the file look like an ordinary PE executable rather than a .NET one.
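As an added example (not part of the original page or of the virus source), the following Python check reads the CLR header data directory entry (index 14 in the PE optional header) and reports whether it is populated. The `sample_pe32` helper and its RVA and size values are constructed for illustration; a zeroed entry on its own is normal for any native PE and is not an infection indicator.

```python
import struct

CLR_DIR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR runtime header)

def clr_directory(data: bytes):
    """Return (rva, size) of the CLR data directory entry, or None if the
    buffer is not a parsable PE image or has no slot for that entry."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    opt = pe_off + 4 + 20            # skip PE signature and COFF file header
    if opt + 2 > len(data):
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:               # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:             # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        return None
    entry = dirs_off + 8 * CLR_DIR_INDEX
    if entry + 8 > len(data):        # truncated header
        return None
    (count,) = struct.unpack_from("<I", data, count_off)  # NumberOfRvaAndSizes
    if count <= CLR_DIR_INDEX:
        return None
    return struct.unpack_from("<II", data, entry)

def has_clr_header(data: bytes) -> bool:
    """True only when the CLR entry exists and is not zeroed out."""
    entry = clr_directory(data)
    return entry is not None and entry != (0, 0)

def sample_pe32(clr=(0x2008, 0x48)) -> bytes:
    """Constructed PE32 header stub (headers only, not a runnable program)."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)               # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", buf, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", buf, opt + 92, 16)             # 16 directories
    struct.pack_into("<II", buf, opt + 96 + 8 * CLR_DIR_INDEX, *clr)
    return bytes(buf)

if __name__ == "__main__":
    print(has_clr_header(sample_pe32()), has_clr_header(sample_pe32((0, 0))))
```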
In 1 in 10 cases, the virus will display the following text:
 ________________________________________________
I.NET.dotNET by Benny/29A I
I_______________________________________________I
IThis cell has been infected by dotNET virus! I
I_______________________________________________I
Infected files only work in Windows 2000 and fail if run in Windows XP. The virus itself still works on XP; only the original program does not.
Benny said he coded the virus in 95% Assembly and the rest in MSIL. He said he had no intention of creating a virus with great spreading ability, but rather to simply show that viruses can be coded for .NET.
Péter Ször. Symantec Security Response, Tasting Donut. (PDF)
Kaspersky Lab. Securelist.com, Virus.Win32.Donut.
Benny. 29A, Issue 6, DotNet Source Code. 2002.03