
W64.Shruggle.1318

Risk Level 1: Very Low

Discovered:
August 20, 2004
Updated:
February 13, 2007 12:26:41 PM
Type:
Virus
Systems Affected:
Windows 64-bit (AMD64)

W64.Shruggle.1318 is a direct-action file infector, similar to W64.Rugrat.3344, which infects AMD64 Windows Portable Executable (PE) files. It is a fairly simple proof-of-concept virus; however, it is the first known virus to attack 64-bit Windows executables on AMD64 systems.

The virus is written in AMD64 assembly code.



The virus uses a small number of Win64 APIs from the following three libraries:
  • Ntdll.dll
  • Sfc_os.dll
  • Kernel32.dll

From Ntdll.dll, the virus uses the following functions:
  • LdrGetDllHandle()
  • RtlAddVectoredExceptionHandler()
  • RtlRemoveVectoredExceptionHandler()

The virus installs a vectored exception handler before infecting a file, so that a fault while processing a malformed or unexpected executable is caught rather than crashing the host process.

The SfcIsFileProtected() function of Sfc_os.dll is used to avoid infecting executables that are protected by the System File Checker (SFC).

The following sixteen functions are used from Kernel32.dll to implement a standard file infection of an AMD64 Portable Executable image:
  • CreateFileMappingA()
  • CreateFileW()
  • CloseHandle()
  • FindFirstFileW()
  • FindNextFileW()
  • FindClose()
  • GetFullPathNameW()
  • GetTickCount()
  • GlobalAlloc()
  • GlobalFree()
  • LoadLibraryA()
  • MapViewOfFile()
  • SetCurrentDirectoryW()
  • SetFileAttributesW()
  • SetFileTime()
  • UnmapViewOfFile()

The virus carries the following string, which is never displayed, within itself:

Shrug - roy g biv

The file infection routine is standard. The last section of the executable is marked as executable, the virus body is inserted into the last section, and a random number of bytes are appended to the end of the virus body.
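The layout a triage tool would check for the infection pattern just described, as an added example that is not Symantec's tooling or code from the virus itself: a small PE32+ header parser that reports whether the last section of an AMD64 image carries the execute flag, whether it is also marked as code, and whether the entry point lies inside it. The entry-point redirection into the last section is assumed here because it is the usual appending-infector behaviour; the page does not state it. Both sample images are constructed inside the block and are not real files.

```python
import struct

# PE constants (values from the Windows SDK winnt.h)
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER_SIZE = 40


def parse_pe64(data):
    """Parse the headers of a PE32+ image. Returns (machine, entry_rva, sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    machine, nsections = struct.unpack_from("<HH", data, file_hdr)
    size_opt = struct.unpack_from("<H", data, file_hdr + 16)[0]  # SizeOfOptionalHeader
    opt = file_hdr + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("not a PE32+ (64-bit) image")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + size_opt + i * SECTION_HEADER_SIZE
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]  # Characteristics
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize, "chars": chars})
    return machine, entry_rva, sections


def assess_last_section(data):
    """Heuristic triage for a last-section appending infector."""
    machine, entry_rva, sections = parse_pe64(data)
    last = sections[-1]
    executable = bool(last["chars"] & IMAGE_SCN_MEM_EXECUTE)
    marked_code = bool(last["chars"] & IMAGE_SCN_CNT_CODE)
    span = max(last["vsize"], last["rawsize"])
    entry_in_last = last["va"] <= entry_rva < last["va"] + span
    return {
        "amd64": machine == IMAGE_FILE_MACHINE_AMD64,
        "last_section": last["name"],
        "last_section_executable": executable,
        "entry_in_last_section": entry_in_last,
        # A data-looking last section that became executable and hosts the entry
        # point is the hallmark of a simple appending infector. Packed binaries can
        # trip this too, so treat it as a triage signal, not a verdict.
        "suspicious": executable and not marked_code and entry_in_last,
    }


def build_pe64(sections, entry_rva, machine=IMAGE_FILE_MACHINE_AMD64):
    """Build a constructed, headers-only PE32+ image (section data is zero-filled)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 0xF0  # standard size of the PE32+ optional header
    file_hdr = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, size_opt, 0x22)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, rawsize, rawptr,
                    0, 0, 0, 0, chars)
        for name, va, vsize, rawptr, rawsize, chars in sections)
    image = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + hdrs
    end = max(rawptr + rawsize for _, _, _, rawptr, rawsize, _ in sections)
    return image + bytes(max(0, end - len(image)))


# Constructed samples, not real files. The second mimics the infection described
# above: the last section gains the execute flag and grows by the virus body plus
# random padding, and (an assumption) the entry point is redirected into it.
TEXT = (b".text", 0x1000, 0x200, 0x400, 0x200,
        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA = (b".data", 0x2000, 0x200, 0x600, 0x200,
        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
CLEAN = build_pe64([TEXT, DATA], entry_rva=0x1000)
INFECTED_STYLE = build_pe64(
    [TEXT, (DATA[0], DATA[1], 0x800, DATA[3], 0x800, DATA[5] | IMAGE_SCN_MEM_EXECUTE)],
    entry_rva=0x2200)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected-style", INFECTED_STYLE)):
        print(label, assess_last_section(img))
```

Run against a real file with `assess_last_section(open(path, "rb").read())`; the same walk over the section table is the place to add further checks, such as comparing the last section's SizeOfRawData against the file length to spot the appended padding.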

The author of this virus has written a number of other proof-of-concept viruses, which are detected collectively under the name W32.Chiton.gen.

Antivirus Protection Dates

  • Initial Rapid Release version August 21, 2004
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version August 21, 2004
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date August 25, 2004

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Low

Distribution

  • Distribution Level: Low
