W64.Shruggle.1318 is a direct-action file infector, similar to W64.Rugrat.3344, which infects AMD64 Windows Portable Executable (PE) files. It is a fairly simple proof-of-concept virus; however, it is the first known virus to attack 64-bit Windows executables on AMD64 systems.
The virus is written in AMD64 assembly code.
The virus uses a small number of Win64 APIs from the following three libraries:
- Ntdll.dll
- Sfc_os.dll
- Kernel32.dll
From Ntdll.dll, the virus uses the following functions:
- LdrGetDllHandle()
- RtlAddVectoredExceptionHandler()
- RtlRemoveVectoredExceptionHandler()
The virus supports vectored exception handling to avoid crashing during infections.
The SfcIsFileProtected() function of Sfc_os.dll is used to avoid infecting executables that are protected by the System File Checker (SFC).
The following sixteen functions are used from Kernel32.dll to implement a standard file infection of an AMD64 Portable Executable image:
- CreateFileMappingA()
- CreateFileW()
- CloseHandle()
- FindFirstFileW()
- FindNextFileW()
- FindClose()
- GetFullPathNameW()
- GetTickCount()
- GlobalAlloc()
- GlobalFree()
- LoadLibraryA()
- MapViewOfFile()
- SetCurrentDirectoryW()
- SetFileAttributesW()
- SetFileTime()
- UnmapViewOfFile()
The virus carries the following string, which is never displayed, within itself:
Shrug - roy g biv
The file infection routine is standard. The last section of the executable is marked as executable, the virus body is inserted into the last section, and a random number of bytes are appended to the end of the virus body.
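As an added example (not part of the original description, and not the virus's or Symantec's code), the following Python script parses the headers of a PE32+ (64-bit) image and flags the traits the infection layout described above would leave behind: a last section carrying an executable flag without being marked as code, a last section that is both writable and executable, and an entry point that lies inside the last section. It assumes the virus sets the IMAGE_SCN_MEM_EXECUTE section flag and redirects the entry point into the inserted body; the two-section sample image it builds is constructed test data, not a real program, and no code is placed in its sections.

```python
import struct
import sys

# Constants from the PE/COFF specification (winnt.h)
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def parse_pe64(data):
    """Parse the DOS, COFF, optional and section headers of a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("not a PE32+ (64-bit) image")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return {"machine": machine, "entry_rva": entry_rva, "sections": sections}


def last_section_findings(pe):
    """Return the traits of the last section that match the described infection layout.
    Only AMD64 images are examined, since W64 infectors target that machine type."""
    findings = []
    if pe["machine"] != IMAGE_FILE_MACHINE_AMD64 or not pe["sections"]:
        return findings
    last = pe["sections"][-1]
    chars = last["chars"]
    # A linker-produced data section has no execute flag; an infector that ORs in
    # IMAGE_SCN_MEM_EXECUTE (assumed here) leaves IMAGE_SCN_CNT_CODE clear.
    if chars & IMAGE_SCN_MEM_EXECUTE and not chars & IMAGE_SCN_CNT_CODE:
        findings.append("last_section_executable_but_not_code")
    if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
        findings.append("last_section_writable_and_executable")
    # Entry point redirected into the last section (assumed behaviour of the infector).
    end = last["vaddr"] + max(last["vsize"], last["rawsize"])
    if last["vaddr"] <= pe["entry_rva"] < end:
        findings.append("entry_point_in_last_section")
    return findings


def build_sample(infected):
    """Construct a minimal two-section PE32+ image (constructed test data, not a real
    program). With infected=True the last section is marked executable and the entry
    point is moved into it, mimicking the layout described above."""
    sect_align, file_align, hdr_size = 0x1000, 0x200, 0x400
    text_rva, data_rva, text_raw, data_raw = 0x1000, 0x2000, 0x400, 0x600
    data_chars = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    entry_rva = text_rva
    if infected:
        data_chars |= IMAGE_SCN_MEM_EXECUTE
        entry_rva = data_rva
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)  # e_lfanew = 0x80
    hdr = hdr.ljust(0x80, b"\0") + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 2, 0, 0, 0, 240, 0x0022)
    # PE32+ optional header: magic, linker version, code/data sizes, entry point, then
    # base of code, image base, alignments, versions, SizeOfImage, SizeOfHeaders,
    # checksum, subsystem, DLL characteristics, stack/heap sizes, 16 empty directories.
    hdr += struct.pack("<HBBIIII", PE32PLUS_MAGIC, 14, 0, 0x200, 0x200, 0, entry_rva)
    hdr += struct.pack("<IQIIHHHHHHIIIIHHQQQQII", text_rva, 0x140000000, sect_align,
                       file_align, 6, 0, 0, 0, 6, 0, 0, 0x3000, hdr_size, 0, 2, 0x8160,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    hdr += b"\0" * 128
    hdr += struct.pack(SECTION_HDR, b".text", 0x100, text_rva, 0x200, text_raw, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    hdr += struct.pack(SECTION_HDR, b".data", 0x100, data_rva, 0x200, data_raw, 0, 0, 0, 0,
                       data_chars)
    return hdr.ljust(hdr_size, b"\0") + b"\xC3" * 0x200 + b"\0" * 0x200


def scan_bytes(data):
    """Convenience wrapper: parse an image and return its findings."""
    return last_section_findings(parse_pe64(data))


if __name__ == "__main__":
    # Usage: python scan.py <file.exe>; with no argument, scan the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(scan_bytes(f.read()))
    else:
        for flag in (False, True):
            print("infected" if flag else "clean", scan_bytes(build_sample(flag)))
```

The checks are heuristics, not a signature: a legitimate image whose last section is code would also trigger the entry-point check, so a triage script should weigh the findings together rather than alert on any one of them.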
The virus author is also the author of a number of other proof-of-concept viruses. These are collected under the name W32.Chiton.gen.