1. Symantec/
  2. Security Response/
  3. W64.Rugrat.3344


Risk Level 1: Very Low

May 26, 2004
February 13, 2007 12:23:42 PM
Also Known As:
W64/Rugrat [McAfee]
Systems Affected:

W64.Rugrat.3344 is a direct-action infector--it exits memory after execution--of IA64 Windows Portable Executable (PE) files. These PE files include most 64-bit Windows programs other than .dlls.

The virus infects files that are in the same folder as the virus and in all subfolders. It is the first known virus for 64-bit Windows, and it uses the Thread Local Storage structures to execute the viral code. This is an unusual method of executing code.

It does not infect 32-bit Portable Executable files, and it will not run on 32-bit Windows platforms. The virus is written in IA64 assembly code.

Note: A true 64-bit computer is not required for this virus, as it can be run on a 32-bit computer that is using 64-bit simulation software.

A minor variant was discovered which is capable of infecting DLL files in addition to EXE files. This sample is the same size as the original and was already detected by the existing W64.Rugrat.3344 and no signature update was necessary.

Antivirus Protection Dates

  • Initial Rapid Release version May 27, 2004
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version May 27, 2004
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date May 28, 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Peter Ferrie

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube