W64.Shruggle.1318 is a direct-action file infector, similar to W64.Rugrat.3344, which infects AMD64 Windows Portable Executable (PE) files. It is a fairly simple proof-of-concept virus; however, it is the first known virus to attack 64-bit Windows executables on AMD64 systems.
The virus is written in AMD64 assembly code.
The virus uses a small number of Win64 APIs from the following three libraries:
From Ntdll.dll, the virus uses the following functions:
The virus supports vectored exception handling to avoid crashing during infections.
The SfcIsFileProtected() function of Sfc_os.dll is used to avoid infecting executables that are protected by the System File Checker (SFC).
The following sixteen functions are used from Kernel32.dll to implement a standard file infection of an AMD64 Portable Executable image:
The virus carries the following string, which is never displayed, within itself:
Shrug - roy g biv
The file infection routine is standard. The last section of the executable is marked as executable, the virus body is inserted into the last section, and a random number of bytes are appended to the end of the virus body.
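As an added illustration (not part of the original writeup), a small PE32+ header check in Python that flags files whose entry point lands in the last section while that section carries the execute flag, the two traces the infection routine above leaves in a host. The PE image it inspects is constructed inline as a header-only sample, not a real binary.

```python
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664        # COFF Machine value for x64
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B    # PE32+ optional header magic
IMAGE_SCN_MEM_EXECUTE = 0x20000000       # section Characteristics bit
SECTION_HDR = "<8sIIIIIIHHI"             # IMAGE_SECTION_HEADER layout


def parse_pe64(data):
    """Return (entry_rva, [section dicts]) for a PE32+ x64 file, else None."""
    if data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24                                      # signature + COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if machine != IMAGE_FILE_MACHINE_AMD64 or magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        return None
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, raw, _, _, _, _, _, flags = struct.unpack_from(
            SECTION_HDR, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "size": max(vsize, raw), "flags": flags})
    return entry_rva, sections


def suspicious_last_section(data):
    """Heuristic: entry point inside the last section and that section is executable."""
    parsed = parse_pe64(data)
    if parsed is None:
        return False
    entry, secs = parsed
    last = secs[-1]
    in_last = last["va"] <= entry < last["va"] + last["size"]
    return in_last and bool(last["flags"] & IMAGE_SCN_MEM_EXECUTE)


def build_sample_pe64(entry_rva, last_flags):
    """Constructed minimal PE32+ header with .text and .data sections (test input only)."""
    opt_size = 240
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 2, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<HBBIIII", IMAGE_NT_OPTIONAL_HDR64_MAGIC, 14, 0, 0x200, 0x200, 0, entry_rva)
    opt += b"\0" * (opt_size - len(opt))
    text = struct.pack(SECTION_HDR, b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_HDR, b".data", 0x200, 0x2000, 0x200, 0x600, 0, 0, 0, 0, last_flags)
    return dos + b"PE\0\0" + coff + opt + text + data
```

The check is a triage aid only: packers and some linkers also place the entry point in an executable last section, so a hit should be confirmed against the virus body rather than treated as a verdict.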
The virus author is also the author of a number of other proof-of-concept viruses. These are collected under the name W32.Chiton.gen.