'Donut' virus caught in .Net

A proof of concept virus has been discovered which is capable of infecting and spreading via Microsoft's .Net architecture. It is the first virus of its kind capable of infecting executables written for the platform.

Created by 19 year-old Czech virus author Benny, the Donut virus infects executables containing .Net code.

Once an infected file is executed it searches the current and parent directories for other executables containing .Net code.

These files are modified so that Windows will treat them as standard executables and they then become infected with the virus.

The infected file also has a one in 10 chance of displaying a message when executed which reads: "This cell has been infected by dotNET virus!"

Benny is part of the 29A virus writing group which hit the headlines last March with the first Linux/Windows cross platform virus, Winux.

On his homepage, Benny proudly proclaims that Donut is: "My first virus for .NET architecture! It appendz to last section, overwritez CLR (Common Language Runtime) dispatcher with jmp _virus_ (EPO) and replacez metadata (whole CLR descriptor) with its own - 95% of win32asm, 5% of MSIL (MS Intermedial Language)."

All of which means that the virus is mostly written in Assembly, but also contains some MSIL code.

Experts said that the virus is of little concern for end users, as .Net is still in the development stages, but it should be noted for technical interest and as a warning that the virus writers are already waiting in anticipation for .Net to go live.