
Windows 2000 virus hides from scanners

by John Leyden

06 Sep 2000


The discovery of the first virus to exploit the file stream feature of Windows 2000 to infect PCs has provoked a fierce debate about the adequacy of antivirus software in combating such infection.

The W2K/Streams virus, an executable file virus that only affects Windows 2000 systems, has been described by antivirus vendors as more of interest as a 'proof of concept' than a threat. Antivirus vendors have, however, updated their software to detect the virus.

While it is not spreading, the virus is the first to take advantage of the NT File System alternative data streams (ADS) feature, which allows the division of a file into several sub-files or streams.

The virus uses alternative data streams to hide part of its code, and some security experts, such as the respected Sans Institute, have said that antivirus software does not adequately check this area of the file system.

"This deficiency [of virus scanners] can be leveraged in order to hide malicious code or even cause the virus scanner itself to destroy critical system files," said the Sans Institute in a security alert.

Antivirus vendors said the criticism is misplaced because viruses such as W2K/Streams still keep a portion of their code in the default stream, and this will be found by any good on-access scanner.

Graham Cluley, senior technology consultant at Sophos, said: "W2K/Streams uses ADS to hide the real binary data and place itself before it in the execution chain. The virus per se makes no use of ADS, and that some people have chosen to hype the ADS angle is somewhat unfortunate.

"To execute code in an ADS you have to call the code from a non-ADS stream. So far we have not seen evidence that the code can be executed directly."

Neil Barrett, technical director at Information Risk Management, said that up until now virus engines had no reason to look inside ADS, and that swap files are not scanned during normal operation.

Eric Chien, chief researcher at Symantec's Antivirus Research Centre, said: "Antivirus packages offer protection from this kind of infection. But if virus writers make more use of stream technologies we will have to develop new parsing engines to specifically look in alternative data streams."

According to Panda Software, the virus is itself a Windows application, 3,628 bytes in size and compressed with the Petite PE EXE file compressor.

When run, the virus infects every EXE file or program in the current directory: it copies the original file into a hidden stream and then overwrites the original (default) stream with its own code.

In this way, each time the user tries to run the file he or she is actually executing the virus.
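The scanner blind spot the Sans Institute describes, and the infection pattern above (host program parked in a named stream, virus in the default stream), both come down to the same defensive check: which executables on an NTFS volume carry named streams, and do any of those streams hold a PE image? The following PowerShell is an added example written for this article, not code from any vendor quoted here; the function name Find-HiddenExecutableStreams, its parameters and the sample path C:\Tools are assumptions. It runs on Windows PowerShell 5.1 or PowerShell 7 against an NTFS volume.

```powershell
# Added example (not from the article): report alternate data streams on
# executables and flag any stream that itself begins with a PE "MZ" header,
# which is what a host program hidden in a stream would look like.
# Assumes NTFS, Windows PowerShell 5.1 or PowerShell 7+, and read access.
function Find-HiddenExecutableStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,                      # directory to inspect (hypothetical parameter)
        [string[]] $Include = @('*.exe', '*.dll', '*.scr')          # file types to examine
    )

    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_

            # Get-Item -Stream * lists every stream on the file. ':$DATA' is the
            # default (unnamed) stream, the only one a traditional scanner reads.
            $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }

            foreach ($s in $streams) {
                # Read the first two bytes of the named stream. The raw-bytes
                # switch differs between Windows PowerShell and PowerShell 7.
                if ($PSVersionTable.PSVersion.Major -ge 6) {
                    $head = Get-Content -LiteralPath $file.FullName -Stream $s.Stream -AsByteStream -TotalCount 2
                } else {
                    $head = Get-Content -LiteralPath $file.FullName -Stream $s.Stream -Encoding Byte -TotalCount 2
                }

                # 0x4D 0x5A is the 'MZ' signature at the start of every PE executable.
                $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

                [pscustomobject]@{
                    File        = $file.FullName
                    Stream      = $s.Stream
                    Length      = $s.Length
                    LooksLikePE = $isPe
                }
            }
        }
}

# Usage: list every executable under C:\Tools that carries a named stream,
# with streams that look like hidden PE images sorted to the top.
Find-HiddenExecutableStreams -Path 'C:\Tools' |
    Sort-Object LooksLikePE -Descending |
    Format-Table -AutoSize
```

Expect benign hits: files downloaded through a browser commonly carry a small `Zone.Identifier` stream (the mark of the web), which is text, not a PE image. A named stream whose first bytes are `MZ` on a program that is otherwise unremarkable is the case worth pulling for analysis, since it matches the pattern the article describes.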

Jack Clark, European antivirus product manager at Network Associates, said the possibility of virus writers using the file stream feature within Windows 2000 has been known about for some time.

"Virus writers are not standing still. This is another example of them using the methods made available by modern operating systems," he said.
