BANGALORE: The first virus on .Net’s architecture has been identified by
Network Associates’ division, McAfee. The company has also found a solution
for the "deadly" Donut virus.
In an official release, the company has stated, "Due to the uncommon
system requirements and replicating environment, the virus is unlikely to become
widespread. The .NET architecture must be installed on Windows 2000/XP in order
for the virus to function and it only infects some MSIL PE files. The virus has
Czech Republic origin with a minimum DAT of 4181 and minimum Engine of 4.0.70.
The virus, W32/Donut, is a file infector that infects other .NET executables
with the .EXE extension in the current directory and up to 20 directories
above it, and then exits. It does not stay resident in memory. When run, there is
a 10 percent chance that a dialog box will be displayed.
It is primarily written in Win32 assembly and some MSIL (Microsoft
Intermediate Language). Its symptoms include the display of a message box
entitled ".NET.dotNET by Benny/29A", which reads, "This cell has
been infected by dotNET virus!".
The detection of the virus is included in McAfee's DAILY
DAT (beta) files and is also to be included in the next weekly DAT release.
In addition to the DAT version requirements for detection, the specified engine
version (or greater) must also be used.
Windows ME also utilizes a backup utility that backs up selected files
automatically to the C:\_Restore folder. This means that an infected file could
be stored there as a backup file, and VirusScan will be unable to delete these
files.
The removal instructions as given by McAfee are:
1. Right click the 'My Computer' icon on the Desktop, and choose
Properties.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
10. NOTE: The Restore Utility will now be disabled.
11. Restart the computer in Safe Mode.
12. Run a scan with VirusScan to delete all infected files, or browse the
files located in the C:\_Restore folder and remove the files.
13. After removing the desired files, restart the computer normally.
To re-enable the Restore Utility, follow steps 1-9 and, at step 5, remove
the check mark next to "Disable System Restore". The
infected files are removed and System Restore is once again active.
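
The infection scope described above (.EXE files that are MSIL PE images, in the current directory and up to 20 directories above it) can be inventoried before a scan. The following Python sketch is an added example, not McAfee's code: it marks a file as MSIL when the PE header's CLR directory entry is populated, which identifies candidates for infection rather than infected files. The function names and the constructed sample header are assumptions made for illustration.

```python
import struct
from pathlib import Path

CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: CLR header of an MSIL image

def is_msil_pe(data: bytes) -> bool:
    """True when data starts a PE image whose CLR header directory is populated."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]         # e_lfanew
    if pe + 26 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return False
    opt = pe + 24                                        # signature (4) + COFF header (20)
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_offset = {0x10B: 96, 0x20B: 112}.get(magic)      # PE32 / PE32+
    if dir_offset is None or opt + dir_offset + 8 * (CLR_DIR + 1) > len(data):
        return False
    count = struct.unpack_from("<I", data, opt + dir_offset - 4)[0]  # NumberOfRvaAndSizes
    rva, size = struct.unpack_from("<II", data, opt + dir_offset + 8 * CLR_DIR)
    return count > CLR_DIR and rva != 0 and size != 0

def msil_exes_in_scope(start: Path, levels_up: int = 20) -> list:
    """MSIL .EXE files in start and in up to levels_up directories above it."""
    start = Path(start).resolve()
    hits = []
    for folder in [start, *start.parents][: levels_up + 1]:
        try:
            entries = sorted(folder.iterdir())
        except OSError:                                  # unreadable directory: skip it
            continue
        for f in entries:
            try:
                if f.suffix.lower() == ".exe" and f.is_file():
                    with f.open("rb") as fh:
                        if is_msil_pe(fh.read(4096)):    # assumes headers sit in the first 4 KiB
                            hits.append(f)
            except OSError:
                continue
    return hits

def sample_pe(clr: bool) -> bytes:
    """Constructed PE32 header bytes for demonstration; not a runnable program."""
    buf = bytearray(0x200)
    buf[:2], buf[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    struct.pack_into("<H", buf, 0x98, 0x10B)             # optional header magic: PE32
    struct.pack_into("<I", buf, 0x98 + 92, 16)           # NumberOfRvaAndSizes
    if clr:
        struct.pack_into("<II", buf, 0x98 + 96 + 8 * CLR_DIR, 0x2008, 0x48)
    return bytes(buf)
```

The files this returns still need to be checked with a scanner that meets the DAT and engine versions given above.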