dotgnu-general

Re: [DotGNU]Virus writers take an early crack at .Net


From: Gopal.V
Subject: Re: [DotGNU]Virus writers take an early crack at .Net
Date: Thu, 10 Jan 2002 12:09:46 +0530
User-agent: Mutt/1.2.5i

Hi,
> Had to happen sooner or later ...
> 
> http://news.cnet.com/news/0-1003-200-8424382.html?tag=mn_hd
        Doesn't surprise me. Writing a virus in IL is much
easier than in Java. The unmanaged support in IL helps quite
a bit. To push in support for non-type safe languages M$ has
added this which sticks out like a sore-thumb (IMHO). But the
code I got for donut is *not* a PE/COFF executable? It is a
standard 32 bit EXE. This is what I could decode of it. It
uses the CLR as a COM object to execute inline IL code which
has a secure certificate signature (dunno how they faked it).
This in turn infects the mscorlib.dll in the CLR's path. This goes
on to infect all the .NET programs run. (the signature turns
out to be *very* similar to windows-update ;-). This is what
I infer from the code/strings in the program. After all I'm
not *crazy* to test it out on a w*n*o*s box !

        Rhys, you should consider you are lucky that the stuff
happened to be a Win32 Executable. I got that especially to
run it on Pnet inside a sandbox (VMWare GNU inside GNU).
Since that failed, does Pnet verify code for unmanaged section
of IL code? Also I guess that the certificate verification and
stuff like that comes in the domain of SEE? So currently
anyone foolish enough to run an IL virus explicitly as root
(ie ilrun imavirus.exe) is the only person really vulnerable
to the virus. Talk about curiosity killing the computer !

Gopal.V
-- 
 The difference between insanity and genius is only measured by success
 //===<=>===\\
|| GNU RULEZ ||
 \\===<=>===//

