Summary

| Affected operating systems | Windows |
|---|---|
| Detected by | All Sophos products |
Action

Please follow the instructions for disinfecting PE executables.
More Information
W2K/Stream is an executable file virus which only infects Windows 2000 systems.
W2K/Stream is the first virus that takes advantage of NTFS Alternative Data
Streams (ADS). As such it is more of a 'Proof of Concept' than a threat.
The virus, on infecting a file, creates a copy of itself as <temp>.exe. It then
copies the original file as <temp>.exe:STR, where the :STR tells NT to store
the data in an ADS. Then it renames <temp>.exe to that of the original file.
During execution the virus checks to see if it is running on Windows 2000 and
refuses to run if it is not.
In an Explorer window or via a DOS prompt the infected files are shown as 3628
bytes in length. The original executable is completely hidden from view via
normal NT utilities.
When an infected file is run it infects new files then runs the <name>.exe:STR
stream to run the original file.
If an infected file is copied to or accessed from a non-NTFS drive the original
file information will be lost.
To recover the original, you can use a POSIX utility from the NT Resource Kit
called CAT.EXE. To restore the original file, type the following:
CAT <name>.exe:STR > <newname>.exe
COPY /B <newname>.exe <name>.exe
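
Because the original program is hidden from normal directory listings, files with this layout have to be found by enumerating streams. The following PowerShell is an added example, not part of the original description or of any Sophos tool: it lists .exe files that carry a named STR stream and notes whether the visible size is the 3628 bytes given above. It assumes Windows PowerShell 3.0 or later examining an NTFS volume; the function name Find-StreamCompanion and the path C:\Samples are hypothetical.

```powershell
# Added example: report .exe files that match the W2K/Stream layout
# (small visible file, original program stored in a named :STR stream).
# Find-StreamCompanion is a hypothetical name, not an existing cmdlet.
function Find-StreamCompanion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string] $StreamName = 'STR',   # stream name given in the description
        [long]   $StubLength = 3628     # visible size of an infected file, per the description
    )

    Get-ChildItem -LiteralPath $Root -Filter '*.exe' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                # -Stream * returns the unnamed stream (':$DATA') and every named stream.
                $streams = @(Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction Stop)
            } catch {
                # Non-NTFS volume or access denied: nothing to enumerate for this file.
                return
            }

            # Stream names are case-insensitive on NTFS, as is -eq in PowerShell.
            $named = $streams | Where-Object { $_.Stream -eq $StreamName } | Select-Object -First 1
            if ($named) {
                [pscustomobject]@{
                    Path          = $file.FullName
                    VisibleLength = $file.Length      # size Explorer and DIR report
                    StreamName    = $named.Stream
                    StreamLength  = $named.Length     # size of the hidden original
                    MatchesStub   = ($file.Length -eq $StubLength)
                }
            }
        }
}

# C:\Samples is a constructed placeholder path; point -Root at the volume under review.
Find-StreamCompanion -Root 'C:\Samples' | Format-Table -AutoSize
```

A named STR stream on an executable is only an indicator; confirm with the anti-virus scan before restoring the file with the CAT and COPY steps above.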
