Virus Profile: W32/Donut

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 1/9/2002
Date Added: 1/9/2002
Origin: Czech Republic
Length: N/A
Type: Virus
Subtype: File Infector
DAT Required: 4181
Removal Instructions

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

A message box titled ".NET.dotNET by Benny/29A" is displayed, which reads, "This cell has been infected by dotNET virus!".

Methods of Infection

This is a file infecting virus which spreads to certain other .NET executables on the local system.

Aliases

Donut (F-Secure), W32.Donut (NAV)
   

Virus Characteristics

This is the first virus to make use of Microsoft's .NET architecture. Due to the uncommon system requirements and replicating environment, the virus is unlikely to become widespread. The .NET architecture must be installed on Windows 2000/XP in order for the virus to function, and it only infects some MSIL PE files.

W32/Donut is a file infector that infects certain other .NET executables using the .EXE extension. Files in the current directory and up to 20 directories above it are infected. Then the virus exits. It does not stay resident in memory. When run, there is a 10 percent chance that a dialog box will be displayed.

It is primarily written in Win32 assembly, with some MSIL (Microsoft Intermediate Language).
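For scoping a rescan, the following added example (not part of the vendor profile) lists the .EXE files that carry a CLR runtime header in a starting directory and up to 20 parent directories, matching the infection range described above. It assumes "directories above" means parent directories; the function names and the `sample_pe` header are constructed for illustration.

```python
import struct
from pathlib import Path

CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR runtime header

def is_dotnet_pe(data: bytes) -> bool:
    """True if data starts a PE image whose CLR header directory is populated."""
    try:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
        if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
            return False
        opt = pe_off + 24                  # signature (4) + COFF header (20)
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):    # PE32 / PE32+
            return False
        dirs = opt + (96 if magic == 0x10B else 112)          # data directories
        (count,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
        rva, size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIR)
    except struct.error:                   # truncated header
        return False
    return count > CLR_DIR and rva != 0 and size != 0

def dotnet_exes_in_scope(start, levels: int = 20) -> list:
    """.NET .EXE files in start and up to `levels` parents: rescan candidates only."""
    start = Path(start).resolve()
    hits = []
    for d in [start, *list(start.parents)[:levels]]:
        try:
            files = sorted(p for p in d.iterdir()
                           if p.suffix.lower() == ".exe" and p.is_file())
        except OSError:                    # unreadable directory: skip it
            continue
        for p in files:
            try:
                with p.open("rb") as fh:
                    if is_dotnet_pe(fh.read(4096)):
                        hits.append(p)
            except OSError:
                continue
    return hits

def sample_pe(clr: bool) -> bytes:
    """Constructed minimal PE32 header for exercising the check; not a real program."""
    opt = bytearray(224)                   # optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * CLR_DIR, *((0x2008, 0x48) if clr else (0, 0)))
    return b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(20) + bytes(opt)
```

A populated CLR header identifies a file as a .NET image, not as infected; the resulting list is what to hand to the scanner first.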
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations