It's not loose in the wild, and wouldn't be able to cause much trouble even if it were. But it is proof virus writers are capable of attacking 64-bit Windows files.
Researchers at network security company Symantec reached that conclusion after analyzing W64.Rugrat.3344, which they describe as "a fairly simple proof-of-concept virus" that is the first of its kind "to attack 64-bit Windows executables on IA64 systems intentionally and successfully."
"An IT manager doesn't need to be worried about this right now, but it is an indicator of future threats," said Kevin Hogan, senior manager of Symantec Security Response. "This is the first virus we've seen that turns the theory of targeting 64-bit files into reality."
The virus is a "direct-action infector" of IA64 Windows Portable Executable (PE) files, which includes most Windows applications but excludes .dlls. It infects files in the same folder as the virus and in all subfolders, and uses the Thread Local Storage structures to execute code. It is considered a Level 1 threat (Level 5 being the most severe) and is easily neutralized by running LiveUpdate.
The company has issued
According to the advisory, the virus carries the following string within itself, which is never displayed: Shrug - roy g biv. The file infection routine is standard. The last section of the program file is marked as executable; the virus body is inserted into the last section and a random number of bytes are appended to the end of the virus body.
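The header traits described above (an IA64 PE file, a Thread Local Storage directory, an executable last section) can be checked statically. The following triage sketch is an added example, not code from the article or from Symantec's advisory; `triage_pe` and `build_sample` are hypothetical names, and the sample image is a constructed header-only byte string.

```python
import struct

IA64, PE32_PLUS, MEM_EXECUTE, TLS_INDEX = 0x0200, 0x20B, 0x20000000, 9

def triage_pe(data: bytes) -> dict:
    """Report the PE header traits the article describes; 'review' means all three are present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    if nsections < 1:
        raise ValueError("no section table")
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories start at offset 112 in a PE32+ optional header, 96 in PE32.
    dir_off = opt_off + (112 if magic == PE32_PLUS else 96)
    tls_rva = tls_size = 0
    if struct.unpack_from("<I", data, dir_off - 4)[0] > TLS_INDEX:
        tls_rva, tls_size = struct.unpack_from("<II", data, dir_off + 8 * TLS_INDEX)
    # The section table follows the optional header; each entry is 40 bytes.
    last = opt_off + opt_size + 40 * (nsections - 1)
    flags = struct.unpack_from("<I", data, last + 36)[0]
    result = {
        "ia64_pe32plus": machine == IA64 and magic == PE32_PLUS,
        "has_tls_directory": tls_rva != 0 and tls_size != 0,
        "last_section_executable": bool(flags & MEM_EXECUTE),
    }
    result["review"] = all(result.values())
    result["last_section"] = data[last:last + 8].rstrip(b"\0").decode("ascii", "replace")
    return result

def build_sample(last_flags: int, tls_rva: int) -> bytes:
    """Constructed header-only IA64 PE32+ image with .text and .reloc (not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", IA64, 2, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32_PLUS)
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * TLS_INDEX, tls_rva, 0x28 if tls_rva else 0)
    def section(name: bytes, flags: int) -> bytes:
        return name.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", flags)
    return (dos + b"PE\0\0" + coff + bytes(opt)
            + section(b".text", 0x60000020) + section(b".reloc", last_flags))

if __name__ == "__main__":
    print(triage_pe(build_sample(0x42000040, 0)))        # typical layout: data-only .reloc, no TLS
    print(triage_pe(build_sample(0x62000040, 0x3000)))   # executable last section plus TLS directory
```

TLS directories and executable final sections also occur in clean files, so a `review` result is a reason to look closer, not a detection of this virus.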
The author is also behind a number of other proof-of-concept viruses, collected under the name W32.Chiton.gen, the advisory notes.
"Currently, there isn't a broad penetration of 64-bit systems. Most home and business systems deployed today are running on 32-bit platforms and are not affected by this threat," said Vincent Weafer, senior director of Symantec Security Response. "At this time, we are not expecting widespread copycats since assembly code requires advanced technical knowledge."
In the end, Hogan said, the virus "doesn't do any damage. It just spreads."