
The first .NET virus

Even though it's brand-new, someone has a virus for .NET.

The Windows .NET server family is not even out of beta yet and already there is a virus specifically targeted for that developing network operating system. The virus is named W32.Donut. Currently, it is little more than a proof-of-concept virus showing that it is possible to infect files specific to the .NET OS.

Microsoft was quick to publish a response claiming that this virus is just a Windows virus that infects .NET files. Most antivirus companies, however, disagree with Microsoft's downplaying of this threat. It doesn't really matter that this virus is not operating within the .NET framework as managed code. What matters is that this virus shows that it is possible to infect the very files that are the managed code of the .NET framework.

The W32.Donut virus seems to be an altered form of a previous Windows virus named W32.Winux. The new version incorporates the Microsoft .NET Intermediate Language (MSIL) to define its .NET-specific infection code, thus making it an original type of virus.

Fortunately for now, the version of the virus discovered does not self-replicate and requires that a user execute its code before the infection occurs. It should be obvious that with a bit more effort on the part of the virus-code author, these deficiencies could be erased. If so, .NET would have a serious problem on its hands.

Based on previous virus scares, Microsoft's Internet Explorer and Outlook Express (as well as the full version of Outlook) do not automatically download and execute many common file types where viruses can be hidden. Microsoft's response to the W32.Donut virus states that both IE and Outlook block this virus when it is received via a Web page or as an e-mail attachment. However, viruses can be included in legitimate software, thus creating a Trojan horse. Neither IE nor Outlook inspects the contents of compressed archives or prevents them from traversing the Internet connection. Archives such as .zip, .arj or .rar can include virus files just as easily as benign software and data files.
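As an added illustration of the archive point above (this is not code from the article or from Microsoft), the following Python example looks inside a .zip, including nested .zip members, and reports files that are Windows PE executables by content rather than by extension, marking those that carry a CLR header as .NET files. The function names, the sample archive and the header-only PE stubs are constructed for this example; .arj and .rar archives are not handled.

```python
import io
import struct
import zipfile

def pe_kind(data):
    """Return None for non-PE bytes, else 'dotnet' or 'native'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    opt = struct.unpack_from("<I", data, 0x3C)[0] + 24   # e_lfanew + PE signature + COFF header
    if data[opt - 24:opt - 20] != b"PE\0\0" or len(data) < opt + 2:
        return None
    off = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", data, opt)[0])  # PE32 / PE32+
    if off is None or len(data) < opt + off + 15 * 8:
        return "native"
    count = struct.unpack_from("<I", data, opt + off - 4)[0]         # NumberOfRvaAndSizes
    clr_rva = struct.unpack_from("<I", data, opt + off + 14 * 8)[0]  # data directory 14: CLR header
    return "dotnet" if count > 14 and clr_rva else "native"

def scan_zip(blob, prefix="", depth=3):
    """Return (path, kind) for each PE or unreadable member, following nested zips."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            try:
                body = zf.read(info)
                if body[:4] == b"PK\x03\x04" and depth > 0:
                    hits += scan_zip(body, path + "!", depth - 1)
                elif pe_kind(body):
                    hits.append((path, pe_kind(body)))
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                hits.append((path, "unreadable"))  # encrypted, unsupported or corrupt
    return hits

def sample_zip():
    """Constructed input: header-only PE32 stubs (not real programs) in nested zips."""
    stub = bytearray(0x200)
    stub[:2], stub[0x3C], stub[0x80:0x84] = b"MZ", 0x80, b"PE\0\0"  # DOS magic, e_lfanew, PE signature
    stub[0x98:0x9A], stub[0x98 + 92] = b"\x0b\x01", 16             # PE32 magic, NumberOfRvaAndSizes
    managed = stub[:360] + b"\x08" + stub[361:]  # non-zero RVA in directory 14 (0x98 + 96 + 14 * 8 = 360)
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("lib/app.exe", bytes(managed))
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"hello")
        zf.writestr("photo.jpg", bytes(stub))      # executable content behind a harmless extension
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()

print(scan_zip(sample_zip()))
```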

To protect yourself from this current threat, you have a few options. First, don't run Windows .NET beta on a production system. Second, don't download Web pages or e-mail onto your Windows .NET beta systems. Third, use standard security practices to protect yourself from viruses and Trojan horses, such as installing and keeping updated a quality virus scanner and keeping network and Internet activity to a minimum.

Even though this virus either has been or will soon be added to most antivirus software definition lists, don't assume that this will be the first and last time a .NET-specific virus pops up.

About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.

Reader Feedback
What do you think of this article? E-mail us, and let us know. Or, post your comments in our discussion forum.

Just as an observation. If there is a .NET Virus already waiting to be released, maybe we should be more worried about how people have been able to get a hold of the source code.

Instead of blaming Microsoft for having all these problems, maybe we should look at those people outside of Microsoft who have access to the source code. If a developer loans his software to someone it will get passed around and end up in the wrong hands.

I am not trying to blame anyone about this, but it will take Microsoft and the rest of us to weed out the rotten apples who are allowing new viruses to be developed.


Personally, I think the virus is overrated and has gotten way too much press. The virus doesn't even rank on the danger scale. A good proof-of-concept virus would be something much more damaging.

This was last published in January 2002
