First 64-Bit Windows Virus Discovered
W64/Rugrat Represents New Turn in Viruses
Symantec and McAfee have both released write-ups for an interesting new file infector named W64/Rugrat. The “W64” prefix, as opposed to the usual “W32” (Windows 32-bit operating system), designates that this virus infects only 64-bit Windows PE (Portable Executable) files. The Rugrat virus functions only on systems capable of running 64-bit programs, either natively or via emulation.
Apart from being the first 64-bit virus and being written in IA64 assembly code, Rugrat is a standard virus in every way. Much of the code, in fact, was stolen from the interesting but dated W32/Chiton virus. It directly infects Windows programs, including .dll files, and is 3,344 bytes in length.
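Whether a file is a W32 or a W64 target comes down to two fields in the PE headers. The following is an added example, not part of the original article or of either vendor write-up: a Python triage helper that reads the COFF Machine field and the optional-header magic to tell 32-bit PE32 images from 64-bit PE32+ ones, and flags DLLs. The function names and the header-only samples are constructed for illustration; the constants come from the PE/COFF specification.

```python
import struct

# Constants from the PE/COFF specification.
MACHINES = {0x014C: "x86", 0x0200: "IA64", 0x8664: "x64"}
PE32, PE32_PLUS = 0x010B, 0x020B
IMAGE_FILE_DLL = 0x2000


def classify_pe(data: bytes) -> dict:
    """Classify a PE image from its headers; raise ValueError if malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4) + COFF header (20) + optional-header magic (2)
    if e_lfanew + 26 > len(data):
        raise ValueError("PE header lies outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _, _, _, _, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if opt_size < 2:
        raise ValueError("no optional header (object file, not an image)")
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    if magic not in (PE32, PE32_PLUS):
        raise ValueError(f"unknown optional-header magic {magic:#06x}")
    return {
        "machine": MACHINES.get(machine, f"other ({machine:#06x})"),
        "is_64bit_pe": magic == PE32_PLUS,
        "is_dll": bool(flags & IMAGE_FILE_DLL),
    }


def build_sample(machine: int, magic: int, flags: int = 0x0002) -> bytes:
    """Constructed header-only sample for the demo; not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 2, flags)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    samples = {
        "w32 exe": build_sample(0x014C, PE32),
        "ia64 exe": build_sample(0x0200, PE32_PLUS),
        "ia64 dll": build_sample(0x0200, PE32_PLUS, 0x2002),
    }
    for name, blob in samples.items():
        print(name, classify_pe(blob))
```

Run over a directory of executables, the same check separates the 64-bit images a W64 file infector could touch from the 32-bit ones it cannot.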
W64/Rugrat is actually a member of a larger family of viruses, as indicated by the following text:
Shrug - roy g biv
This references a family of viruses known as W32/Shrug. Specifically, this virus is related to several variants of W32/Chiton, which is related to W32/Shrug. “roy g biv” (the colors of the rainbow, for trivia's sake) is the name of the virus writer who wrote all these viruses, and probably also W64/Rugrat.
“roy g biv” has in the past released his viruses as proofs of concept, never spreading them intentionally. This, along with the fact that 64-bit processing is far from commonplace, makes it unlikely that “Rugrat” will spread significantly in the wild. Still, this concept shows that virus writers are definitely starting to work on viruses to support the new standard.