Win2K.Team
Details
Win2K.Team.a
Team is a Windows 2000/XP compatible companion virus using the “stream companion” infection method. This method is based on an NTFS feature that allows the creation of multiple data streams associated with a file.
NTFS Streams
Each file contains at least one default data stream that is accessed just by the file name. A file may also contain additional streams, each accessed by its own name appended to the file name (filename:streamname).
The default file stream is a file body itself (in pre-NTFS terms). For instance, when an EXE file is executed the program is read from the default file stream; when a document is opened, its contents are also read from the default stream.
Additional file streams may contain any data. The streams cannot be accessed or modified without reference to the file. When the file is deleted, its streams are deleted as well; if a file is renamed, its streams follow its new name.
Windows has no standard tools to view/edit file streams. To “manually” view file streams you need to use special utilities such as the FAR utility with a file streams support plug-in (Ctrl-PgDn displays file streams for the selected file).
Virus Execution
The virus itself is a Windows application (PE EXE file) about 4K in size. When run, it executes the host file and tries to infect all EXE files in the current directory. If the host file is absent, the virus shows the following message before infecting files:
While infecting a file the virus creates a new stream associated with the victim file. This stream is named “ccc”, i.e. the complete stream name is “FileName:ccc”. The virus then moves the victim file’s body to the “ccc” stream and overwrites the victim file’s body (default stream) with its own code.
During infection, Team makes a copy of itself under the name 2002. After infection is complete Team deletes this file.
As a result, when the infected file is executed Windows reads the default stream that was overwritten by the virus code and executes it.
Windows reports the same file size for all infected files, because the reported size is that of the default stream, which now holds only the virus code; the original program parked in the “ccc” stream is not counted.
To pass control to the host program, the virus creates a new process from the original program body, which it addresses by the stream name FileName:ccc.
This infection method should work on any NTFS system, but the virus checks for the system version and runs only under Win2000/XP.
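The infection pattern described above (an EXE whose default stream is a small virus body and whose original program sits in a “ccc” stream) can be triaged with the stream-enumeration cmdlets built into newer PowerShell. The script below is an added example, not code from the original write-up; it assumes PowerShell 3 or later on an NTFS volume, the stream name “ccc” and the ~4K body size stated above, and a placeholder scan path.

```powershell
# Added triage script (not from the original write-up). Assumptions: PowerShell 3+ on an
# NTFS volume, the stream name "ccc" and the ~4K virus body size described above.
function Find-StreamCompanionSuspects {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $StreamName   = 'ccc',
        [int]    $MaxBodyBytes = 8192   # default-stream size ceiling; the write-up says ~4K
    )

    Get-ChildItem -Path $Path -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Enumerate every stream of the file; ':$DATA' is the default (unnamed) stream itself.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        $companion = $streams | Where-Object { $_.Stream -eq $StreamName }
        if ($companion) {
            [pscustomobject]@{
                File            = $file.FullName
                DefaultBytes    = $file.Length       # what Explorer/dir report: the default stream
                HostStreamBytes = $companion.Length  # original program parked in FileName:ccc
                SmallDefault    = ($file.Length -le $MaxBodyBytes)
                # Get-FileHash reads the default stream only, so infected files share one hash.
                DefaultSHA256   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# Usage: list suspects, then group by hash. Many EXEs sharing one small default-stream
# hash while each carries a 'ccc' stream match the companion pattern described above.
$suspects = Find-StreamCompanionSuspects -Path 'C:\Path\To\Scan'   # placeholder path
$suspects | Format-Table File, DefaultBytes, HostStreamBytes, SmallDefault
$suspects | Group-Object DefaultSHA256 | Where-Object Count -gt 1 | Select-Object Count, Name
```

A legitimate EXE normally has no named streams beyond the occasional Zone.Identifier, so any hit on the “ccc” stream name deserves a look even if the size check does not fire.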