The discovery this week of the first computer virus that works specifically with Microsoft Corp.'s Windows 2000 initially brought questions about the soon-to-be-unveiled operating system's security.
But experts who have taken a closer look at the virus, officially dubbed W2K.Installer.1676, say it doesn't take advantage of any potential security holes. In fact, it's a relatively conventional file virus that only infects Windows 2000 for the simple reason that it checks to see which OS it's running on, and spreads only if it's Windows 2000.
The virus isn't in actual circulation yet, nor do virus researchers expect it to ever be. Research labs found out about W2K.Installer.1676 when it was sent to them, apparently by its author. In addition, it lacks a damage-causing payload. The only thing it does is spread itself.
Despite the virus being characterized as "rare," major antivirus software makers say their existing packages will detect W2K.Installer.1676 because of the way it works, although they plan to add specific protection against it in their next virus signature updates.
Vincent Weafer, director of the Symantec Antivirus Research Center, says that W2K.Installer.1676 may simply be a "proof of concepts," a typical first-generation virus where the dark fraternity of (mainly male) virus writers explore a new OS, looking for holes or just proving that they can write a virus that works only with that OS, which they were able to do in this case.
Or it may just be an ego thing, according to Weafer, with the author wanting to be the first to write a Windows 2000 virus.
No Antivirus Magic in W2K
While Weafer says that Windows 2000 is "overall a more secure operating system," he says that users still need to be careful, because most viruses that can infect Windows 98 and NT can also infect the new OS.
Under the hood, W2K.Installer.1676 is what's known as a "cavity infector," a common type of virus that looks through files to find unused spaces in the code. When it finds a space big enough, it inserts itself in the file. And because it doesn't actually change the size of the file, it attempts to work around the "heuristic" protection in most antivirus software, which looks for unexpected changes in the sizes of files.
In one way, W2K.Installer.1676 is almost a step back to reusing earlier virus technology in a new context. Cavity infectors were widely used in early DOS viruses, but fell out of favor with virus writers.
When asked about Microsoft's reaction to W2K.Installer.1676, a spokesperson said it's nothing but "a publicity stunt." She added that "a virus is by definition just an application that does something malevolent, and Windows 2000 runs applications."