A new virus from the Czech Republic has anti-virus software makers rushing to analyse the effects of using so-called "files streams," a Windows NT technology, as a means of infection.
File streams -- not to be confused with audio and video streaming a la Real Networks -- break programs up into a main code segment, or stream, and several alternate ones. Used for sharing data between programs, the Microsoft technology first debuted in the Windows NT file system, or NTFS, but is also present in Windows 2000.
Eugene Kaspersky, the head of anti-virus researcher Kaspersky Lab and the first to spotlight the Stream virus, theorised that hiding malicious code in a file stream will make it more difficult to detect.
"Certainly, this virus begins a new era in computer virus creation," said Kaspersky, who is based in Moscow, in a statement. "The 'Stream Companion' technology the virus uses to plant itself into files makes its detection and disinfection extremely difficult to complete."
Most anti-virus scanners only scan the main stream of each program and could miss data hiding in an alternate data stream, stated Kaspersky.
Others deride Kaspersky's announcement as thinly veiled hype.
"They have not proven anything here except that they can write data to an alternate data stream," said Russ Cooper, editor of Windows NT security watcher NTBugtraq.com, who moderated a discussion of the possible dangers posed by alternate data streams in 1997. That discussion found that there was very little danger posed by the exploitation of the file streams system.
"This is highly theoretical and not all that new," said Cooper. The virus -- created by two writers who use the names Benny/29A and Ratter -- does little else except infect files and it doesn't do that very well either, said Patrick Martin, product manager for Symantec's anti-virus research labs.
Users should not worry about the virus attacking their computers. "This is a proof of concept," he said. "This virus is not going anywhere. It is not in the wild."
