Microsoft KB Archive/316287

= Information About the .NET W32.Donut Virus =

Article ID: 316287

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional x64 Edition
 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition

-



This article was previously published under Q316287



SYMPTOMS
If you run the W32.Donut virus, the virus attempts to infect all .exe files that contain .NET code in the folder that contains the virus and up to 20 parent folders. After the files are infected, the virus replicates. You can identify infected files because they have a space inserted by the virus between the file name and the file extension. Additionally, you may receive the following message:

This cell has been infected by dotNET virus!

.NET.dotNET by Benny/29A



RESOLUTION
To resolve this behavior, run a virus-detection program.



MORE INFORMATION
The virus must be run by a user after being downloaded. W32.Donut takes advantage of a stub that .NET programs use to run Mscoree.dll. The virus only attacks files that are part of the .NET framework.

NOTE: This virus does not spread through e-mail messages. You must have direct access to the .exe file to run the code.

Because .NET programs run native code before running platform-independent code at the time that this article was published, the virus can use Mscoree.dll to attack the CorExeMain function.

The W32.Donut virus is a concept virus and cannot spread widely, cause any damage, or carry a harmful payload.

Keywords: kbprb kbvirus KB316287

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.