(Win32.Donut (KAV), W32.Donut (NAV), W32/Donut (McAfee))
Sometimes when running an .NET executable the following message box appears:
Costin Ionescu BitDefender Virus Researcher
This is a concept virus which attacks the executables created with Microsoft .NET Framework. It infects the files without enlarging them, because it overwrites the .reloc section. If the .reloc section of the victim executable is not big enough to hold the virus code, it does not infect it. By destroying relocation informations (.reloc section) will make the executable unloadable in some very rare cases.
To infect files the virus searches the current directory and 20 upper directories for .NET executables and tries to infect them. The infection consists in copying the virus body over .reloc section and modifying the .NET stub (by redirecting a jump to the virus entry point), and also inserts a small MSIL code (Microsoft Intermediate Language - .NET native code) which contains the payload: showing in 1/10 cases the above message box. The virus may corrupt some .NET executables not compiled with C#.
To execute the host file, the virus will create a file with the same name as the host but with a space inserted just before the extension (ie.: name .exe).
The virus is written by a member of a well known group of virus writers and is not intended to be spread.