First potential virus risk for Windows Vista found

New command-line shell that may be part of the new Windows OS is already being probed by a virus writer.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
3 min read
Virus writers are targeting a new Microsoft tool that will be part of Windows and is set to ship as part of the next Exchange e-mail server release.

A virus writer has published the first examples of malicious code that targets Microsoft's upcoming command-line shell, code-named Monad, according to Finnish antivirus maker F-Secure. If the technology is included in Windows Vista, these could be one of the first viruses to target the new operating system formerly known as Longhorn, F-Secure said Thursday.

Monad, also known as MSH, is the replacement for the simple command shell in the current versions of Windows. A shell, also called a command line interface, allows a user to give a computer textual commands either from a keyboard or from a script. Monad has much more functionality, similar to shells in competing products such as Bash in Unix. However, by adding the ability to run more-complex scripts, Microsoft could possibly open another door to attackers.

Monad will support Windows Server 2003, Windows XP and Windows Vista, Microsoft representatives said in a Web chat late last year. However, the software maker has not disclosed how it will deliver the tool.

The examples that made it to the Web would cause little harm but could be modified, according to Mikko Hypponen, director of antivirus research at F-Secure.

Hypponen warned that if Microsoft ships Monad with Vista and it is enabled by default this could lead to an "outbreak of scripting viruses." Microsoft may choose to ship the tool as an add-on or disable it by default to reduce the risk, he added.

Microsoft initially planned to include Monad in Vista, formerly known by its Longhorn code-name. However, company representatives have said the tool would first ship as a feature of Exchange 12, due in the second half of 2006. Monad will ship in Windows after that, they said.

Monad is available to testers but is not part of the first Windows Vista beta, which Microsoft released last week, a company representative said Thursday. The shell tool also is not included in the beta of Windows Server 2003 R2, an update to Windows Server due later this year, the representative said.

"At this time, these reports pose no risk for Microsoft customers," the Microsoft representative said.

Microsoft has yet to announce how it will deliver Monad in the Windows operating system. A source familiar with Microsoft's plans said it is too early to say whether the new shell will make it into later beta versions of Windows Vista or the final product. Windows Vista is due on store shelves by the end of 2006.

Microsoft also could offer Monad as a downloadable add-on for Windows.

A Microsoft developer in a blog posting on Thursday criticized the F-Secure report. "It's a misleading title, as it's an issue that affects any vehicle for any executable code on any operating system," wrote Lee Holmes, who works on the team building Monad.

"The fact that MSH is used as the execution vehicle is really a side-note, as it does not exploit any vulnerabilities in Monad," Holmes wrote. "The guidance on shell script viruses is the same as the guidance on all viruses and malware: protect yourself against the point of entry, and limit the amount of damage that the malicious code can do."

In a December online chat session with developers, Microsoft representatives specifically addressed the topic of script attacks. The company is taking measures to prevent those. For example, Monad will run only scripts that are digitally signed by a trusted person. Additionally, it won't be possible to double click on a script and have it run, according to a transcript of the session.

The possibility of viruses being aimed at Microsoft's new shell was discussed at the Virus Bulletin event last year. Eric Chien of Symantec said at the antivirus industry event that the new tool could allow the creation of both classic viruses as well as e-mail worms.

Ingrid Marson of ZDNet UK contributed to this story.