VMware and the SafeSys Worm...a question.

Hi all, i have heard about VMware and i understand that it basically allows you to install multiple Operating Systems and Platforms on a single PC and move back and forth easily between them.

Well what happens when im running in such a virtual Machine OS, if i get a virus?
Will it be deleted when i log off, and not compromise my whole PC?

And how about this SafeSys worm, do you think it will still be able to get into the kernel drivers to insert its code, while i execute the worm in Vmware?

 

I have also heard that there is this ability to create "a snapshot or “picture” of your virtual machine, the memory, settings, and virtual disk are captured and frozen in time at that specific moment. At any time, you can revert back to that original configuration, losing all changes you made since that snapshot was taken."
http://blogs.techrepublic.com.com/virtualization-coach/?p=143

So does this mean that the virus can be defeated this way,
by simply reverting to a previous snapshot?

 

And has ANY virus been able to bypass that in your experience, or do you know of any that has?

Also, another thing that i have read is that apparently the new viruses know if they are operating in a Virtual Machine, and so they keep the payload dormant....to be released if access is possible outside of the VM environment...

Edit: im talking about VMWare Workstation 6.5.2.

 

From what you read, was it revealed how the new virus got onto the computer in the first place?

thanks,

----
rich

 

You download an application.
You dont want to pay for the software.
You then proceed to download the 'crack' or 'patch' released by a software cracking group.
You think you are safe in a Guest Vmware OS, so you first try the software+patch to see if it works, and no funny business.
Everything appears fine, so you decide to install the application+patch in your Host OS.
Bam, the rootkit inside the patch is now activated once it sees that its on the Host OS.

 

Lebowsky,

regarding SafeSys worm, have you seen this thread? Look at the links in the first post (especially the second one).

There are many rumors out there, which doesn't mean they are founded. Where did you hear of this "chain of events"? A link perhaps? IMHO, without some proof (or at least PoC) this is nothing more than a boogeyman story.

 

That's what I thought, but just wanted to be sure.

thanks,

rich

 

I am inclined to agree with you, it just might be a rumor, or the poster may just be bragging. I remember reading something like the rootkit first detects if vmware is running in startup (or?) taskmanager, and if the process is detected, nothing happens, it aborts releasing the payload, and sits dormant.
I think the poster may just be kidding, or not.
I stumbled upon these comments in a blog or a forum, i dont remember which as its been a couple of weeks...you know how it goes, one link leads to another....

you are welcome rich. but like i said, it may or may not be based in fact.

Glad to hear that.