Crisis virus attempts to infect VMware Workstation or Player virtual machines on Windows

A new virus has been discovered that infects virtual machines that reside on Windows PCs. We wanted our customers to be aware of this issue and to take the necessary precautions to protect themselves.

On August 20, 2012, Symantec published a blog post on the Crisis virus: http://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines. This virus spreads to systems running Windows through social engineering: the user must install a disguised JAR file. Symantec discovered that once the virus is present on a Windows system, the malware tries to infect virtual machines that reside on the PC.

This has the potential to impact customers running VMware Workstation or VMware Player on Windows. The virus uses legitimate functionality to mount virtual disks and then copies itself onto the disks. It does not use any vulnerabilities in VMware Workstation or Player to infect the virtual machines.    

Windows users who run VMware Workstation or VMware Player are advised to follow standard security practices on their host systems to minimize the risk of introducing the Crisis virus to Windows systems:

  • Practice safe browsing. Do not visit untrusted Web sites.
  • Do not open untrusted files downloaded from the Web.
  • Run anti-virus software and keep it up-to-date.
  • Keep current with Windows updates.

You can use additional measures to protect VMware virtual machines against the Crisis virus:

  • The Crisis virus cannot infect encrypted virtual machines. VMware Workstation has a feature that allows encryption of virtual machines.
  • Consider using third-party whole-disk encryption tools in the virtual machine.
  • If VMware Workstation or Player is used to create virtual machines that are later used on ESX/ESXi hosts, take care that the systems on which virtual machines are created are secure and regularly audited.
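
To act on the encryption advice above, a host can be audited for virtual machines that are still unencrypted. The script below is an added example, not VMware's code. It assumes that the .vmx file of an encrypted Workstation VM carries an "encryption.keySafe" entry, and the sample VM folders and their contents are constructed for the demonstration.

```python
import os
import tempfile

# Assumption: Workstation rewrites the .vmx of an encrypted VM so that it
# carries an "encryption.keySafe" entry; a plaintext .vmx has no such key.
ENCRYPTION_KEY = "encryption.keysafe"


def vmx_is_encrypted(path):
    """Return True if the .vmx file declares an encryption key safe."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, _value = line.partition("=")
            if sep and key.strip().lower() == ENCRYPTION_KEY:
                return True
    return False


def audit_vm_folder(root):
    """Walk root; return sorted (encrypted, unencrypted) lists of .vmx paths."""
    encrypted, unencrypted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".vmx"):
                full = os.path.join(dirpath, name)
                (encrypted if vmx_is_encrypted(full) else unencrypted).append(full)
    return sorted(encrypted), sorted(unencrypted)


def build_sample_tree(root):
    """Create two constructed sample VMs (placeholders, not real configs)."""
    samples = {
        "plain-vm": 'displayName = "plain-vm"\nscsi0:0.fileName = "plain-vm.vmdk"\n',
        "locked-vm": 'displayName = "locked-vm"\nencryption.keySafe = "CONSTRUCTED"\n',
    }
    for vm, body in samples.items():
        os.makedirs(os.path.join(root, vm), exist_ok=True)
        with open(os.path.join(root, vm, vm + ".vmx"), "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        enc, plain = audit_vm_folder(tmp)
        for p in plain:
            print("NOT ENCRYPTED:", p)
        for p in enc:
            print("encrypted:    ", p)
```

Point audit_vm_folder at the directory where the host stores its virtual machines to list the VMs that still need encrypting.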

The VMware security team is following this closely and we will post any updates to this blog.