PE_VIRUT
Virut
Windows 2000, Windows XP, Windows Server 2003
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
VIRUX variants have been spotted as early as 2009. These file infectors spread across removable drives and network shares. They take advantage of vulnerabilities to infect users' systems. VIRUX variants have also been found in websites that offer software license/serial numbers, key generators and program cracks.
Unlike most file infector families that use one method for infecting files, VIRUX variants use a combination of two or more infection methods. This makes detection and removal difficult. Furthermore, VIRUX infects file types such as .EXE, .SCR, .ASP, .HTM, and .PHP. A particular VIRUX variant injects malicious iframe code to infect script files.
When executed, VIRUX accesses IRC servers to receive malicious commands and download URLs. The said URLs lead to other malware including FAKEAV variants.
They terminate security-related applications and disable the Windows Firewall and Security plug-in. Some VIRUX malware also modify the affected systems' HOSTS file to block access to anti-malware sites. This is used to prevent the removal of the malware from affected systems.
TECHNICAL DETAILS
Installation
This file infector drops the following files:
- %Windows%\{random file name}.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
Other System Modifications
This file infector adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random registry key name}
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
\??\%System%\winlogon.exe = "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"
Backdoor Routine
This file infector connects to any of the following IRC server(s):
- irc.{BLOCKEDf.pl
HOSTS File Modification
This file infector adds the following strings to the Windows HOSTS file:
- 127.0.0.1 {BLOCKED}F.pl
- 127.0.0.1 jL.{BLOCKED}a.pl