PE_VIRUX.M
Virus:Win32/Virut.gen!M (Microsoft), W32.Virut.CF (Norton), W32/Scribble-B (Sophos), Virus.Win32.Virut.ce (v) (Sunbelt), W32/Virut.CE (Fortinet), Virus.Win32.Virut (Ikarus), Win32/Virut.NBP virus (NOD32)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
TECHNICAL DETAILS
Arrival Details
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other System Modifications
This file infector modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Hardware Profiles\0001\Software\
Microsoft\windows\CurrentVersion\
Internet Settings
ProxyEnable = "0"
(Note: The default value data of the said registry entry is "1" .)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Hardware Profiles\Current\Software\
Microsoft\windows\CurrentVersion\
Internet Settings
ProxyEnable = "0"
(Note: The default value data of the said registry entry is "1" .)
HKEY_CURRENT_CONFIG\Software\Microsoft\
windows\CurrentVersion\Internet Settings
ProxyEnable = "0"
(Note: The default value data of the said registry entry is "1".)
It creates the following registry entry(ies) to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
\??\%System%\winlogon.exe = "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"
File Infection
This file infector infects the following file types:
- EXE
- SCR
Propagation
This file infector drops the following copy(ies) of itself in all removable drives:
- RUNDLL32.EXE
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[autorun]
open=RUNDLL32.EXE
Other Details
This file infector connects to the following possibly malicious URL:
- ru.{BLOCKED}s.pl