Analysis by: Abigail Pichel

ALIASES:

Virut

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Infects files, Propagates via network shares, Propagates via removable drives

VIRUX variants have been spotted as early as 2009. These file infectors spread across removable drives and network shares. They take advantage of vulnerabilities to infect users' systems. VIRUX variants have also been found on websites that offer software license/serial numbers, key generators and program cracks.

Unlike most file infector families that use one method for infecting files, VIRUX variants use a combination of two or more infection methods. This makes detection and removal difficult. Furthermore, VIRUX infects file types such as .EXE, .SCR, .ASP, .HTM, and .PHP. A particular VIRUX variant injects malicious iframe code to infect script files.

When executed, VIRUX accesses IRC servers to receive malicious commands and download URLs. These URLs lead to other malware, including FAKEAV variants.

VIRUX variants terminate security-related applications and disable the Windows Firewall and Security plug-in. Some VIRUX variants also modify the affected system's HOSTS file to block access to anti-malware sites, which hinders removal of the malware from affected systems.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Downloads files, Terminates security-related applications, Compromises system security, Modifies HOSTS file

Installation

This file infector drops the following files:

  • %Windows%\{random file name}.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Other System Modifications

This file infector adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random registry key name}

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
\??\%System%\winlogon.exe = "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"

Backdoor Routine

This file infector connects to any of the following IRC server(s):

  • irc.{BLOCKED}f.pl

HOSTS File Modification

This file infector adds the following strings to the Windows HOSTS file:

  • 127.0.0.1 {BLOCKED}F.pl
  • 127.0.0.1 jL.{BLOCKED}a.pl

NOTES:

Variants of VIRUX may also connect to randomly generated domains for their C&C (command and control) servers. The generated domain takes the form {6 random characters}.com.
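
A triage sketch for the indicators listed above, added here as an example and not part of the original analysis. It checks `reg query` output for the winlogon.exe firewall exception, a HOSTS file for loopback redirects, and DNS query names for the {6 random characters}.com shape. The function names, the sample data, the reading of "6 random characters" as six letters, and the allowlist (needed because ordinary six-letter .com sites have the same shape) are assumptions of this example.

```python
import re

# Firewall exception from the write-up: the data starts with the NT object
# prefix \??\ and opens winlogon.exe to any scope (":*:enabled:").
FW_RE = re.compile(r"^\\\?\?\\.*\\winlogon\.exe:\*:enabled:", re.I)
# Assumption: "6 random characters" means six lowercase letters.
DGA_RE = re.compile(r"^[a-z]{6}\.com$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

def firewall_hits(reg_query_text):
    """Value names in `reg query` output whose REG_SZ data matches FW_RE."""
    hits = []
    for line in reg_query_text.splitlines():
        m = re.match(r"^\s+(.+?)\s+REG_SZ\s+(.*)$", line)
        if m and FW_RE.match(m.group(2).strip()):
            hits.append(m.group(1))
    return hits

def hosts_hits(hosts_text):
    """Hostnames redirected to a loopback address, localhost excluded."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            hits += [h.lower() for h in fields[1:] if h.lower() != "localhost"]
    return hits

def dga_hits(queried_names, allowlist=()):
    """Queried names shaped like {6 letters}.com that are not allowlisted."""
    allowed = {a.lower() for a in allowlist}
    names = {n.lower().rstrip(".") for n in queried_names}
    return sorted(n for n in names if DGA_RE.match(n) and n not in allowed)

# Constructed sample artefacts; hostnames and paths are placeholders.
SAMPLE_REG = "\n".join([
    r"    C:\Program Files\App\app.exe    REG_SZ    C:\Program Files\App\app.exe:LocalSubNet:Enabled:App",
    r"    \??\C:\WINDOWS\system32\winlogon.exe    REG_SZ    \??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1",
])
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 av-update.example  # constructed\n10.0.0.5 intranet.example\n"
SAMPLE_DNS = ["google.com", "qwzkfp.com", "mail.example.org", "QWZKFP.com."]

if __name__ == "__main__":
    print("firewall:", firewall_hits(SAMPLE_REG))
    print("hosts:   ", hosts_hits(SAMPLE_HOSTS))
    print("dns:     ", dga_hits(SAMPLE_DNS, allowlist=["google.com"]))
```

Without an allowlist the DNS check also returns google.com, so treat a name-shape match as a lead to correlate with the registry and HOSTS findings rather than as a verdict.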