Skip to content

Export page to PDF
PE_VIRUT
Aliases: Virut
Malware type: File infector
Destructive: No
Platform: Windows 2000, Windows XP, Windows Server 2003
In the wild: Yes

Overview


Infection Channel: Infects files, Propagates via network shares, Propagates via removable drives

VIRUX variants have been spotted as early as 2009. These file infectors spread across removable drives and network shares. They take advantage of vulnerabilities to infect users' systems. VIRUX variants have also been found in websites that offer software license/serial numbers, key generators and program cracks.

Unlike most file infector families that use one method for infecting files, VIRUX variants use a combination of two or more infection methods. This makes detection and removal difficult. Furthermore, VIRUX infects file types such as .EXE, .SCR, .ASP, .HTM, and .PHP. A particular VIRUX variant injects malicious iframe code to infect script files.

When executed, VIRUX accesses IRC servers to receive malicious commands and download URLs. The said URLs lead to other malware including FAKEAV variants.

They terminate security-related applications and disable the Windows Firewall and Security plug-in. Some VIRUX malware also modify the affected systems' HOSTS file to block access to anti-malware sites. This is used to prevent the removal of the malware from affected systems.

Technical Details

Memory resident: Yes
Payload: Downloads files, Terminates security-related applications, Compromises system security, Modifies HOSTS file

Installation

This file infector drops the following files:

  • %Windows%\{random file name}.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Other System Modifications

This file infector adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random registry key name}

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
\??\%System%\winlogon.exe = "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"

Backdoor Routine

This file infector connects to any of the following IRC server(s):

  • irc.{BLOCKEDf.pl

HOSTS File Modification

This file infector adds the following strings to the Windows HOSTS file:

  • 127.0.0.1 {BLOCKED}F.pl
  • 127.0.0.1 jL.{BLOCKED}a.pl


Connect with us on