Lumension® Endpoint Intelligence Center


Overview

Threat Risk MEDIUM
Destructivity UNKNOWN
Payload Disables Windows File Protection, attempts to download malware
Detection files published
Description created 04 Jun 2009 02:17:00
Description updated 03 Sep 2009 02:17:00
Malware type VIRUS
Alias E_VIRUT, PE_VIRUX
Spreading mechanism FILE_INFECTION, NETWORK, OTHER
Summary W32/Virut is a polymorphic virus that infects executable and screensaver files and attempts to download additional malware. There are many variants.

W32/Virut

Spreading

Virut infects executable files as they are accessed, either by redirecting a call that the original host code makes through the IAT (import address table) so that it jumps to the viral code, or by overwriting the executable's entry point so that it points to the viral code. Because infection is triggered by file access, files on network shares opened from an infected computer may also be infected.
Virut also infects removable media by dropping an infected executable together with an autorun.inf file into the root of the attached drive; on a computer where AutoRun is enabled, the dropped file runs as soon as the drive is attached.
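The entry-point hijack described above leaves a recognisable shape in the PE headers. The following is an added example written for this page, not Lumension's code or anything from the Virut analysis: it parses just enough of a PE file to find the section that contains AddressOfEntryPoint and reports the anomalies an entry-point-overwriting infector tends to produce (entry point outside every section, in a non-code section, in the last section, or in a section that is both writable and executable). The PE images it checks are constructed in memory with the `build_pe` helper defined here; they are headers only, not real programs.

```python
"""Heuristic triage of a PE file for Virut-style entry-point hijacking.

Added example, not code from Lumension or from the Virut analysis above. It
parses only the PE headers it needs, finds the section that holds
AddressOfEntryPoint and reports the shapes an entry-point-overwriting file
infector tends to leave behind. The PE images built below are constructed in
memory for the demonstration; they are not real programs.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, [(name, virtual_address, virtual_size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    off = opt + opt_size                      # section table, 40 bytes per entry
    for _ in range(num_sections):
        name, vsize, va = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
        off += 40
    return entry_rva, sections


def check_entry_point(data):
    """Return a list of findings; an empty list means no Virut-style anomaly was seen."""
    entry_rva, sections = parse_pe(data)
    for idx, (name, va, vsize, chars) in enumerate(sections):
        if va <= entry_rva < va + vsize:
            break
    else:
        return ["entry point lies outside every section"]
    findings = []
    if not chars & IMAGE_SCN_CNT_CODE:
        findings.append(f"entry point in non-code section {name}")
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append(f"entry point in last section {name}")
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry-point section {name} is writable and executable")
    return findings


def build_pe(entry_rva, sections):
    """Build a headers-only PE32 image (constructed sample for the checks above)."""
    opt_size = 224                            # size of a PE32 optional header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections
    )
    return dos + b"PE\0\0" + coff + bytes(opt) + table


CLEAN_SECTIONS = [
    (".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x3000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
CLEAN_PE = build_pe(0x1200, CLEAN_SECTIONS)   # entry point inside .text

# Entry point redirected into an appended, writable and executable last section:
# one of the shapes an entry-point-overwriting infector leaves behind.
INFECTED_PE = build_pe(0x4010, CLEAN_SECTIONS + [
    (".rsrc", 0x4000, 0x800, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
     | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, check_entry_point(image) or "no findings")
```

Treat the findings as a triage signal, not a verdict: runtime packers and self-extracting stubs also put the entry point in a last, writable and executable section, and a Virut-style IAT redirection that leaves the entry point untouched produces no finding at all. Files that trip the check are candidates for a full scan or comparison against a known-good copy.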

Payload Details

Virut infects executable and screensaver files and attempts to download additional malware; the details below vary between variants.
The Virut.CM variant additionally injects an iframe into HTML files and disables Windows File Protection so that it can infect protected Windows system files. A viral thread running inside winlogon.exe or services.exe connects over TCP port 80 or 65520 to an IRC server that serves as the backdoor's command channel, and downloads additional malware components from there.
Virut also tries to block access to websites whose addresses contain any of the following strings:
eset, avg, windowsupdate, wilderssecurity, threatexpert, castlecops, spamhaus, cpsecure, arcabit, emsisoft, sunbelt, securecomputing, rising, prevx, pctools, lumension, k7computing, ikarus, hauri, hacksoft, gdata, fortinet, ewido, clamav, comodo, quickheal, avira, avast, esafe, ahnlab, centralcommand, drweb, grisoft, nod32, f-prot, jotti, kaspersky, f-secure, computerassociates, networkassociates, etrust, panda, sophos, trendmicro, mcafee, norton, symantec, defender, rootkit, malware, spyware, virus
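The command-and-control behaviour described for Virut.CM (an IRC connection over port 80 or 65520, made by a thread living in winlogon.exe or services.exe) is something a SOC can hunt for in process-level connection telemetry. The following is an added example written for this page, not Lumension's code or anything from the Virut analysis. The log format is constructed for the demonstration: one connection per line, `timestamp,image,dst_ip,dst_port,proto,payload_prefix`, roughly what endpoint network telemetry plus a few captured bytes of the stream would give you. The sample lines, the documentation-range IP addresses standing in for internet hosts, and the function and constant names are all assumptions of the example.

```python
"""Flag Virut-style command-and-control traffic in process-level connection logs.

Added example, not code from Lumension or from the Virut analysis above. The
log format is constructed for the demonstration: one connection per line,
"timestamp,image,dst_ip,dst_port,proto,payload_prefix". The destination
addresses are documentation ranges standing in for internet hosts.
"""
import ipaddress
import re
from pathlib import PureWindowsPath

VIRUT_C2_PORTS = {65520}                 # IRC port named in the description above
IRC_COMMAND = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PASS) ", re.IGNORECASE)
SYSTEM_PROCESSES = {"winlogon.exe", "services.exe"}  # processes the viral thread hides in
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log (not real capture data). Every line has six fields;
# the payload prefix may be empty but the trailing comma must be present.
SAMPLE_LOG = r"""
2009-06-04T02:17:00Z,C:\WINDOWS\system32\winlogon.exe,203.0.113.10,65520,tcp,NICK abcd1234
2009-06-04T02:17:05Z,C:\WINDOWS\system32\services.exe,198.51.100.7,80,tcp,NICK xkq9
2009-06-04T02:17:09Z,C:\Program Files\Internet Explorer\iexplore.exe,198.51.100.20,80,tcp,GET / HTTP/1.1
2009-06-04T02:17:12Z,C:\WINDOWS\system32\services.exe,192.168.1.5,445,tcp,
"""


def is_local(ip):
    """True for RFC 1918 and loopback destinations, which system processes legitimately talk to."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def scan_connections(lines):
    """Return (timestamp, process, reason) triples, one per rule that fired on a connection."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, image, dst_ip, dst_port, proto, payload = line.split(",", 5)
        proc = PureWindowsPath(image).name.lower()   # injected thread shows up as the host process
        port = int(dst_port)
        reasons = []
        if port in VIRUT_C2_PORTS:
            reasons.append(f"connection to Virut IRC port {port}")
        if IRC_COMMAND.match(payload) and port != 6667:
            reasons.append(f"IRC handshake on non-IRC port {port}")
        if proc in SYSTEM_PROCESSES and proto.lower() == "tcp" and not is_local(dst_ip):
            reasons.append(f"{proc} opened an outbound connection to {dst_ip}")
        alerts.extend((ts, proc, reason) for reason in reasons)
    return alerts


if __name__ == "__main__":
    for ts, proc, reason in scan_connections(SAMPLE_LOG.splitlines()):
        print(ts, proc, reason)
```

The port-65520 rule and the "system process talks to the internet" rule work on flow logs alone; the IRC-handshake rule needs a few bytes of the stream (from a proxy or IDS), which is what makes the port 80 channel visible, since on port 80 the destination port tells you nothing. On the Windows releases Virut targeted, winlogon.exe and services.exe have no business opening their own connections to non-local addresses, so that rule is a strong signal even without the Virut-specific port.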

Analysis

n/a

Removal

Virut uses a number of techniques to evade detection and removal and can therefore be very difficult to clean completely. Because of the aggressive way it modifies files, some infected files become corrupted beyond what a scanner can repair or clean; such files have to be restored from a known-clean backup. Since the virus also infects files on network shares and removable media reachable from the infected computer, those locations should be scanned and cleaned as well, or the cleaned machine is likely to be reinfected.


Last Updated: 12 Nov 2015 11:06:10