This application requires Javascript for optimal performance.

W32/Virut.A - Released May 13, 2006 - Last Updated Oct 25, 2006

Alias/es

PE_VIRUT.A, W32/Virut-A, W32/Virut.a

Detection Availability

Active DatabaseExtended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • Possible firewall alert that an executable attempting to connect to the internet.

Detailed Analysis

  • This virus infects running processes by writing the virus code to the target processes and creating a remote thread to execute it. It avoids infecting the following processes:

    • [system process]
    • system
    • smss.exe
    • csrss.exe

  • Creates a named event to ensure that only one instance of the virus runs on the compromised computer.

  • Connects to the IRC server Proxima.ircgalaxy.pl  using port 65520 on channel &virtu  to await instructions and commands from a malicious user. These commands can cause the infected machine to download malicious files.

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

Reference: ID - 252377