W32/Virut.CE - Released Feb 10, 2009 - Last Updated Jun 08, 2009

Alias/es

W32.Virut.CF (Symantec), W32/Virut.n (McAfee), PE_VIRUX.A (Trend), Virus.Win32.Virut.ce (Kaspersky), Virus:Win32/Virut.BM (Microsoft), W32/Scribble-A (Sophos), Win32/Virut.NBM (Eset)

Detection Availability

Active DatabaseExtended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • Increased file size of infected files
  • Modified HOSTS file
  • Inserted malicious iFrame tag in webpages
  • HTTP traffic in the WINLOGON process

    • Detailed Analysis

    W32/Virut.CE is a polymorphic, appending, cavity and encrypted file infector that targets Win32 EXE/SCR, HTM, ASP and PHP files.


  • It may create the following event to avoid multiple instances running on the infected system:
    • Vx_5
  • It injects its core routines to the winlogon.exe  process via the CreateRemoteThread  API.

  • It creates the following registry entry in order to bypass the Windows Firewall:
    • key: LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    • value: \??\%System%\winlogon.exe
    • data: "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"
  • It hooks the following NTDLL APIs to trigger its infection routine:
    • CreateFile
    • CreateProcess
    • CreateProcessEx
    • OpenFile
    • QueryInformationProcess
  • It disables Windows File Protection (or System File Checker) which can be found in SFC.DLL or SFC_OS.DLL. This allows the virus to infect files that are system-protected.

  • It avoids infecting files that have filenames starting with the following strings:
    • OTSP
    • WC32
    • WCUN
    • WINC
  • It creates the following registry entry that contains the future server address:
    • key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
    • value: UpdateHost
    • data: "{binary value}"

    Win32 Infection

  • It attains polymorphism by inserting a random number of garbage instructions and by using a spaghetti-like coding style.

  • It inhibits the following types of infections:
    • Type 1 - EPO, appending, and multi-layer encryption (contains a decoder stub as cavity)
    • Type 2 - Non-EPO, appending, and multi-layer encryption (contains a decoder stub as cavity)
    • Type 3 - EPO, appending, and single-layer encryption
    • Type 4 - Non-EPO, appending, and single-layer encryption
    • Type 5 - Damaged (no jump going to virus code)

    Webpage Infection

  • For the following files, it infects them by searching for the </BODY> tag, before injecting a malicious IFRAME tag:
    • HTM
    • PHP
    • ASP
  • The malicious IFRAME tag redirects the browser of the infected machine to the following addresses:
    • http://www.zi[Removed].pl
    • http://pro[Removed].pl
    • http://www.tEe[Removed].com
    • http://j[Removed].pl

    HOSTS File Modification

  • It modifies the file %System%\drivers\etc\HOSTS to insert one of the following entries:
    • 127.0.0.1 Zi[Removed].pl
    • 127.0.0.1 j[Removed].pl
    • 127.0.0.1 pro[Removed].pl
    • 127.0.0.1 tEe[Removed].com

    IRC Backdoor

  • It connects to a remote IRC server by using an 8-CHAR random NICK and a 1-CHAR random USER to download other malwares or an updated Virut version from one of the following remote IRC servers:
    • zi[Removed].pl
    • pro[Removed].pl
    • tEe[Removed].com
    • j[Removed].pl
  • Downloaded malware are different classes of malicious software that may include Spambot, Rootkit, and Rogue AV programs.

    • Recommended Action

      FortiGate Systems

    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

      FortiClient Systems

    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Reference: ID - 734685