Threat Encyclopedia

W32/Virut.CE

Analysis

W32/Virut.CE is a polymorphic, appending, cavity and encrypted file infector that targets Win32 EXE/SCR, HTM, ASP and PHP files.

  • It may create the following event to avoid multiple instances running on the infected system:
    • Vx_5
  • It injects its core routines into the winlogon.exe process via the CreateRemoteThread API.

  • It creates the following registry entry in order to bypass the Windows Firewall (the entry authorizes the winlogon.exe process it has injected into):
    • key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    • value: \??\%System%\winlogon.exe
    • data: "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"
  • It hooks the following NTDLL APIs to trigger its infection routine:
    • CreateFile
    • CreateProcess
    • CreateProcessEx
    • OpenFile
    • QueryInformationProcess
  • It disables Windows File Protection (System File Checker), implemented in SFC.DLL or SFC_OS.DLL, which allows the virus to infect system-protected files.

  • It avoids infecting files that have filenames starting with the following strings:
    • OTSP
    • WC32
    • WCUN
    • WINC
  • It creates the following registry entry that contains the future server address:
    • key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
    • value: UpdateHost
    • data: "{binary value}"
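The firewall bypass above works by adding winlogon.exe to the list of authorized applications, so a defender can detect it by parsing that list. The following is an added example (not Fortinet's code, and not part of the original write-up) that parses List values of the form "path:scope:state:name" and flags enabled entries pointing at core system processes or using the NT-style \??\ path prefix shown above. The sample entries are constructed, with %System% expanded to a typical C:\WINDOWS\system32 path; the hypothetical read_authorized_apps_from_registry helper reads the live key on Windows and returns an empty dict elsewhere.

```python
import ntpath
from typing import Optional

# Constructed sample of values under the ...\FirewallPolicy\DomainProfile\AuthorizedApplications\List
# key (hypothetical data, not taken from a real system). The winlogon.exe entry mirrors the one
# described above, with %System% expanded to a typical C:\WINDOWS\system32 path.
SAMPLE_AUTHORIZED_APPS = {
    "C:\\Program Files\\Example\\app.exe":
        "C:\\Program Files\\Example\\app.exe:*:Enabled:Example App",
    "\\??\\C:\\WINDOWS\\system32\\winlogon.exe":
        "\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1",
}

# Core Windows processes that never need an inbound firewall exception of their own.
SYSTEM_PROCESS_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe"}


def parse_authorized_app(data: str) -> Optional[dict]:
    """Split a List value of the form 'path:scope:state:name'.

    The path contains a drive colon (and possibly a \\??\\ prefix), so split
    from the right: the last three colons delimit scope, state and name.
    """
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return None  # malformed entry; the caller decides how to report it
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "state": state.lower(), "name": name}


def find_suspicious_exceptions(entries: dict) -> list:
    """Return enabled exceptions that point at a core system process or use an NT-style \\??\\ path."""
    findings = []
    for value_name, data in entries.items():
        parsed = parse_authorized_app(data)
        if parsed is None:
            findings.append({"value": value_name, "reasons": ["malformed entry"]})
            continue
        basename = ntpath.basename(parsed["path"]).lower()
        reasons = []
        if basename in SYSTEM_PROCESS_NAMES:
            reasons.append(f"core system process {basename} granted a firewall exception")
        if parsed["path"].startswith("\\??\\"):
            reasons.append("NT object-manager path prefix \\??\\ instead of a plain Win32 path")
        if reasons and parsed["state"] == "enabled":
            findings.append({"value": value_name, **parsed, "reasons": reasons})
    return findings


def read_authorized_apps_from_registry(profile: str = "DomainProfile") -> dict:
    """Read the live List key on Windows; returns {} on other platforms or if the key is absent.

    Hypothetical helper: pass profile="StandardProfile" to check the other XP-era profile.
    """
    try:
        import winreg
    except ImportError:
        return {}
    subkey = ("SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\"
              f"{profile}\\AuthorizedApplications\\List")
    entries = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                entries[name] = data
                index += 1
    except OSError:
        return {}
    return entries


if __name__ == "__main__":
    live = read_authorized_apps_from_registry() or SAMPLE_AUTHORIZED_APPS
    for finding in find_suspicious_exceptions(live):
        print(finding["value"], "->", "; ".join(finding["reasons"]))
```

Splitting from the right matters: a naive split(":") breaks on the drive letter colon, and an entry whose display name is a resource string such as "@shell32.dll,-1" must still be read as a name, not as an extra field.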

    Win32 Infection
  • It attains polymorphism by inserting a random number of garbage instructions and by using a spaghetti-like coding style.

  • It exhibits the following types of infections:
    • Type 1 - EPO, appending, and multi-layer encryption (contains a decoder stub as cavity)
    • Type 2 - Non-EPO, appending, and multi-layer encryption (contains a decoder stub as cavity)
    • Type 3 - EPO, appending, and single-layer encryption
    • Type 4 - Non-EPO, appending, and single-layer encryption
    • Type 5 - Damaged (no jump going to virus code)

    Webpage Infection
  • It infects files of the following types by locating the </BODY> tag and injecting a malicious IFRAME tag before it:
    • HTM
    • PHP
    • ASP
  • The malicious IFRAME tag redirects the browser of the infected machine to the following addresses:
    • http://www.zi[Removed].pl
    • http://pro[Removed].pl
    • http://www.tEe[Removed].com
    • http://j[Removed].pl
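Because the IFRAME is always placed directly before the closing </BODY> tag, that position is a usable detection signal for web content on an infected host. The following is an added example (not Fortinet's code, and not part of the original write-up) that finds iframes sitting immediately before </BODY>, strips them, and walks a web root for HTM, HTML, PHP and ASP files. The sample pages are constructed; the redirect host in them is a placeholder standing in for the redacted addresses above, not a real indicator.

```python
import re
from pathlib import Path

# Constructed sample pages. The injected iframe's src is a placeholder host; the real
# redirect addresses are redacted in the write-up above.
SAMPLE_INFECTED = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widget" width="400"></iframe>
<p>Page content</p>
<iframe src="http://redirect-host.invalid/" width="1" height="1"></iframe></body></html>"""

SAMPLE_CLEAN = "<html><body><p>Hello</p></body></html>"

# An <iframe ...> (with optional closing tag) followed only by whitespace and then </body>.
# Case-insensitive because pages may use </BODY> or </body>.
INJECTED_IFRAME_RE = re.compile(
    r"(<iframe\b[^>]*>(?:\s*</iframe\s*>)?)\s*(?=</body\s*>)",
    re.IGNORECASE,
)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def find_injected_iframes(html: str) -> list:
    """Return the src of every iframe sitting directly before </BODY> (empty string if it has none)."""
    srcs = []
    for match in INJECTED_IFRAME_RE.finditer(html):
        src = SRC_RE.search(match.group(1))
        srcs.append(src.group(1) if src else "")
    return srcs


def disinfect(html: str):
    """Strip iframes injected before </BODY>; returns (cleaned_html, removed_srcs).

    A legitimate iframe elsewhere in the body is left untouched, since only the
    tag adjacent to </BODY> matches the infection pattern described above.
    """
    removed = find_injected_iframes(html)
    return INJECTED_IFRAME_RE.sub("", html), removed


def scan_tree(root, suffixes=(".htm", ".html", ".php", ".asp")) -> dict:
    """Walk a web root and map each file carrying an iframe before </BODY> to the srcs found."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            srcs = find_injected_iframes(path.read_text(errors="replace"))
            if srcs:
                hits[str(path)] = srcs
    return hits


if __name__ == "__main__":
    cleaned, removed = disinfect(SAMPLE_INFECTED)
    print("removed:", removed)
    print(cleaned)
```

Review the srcs reported by scan_tree before removing anything: a site that legitimately ends its body with an iframe (an analytics or chat widget) will also match, so the hit list is a triage queue, and the cleaned files should replace the originals only after the executables on the same host have been dealt with, or the pages will simply be reinfected.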

    HOSTS File Modification
  • It modifies the file %System%\drivers\etc\HOSTS to insert one of the following entries:
    • 127.0.0.1 Zi[Removed].pl
    • 127.0.0.1 j[Removed].pl
    • 127.0.0.1 pro[Removed].pl
    • 127.0.0.1 tEe[Removed].com
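The HOSTS modification is straightforward to audit: on a stock Windows install only localhost names map to a loopback address, so any other hostname pinned to 127.0.0.1 or ::1 deserves a look. The following is an added example (not Fortinet's code, and not part of the original write-up) that parses HOSTS content, handling inline comments, and lists loopback overrides; the sample file content is constructed and its redirect-host names are placeholders for the redacted domains above. The hypothetical check_hosts_file helper applies the same check to the live file at the usual Windows path.

```python
import ipaddress

# Constructed HOSTS file content. The two redirect-host names stand in for the
# redacted domains listed above; they are placeholders, not real indicators.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1 redirect-host-a.invalid
127.0.0.1 redirect-host-b.invalid   # appended by the infection
192.168.1.10    intranet.example.local
"""

# Names legitimately mapped to a loopback address on a stock Windows install.
EXPECTED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str) -> list:
    """Return [(ip, [hostnames...]), ...], ignoring blank lines and # comments (inline ones too)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names resolves nothing; skip it
        entries.append((fields[0], fields[1:]))
    return entries


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def loopback_overrides(text: str) -> list:
    """Hostnames pinned to a loopback address that are not expected localhost aliases."""
    suspicious = []
    for ip, names in parse_hosts(text):
        if not is_loopback(ip):
            continue
        for name in names:
            if name.lower() not in EXPECTED_LOOPBACK_NAMES and name not in suspicious:
                suspicious.append(name)
    return suspicious


def check_hosts_file(path="C:\\Windows\\System32\\drivers\\etc\\hosts") -> list:
    """Apply loopback_overrides to the live HOSTS file (default is the usual Windows location)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return loopback_overrides(fh.read())


if __name__ == "__main__":
    for name in loopback_overrides(SAMPLE_HOSTS):
        print("loopback override:", name)
```

Loopback pinning is not unique to this virus (ad blockers and some security tools do the same), so treat a hit as a prompt to compare the names against the redirect hosts above rather than as proof of infection on its own.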

    IRC Backdoor
  • It connects to a remote IRC server using an 8-character random NICK and a 1-character random USER to download other malware or an updated Virut version from one of the following remote IRC servers:
    • zi[Removed].pl
    • pro[Removed].pl
    • tEe[Removed].com
    • j[Removed].pl
  • The downloaded malware may belong to different classes of malicious software, including spambots, rootkits and rogue AV programs.

Recommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
      FortiClient Systems
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.
