W32/Virut.CE

Analysis

W32/Virut.CE is a polymorphic, appending, cavity and encrypted file infector that targets Win32 EXE/SCR, HTM, ASP and PHP files.

  • It may create the following event to avoid multiple instances running on the infected system:
    • Vx_5
  • It injects its core routines into the winlogon.exe process via the CreateRemoteThread API.

  • It creates the following registry entry in order to bypass the Windows Firewall:
    • key: LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    • value: \??\%System%\winlogon.exe
    • data: "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"
  • It hooks the following NTDLL APIs to trigger its infection routine:
    • CreateFile
    • CreateProcess
    • CreateProcessEx
    • OpenFile
    • QueryInformationProcess
  • It disables Windows File Protection (or System File Checker) which can be found in SFC.DLL or SFC_OS.DLL. This allows the virus to infect files that are system-protected.

  • It avoids infecting files that have filenames starting with the following strings:
    • OTSP
    • WC32
    • WCUN
    • WINC
  • It creates the following registry entry that contains the future server address:
    • key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
    • value: UpdateHost
    • data: "{binary value}"
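The firewall bypass above leaves a recognisable trace: a core system process (winlogon.exe) listed under AuthorizedApplications with an NT object-manager path prefix (\??\). The following is an added example, not code from the Fortinet page, that audits a .reg export of that list for entries of this shape. It parses constructed sample input offline; the StandardProfile key, the extra process names beyond winlogon.exe, and all function names are assumptions.

```python
import re

# Registry keys to audit. The DomainProfile key is the one the page names;
# the StandardProfile variant is an assumption (same layout on XP SP2+).
AUTHORIZED_APPS_KEYS = (
    r"\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List",
    r"\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
)

# winlogon.exe is the binary the page names; the others are an assumed list of
# core system processes that never legitimately need a firewall exception.
SUSPICIOUS_BINARIES = {"winlogon.exe", "lsass.exe", "services.exe", "csrss.exe", "smss.exe"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "name"="data" lines; .reg files escape backslashes and quotes with a backslash.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')
# Value data layout is "path:scope:mode:displayname"; anchoring on the mode word
# keeps the drive-letter colon inside the path.
ENTRY_RE = re.compile(r"^(?P<path>.*?):(?P<scope>[^:]*):(?P<mode>enabled|disabled):(?P<display>.*)$",
                      re.IGNORECASE | re.DOTALL)


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, _unescape(m.group("name")), _unescape(m.group("data"))


def audit_authorized_apps(text: str) -> list:
    """Return enabled firewall exceptions that look like the page's winlogon.exe entry."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not key.endswith(AUTHORIZED_APPS_KEYS):
            continue
        entry = ENTRY_RE.match(data)
        if not entry or entry.group("mode").lower() != "enabled":
            continue
        path = entry.group("path")
        binary = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if binary in SUSPICIOUS_BINARIES:
            reasons.append(f"core system process {binary} given a firewall exception")
        if path.startswith("\\??\\"):
            # Heuristic: the firewall UI writes plain drive paths, not \??\ prefixes.
            reasons.append("NT object-manager path prefix \\??\\")
        if reasons:
            findings.append({"key": key, "value": name, "path": path,
                             "scope": entry.group("scope"), "reasons": reasons})
    return findings


# Constructed .reg export: one legitimate exception, then an entry in the shape
# the page describes (with %System% expanded to a typical install path).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"
'''

if __name__ == "__main__":
    for hit in audit_authorized_apps(SAMPLE_REG):
        print(hit)
```

On a live system the input would be produced with `reg export` of the SharedAccess key; the parser only needs the text, so exports collected from many hosts can be checked centrally.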

    Win32 Infection
  • It attains polymorphism by inserting a random number of garbage instructions and by using a spaghetti-like coding style.

  • It exhibits the following types of infection:
    • Type 1 - EPO, appending, and multi-layer encryption (contains a decoder stub as cavity)
    • Type 2 - Non-EPO, appending, and multi-layer encryption (contains a decoder stub as cavity)
    • Type 3 - EPO, appending, and single-layer encryption
    • Type 4 - Non-EPO, appending, and single-layer encryption
    • Type 5 - Damaged (no jump going to virus code)

    Webpage Infection
  • It infects files of the following types by locating the </BODY> tag and inserting a malicious IFRAME tag before it:
    • HTM
    • PHP
    • ASP
  • The malicious IFRAME tag redirects the browser of the infected machine to the following addresses:
    • http://www.zi[Removed].pl
    • http://pro[Removed].pl
    • http://www.tEe[Removed].com
    • http://j[Removed].pl
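The injected frame sits immediately ahead of </BODY> and points to an external host. The following is an added example (not code from the Fortinet page) that scans HTM/PHP/ASP content for such frames, records whether each is hidden and whether it is the last thing before the closing body tag, and strips the reported frames. It runs on a constructed sample; the host names, the reserved .invalid domain, and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Opening iframe tag, optionally with an immediately following closing tag.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>(?:\s*</iframe\s*>)?", re.IGNORECASE)
BODY_CLOSE_RE = re.compile(r"</body\s*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Attribute patterns commonly used to keep an injected frame invisible.
HIDDEN_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)


def _host_of(src: str) -> str:
    """Host part of a src URL; '' for relative or malformed values."""
    try:
        return (urlsplit(src).hostname or "").lower()
    except ValueError:
        return ""


def scan_page(html: str, trusted_hosts=()) -> list:
    """Report iframes whose src points outside trusted_hosts.

    'before_body_close' is True when only whitespace separates the frame from
    </BODY>, the placement the page describes for W32/Virut.CE."""
    trusted = {h.lower() for h in trusted_hosts}
    body = BODY_CLOSE_RE.search(html)
    end = body.start() if body else len(html)
    findings = []
    for m in IFRAME_RE.finditer(html, 0, end):
        tag = m.group(0)
        src_m = SRC_RE.search(tag)
        src = src_m.group(1) if src_m else ""
        host = _host_of(src)
        if host == "" or host in trusted:  # same-origin or allow-listed embed
            continue
        findings.append({
            "span": (m.start(), m.end()),
            "src": src,
            "host": host,
            "hidden": bool(HIDDEN_RE.search(tag)),
            "before_body_close": body is not None and html[m.end():end].strip() == "",
        })
    return findings


def clean_page(html: str, trusted_hosts=()) -> str:
    """Return html with every reported iframe removed (spans cut back to front)."""
    cleaned = html
    for f in sorted(scan_page(html, trusted_hosts), key=lambda f: f["span"][0], reverse=True):
        start, stop = f["span"]
        cleaned = cleaned[:start] + cleaned[stop:]
    return cleaned


# Constructed sample: one legitimate embed and one hidden frame of the injected
# kind placed right before </BODY>. The .invalid TLD is a reserved placeholder.
SAMPLE_HTML = """<html><head><title>Shop</title></head>
<body>
<p>Welcome</p>
<iframe src="https://maps.example.com/embed" width="400" height="300"></iframe>
<iframe src="http://malicious.invalid/" width=0 height=0 style="display:none"></iframe></BODY>
</html>"""

if __name__ == "__main__":
    for hit in scan_page(SAMPLE_HTML, trusted_hosts={"maps.example.com"}):
        print(hit)
```

Run `scan_page` over every .htm, .php and .asp file on a web root before trusting a cleanup: a frame that is both hidden and the last element before </BODY> is a strong match for this infection, while a visible frame to an unknown host may be a legitimate embed that simply needs adding to the trusted list.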

    HOSTS File Modification
  • It modifies the file %System%\drivers\etc\HOSTS to insert one of the following entries:
    • 127.0.0.1 Zi[Removed].pl
    • 127.0.0.1 j[Removed].pl
    • 127.0.0.1 pro[Removed].pl
    • 127.0.0.1 tEe[Removed].com
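Entries like these are easy to audit because a stock HOSTS file contains almost nothing. The following is an added example, not code from the Fortinet page: it parses HOSTS content, compares each mapping with a baseline, and grades anything else, giving the highest severity to known indicator domains and a medium one to the page's pattern of an unknown name pinned to loopback. The sample file, the placeholder domains, the baseline, and all names are assumptions; %System%\drivers\etc\HOSTS on the page is C:\Windows\System32\drivers\etc\hosts on a default install.

```python
import ipaddress

# Mappings a default Windows HOSTS file may carry (assumed baseline).
BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str):
    """Yield (line_no, ip, hostname) for each mapping, ignoring comments and blanks."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            yield no, fields[0], name.lower()


def _is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback or ip == "0.0.0.0"
    except ValueError:
        return False


def audit_hosts(text: str, ioc_domains=(), baseline=BASELINE) -> list:
    """Return every non-baseline mapping with a severity:
    high   - hostname matches a known indicator (or a subdomain of one)
    medium - unknown hostname pinned to loopback, the pattern on the page
    low    - any other mapping not in the baseline (admin additions, overrides)"""
    iocs = {d.lower().lstrip(".") for d in ioc_domains}
    findings = []
    for no, ip, name in parse_hosts(text):
        if (ip, name) in baseline:
            continue
        if name in iocs or any(name.endswith("." + d) for d in iocs):
            severity = "high"
        elif _is_loopback(ip):
            severity = "medium"
        else:
            severity = "low"
        findings.append({"line": no, "ip": ip, "host": name, "severity": severity})
    return findings


# Constructed sample: default entries, one admin override, two loopback pins.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
10.0.0.5        devbox.corp.example   # added by an administrator
127.0.0.1 c2-one.invalid
127.0.0.1 www.c2-two.invalid
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, ioc_domains=["c2-two.invalid"]):
        print(finding)
```

Because the indicator domains on this page are redacted, the sample feeds placeholder names; in practice the list would come from the vendor's unredacted indicators, and a medium finding is still worth a look since it shows the exact modification the virus makes.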

    IRC Backdoor
  • It connects to a remote IRC server using an 8-character random NICK and a 1-character random USER to download other malware or an updated Virut version from one of the following remote IRC servers:
    • zi[Removed].pl
    • pro[Removed].pl
    • tEe[Removed].com
    • j[Removed].pl
  • The downloaded malware belongs to different classes of malicious software, which may include spambot, rootkit, and rogue AV programs.
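The registration profile above (an 8-character NICK paired with a 1-character USER) is a usable network signature even when the server names are unknown. The following is an added example (not code from the Fortinet page) that groups client-to-server IRC lines by session and flags sessions matching both conditions; it does not assess how random the nick is. The record format, the sample capture and all names are assumptions.

```python
import re
from collections import defaultdict

NICK_RE = re.compile(r"^NICK\s+:?(\S+)", re.IGNORECASE)
# USER <username> <mode> <unused> :<realname>
USER_RE = re.compile(r"^USER\s+(\S+)\s+\S+\s+\S+\s+:?(.*)$", re.IGNORECASE)


def parse_registrations(records):
    """Collect the NICK/USER registration fields of each session.

    Records are constructed "session_id<TAB>client line" strings, the shape a
    proxy or IDS log might emit."""
    sessions = defaultdict(dict)
    for rec in records:
        sid, _, line = rec.partition("\t")
        m = NICK_RE.match(line)
        if m:
            sessions[sid]["nick"] = m.group(1)
            continue
        m = USER_RE.match(line)
        if m:
            sessions[sid]["user"] = m.group(1)
            sessions[sid]["realname"] = m.group(2)
    return dict(sessions)


def virut_like_sessions(records) -> dict:
    """Return {session_id: reasons} for sessions matching the page's profile.
    Both conditions must hold; an 8-character nick alone is common for people."""
    flagged = {}
    for sid, reg in parse_registrations(records).items():
        nick, user = reg.get("nick", ""), reg.get("user", "")
        reasons = []
        if len(nick) == 8 and nick.isalnum():
            reasons.append("8-character alphanumeric nick")
        if len(user) == 1:
            reasons.append("1-character USER name")
        if len(reasons) == 2:
            flagged[sid] = reasons
    return flagged


# Constructed capture: a normal user, a Virut-like registration, and an
# 8-character nick with an ordinary user name (must not be flagged).
SAMPLE_RECORDS = [
    "s1\tNICK :alice_dev",
    "s1\tUSER alice 0 * :Alice Example",
    "s2\tNICK qwz7tk3p",
    "s2\tUSER q 8 * :q",
    "s3\tNICK bob12345",
    "s3\tUSER bob 0 * :Bob",
]

if __name__ == "__main__":
    print(virut_like_sessions(SAMPLE_RECORDS))
```

Pairing a hit with the destination host and the process that opened the socket (winlogon.exe, per the injection behaviour above, would be highly anomalous) turns this from a heuristic into a confident detection.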

Recommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
      FortiClient Systems
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

    Detection Availability

    FortiGate
    FortiClient
    FortiAPS
    FortiAPU
    FortiMail
    FortiSandbox
    FortiWeb
    Web Application Firewall
    FortiIsolator
    FortiDeceptor
    FortiEDR

    Version Updates

    Date Version Detail
    2022-12-20 90.08897
    2022-06-28 90.03672
    2022-05-25 90.02623
    2022-05-25 90.02622
    2022-05-11 90.02192
    2022-05-11 90.02191
    2022-05-03 90.01962
    2022-03-08 90.00283
    2021-12-07 89.07553
    2021-11-30 89.07343