
Virus:Win32/Virut.gen!O


First posted on 11 May 2009.
Source: SecurityHome

Aliases :

Virus:Win32/Virut.gen!O is also known as Win32/Virut.E (AhnLab), Virus.Win32.Virut.ce (Kaspersky), W32/Scribble-B (Sophos), Win32/Virut.NBP (ESET), W32/Virut.n.gen (McAfee), W32.Virut.CF (Symantec).

Explanation :

Virus:Win32/Virut.gen!O is a generic detection for members of Win32/Virut - a family of file infecting viruses that target and infect .EXE and .SCR files accessed on infected systems. Win32/Virut also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and run files on the infected computer.

Symptoms
The following symptoms may be indicative of a Virus:Win32/Virut infection:

  • Network traffic on TCP port 65520


Installation
Win32/Virut creates a mutex named L0ar or LaOS (or similar) which it uses to prevent multiple copies of itself from running on the host system. Win32/Virut disables Windows System File Protection (SFP) by injecting code into WINLOGON.EXE. The injected code patches sfc_os.dll in memory which in turn allows the virus to infect files protected by SFP. Win32/Virut injects code into other processes and this code will infect files with extensions .EXE and .SCR accessed by those processes. Win32/Virut avoids infecting files whose names contain any of the following:

  • WINC
  • WCUN
  • WC32
  • PSTO


Payload
Backdoor Functionality
Win32/Virut opens a connection to an Internet Relay Chat (IRC) server with the following details:

  • Server: irc.zief.pl (or, failing that, proxim.ircgalaxy.pl)
  • Port: 65520

This IRC connection allows a remote attacker to control the infected machine and to download and execute arbitrary files.
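The network indicators in the Symptoms and Payload sections (TCP port 65520 and the two IRC server names), together with the mutex names given under Installation, can be turned into a simple triage check. The script below is an added example written for this page, not code from the original write-up or from any vendor; it matches those indicators against a few constructed firewall log lines in an assumed key=value format and against a constructed list of mutex names. Real logs will differ in layout, and the write-up says the mutex names may be "or similar", so the exact-match mutex check is a starting point rather than a complete rule.

```python
import re
from dataclasses import dataclass

# Indicators taken from the write-up above.
VIRUT_C2_HOSTS = {"irc.zief.pl", "proxim.ircgalaxy.pl"}
VIRUT_C2_PORT = 65520
VIRUT_MUTEXES = {"L0ar", "LaOS"}

# Constructed sample firewall log lines (not real traffic).
# Assumed format: ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2009-05-11T10:01:02Z proto=tcp src=10.0.0.15 dst=203.0.113.10 dport=443 host=www.example.com action=allow
2009-05-11T10:01:05Z proto=tcp src=10.0.0.15 dst=198.51.100.7 dport=65520 host=irc.zief.pl action=allow
2009-05-11T10:01:09Z proto=tcp src=10.0.0.22 dst=198.51.100.9 dport=65520 host=- action=allow
2009-05-11T10:02:00Z proto=udp src=10.0.0.22 dst=192.0.2.53 dport=53 host=- action=allow
2009-05-11T10:03:14Z proto=tcp src=10.0.0.31 dst=198.51.100.8 dport=6667 host=proxim.ircgalaxy.pl action=allow
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    src: str
    reason: str


def parse_line(line):
    """Split one log line into a dict of its key=value fields plus the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def check_flow(fields):
    """Return a reason string if the flow matches a Virut network indicator, else None."""
    reasons = []
    # Symptom from the write-up: TCP traffic on port 65520, regardless of destination.
    if fields.get("proto") == "tcp" and fields.get("dport") == str(VIRUT_C2_PORT):
        reasons.append(f"tcp/{VIRUT_C2_PORT} (Virut IRC port)")
    # Payload section: the named IRC servers, even if seen on another port.
    if fields.get("host") in VIRUT_C2_HOSTS:
        reasons.append(f"known Virut IRC server {fields['host']}")
    return "; ".join(reasons) or None


def scan_log(text):
    """Run check_flow over every non-empty line and collect alerts per source host."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        reason = check_flow(fields)
        if reason:
            alerts.append(Alert(src=fields.get("src", "?"), reason=reason))
    return alerts


def suspicious_mutexes(names):
    """Given mutex names enumerated from a host, return those matching the Virut names."""
    return sorted(n for n in names if n in VIRUT_MUTEXES)


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.src}: {a.reason}")
    # Constructed mutex list: two Virut names plus an unrelated one.
    print(suspicious_mutexes(["L0ar", "Global\\Foo", "LaOS"]))
```

Running the script reports 10.0.0.15 (port and server name both match), 10.0.0.22 (port only; the server name is not resolved in that line) and 10.0.0.31 (server name only, on a non-standard port), which is why both indicators are checked independently rather than requiring the pair.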

Analysis by Dan Kurc

Last update 11 May 2009
