Home / malware Virus:Win32/Virut.AE
First posted on 05 February 2020.
Source: MicrosoftAliases :
There are no other names known for Virus:Win32/Virut.AE.
Explanation :
Virus:Win32/Virut.AE is a polymorphic appending file infector that targets .EXE and .SCR files. Virut.AE also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and execute arbitrary files on the infected computer. Spreads Via… File InfectionWin32/Virut disables Windows System File Protection (SFP) by injecting code into WINLOGON.EXE. The injected code patches sfc_os.dll in memory which in turn allows the virus to infect files protected by SFP. The virus infects .EXE and .SCR files on access, hence actions such as copying or viewing files with Explorer, including on shares (with write access) will result in files being infected, and the virus spreading from machine to machine. The virus injects its own code into a system process (iexplorer.exe, winlogon.exe), and hooks low-level (NTDLL layer) Windows API calls in order to stay in memory. It hooks the following functions in each running process (NTDLL.DLL): NtCreateFile
NtOpenFile
NtCreateProcess
NtCreateProcessEx Thus, every time an infected process calls one of these functions, execution control is passed to the virus. Payload Backdoor Functionality
Virut.AE connects to Internet Relay Channel (IRC) server 'proxim.ircgalaxy.pl' via port 65520 using a particular channel. It contains functionality to download and execute additional malware on the infected system, using the following private message: '!get http://' Additional InformationVirus:Win32/Virut.AE quotes Nietzsche - its code contains the following text strings: O noon of life! O time to celebrate!
O summer garden!
Relentlessly happy and expectant, standing: -
Watching all day and night, for friends I wait:
Where are you, friends? Come! It is time! It's late! To ensure there is only one instance of the virus running in the system, it creates an event. Virut.AE uses following event name: Vx_4Last update 05 February 2020
