
Virus:Win32/Virut.BI


First posted on 18 September 2019.
Source: Microsoft

Aliases :

Virus:Win32/Virut.BI is also known as W32/Virut-Gen, Win32.Virut.U, W32/Virut.j.

Explanation :

Virus:Win32/Virut.BI is a polymorphic appending file infector that infects files with the EXE and SCR file extensions. It may open a backdoor connection, allowing a remote attacker to download and run files on the infected computer.

File Infection

Win32/Virut disables Windows System File Protection (SFP) by injecting code into WINLOGON.EXE. The injected code patches sfc_os.dll in memory, which in turn allows the virus to infect files protected by SFP.

Virus:Win32/Virut.BI writes its code in the last section of the EXE and SCR files it finds. Unlike some variants of Virut, which obscure the virus entry point, Win32/Virut.BI simply modifies the entry point of the file to point to the virus code. The virus body is polymorphically XOR-encrypted using a word key that changes on every iteration of its decryption loop.

Infects Script Files

Virus:Win32/Virut.BI infects script files with the following extensions: ASP, HTM, PHP. It modifies these script files to add an IFrame tag pointing to the website www.NtKrnlpa.cn/rc/. These infected script files are detected as Exploit:HTML/IframeRef.gen.

Performs Backdoor Functions

Virus:Win32/Virut.BI connects to the IRC channel virtu3 to possibly perform the following commands: PING, PRIV. If the PRIV command is selected, this virus may download and execute additional malware on the infected system in combination with the following command: !get http://

Analysis by Francis Allan Tan Seng
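As an added, defender-side example (not part of Microsoft's write-up or this page), the following Python sketch applies one triage heuristic that follows directly from the description above: a PE whose AddressOfEntryPoint points into its last section, which is the layout an appending infector that rewrites the entry point leaves behind. The helper names and the constructed header-only samples are assumptions.

```python
import struct

# Constructed defender-side heuristic: flag a PE whose AddressOfEntryPoint lies
# inside its LAST section, the layout left by an appending infector that
# redirects the entry point. Hypothetical helper code, not Microsoft's logic.

SECTION_HEADER_SIZE = 40

def parse_sections(data):
    """Return (entry_rva, [(name, virtual_address, virtual_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                  # IMAGE_OPTIONAL_HEADER
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, vaddr = struct.unpack_from("<8sII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize))
    return entry_rva, sections

def entry_point_in_last_section(data):
    """True when the entry point RVA falls inside the final section's range."""
    entry_rva, sections = parse_sections(data)
    if not sections:
        return False
    _, last_va, last_size = sections[-1]
    return last_va <= entry_rva < last_va + last_size

def build_sample_pe(entry_rva, sections):
    """Build a header-only PE32 image (constructed test input, not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(96, b"\0")
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n, vsize, vaddr, vsize, 0, 0, 0, 0, 0, 0x60000020)
        for n, vaddr, vsize in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed layouts: a normal binary entering .text, and one whose entry point was
# redirected into the last section, as an appending infector would leave it.
LAYOUT = [(b".text", 0x1000, 0x1000), (b".data", 0x2000, 0x800), (b".rsrc", 0x3000, 0x400)]
CLEAN_SAMPLE = build_sample_pe(0x1200, LAYOUT)
INFECTED_LIKE_SAMPLE = build_sample_pe(0x3100, LAYOUT)
```

Packers and some legitimate linkers produce the same layout, so treat a hit as a cue for closer inspection (for example checking the section for a short XOR decryption loop) rather than a verdict.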

Last update 18 September 2019
