
Virus:Win32/Virut.AA


First posted on 28 May 2009.
Source: SecurityHome

Aliases :

There are no other names known for Virus:Win32/Virut.AA.

Explanation :

Virus:Win32/Virut.AA is a file infector that targets .EXE and .SCR files. It also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and execute arbitrary files on the infected computer.

Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).


Installation
Virus:Win32/Virut.AA injects its own code into a system process such as explorer.exe or winlogon.exe, and hooks low-level Windows API calls to stay in memory. It hooks the following functions in each running process:

NtCreateFile
NtOpenFile
NtCreateProcess
NtCreateProcessEx

Thus, every time an infected process calls one of these functions, execution control is passed to the virus.

Spreads Via...

Executable File Infection
Virus:Win32/Virut.AA infects .EXE and .SCR files on access; hence actions such as copying or viewing files with Explorer, including on shares (with write access), result in files being infected and the virus spreading from machine to machine. However, the virus may NOT infect files with file names that begin with the following strings:

winc
wcun
wc32
otsp

Virus:Win32/Virut.AA disables Windows System File Protection (SFP) by injecting code into winlogon.exe. The injected code modifies sfc_os.dll in memory, which in turn allows the virus to infect files protected by SFP.

Payload
Performs backdoor functionalities
Virus:Win32/Virut.AA connects to the Internet Relay Chat (IRC) server proxim.ntkrnlpa.info via port 80 using a particular channel. It contains functionality to download and execute arbitrary files on the computer, which may include additional malware. It can also be used to change the host that it connects to.

Additional Information
Virus:Win32/Virut.AA creates an event named 'VevT' during execution.
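The backdoor and event indicators above are the ones a responder can actually hunt for: the C2 host proxim.ntkrnlpa.info, IRC client commands carried over TCP port 80 (where a proxy expects HTTP), and the named event 'VevT'. The following is an added triage example, not code from the original advisory or from the analyst credited below. The indicator values come from the advisory text; the log line format, the sample log lines, and the assumption that the 'VevT' event is a session-local named event are constructed for this example.

```python
"""Triage helpers for the Virus:Win32/Virut.AA indicators in the advisory.

Added example, not part of the original advisory. Indicators (C2 host, port,
event name) are taken from the advisory; the log format is an assumption and
the sample log lines are constructed.
"""
import ctypes
import re
import sys

# Indicators taken from the advisory text.
C2_HOST = "proxim.ntkrnlpa.info"
C2_PORT = 80
EVENT_NAME = "VevT"

# IRC client commands that should never appear as the first line of an HTTP request.
IRC_COMMAND_RE = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PONG)\b")

# Constructed proxy/firewall log format (assumption, not a real product's format):
#   <timestamp> <src_ip> <dst_host>:<dst_port> <first payload line>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+) (?P<payload>.*)$"
)

# Constructed sample log lines for the demonstration below.
SAMPLE_LOG = [
    "2009-05-28T10:01:02Z 10.0.0.5 proxim.ntkrnlpa.info:80 NICK abcd1234",
    "2009-05-28T10:01:03Z 10.0.0.5 proxim.ntkrnlpa.info:80 JOIN #chan",
    "2009-05-28T10:02:00Z 10.0.0.7 www.example.com:80 GET / HTTP/1.1",
    "2009-05-28T10:02:30Z 10.0.0.9 203.0.113.10:80 USER x 0 * :x",
    "2009-05-28T10:03:00Z 10.0.0.7 irc.example.net:6667 NICK user",
]


def classify_line(line):
    """Return the reasons a log line matches the Virut.AA C2 pattern (empty list if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # unparseable line: not a match, but worth logging elsewhere
    reasons = []
    host = m.group("host").lower()
    port = int(m.group("port"))
    payload = m.group("payload")
    if host == C2_HOST or host.endswith("." + C2_HOST):
        reasons.append("known C2 host")
    # IRC on a legitimate IRC port is not flagged by this rule; only IRC hidden on port 80 is.
    if port == C2_PORT and IRC_COMMAND_RE.match(payload):
        reasons.append("IRC command on port 80")
    return reasons


def scan_log(lines):
    """Return (source_ip, line, reasons) for every suspicious line, in log order."""
    hits = []
    for line in lines:
        reasons = classify_line(line)
        if reasons:
            src = LOG_RE.match(line.strip()).group("src")
            hits.append((src, line.strip(), reasons))
    return hits


def event_present(name=EVENT_NAME):
    """On Windows, report whether a named event object with this name can be opened.

    Assumption: the event lives in the caller's session-local namespace (no
    'Global\\' prefix). Returns None on non-Windows hosts so the network
    checks above still run there.
    """
    if sys.platform != "win32":
        return None
    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenEventW.restype = ctypes.c_void_p
    kernel32.OpenEventW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    handle = kernel32.OpenEventW(SYNCHRONIZE, 0, name)
    if handle:
        kernel32.CloseHandle(ctypes.c_void_p(handle))
        return True
    return False


if __name__ == "__main__":
    for src, line, reasons in scan_log(SAMPLE_LOG):
        print(f"{src}: {', '.join(reasons)} <- {line}")
    print("VevT event present:", event_present())
```

Running the script on the constructed sample flags the two lines to the known C2 host and the IRC USER command sent to an unrelated host on port 80, while leaving the ordinary HTTP request and the IRC session on port 6667 alone. A host that matches on the network rule and also has the 'VevT' event open is a strong candidate for the file-infector cleanup described in this advisory.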

Analysis by Chun Feng

Last update 28 May 2009

 
