
Virus:Win32/Virut.gen!AO


First posted on 14 May 2013.
Source: Microsoft

Aliases:

There are no other names known for Virus:Win32/Virut.gen!AO.

Explanation:



Virus:Win32/Virut.gen!AO is a polymorphic file infector. It injects malicious code into every .EXE and .SCR file that it finds on your computer.

Installation

When run, the virus injects its malicious code into the WINLOGON.exe process.

It creates the following registry entry so that the virus is added to your firewall's authorized applications list:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "\??\<malware file and folder name>"
With data: "\??\<malware file and folder name>:*:enabled:@shell32.dll,-1"

Spreads via…

Infected files

The virus infects .EXE and .SCR files when you copy or open them using Windows Explorer. This includes files in folders on shared network drives, which allows the virus to spread as other computers access the network folder.

It does not infect files whose names begin with the following strings:

  • WCUN
  • WC32
  • WINC
  • PSTO


We have also seen some samples of Virus:Win32/Virut.gen!AO corrupt the files they infect. Such files can no longer run and cannot be restored to their pre-infection state.

Removable media

This virus also spreads through removable media such as floppy disks, USB sticks or flash card readers.

It does this by searching for all the removable drives on the infected system from drive D:\ to Z:\. When a removable drive is found, the virus installs a copy of itself with a randomly generated filename, for example:

  • AjsCEJmF.exe
  • HDWXPx64.exe
  • VPyKrBDo.exe
  • XjKBISPV.exe


It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain instructions for the operating system so that when the removable drive is accessed from another computer supporting the autorun feature, the malware is launched automatically.

This is common malware behavior, used to spread from computer to computer.

It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.
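An added example (not part of the Microsoft write-up) that applies the two points above: it flags an autorun.inf only when a launch key points at a randomly named executable that is actually present in the drive root, so an autorun.inf from installation media is left alone. The file contents and root listings are constructed, and the random-name heuristic is an assumption drawn from the four sample filenames.

```python
import re

# Constructed autorun.inf contents. The first is the kind of file this write-up
# describes (every launch key points at a randomly named copy in the drive root);
# the second is what a legitimate installer ships and must not be flagged.
SUSPICIOUS_INF = "[autorun]\r\nopen=AjsCEJmF.exe\r\nshellexecute=AjsCEJmF.exe\r\nshell\\open\\command=AjsCEJmF.exe\r\n"
BENIGN_INF = "[autorun]\r\nopen=setup.exe /quiet\r\nicon=setup.exe,0\r\nlabel=Product Installer\r\n"

EXE_NAME = re.compile(r'^[A-Za-z0-9]{8}\.exe$', re.IGNORECASE)

def looks_random(filename):
    """Heuristic (assumption) derived from the four sample names above: 8 alphanumerics
    with an upper-case letter somewhere after the first character, so Launcher.exe passes."""
    return bool(EXE_NAME.match(filename)) and any(c.isupper() for c in filename[1:8])

def parse_autorun(text):
    """Minimal INI parse: {key: value} of the [autorun] section, keys lower-cased."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', '#')):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
        elif section == 'autorun' and '=' in line:
            key, value = line.split('=', 1)
            values[key.strip().lower()] = value.strip().strip('"')
    return values

def launch_targets(values):
    """Files an autorun.inf would run: open=, shellexecute= and shell\\<verb>\\command=."""
    targets = set()
    for key, value in values.items():
        if value and (key in ('open', 'shellexecute') or (key.startswith('shell\\') and key.endswith('\\command'))):
            targets.add(value.split()[0])          # drop command-line arguments
    return targets

def assess(inf_text, root_listing):
    """Reasons the autorun.inf matches the spreading behaviour above. `root_listing` is the
    drive root's file names (constructed in the test; os.listdir(drive) on a real system)."""
    present = {name.lower() for name in root_listing}
    reasons = []
    for target in sorted(launch_targets(parse_autorun(inf_text))):
        base = target.replace('\\', '/').rsplit('/', 1)[-1]   # strip any directory part
        if looks_random(base) and base.lower() in present:
            reasons.append(f"autorun launches random-named executable in drive root: {base}")
    return reasons
```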

Payload

Allows backdoor access and control

This virus can open a backdoor to your computer. It does this by connecting to an IRC server and waiting for a remote attacker to issue commands to the infected system.

Backdoor commands include downloading and running files as well as opening webpages.

We have seen Virus:Win32/Virut.gen!AO connect to the following remote IRC servers:


Virus:Win32/Virut.gen!AO can generate random domains for its command and control servers in the format <six letters>.com. It does this to make the domains harder to blacklist or block.

Examples of these randomly-generated domains include:

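An added example (not from the write-up) of detection logic for the domain-generation behaviour described above: it runs over constructed resolver log lines and flags a client only when it looks up several distinct <six letters>.com names, because a single such lookup (google.com, github.com) is ordinary traffic. The log format, client addresses and the allowlist are assumptions.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (format, client addresses and timestamps are
# invented). The six-letter .com names are the write-up's examples; google.com
# and github.com show why a single six-letter .com lookup proves nothing.
SAMPLE_LOG = """\
2013-05-14T10:00:01Z client=10.0.0.5 query=aupeao.com type=A
2013-05-14T10:00:02Z client=10.0.0.5 query=cktede.com type=A
2013-05-14T10:00:03Z client=10.0.0.5 query=exomyo.com type=A
2013-05-14T10:00:04Z client=10.0.0.5 query=fsmscm.com type=A
2013-05-14T10:00:05Z client=10.0.0.5 query=gucsyv.com type=A
2013-05-14T10:00:06Z client=10.0.0.5 query=www.microsoft.com type=A
2013-05-14T10:00:07Z client=10.0.0.9 query=google.com type=A
2013-05-14T10:00:08Z client=10.0.0.9 query=github.com type=A
2013-05-14T10:00:09Z client=10.0.0.9 query=mavehz.com. type=A
"""

LINE_RE = re.compile(r'client=(\S+)\s+query=(\S+)')
SIX_LETTER_COM = re.compile(r'^[a-z]{6}\.com$')
KNOWN_GOOD = {'google.com', 'github.com'}   # constructed allowlist of legitimate six-letter .com names

def parse_queries(log_text):
    """Yield (client, name) pairs; names are lower-cased with any trailing dot removed."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower().rstrip('.')

def dga_candidates(log_text, threshold=5, known_good=KNOWN_GOOD):
    """Clients that resolved at least `threshold` distinct <six letters>.com names.
    The volume of distinct throwaway names, not any one name, is the signal."""
    per_client = defaultdict(set)
    for client, name in parse_queries(log_text):
        if SIX_LETTER_COM.match(name) and name not in known_good:
            per_client[client].add(name)
    return {c: sorted(names) for c, names in per_client.items() if len(names) >= threshold}
```

The threshold and allowlist need tuning to local traffic; pairing a hit with the IRC connections described above gives far higher confidence than the lookup pattern alone.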


Prevents website access

Virus:Win32/Virut.gen!AO can stop you from accessing any website whose name includes any of the following strings:

  • ahnlab
  • arcabit
  • avast
  • avg
  • avira
  • castlecops
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • cpsecure
  • defender
  • drweb
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • fortinet
  • f-prot
  • f-secure
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • malware
  • mcafee
  • microsoft
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising
  • rootkit
  • securecomputing
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • threatexpert
  • trendmicro
  • virus
  • wilderssecurity
  • windowsupdate


Additional information

This virus creates the following registry entry for its backdoor routines:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Sets value: "UpdateHost"
With data: <binary data>, for example "00 50 72 85 77 CE"
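An added example (not the write-up's or Microsoft's code) that checks both registry artefacts this page describes, the firewall exception in the Installation section and the UpdateHost value above, in a `reg export` file. The export text is constructed, the sessmgr.exe entry is a stand-in for a legitimate exception, and treating the `\??\` prefix as suspicious is a heuristic assumption.

```python
import re
# Constructed `reg export` text of the two keys described on this page. The \??\ firewall
# entry and UpdateHost are the virus's; "sessmgr.exe" stands in for a legitimate exception.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:enabled:Example Benign App"
"\\??\\C:\\Documents and Settings\\user\\AjsCEJmF.exe"="\\??\\C:\\Documents and Settings\\user\\AjsCEJmF.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"UpdateHost"=hex:00,50,72,85,77,ce
"""

FIREWALL_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                 r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
EXPLORER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data; name may contain \\ and \"

def _unescape(s):
    return s.replace('\\"', '"').replace('\\\\', '\\')

def parse_reg(text):
    """Return {key: {value_name: data}} from a .reg export; string and hex: values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and (m := VALUE_RE.match(line)):
            name, raw = _unescape(m.group(1)), m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = _unescape(raw[1:-1])
            elif raw.startswith('hex:'):
                keys[current][name] = bytes.fromhex(raw[4:].replace(',', ''))
    return keys

def triage(reg_text):
    """Flag the firewall exception and the UpdateHost value this page describes."""
    keys, findings = parse_reg(reg_text), []
    for name, data in keys.get(FIREWALL_LIST, {}).items():
        path = str(data).rsplit(':', 3)[0]   # data is "<path>:<scope>:<state>:<description>"
        # Legitimate exceptions use a plain drive path; a \??\ prefix or a path that differs from the name is the entry above
        if name.startswith('\\??\\') or path != name:
            findings.append(f"suspicious firewall exception: {name}")
    data = keys.get(EXPLORER_KEY, {}).get('UpdateHost')
    if data is not None:
        findings.append("Explorer\\UpdateHost present: " + (data.hex(' ') if isinstance(data, bytes) else str(data)))
    return findings
```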

Virus:Win32/Virut.gen!AO creates mutexes to ensure that only one instance of itself is running. The name of the mutex may use one of the following formats:

  • LtkC3
  • <random>tVt


The virus spreads by hooking the following API functions in ntdll.dll.

  • NtCreateFile
  • NtCreateProcess
  • NtCreateProcessEx
  • NtDeviceIoControlFile
  • NtOpenFile
  • NtQueryInformationProcess


This keeps the virus resident in memory and triggers its infection routine every time one of these API functions is called.

It also disables Windows system file protection (SFP) by patching sfc_os.dll in memory. This allows the virus to infect files protected by SFP.



Analysis by Ric Robielos

Last update 14 May 2013
