Virus:W32/Virut.I
Date discovered:18/04/2007
Type:File infector
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium to high
Static file:No
IVDF version:6.38.01.06 - Wednesday, April 18, 2007

 General Aliases:
   •  Kaspersky: Virus.Win32.Virut.n
   •  TrendMicro: PE_VIRUT.XB
   •  Sophos: W32/Vetor-A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Infects files
   • Third party control

 Files It tries to download a file:

– The location is the following:
   • http://64.**********.26/pk/ucsp0416.exe?t=0.4085156
It is saved on the local hard drive under: %TEMPDIR%\VRT7.tmp Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: TR/ATRAPS.Gen

 Registry It creates the following entry in order to bypass the Windows XP firewall:

– HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List
   • %SYSDIR%\winlogon.exe

 File infection Infector type:

Embedded - The virus inserts its code throughout the file (in one or more places).


Self Modification:

Polymorphic - The entire virus code changes from one infection to another. The virus contains a polymorphic engine.


Method:

This memory-resistent infector remains active in memory.


The following files are infected:

By file type:
   • *.exe
   • *.scr
   • *.htm
   • *.html

 IRC To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: proxim.ircgalaxy.pl
Channel: #virtu

Server: irc.zief.pl
Channel: #virtu



– This malware has the ability to collect and send the following information:
    • Collected Email addresses


– Furthermore it has the ability to perform actions such as:
    • Download file
    • Execute file

 Injection – It injects itself into a process.

    Process name:
   • winlogon.exe


 Rootkit Technology Method used:
• System Service Descriptor Table (SSDT) Hook

Hooks the following API functions:
   • NtCreateFile
   • NtCreateProcess
   • NtCreateProcessEx
   • NtOpenFile
   • NtQueryInformationProcess

Description inserted by Razvan Olteanu on Monday, April 19, 2010
Description updated by Andrei Ivanes on Wednesday, April 21, 2010

Back . . . .