Virus:W32/Virut.G
Date discovered:18/04/2007
Type:File infector
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium to high
Damage Potential:Medium to high
Static file:No
IVDF version:6.38.01.08 - Wednesday, April 18, 2007

 General Method of propagation:
   • Infects files


Aliases:
   •  Kaspersky: Virus.Win32.Virut.n
   •  Sophos: W32/Vetor-A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Infects files
   • Third party control

 File infection Infector type:

Appender - The virus main code is added at the end of the infected file.
– The last section of the file is modified to include the virus code.


Self Modification:

Polymorphic - The entire virus code changes from one infection to another. The virus contains a polymorphic engine.


Method:

This direct-action infector actively searches for files.


The following file is infected:

By file type:
   • *.exe

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: pr**********m.ntkrnlpa.info
Channel: virtu3


– Furthermore it has the ability to perform actions such as:
    • Download file
    • Execute file

 Injection – It injects itself into processes.

It is injected into all processes.


 Rootkit Technology Method used:
    • Hidden from Windows API

Hooks the following API functions:
   • NtCreateFile
   • NtCreateProcess
   • NtCreateProcessEx
   • NtOpenFile

Description inserted by Razvan Olteanu on Wednesday, April 21, 2010
Description updated by Andrei Ivanes on Thursday, May 27, 2010

Back . . . .