Avira Virus Lab


  • Name
  • Date discovered
    Oct 12, 2015

Stay safe from all these threats with Avira Free Antivirus.

Avira Free Antivirus Download Free

The term “W32/” denotes a file virus or malware that runs on 32-bit Windows systems and infects harmless files.

A generic detection routine designed to detect common family characteristics shared in several variants. This special detection routine was developed in order to detect unknown variants and will be enhanced continuously.

  • Aliases
    Avast: BV:Agent-AMB
    AVG: Win32/Virut
    Dr. Web: Win32.Virut.56
    F-PROT: W32/Sality.D.gen!Eldorado (generic, not disinfectable)
    Trend Micro: PE_VIRUX.S
    Microsoft: Virus:Win32/Virut.BN
    G Data: Win32.Virtob.Gen.12
    Kaspersky Lab: Virus.Win32.Virut.ce
    Bitdefender: Win32.Virtob.Gen.12
    ESET: Win32/Virut.NBP virus
  • Files
    The following files are changed:
    • %SYSDIR%\drivers\etc\hosts
    • %SYSDIR%\userinit.exe
    • %SYSDIR%\cmd.exe
    • %temporary internet files%\Content.IE5\index.dat
    • %USERPROFILE%\Cookies\index.dat
    • %USERPROFILE%\Local Settings\History\History.IE5\index.dat
    • %WINDIR%\Prefetch\CMD.EXE-087B4001.pf
    • %SYSDIR%\wbem\Logs\wbemcore.log
    • %WINDIR%\Prefetch\REGEDIT.EXE-1B606482.pf
    • %WINDIR%\Prefetch\WMIPRVSE.EXE-28F301A9.pf
    The following files are created:
    • %TEMPDIR%\~4E.tmp
    • %TEMPDIR%\~4E.bat
    The following files are deleted:
    • %TEMPDIR%\~4E.bat
  • Injections
    • \??\%SYSDIR%\winlogon.exe
    • %SYSDIR%\services.exe
    • %SYSDIR%\lsass.exe
    • %PROGRAM FILES%\VMware\VMware Tools\vmacthlp.exe
    • %SYSDIR%\svchost.exe
    • %SYSDIR%\svchost.exe
    • %WINDIR%\System32\svchost.exe
    • %SYSDIR%\svchost.exe
    • %SYSDIR%\svchost.exe
    • %WINDIR%\Explorer.EXE
    • %SYSDIR%\spoolsv.exe
    • %PROGRAM FILES%\FileZilla Server\FileZilla Server Interface.exe
    • %PROGRAM FILES%\VMware\VMware Tools\VMwareTray.exe
    • %PROGRAM FILES%\VMware\VMware Tools\vmtoolsd.exe
    • %PROGRAM FILES%\FileZilla Server\FileZilla Server.exe
    • %PROGRAM FILES%\VMware\VMware Tools\vmtoolsd.exe
    • %WINDIR%\System32\alg.exe
    • %SYSDIR%\wscntfy.exe
    • %PROGRAM FILES%\Java\jre7\bin\jqs.exe
    • %PROGRAM FILES%\WinPcap\rpcapd.exe
  • Registry
    The following registry entries are changed:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SFC ("ProgramFilesDir": "%PROGRAM FILES%"; "CommonFilesDir": "%PROGRAM FILES%\Common Files")
    The following registry entries are added:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ("\\??\\C:\\WINDOWS\\system32\\winlogon.exe": "\??\%SYSDIR%\winlogon.exe:*:enabled:@shell32.dll,-1")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch ("Epoch": dword:00000017)

Help make the web safer by sending us suspicious files/URLs to analyze

Submit your file/URL or Go to Avira Answers

Why submit a suspicious file?

If you encountered a suspicious file or website that’s not in our database, we’ll analyze it and determine whether it’s harmful. Our findings are then pushed out to our millions of users with their next virus database update. If you have Avira, you’ll get that update too. Don’t have Avira? Get it on our homepage.

What’s Avira Answers?

It’s our thriving community of technical professionals and part-time experts, working together to help solve tech problems. It’s the perfect place to pose your question to a community of fellow Avira users.