Avira Virus Lab
W32/Virut.Gen
-
NameW32/Virut.Gen
-
Date discoveredOct 12, 2015
-
TypeMalware
-
ImpactHigh
-
Reported InfectionsLow
-
Operating SystemWindows
The term 'W32' denotes a virus that runs on 32-bit Windows systems and infects files.
A generic detection routine designed to detect common family characteristics shared in several variants. This special detection routine was developed in order to detect unknown variants and will be enhanced continuously.
-
AliasesAvast: BV:Agent-AMBAVG: Win32/VirutDr. Web: Win32.Virut.56F-PROT: W32/Sality.D.gen!Eldorado (generic, not disinfectable)Trend Micro: PE_VIRUX.SMicrosoft: Virus:Win32/Virut.BNG Data: Win32.Virtob.Gen.12Kaspersky Lab: Virus.Win32.Virut.ceBitdefender: Win32.Virtob.Gen.12ESET: Win32/Virut.NBP virus
-
FilesThe following files are changed:
- %SYSDIR%\drivers\etc\hosts
- %SYSDIR%\userinit.exe
- %SYSDIR%\cmd.exe
- %temporary internet files%\Content.IE5\index.dat
- %USERPROFILE%\Cookies\index.dat
- %USERPROFILE%\Local Settings\History\History.IE5\index.dat
- %WINDIR%\Prefetch\CMD.EXE-087B4001.pf
- %SYSDIR%\wbem\Logs\wbemcore.log
- %WINDIR%\Prefetch\REGEDIT.EXE-1B606482.pf
- %WINDIR%\Prefetch\WMIPRVSE.EXE-28F301A9.pf
- %TEMPDIR%\~4E.tmp
- %TEMPDIR%\~4E.bat
- %TEMPDIR%\~4E.bat
-
Injections
- \??\%SYSDIR%\winlogon.exe
- %SYSDIR%\services.exe
- %SYSDIR%\lsass.exe
- %PROGRAM FILES%\VMware\VMware Tools\vmacthlp.exe
- %SYSDIR%\svchost.exe
- %WINDIR%\System32\svchost.exe
- %WINDIR%\Explorer.EXE
- %SYSDIR%\spoolsv.exe
- %PROGRAM FILES%\FileZilla Server\FileZilla Server Interface.exe
- %PROGRAM FILES%\VMware\VMware Tools\VMwareTray.exe
- %PROGRAM FILES%\VMware\VMware Tools\vmtoolsd.exe
- %PROGRAM FILES%\FileZilla Server\FileZilla Server.exe
- %WINDIR%\System32\alg.exe
- %SYSDIR%\wscntfy.exe
- %PROGRAM FILES%\Java\jre7\bin\jqs.exe
- %PROGRAM FILES%\WinPcap\rpcapd.exe
-
RegistryThe following registry entries are changed:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SFC ("ProgramFilesDir": "%PROGRAM FILES%"; "CommonFilesDir": "%PROGRAM FILES%\Common Files")
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ("\\??\\C:\\WINDOWS\\system32\\winlogon.exe": "\??\%SYSDIR%\winlogon.exe:*:enabled:@shell32.dll,-1")
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch ("Epoch": dword:00000017)
Help make the web safer by sending us suspicious files/URLs to analyze
Submit your file/URL or Go to support.avira.comWhy submit a suspicious file?
If you encountered a suspicious file or website that’s not in our database, we’ll analyze it and determine whether it’s harmful. Our findings are then pushed out to our millions of users with their next virus database update. If you have Avira, you’ll get that update too. Don’t have Avira? Get it on our homepage.