W32/Virut.b

Type: Virus
SubType: Win32
Discovery Date: 06/12/2006
Length:
Minimum DAT: 4782 (06/12/2006)
Updated DAT: 5141 (10/15/2007)
Minimum Engine: 5.1.00
Description Added: 06/12/2006
Description Modified: 10/25/2006 1:47 PM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

W32/Virut.b is a file infecting virus. On execution it copies itself to %SYSTEMDIR%\dllcache\msiupdate32.exe (dllcache is the Windows File Protection cache directory). It then tries to infect executables as they are accessed. It may also infect %SYSTEMDIR%\cmd.exe.

Registers itself as a service so that it starts at boot, using the following registry key and values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft update Service

    • objectname="LocalSystem" (runs with SYSTEM privileges)
    • type="32" (0x20, SERVICE_WIN32_SHARE_PROCESS)
    • start="2" (SERVICE_AUTO_START)
    • description="Microsoft update Service."
    • displayname="Microsoft update Service"
    • errorcontrol="0" (SERVICE_ERROR_IGNORE)
    • imagepath="%SYSTEMDIR%\dllcache\msiupdate32.exe" (the path is stored quoted)

W32/Virut.b opens a backdoor listener on a random port on the compromised machine.

The virus tries to connect to IRC servers at:

    • dhl4.irc-sgo.org
    • proxima.ircgalaxy.pl

The following channel names may be used:

    • ##teddy##
    • ##td##
    • ##kd##
    • ##cd##
    • ##proxy##
    • ##sniff##
    • ##test##

The virus accepts the channel topic as its command channel, so whoever controls the topic controls the bot. The commands it can receive include:

    • Scan for vulnerable systems
    • Download / execute remote files
    • Start or stop spreading through instant messaging
    • Log keystrokes (primarily for stealing bank passwords)
    • Open a command shell
    • Format drive

Tries to stop antivirus services, including those of:

    • Panda
    • McAfee
    • Norton

Symptoms

  • Modified executable files (the size of infected .exe files changes)
  • Presence of %SYSTEMDIR%\dllcache\msiupdate32.exe
  • Presence of registry entries as described
  • DNS queries to dhl4.irc-sgo.org, proxima.ircgalaxy.pl and IRC related network traffic
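The four symptoms above can be turned into checks. The following Python is an added example and is not part of AVERT's description: it matches a service's registry values against the entry described, flags DNS lookups of the two IRC servers and JOIN/TOPIC lines for the listed channels, and compares a size-and-hash baseline of executables to spot files that grew or appeared. The dnsmasq-style DNS log lines and the IRC client lines are constructed sample data, and the registry reader only does anything on Windows.

```python
"""Checks for the W32/Virut.b indicators listed above (added example, not AVERT's code)."""
import hashlib
import os
import re
import sys
from typing import Dict, Iterable, List, Tuple

try:                      # winreg exists only on Windows; the log and file checks run anywhere
    import winreg
except ImportError:
    winreg = None

# Indicators taken from the description above.
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\Microsoft update Service"
DROPPED_FILE = r"dllcache\msiupdate32.exe"
IRC_HOSTS = {"dhl4.irc-sgo.org", "proxima.ircgalaxy.pl"}
IRC_CHANNELS = {"##teddy##", "##td##", "##kd##", "##cd##", "##proxy##", "##sniff##", "##test##"}


def read_service_values(subkey: str = SERVICE_KEY) -> Dict[str, str]:
    """Read a service's values from HKLM on Windows; {} if the key is absent or not on Windows."""
    if winreg is None:
        return {}
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
    except OSError:
        return {}
    values: Dict[str, str] = {}
    with key:
        for i in range(winreg.QueryInfoKey(key)[1]):   # [1] is the number of values
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values


def check_service_values(values: Dict[str, str]) -> List[str]:
    """Reasons a service entry matches the description; [] means no match."""
    v = {k.lower(): str(d) for k, d in values.items()}
    image = v.get("imagepath", "").strip('"').lower()   # the page shows the path stored quoted
    hits: List[str] = []
    if image.endswith(DROPPED_FILE.lower()):
        hits.append("ImagePath is %SYSTEMDIR%\\" + DROPPED_FILE)
    if v.get("displayname", "").lower() == "microsoft update service":
        hits.append("DisplayName impersonates a Microsoft update service")
    # Auto-start as LocalSystem is normal for genuine services, so report it only as corroboration.
    if hits and v.get("start") == "2" and v.get("objectname", "").lower() == "localsystem":
        hits.append("corroborating: auto-start (Start=2) as LocalSystem")
    return hits


# dnsmasq query log format: "... query[A] <name> from <client>" (assumed log source).
DNS_QUERY = re.compile(r"query\[[A-Z]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(client, name) for every lookup of the IRC servers named in the description."""
    hits = []
    for line in lines:
        m = DNS_QUERY.search(line)
        if m:
            name = m.group("name").lower().rstrip(".")
            if name in IRC_HOSTS:
                hits.append((m.group("client"), name))
    return hits


IRC_CMD = re.compile(r"^(?P<cmd>JOIN|TOPIC)\s+(?P<chan>\S+)", re.IGNORECASE)


def scan_irc_lines(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(command, channel) for client JOIN/TOPIC lines naming one of the listed channels.
    TOPIC matters most: the description says the channel topic carries the bot's commands."""
    hits = []
    for line in lines:
        m = IRC_CMD.match(line.strip())
        if m and m.group("chan").lower() in IRC_CHANNELS:
            hits.append((m.group("cmd").upper(), m.group("chan").lower()))
    return hits


def executable_baseline(root: str) -> Dict[str, Tuple[int, str]]:
    """relative path -> (size, sha256) for every .exe under root; save it while the host is clean."""
    baseline: Dict[str, Tuple[int, str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".exe"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                baseline[os.path.relpath(path, root)] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline


def changed_executables(before: Dict[str, Tuple[int, str]],
                        after: Dict[str, Tuple[int, str]]) -> List[str]:
    """Files whose size or hash differs from the baseline, plus new ones (a dropped binary)."""
    return sorted(p for p, rec in after.items() if before.get(p) != rec)


# Constructed sample data, not real captures.
SAMPLE_DNS_LOG = [
    "Jun 12 10:01:02 gw dnsmasq[1234]: query[A] www.example.com from 192.168.1.20",
    "Jun 12 10:01:09 gw dnsmasq[1234]: query[A] proxima.ircgalaxy.pl from 192.168.1.20",
    "Jun 12 10:01:31 gw dnsmasq[1234]: query[A] dhl4.irc-sgo.org from 192.168.1.44",
]
SAMPLE_IRC_LINES = ["NICK abc1234", "JOIN ##proxy##", "TOPIC ##proxy##", "PRIVMSG #linux :hello"]

if __name__ == "__main__":
    print("service:", check_service_values(read_service_values()))   # [] when not on Windows
    print("dns:", scan_dns_log(SAMPLE_DNS_LOG))
    print("irc:", scan_irc_lines(SAMPLE_IRC_LINES))
    root = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    print(len(executable_baseline(root)), "executables baselined under", root)
```

Run it once on a known-clean host to record the baseline, then diff a later baseline with changed_executables; a file that grew, or a new msiupdate32.exe under dllcache, is exactly the symptom the list describes.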


Method of Infection

W32/Virut.b is a file infecting virus. Infection starts with manual execution of an infected binary. Executables on network shares may also be infected when they are accessed from the compromised machine. The virus can also be instructed over IRC to scan for vulnerable systems and infect them.

Removal

AVERT recommends always using the latest DATs and engine. This threat is detected and cleaned with that combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

W32/Virut.b is a file infecting virus. It tries to infect executable files that are accessed once the virus is active. W32/Virut.b opens up a backdoor on the infected machine and contacts an IRC server to receive bot commands.


Aliases

  • PE_VIRUT.B (Trend Micro)
  • Virus.Win32.Virut.b (Kaspersky)
  • W32.Spybot.Worm (Symantec)
  • W32/Virutas.A (Panda Antivirus)
  • Win32/Virut.B (Microsoft)
