W32/Virut

Type: Virus
SubType: Win32
Discovery Date: 01/24/2007
Length: Varies
Minimum DAT: 4948 (01/24/2007)
Updated DAT: 6485 (09/30/2011)
Minimum Engine: 5.3.00
Description Added: 01/24/2007
Description Modified: 11/17/2010 12:52 AM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Characteristics

Upon execution, Virut injects a thread into Winlogon.exe and connects to the IP address 83.133.[Removed].206 on remote port 80, causing that process to download further malicious files.

When executed, the Virus copies itself into the following locations:

  • %USERPROFILE%\Desktop\Desktop.exe
  • %USERPROFILE%\Start Menu\Programs\Programs.exe
  • %USERPROFILE%\Start Menu\Start Menu.exe
  • %USERPROFILE%\Documents\My Videos\My Videos.exe
  • %USERPROFILE%\Documents\My Pictures\My Pictures.exe
  • %USERPROFILE%\Documents\My Music\My Music.exe
  • %Windir%\Help\schedl.exe
  • %Windir%\Fonts\services.exe
  • [Removable Drive]:\D.exe

The virus also copies itself into every folder on the system, naming the copy after the folder it is placed in (for example, Desktop\Desktop.exe).

It also drops the following files:

  • %Windir%\system32\iwmivtva0.exe [Detected as Generic.dx!use]
  • %Windir%\system32\iwmivtva˙.exe [Detected as Generic.dx!use]
  • %Windir%\system32\MSWINSCK.OCX [Detected as Generic.dx!ul]
  • %Windir%\system32\wuaucldt.exe [Detected as W32/Virut.n.gen]
  • %WINDIR%\Temp\uygkr9b.exe [Detected as W32/Virut.n.gen]
  • %WINDIR%\Temp\msftcore.dll
  • %WINDIR%\Temp\msftldr.dll
  • %WINDIR%\Temp\1ey9.exe [Detected as W32/Virut.n.gen]
  • %WINDIR%\Temp\msfteml.dll
  • %WINDIR%\Temp\js9asy7q4.exe [Detected as W32/Virut.n.gen]
  • %WINDIR%\Temp\msftstp.exe [Detected as Generic.dx!upm]
  • %WINDIR%\Temp\msftdm.exe [Detected as W32/Virut.n.gen]
  • %WINDIR%\Temp\msftdm32.exe [Detected as W32/Virut.n.gen]
  • %WINDIR%\Temp\msfttcp.dll [Detected as Generic.dx!uou]
  • [Removable Drive]:\hqsm.cmd [Detected as W32/Sality.gen]
  • C:\autorun.inf

It also drops an autorun.inf file into the root of all removable drives and mapped drives so that an executable is launched automatically when the drive is accessed.

The autorun.inf file points to the malware executable. When the removable or networked drive is accessed from a machine that supports the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the virus file with the following content:

    [AutoRun]
    ;YCSbpANAnxts vUbjuQpTwi iytubvPxcNIroAl  BEpmRmAfsy
    shell\Explore\cOmmaND = hqsm.cmd
    oPEn =hqsm.cmd
    shell\oPen\cOmmanD=hqsm.cmd
    ;rxVQwg OIdlva KJjc
    shelL\open\DefauLt=1
    ShELL\AUTOplAY\commaNd =hqsm.cmd
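As an added example (not part of the McAfee description), the following Python parser normalizes an autorun.inf the way a removable-media scanner would, so that the mixed-case keys and junk comment lines shown above still resolve to the launch directives. The sample text is the autorun.inf content quoted above; the set of launch directives and the list of executable extensions are my own choices.

```python
"""Parse an autorun.inf and flag directives that would launch a program.

Added example, not McAfee's code. The SAMPLE_AUTORUN text is the autorun.inf
content quoted in the description above; the key normalization (case-folding,
whitespace stripping, comment skipping) and LAUNCH_KEYS are assumptions.
"""
import re

# Directives in [autorun] that run a program when the drive is opened,
# explored or autoplayed (keys compared after lower-casing).
LAUNCH_KEYS = {
    "open",
    "shellexecute",
    "shell\\open\\command",
    "shell\\explore\\command",
    "shell\\autoplay\\command",
}

# Sample constructed from the description above: mixed-case keys and random
# comment lines are typical of the autorun.inf this virus writes.
SAMPLE_AUTORUN = """[AutoRun]
;YCSbpANAnxts vUbjuQpTwi iytubvPxcNIroAl  BEpmRmAfsy
shell\\Explore\\cOmmaND = hqsm.cmd
oPEn =hqsm.cmd
shell\\oPen\\cOmmanD=hqsm.cmd
;rxVQwg OIdlva KJjc
shelL\\open\\DefauLt=1
ShELL\\AUTOplAY\\commaNd =hqsm.cmd
"""


def parse_autorun(text):
    """Return {section: {key: value}} with sections and keys lower-cased.

    Comment lines (';') and blank lines are ignored; whitespace around keys
    and values is stripped, so 'oPEn =hqsm.cmd' becomes ('open', 'hqsm.cmd').
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Sorted (directive, target) pairs from [autorun] that execute a file."""
    autorun = parse_autorun(text).get("autorun", {})
    return sorted((k, v) for k, v in autorun.items() if k in LAUNCH_KEYS)


def suspicious_targets(text):
    """Launch targets that are scripts or executables (not e.g. an icon file)."""
    exts = (".exe", ".cmd", ".bat", ".com", ".scr", ".pif", ".vbs", ".js")
    return sorted({v for _, v in launch_targets(text) if v.lower().endswith(exts)})


if __name__ == "__main__":
    for directive, target in launch_targets(SAMPLE_AUTORUN):
        print(f"{directive:26s} -> {target}")
    print("suspicious:", suspicious_targets(SAMPLE_AUTORUN))
```

Run against the sample, all four launch directives resolve to hqsm.cmd, while the shell\open\Default line (which only selects the default verb) is parsed but not flagged. Since Windows matches these keys case-insensitively, any detection that compares them verbatim would miss exactly the obfuscated casing the virus uses.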

The following registry keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abp470n5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AtapiDrv
  • HKU\.DEFAULT\Software\MSoftware
  • HKU\S-1-5-18\Software\MSoftware
  • HKEY_CURRENT_USER\Software\Awldea
  • HKEY_CURRENT_USER\Software\bntrp
  • HKEY_CURRENT_USER\Software\wrfke

The following registry values have been added:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    "schedl" = "%Windir%\Help\schedl.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    "wuaucldt" = "%Windir%\system32\wuaucldt.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    "iwmivtva˙" = "%Windir%\System32\iwmivtva˙.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\]
    "5c9o" = "%Windir%\TEMP\1ey9.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\]
    "v5uvf" = "%Windir%\TEMP\uygkr9b.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\]
    "apps" = "%Windir%\fonts\services.exe"

The above Run entries ensure that the virus is executed on every boot of the compromised system.

  • [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Windows\]
    "win" = "%Windir%\fonts\services.exe"
  • [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Windows\]
    "init" = "%Windir%\fonts\services.exe"

The above entries likewise ensure that the virus is executed on every boot of the compromised system.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\]
    AntiVirusOverride = 0x00000001
    AntiVirusDisableNotify = 0x00000001
    FirewallDisableNotify = 0x00000001
    FirewallOverride = 0x00000001
    UacDisableNotify = 0x00000001
    FirstRunDisabled = 0x00000001
    UpdatesDisableNotify = 0x00000001
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\]
    AntiVirusOverride = 0x00000001
    AntiVirusDisableNotify = 0x00000001
    FirewallDisableNotify = 0x00000001
    FirewallOverride = 0x00000001
    UpdatesDisableNotify = 0x00000001
    UacDisableNotify = 0x00000001
    FirstRunDisabled = 0x00000001

The above registry entries suppress Windows Security Center alerts (antivirus, firewall, update and UAC notifications).

  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\system\]
    "DisableTaskMgr" = 0x00000001
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\system\]
    "DisableRegistryTools" = 0x00000001

The above registry entries disable Task Manager and the registry editing tools.

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\]
    "EnableFirewall" = 0x00000000

The virus disables the Windows Firewall by setting the above value.

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
    "C:\Documents and Settings\Naveen\Desktop\E.exe" = "%USERPROFILE%\Desktop\E.exe:*:Enabled:ipsec"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\]
    "%Temp%\wingaxhrm.exe" = "%Temp%\wingaxhrm.exe:*:Enabled:ipsec"

The above entries add the virus executables to the Windows Firewall's list of authorized applications, so their network traffic is permitted even if the firewall is later re-enabled.

The following registry values have been modified:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\]
    "CheckedValue" = 0x00000000
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    "Hidden" = 0x00000002

The above registry entries prevent the user from viewing hidden files and folders on the compromised system.

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\]
    "Start" = 0x00000004
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\]
    "Start" = 0x00000004
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\]
    "GlobalUserOffline" = 0x00000000

A Start value of 0x00000004 marks a service as disabled; wscsvc is the Security Center service and srservice is the System Restore service.

[%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000), %UserProfile% is c:\Documents and Settings\Administrator\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

Symptoms

  • Presence of the above mentioned files and registry keys.
  • Presence of an unexpected network connection to the above mentioned IP address.
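As an added example (not McAfee's tooling), the following Python script checks a host for the registry indicators listed in the Characteristics section above. The indicator table is transcribed from those registry entries; the reader and enumerator callables, the constructed snapshot of an infected host that is used when the script is not run on Windows, and the use of HKCU in place of the HKEY_CURRENT_USER\S-1-(Varies) paths are my assumptions.

```python
"""Read-only sweep for the W32/Virut registry indicators described above.

Added example, not McAfee's code. INDICATORS and RUN_FILES are transcribed
from the description; everything else (the reader abstraction, the snapshot,
the HKCU mapping for the per-SID paths) is an assumption of this example.
"""

# (hive, subkey, value name, value that indicates compromise): the virus sets
# Security Center overrides to 1, turns the firewall off, disables the
# Security Center and System Restore services (Start = 4) and hides files.
INDICATORS = [
    ("HKLM", r"SOFTWARE\Microsoft\Security Center", "AntiVirusOverride", 1),
    ("HKLM", r"SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify", 1),
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile", "EnableFirewall", 0),
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\wscsvc", "Start", 4),
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\srservice", "Start", 4),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", "CheckedValue", 0),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
]

# Persistence locations and the dropped file names used in their Run entries.
RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
]
RUN_FILES = ("schedl.exe", "wuaucldt.exe", "1ey9.exe", "uygkr9b.exe", r"fonts\services.exe")


def check_values(read_value):
    """read_value(hive, subkey, name) -> value or None.
    Returns 'hive\\subkey\\name = value' for every indicator that matches."""
    hits = []
    for hive, subkey, name, bad in INDICATORS:
        actual = read_value(hive, subkey, name)
        if actual is not None and int(actual) == bad:
            hits.append(f"{hive}\\{subkey}\\{name} = {actual}")
    return hits


def check_run_entries(enum_values):
    """enum_values(hive, subkey) -> iterable of (name, data).
    Flags Run entries whose data ends with one of the dropped file names."""
    hits = []
    for hive, subkey in RUN_KEYS:
        for name, data in enum_values(hive, subkey):
            if str(data).lower().endswith(RUN_FILES):
                hits.append(f"{hive}\\{subkey}\\{name} = {data}")
    return hits


# Constructed snapshot of a partially infected XP host for the offline run.
SNAPSHOT = {
    ("HKLM", r"SOFTWARE\Microsoft\Security Center", "AntiVirusOverride"): 1,
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile", "EnableFirewall"): 0,
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\wscsvc", "Start"): 4,
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\srservice", "Start"): 2,  # still clean
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
}
SNAPSHOT_RUN = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"): [
        ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),  # benign entry
        ("schedl", r"C:\WINDOWS\Help\schedl.exe"),
    ],
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"): [
        ("apps", r"C:\WINDOWS\fonts\services.exe"),
    ],
}


def snapshot_reader(hive, subkey, name):
    return SNAPSHOT.get((hive, subkey, name))


def snapshot_enum(hive, subkey):
    return SNAPSHOT_RUN.get((hive, subkey), [])


def _root(hive):
    import winreg  # Windows only; imported lazily so the module loads elsewhere
    return {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]


def live_reader(hive, subkey, name):
    """Read one value from the real registry; None if the key/value is absent."""
    import winreg
    try:
        with winreg.OpenKey(_root(hive), subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def live_enum(hive, subkey):
    """Yield (name, data) for every value under a real registry key."""
    import winreg
    try:
        with winreg.OpenKey(_root(hive), subkey) as key:
            index = 0
            while True:
                name, data, _ = winreg.EnumValue(key, index)
                yield name, data
                index += 1
    except OSError:  # end of enumeration or key missing
        return


if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        reader, enum = live_reader, live_enum
    else:
        reader, enum = snapshot_reader, snapshot_enum
    for hit in check_values(reader) + check_run_entries(enum):
        print("INDICATOR:", hit)
```

Reading these values requires no administrative rights, so the check can run from a standard account as a first triage step; a cleanup still needs the scan described under Removal, because the registry entries are only the persistence and evasion layer, not the infected PE files themselves.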

Method of Infection

W32/Virut is a file-infecting virus. Infection starts with manual execution of the binary. Executables on network shares may also become infected if they are accessed from the compromised machine.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

Variants

    N/A

All Information

Overview

W32/Virut is a polymorphic parasitic virus. It infects PE and HTML files on the system and downloads other malware.

File Information

  • MD5 - E9B75FDC5E6DAD27643B1B75B33C42AC
  • SHA-1 - DE7B31C6863D1563723B7DB61CBF4186B2F622F1

Aliases

  • Norman - W32/Virut.GE
  • NOD32 - a variant of Win32/Virut.NCF
  • Ikarus - Virus.Win32.VB
  • Microsoft - Virus:Win32/Sality.AM
