McAfee > Theat Center > Virus Detail Page

Overview

W32/Virut.d is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality.

It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:

- Immediately before the encrypted code at the end of the last section

- At the end of the code section of the infected host in 'slack-space' (assuming there is any)

- At the original entry point of the host (overwriting the original host code)

The decryptor will either receive control directly or an API call within the host code body will be overwritten to point to it (EPO technique). In all cases where host code is overwritten by the virus the original bytes are stored within the encrypted virus body, and are restored before transfering control back to the host.

Characteristics

When W32/Virut.d is executed it injects its code into running processes.

W32/Virut.d opens up backdoor at port 65520 on the compromised machine.

This virus tries to connect to IRC servers located at :

- bproxim.ircgalaxy.pl

Symptoms

- Modified executable files (increase of ~9,000 bytes of exe files)

- DNS queries to bproxim.ircgalaxy.pl and IRC related network traffic

Method of Infection

W32/Virut.d is a file infecting virus. Infection starts with manual execution of the binary. Executables in network shares may also get infected if accessed by the compromised machine. This virus can also be instructed to scan for vulnerable systems and infect them.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files. In those cases of misinfection in which repair data is present within the virus body, and has not been miscalculated by it, the current DAT set will repair the virus as per the non-corrupted case. However, unfortunately, some W32/Virut.d infections are corrupted beyond repair.

Removal

Variants

Variants

N/A

All Information

Overview -

W32/Virut.d is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality.

It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:

- Immediately before the encrypted code at the end of the last section

- At the end of the code section of the infected host in 'slack-space' (assuming there is any)

- At the original entry point of the host (overwriting the original host code)

The decryptor will either receive control directly or an API call within the host code body will be overwritten to point to it (EPO technique). In all cases where host code is overwritten by the virus the original bytes are stored within the encrypted virus body, and are restored before transfering control back to the host.

Characteristics

Characteristics -

When W32/Virut.d is executed it injects its code into running processes.

W32/Virut.d opens up backdoor at port 65520 on the compromised machine.

This virus tries to connect to IRC servers located at :

- bproxim.ircgalaxy.pl

Symptoms

Symptoms -

- Modified executable files (increase of ~9,000 bytes of exe files)

- DNS queries to bproxim.ircgalaxy.pl and IRC related network traffic

Method of Infection

Method of Infection -

W32/Virut.d is a file infecting virus. Infection starts with manual execution of the binary. Executables in network shares may also get infected if accessed by the compromised machine. This virus can also be instructed to scan for vulnerable systems and infect them.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files. In those cases of misinfection in which repair data is present within the virus body, and has not been miscalculated by it, the current DAT set will repair the virus as per the non-corrupted case. However, unfortunately, some W32/Virut.d infections are corrupted beyond repair.

Removal -

Removal -

Variants

Variants -

N/A