W32/Virut.g

Type: Virus
SubType: Win32
Discovery Date: 06/27/2007
Length: Varies
Minimum DAT: 5138 (10/10/2007)
Updated DAT: 5141 (10/15/2007)
Minimum Engine: 5.1.00
Description Added: 06/27/2007
Description Modified: 12/16/2008 3:15 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Overview

W32/Virut.g is a file-infecting virus with IRC-based backdoor functionality. Once resident it can accept commands over IRC to download and run other malware on the compromised machine.

Characteristics

On execution, the virus attempts to inject itself into running processes and hooks the following ntdll.dll APIs in those processes. Hooking the file and process creation calls lets it see executables as they are opened or launched and infect them on access:

  • NtCreateFile
  • NtCreateProcess
  • NtCreateProcessEx
  • NtOpenFile

It infects PE executables by appending its body to the file's last section and pointing the entry point (AddressOfEntryPoint) at that code, so the viral code runs when the host program starts.
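A quick way to triage files for this style of infection is to check where a PE's entry point lands. The following Python is an added example written for this page, not McAfee/AVERT code: it parses the PE section table, reports whether AddressOfEntryPoint falls inside the last section and what that section's flags say, and runs the check over two constructed in-memory PE images, one laid out like a normal compiler-built binary and one laid out the way the description says an infected file looks. The images are headers plus filler bytes, not programs; the execute flag on the infected sample's last section is an assumption of the example, since the description does not state it.

```python
import struct

# Section characteristic flags from the PE specification (winnt.h IMAGE_SCN_*).
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20
    # AddressOfEntryPoint is at offset 16 of both the PE32 and PE32+ optional header.
    entry_rva = struct.unpack_from("<I", data, opt_hdr + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt_hdr + opt_size + 40 * i
        (name, vsize, va, rawsize, rawptr,
         _reloc, _line, _nreloc, _nline, chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def check_entry_point(data):
    """Triage heuristic for appending infectors: which section holds the entry point?

    Returns the containing section and the reasons the layout looks suspicious
    (an empty list means the layout looks ordinary).
    """
    entry_rva, sections = parse_pe(data)
    containing = None
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            containing = s
            break
    if containing is None:
        return {"section": None, "suspicious": True,
                "reasons": ["entry point does not fall inside any section"]}
    reasons = []
    if len(sections) > 1 and containing is sections[-1]:
        reasons.append(f"entry point in last section {containing['name']}")
        if containing["chars"] & IMAGE_SCN_MEM_WRITE:
            reasons.append("that section is writable")
        if not containing["chars"] & IMAGE_SCN_CNT_CODE:
            reasons.append("that section is not marked as code")
    return {"section": containing["name"], "suspicious": bool(reasons), "reasons": reasons}


def build_pe(section_specs, entry_rva):
    """Construct a header-only PE32 image for the demonstration (not a runnable program).

    section_specs: list of (name, virtual_address, size, characteristics);
    section bodies are int3 filler.
    """
    file_align = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    headers_len = len(dos) + 4 + len(file_hdr) + len(opt) + 40 * len(section_specs)
    first_raw = (headers_len + file_align - 1) // file_align * file_align
    table, bodies = b"", b""
    for name, va, size, chars in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                             size, va, size, first_raw + len(bodies), 0, 0, 0, 0, chars)
        bodies += b"\xCC" * size
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + table).ljust(first_raw, b"\0")
    return headers + bodies


# Constructed samples (no real malware). CLEAN_PE mirrors a typical compiler layout;
# INFECTED_PE mirrors the layout the description gives for W32/Virut.g: the last
# section has grown to hold the viral body and the entry point now points into it.
# Marking that section executable is this example's assumption.
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN_PE = build_pe([(b".text", 0x1000, 0x200, CODE),
                     (b".data", 0x2000, 0x200, DATA)], entry_rva=0x1010)
INFECTED_PE = build_pe([(b".text", 0x1000, 0x200, CODE),
                        (b".data", 0x2000, 0x600, DATA | IMAGE_SCN_MEM_EXECUTE)],
                       entry_rva=0x2200)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("infected-like", INFECTED_PE)):
        v = check_entry_point(image)
        print(f"{label}: {len(image)} bytes, entry in {v['section']}, "
              f"suspicious={v['suspicious']} {v['reasons']}")
```

The heuristic also fires on legitimately packed binaries (packers routinely put the entry point in a late section), so treat a hit as a reason to scan the file with current DATs, not as a verdict on its own.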


W32/Virut.g also carries an IRC-based backdoor. The virus connects outbound to an IRC server on TCP port 80 (the port normally used for HTTP) rather than on a standard IRC port, so the traffic blends in with web browsing and passes firewalls that only permit outbound web access.

It attempts to connect to the following IRC server:

  • proxim.ntkrnlpa.info

and joins the following channel:

  • virtu3

Once in the channel it can receive commands that direct the infected machine to download and execute additional malware from arbitrary hosts.

Symptoms

  • Modified executable files: infected .exe files grow in size and have their entry point redirected into the last section
  • DNS queries for proxim.ntkrnlpa.info and IRC traffic, in particular IRC commands on TCP port 80 where HTTP would be expected
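The backdoor description and the symptoms above give two network indicators that are easy to check from logs: lookups of the C2 host name, and IRC protocol verbs on port 80 where an HTTP request line belongs. The following Python is an added example for this page, not AVERT's code or tooling: it scans constructed log lines in an assumed pipe-separated export format (DNS query records and the first line of client data for each TCP flow), raises an alert per indicator, and names hosts that show more than one indicator type. The log lines, IP addresses and nicknames are made up for the example; the domain and channel are the ones listed on this page.

```python
import re
from collections import defaultdict

# Indicators taken from the AVERT description of W32/Virut.g.
C2_DOMAINS = {"proxim.ntkrnlpa.info"}
C2_CHANNEL = "virtu3"   # channel name; the "#" prefix is IRC syntax, not part of the name

# What a client sends first in an IRC session versus an HTTP request line.
IRC_CLIENT_CMD = re.compile(r"^(NICK|USER|PASS|JOIN|PRIVMSG|PONG)\b", re.IGNORECASE)
HTTP_REQUEST = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/\d\.\d")
JOIN_CHANNEL = re.compile(r"^JOIN\s+#?(" + re.escape(C2_CHANNEL) + r")\b", re.IGNORECASE)

# Constructed log lines in an assumed pipe-separated export format:
#   dns|timestamp|client|queried name
#   tcp|timestamp|client|server|dst_port|first line of client payload
SAMPLE_LOG = """\
dns|2008-12-16T10:00:01|10.0.0.5|proxim.ntkrnlpa.info
dns|2008-12-16T10:00:01|10.0.0.7|www.example.com
tcp|2008-12-16T10:00:02|10.0.0.5|203.0.113.9|80|NICK jqvtrxo
tcp|2008-12-16T10:00:02|10.0.0.5|203.0.113.9|80|USER jqvtrxo 0 0 :jqvtrxo
tcp|2008-12-16T10:00:03|10.0.0.7|203.0.113.20|80|GET / HTTP/1.1
tcp|2008-12-16T10:00:04|10.0.0.5|203.0.113.9|80|JOIN #virtu3
tcp|2008-12-16T10:00:05|10.0.0.8|203.0.113.30|6667|NICK someone
"""


def analyze(lines):
    """Return one (timestamp, host, indicator, detail) tuple per indicator hit."""
    alerts = []
    for line in lines:
        fields = line.rstrip("\n").split("|")
        if fields[0] == "dns" and len(fields) == 4:
            ts, host, qname = fields[1:]
            if qname.lower().rstrip(".") in C2_DOMAINS:
                alerts.append((ts, host, "dns-lookup-of-c2", qname))
        elif fields[0] == "tcp" and len(fields) == 6:
            ts, host, _server, dport, payload = fields[1:]
            # IRC verbs on the HTTP port, where an HTTP request line is expected.
            if dport == "80" and IRC_CLIENT_CMD.match(payload) and not HTTP_REQUEST.match(payload):
                alerts.append((ts, host, "irc-on-http-port", payload))
            m = JOIN_CHANNEL.match(payload)
            if m:
                alerts.append((ts, host, "join-known-channel", m.group(1)))
    return alerts


def likely_infected(alerts, min_indicators=2):
    """Hosts that show at least min_indicators distinct indicator types."""
    seen = defaultdict(set)
    for _ts, host, indicator, _detail in alerts:
        seen[host].add(indicator)
    return {host for host, kinds in seen.items() if len(kinds) >= min_indicators}


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(*hit)
    print("likely infected:", sorted(likely_infected(hits)))
```

Requiring two indicator types before naming a host keeps a single stray DNS lookup (a user pasting the domain into a browser, a sandbox) from being reported as an infection, while the per-indicator alerts still surface everything for an analyst to review.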

Method of Infection

W32/Virut.g is a file-infecting virus. Infection starts when a user runs an infected binary. Because the virus hooks the file and process creation APIs in the processes it has injected, executables on network shares can also be infected when the compromised machine accesses them.

Removal

AVERT recommends always using the latest DATs and engine; this threat is detected and cleaned with that combination (see the Minimum DAT and Minimum Engine listed above). Because the virus runs inside injected processes and hooks the file creation APIs there, clean from an environment in which those processes are not running (for example an offline scan from rescue media), or files repaired on disk may be reinfected. Also scan any network shares the infected machine had access to, since executables on them may have been infected as well.

Additional Windows ME/XP removal considerations

Variants

    N/A