Content

W32/Virut.gen

Type
Virus
SubType
Generic
Discovery Date
06/29/2007
Length
Varies
Minimum DAT
5115 (09/07/2007)
Updated DAT
5459 (12/09/2008)
Minimum Engine
5.1.00
Description Added
06/29/2007
Description Modified
08/29/2008 6:03 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

-----Update on August 29,2008----

When this new variant of W32/Virut.gen  is executed, it injects its code into running processes.

It opens up backdoor on the compromised machine at port 80 (HTTP) but uses it for IRC communication.

This virus tries to connect to IRC server located at :

  • ircd.zief.pl

And joins the channel named: virtu

It can then receive commands to download and execute other malware on the infected machine.

-----------------------------------------------

 

W32/Virut.gen is a generic detection for the W32/Virut family of polymorphic, entry point obscuring (EPO) file infectors with IRC bot functionality.

It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:

- Immediately before the encrypted code at the end of the last section

- At the end of the code section of the infected host in 'slack-space' (assuming there is any)

- At the original entry point of the host (overwriting the original host code)

The decryptor will either receive control directly or an API call within the host code body will be overwritten to point to it (EPO technique). In all cases where host code is overwritten by the virus the original bytes are stored within the encrypted virus body, and are restored before transfering control back to the host.

For further characteristics of specific variants, please check the various description for W32/Virut:

 

Symptoms

  • Modified executable files (increase in the size of exe files)
  • Unexpected DNS queries and IRC related network traffic

 

Method of Infection

W32/Virut.gen is a family of file infecting viruses. Infection starts with manual execution of the binary. Executables in network shares may also get infected if accessed by the compromised machine.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files. In those cases of misinfection in which repair data is present within the virus body, and has not been miscalculated by it, the current DAT set will repair the virus as per the non-corrupted case. However, unfortunately, some W32/Virut.gen infections are corrupted beyond repair.

 

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

W32/Virut.gen is a generic detection for the W32/Virut family of polymorphic, entry point obscuring (EPO) file infectors with IRC bot functionality.

Aliases

  • virus.win32.virut.q (Kaspersky)
  • W32.Virut.U (Symantec)

Characteristics

Characteristics -

-----Update on August 29,2008----

When this new variant of W32/Virut.gen  is executed, it injects its code into running processes.

It opens up backdoor on the compromised machine at port 80 (HTTP) but uses it for IRC communication.

This virus tries to connect to IRC server located at :

  • ircd.zief.pl

And joins the channel named: virtu

It can then receive commands to download and execute other malware on the infected machine.

-----------------------------------------------

 

W32/Virut.gen is a generic detection for the W32/Virut family of polymorphic, entry point obscuring (EPO) file infectors with IRC bot functionality.

It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:

- Immediately before the encrypted code at the end of the last section

- At the end of the code section of the infected host in 'slack-space' (assuming there is any)

- At the original entry point of the host (overwriting the original host code)

The decryptor will either receive control directly or an API call within the host code body will be overwritten to point to it (EPO technique). In all cases where host code is overwritten by the virus the original bytes are stored within the encrypted virus body, and are restored before transfering control back to the host.

For further characteristics of specific variants, please check the various description for W32/Virut:

 

Symptoms

Symptoms -

  • Modified executable files (increase in the size of exe files)
  • Unexpected DNS queries and IRC related network traffic

 

Method of Infection

Method of Infection -

W32/Virut.gen is a family of file infecting viruses. Infection starts with manual execution of the binary. Executables in network shares may also get infected if accessed by the compromised machine.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files. In those cases of misinfection in which repair data is present within the virus body, and has not been miscalculated by it, the current DAT set will repair the virus as per the non-corrupted case. However, unfortunately, some W32/Virut.gen infections are corrupted beyond repair.

 

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A