W32/Virut.j
- Type: Virus
- SubType: Win32
- Discovery Date: 08/31/2007
- Length: varies
- Minimum DAT: 5143 (10/17/2007)
- Updated DAT: 5500 (01/19/2009)
- Minimum Engine: 5.1.00
- Description Added: 08/31/2007
- Description Modified: 02/08/2008 5:55 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update February 08, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.cio.com/article/181250/Antivirus_Company_s_Web_Site_Downloa
--
On execution, the virus attempts to inject itself into running processes and hooks the following ntdll.dll APIs:
- NtCreateFile
- NtCreateProcess
- NtCreateProcessEx
- NtOpenFile
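The practical check for the behaviour above is to compare the first bytes of each listed ntdll.dll export as they sit in a process's memory with the same bytes in the DLL on disk, and to recognise the common inline-hook trampolines (jmp rel32, call rel32, absolute indirect jmp, push/ret) at the function's first instruction. The following is an added example and is not code from the original description; the stub bytes, syscall numbers and the hooked forms are constructed placeholders (an assumption), not values observed from this virus, and on a real system the in-memory bytes would come from ReadProcessMemory or a memory image and the export addresses from the PE export table.

```python
import struct

# Constructed 32-bit ntdll.dll stub prologues as they would be read from the on-disk DLL.
# Syscall numbers and stub shape are placeholders (assumption), not values from a real ntdll.
DISK_STUBS = {
    "NtCreateFile":      bytes.fromhex("B8 25 00 00 00 BA 00 03 FE 7F FF 12 C2 2C 00"),
    "NtCreateProcess":   bytes.fromhex("B8 2F 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00"),
    "NtCreateProcessEx": bytes.fromhex("B8 30 00 00 00 BA 00 03 FE 7F FF 12 C2 24 00"),
    "NtOpenFile":        bytes.fromhex("B8 74 00 00 00 BA 00 03 FE 7F FF 12 C2 18 00"),
}


def build_memory_view():
    """Constructed in-memory copy of the same exports, two of them patched with hooks."""
    mem = dict(DISK_STUBS)
    # jmp rel32 overwriting the first 5 bytes of NtCreateFile (displacement is a placeholder)
    mem["NtCreateFile"] = b"\xE9" + struct.pack("<i", 0x1234) + DISK_STUBS["NtCreateFile"][5:]
    # push imm32 / ret overwriting the first 6 bytes of NtOpenFile (address is a placeholder)
    mem["NtOpenFile"] = b"\x68" + struct.pack("<I", 0x00410000) + b"\xC3" + DISK_STUBS["NtOpenFile"][6:]
    return mem


def classify_prologue(code):
    """Describe a recognised hook trampoline at code[0], or return None."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return f"jmp rel32 (target = function+{5 + rel:#x})"
    if len(code) >= 5 and code[0] == 0xE8:
        rel = struct.unpack_from("<i", code, 1)[0]
        return f"call rel32 (target = function+{5 + rel:#x})"
    if code[:2] == b"\xFF\x25":
        return "jmp dword ptr [imm32] (absolute indirect)"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        target = struct.unpack_from("<I", code, 1)[0]
        return f"push {target:#x}; ret"
    return None


def find_hooks(memory, disk):
    """For each export, compare memory with disk and flag trampolines; returns name -> findings."""
    report = {}
    for name, disk_bytes in disk.items():
        mem_bytes = memory.get(name)
        if mem_bytes is None:
            report[name] = ["export not present in memory view"]
            continue
        findings = []
        n = min(len(mem_bytes), len(disk_bytes))
        if mem_bytes[:n] != disk_bytes[:n]:
            diff_at = next(i for i in range(n) if mem_bytes[i] != disk_bytes[i])
            findings.append(f"bytes differ from on-disk copy starting at offset {diff_at}")
        kind = classify_prologue(mem_bytes)
        if kind:
            findings.append(f"hook trampoline: {kind}")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in find_hooks(build_memory_view(), DISK_STUBS).items():
        print(name, "->", findings or "clean")
```

The byte-for-byte comparison is the reliable part of the check: a clean process should match the file image exactly at the start of every export once relocations are accounted for. The opcode classification only adds a label for the analyst; an intact prologue that still diverges from disk is just as suspicious.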
It infects executables by appending its body to the last section of the PE file and redirecting the entry point to the appended code.
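An infection of the kind just described leaves two header-level traces: the entry point (AddressOfEntryPoint) falls inside the last section rather than the original code section, and that section now has to be executable even though it was built as data. The added example below, which is not code from the original description, is a minimal PE header parser plus a heuristic that reports those conditions. The sample headers it builds are constructed for the demonstration (an assumption about layout, not bytes from a real infected file); the heuristic is generic to appending infectors and will also fire on some packers, so it is a triage signal rather than a verdict.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, list of section dicts) from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    optional = coff + 20                                  # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, optional + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):
        off = optional + size_of_optional + i * 40        # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def entry_point_findings(data):
    """Heuristic indicators of an appending file infector, as a list of strings."""
    entry_rva, sections = parse_pe(data)
    for idx, s in enumerate(sections):
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            break
    else:
        return ["entry point does not fall inside any section"]
    findings = []
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append(f"entry point in last section '{s['name']}' at +{entry_rva - s['vaddr']:#x}")
    if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section '{s['name']}' is both writable and executable")
    if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section '{s['name']}' is not marked executable")
    return findings


def build_sample_pe(infected):
    """Constructed minimal PE32 headers (no section bodies) for a clean and an 'infected' layout."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)            # PE32 magic
    text = (b".text", 0x200, 0x1000, 0x200, 0x400, 0x60000020)
    if infected:
        # last section grown by the appended body and made executable; entry moved into it
        data_sec = (b".data", 0x400, 0x2000, 0x400, 0x600, 0xC0000040 | IMAGE_SCN_MEM_EXECUTE)
        entry = 0x2000 + 0x100 + 0x10
    else:
        data_sec = (b".data", 0x100, 0x2000, 0x200, 0x600, 0xC0000040)
        entry = 0x1000
    struct.pack_into("<I", optional, 16, entry)
    headers = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                       for n, vs, va, rs, rp, ch in (text, data_sec))
    return bytes(dos) + b"PE\0\0" + coff + optional + headers


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe(False)), ("infected", build_sample_pe(True))):
        print(label, "->", entry_point_findings(sample) or "no indicators")
```

Run the same function over a real file by passing `open(path, "rb").read()`; the parser only needs the headers, so it is safe to run on untrusted samples without mapping or executing them.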
W32/Virut.j provides a backdoor on the compromised machine over port 80 (normally used for HTTP), using the port for IRC communication rather than HTTP.
The virus tries to connect to the IRC server at:
- proxim.ntkrnlpa.info
and joins the following channel:
- virtu3
It can then receive commands to download and execute other malware from various hosts onto the infected machine.
Symptoms
- Modified executable files (increase in the size of exe files)
- DNS queries to proxim.ntkrnlpa.info and IRC related network traffic
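The two network symptoms listed above can be turned into a concrete detection: flag DNS queries for the named C2 host and flag client-to-server sessions on tcp/80 whose first bytes are IRC commands instead of an HTTP method, then group both per source host so the lookup and the session show up together. The following is an added example, not part of the original description; the log records are constructed, the `#virtu3` channel syntax is the IRC form of the channel named above, and matching the parent zone ntkrnlpa.info (rather than only the exact host) is an assumption that other hosts in that zone are equally suspect.

```python
import re
from collections import defaultdict

# Indicators from the Symptoms section; the parent-zone match is an added assumption.
C2_DOMAINS = {"proxim.ntkrnlpa.info"}
C2_ZONES = {"ntkrnlpa.info"}

# IRC client commands that should never open a client-to-server payload on an HTTP port.
IRC_COMMAND = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PASS|PONG)\s", re.IGNORECASE)
HTTP_METHOD = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT)\s")

# Constructed sample records: (timestamp, src_ip, query_name) for DNS and
# (timestamp, src_ip, dst_ip, dst_port, first client payload bytes) for TCP sessions.
SAMPLE_DNS = [
    ("2008-02-08T10:00:01", "10.0.0.5", "www.example.com."),
    ("2008-02-08T10:00:07", "10.0.0.5", "proxim.ntkrnlpa.info."),
    ("2008-02-08T10:00:09", "10.0.0.9", "updates.example.net."),
]
SAMPLE_TCP = [
    ("2008-02-08T10:00:02", "10.0.0.5", "192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"),
    ("2008-02-08T10:00:08", "10.0.0.5", "192.0.2.77", 80, b"NICK abcdef\r\nUSER abcdef 0 * :abcdef\r\nJOIN #virtu3\r\n"),
    ("2008-02-08T10:00:10", "10.0.0.9", "192.0.2.10", 80, b"POST /upload HTTP/1.1\r\n"),
    ("2008-02-08T10:00:11", "10.0.0.9", "192.0.2.80", 6667, b"NICK ircuser\r\n"),  # IRC on its usual port: not this rule's concern
]


def is_c2_name(qname):
    """True for the exact C2 host or any name under one of the C2 zones."""
    name = qname.rstrip(".").lower()
    return name in C2_DOMAINS or any(name == z or name.endswith("." + z) for z in C2_ZONES)


def dns_hits(records):
    return [(ts, src, qname.rstrip(".")) for ts, src, qname in records if is_c2_name(qname)]


def tcp_hits(records):
    """Sessions on tcp/80 that start with IRC commands; also extracts any JOINed channels."""
    hits = []
    for ts, src, dst, port, payload in records:
        if port == 80 and IRC_COMMAND.match(payload) and not HTTP_METHOD.match(payload):
            channels = [c.decode("ascii", "replace") for c in re.findall(rb"JOIN\s+(#\S+)", payload)]
            hits.append((ts, src, dst, channels))
    return hits


def correlate(dns_records, tcp_records):
    """Group findings per source host so the C2 lookup and the IRC session appear together."""
    by_host = defaultdict(list)
    for ts, src, name in dns_hits(dns_records):
        by_host[src].append(f"{ts} DNS query for C2 name {name}")
    for ts, src, dst, channels in tcp_hits(tcp_records):
        note = f"{ts} IRC commands on tcp/80 to {dst}"
        if channels:
            note += f", channels {channels}"
        by_host[src].append(note)
    return dict(by_host)


if __name__ == "__main__":
    for host, notes in correlate(SAMPLE_DNS, SAMPLE_TCP).items():
        print(host)
        for n in notes:
            print("  ", n)
```

The protocol-on-wrong-port rule is the more durable of the two: the C2 hostname can change between variants, but IRC verbs opening a tcp/80 session are a mismatch regardless of which server is contacted.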
Method of Infection
W32/Virut.j is a file-infecting virus. Infection starts with manual execution of an infected binary. Executables on network shares may also be infected if they are accessed from the compromised machine.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
N/A
Overview
W32/Virut.j is a file-infecting virus with an IRC-based backdoor. It can accept commands to download other malware onto the compromised machine.
Aliases
- Virus.Win32.Virut.at (Kaspersky)