W32/Virut.n.gen
- Type: Virus
- SubType: Generic
- Discovery Date: 02/11/2009
- Length:
- Minimum DAT: 5523 (02/11/2009)
- Updated DAT: 6475 (09/20/2011)
- Minimum Engine: 5.2.00
- Description Added: 02/11/2009
- Description Modified: 09/03/2010 8:04 AM (PT)
All Information
Overview
W32/Virut.n.gen is a polymorphic parasitic virus with IRC-based backdoor functionality. It infects PE and HTML files on the system and downloads other malware.
Aliases
- PE_VIRUX.J (Trend Micro)
- Virus:Win32/Virut.BM (Microsoft)
- W32.Virut.CF (Symantec)
Characteristics
When W32/Virut.n.gen is executed, it injects its code into the winlogon.exe process.
The virus then infects executable (PE) files by appending the viral code to the first section and the last section of the executable, and infects HTML files by appending a malicious iframe to them.
The decryptor for the viral code is polymorphic and is located in one of three places:
1. Before the encrypted code at the end of the last section
2. At the end of the code section of the infected file, in its 'slack space'
3. At the original entry point of the host file
The following value is added under the Windows Firewall's authorized-applications registry key so that the injected winlogon.exe process can bypass firewall applications:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplication\List "C:\WINDOWS\system32\winlogon.exe" ,"C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1 "
The virus tries to connect to an IRC server located at:
* brenz.pl/xxxx
* trenz.pl/sasdas
It then receives commands to download and execute other malware on the infected machine. At the time of writing, the malware tries to download further malware from:
http://sb.xxxxtexe.com/[executable].gif
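As an added example (not code from the advisory or from McAfee), the following Python heuristic parses a PE section table and flags the layout traits that the infection technique above leaves behind: an entry point that falls in the last section, an entry section that is both writable and executable, or a last section marked executable. The two PE headers it checks are constructed inline as fixtures and are not real samples.

```python
import struct

# Section flag bits from the PE/COFF spec (IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE).
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000

def parse_pe(data):
    """Return (entry_rva, [(name, vaddr, vsize, flags), ...]) from a PE image's headers."""
    nt = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew
    assert data[nt:nt + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = struct.unpack_from("<H", data, nt + 6)[0], struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24                                                    # start of the optional header
    entry = struct.unpack_from("<I", data, opt + 16)[0]              # AddressOfEntryPoint
    secs = []
    for i in range(nsec):                                            # 40-byte IMAGE_SECTION_HEADER entries
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        secs.append((f[0].rstrip(b"\0").decode(), f[2], f[1], f[9]))  # name, VirtualAddress, VirtualSize, Characteristics
    return entry, secs

def virut_layout_findings(data):
    """Heuristic checks for the layouts the advisory describes; a triage aid, not a signature."""
    entry, secs = parse_pe(data)
    findings, last = [], secs[-1]
    for name, vaddr, vsize, flags in secs:
        if not (vaddr <= entry < vaddr + vsize):
            continue                                                 # entry point lies elsewhere
        if len(secs) > 1 and name == last[0]:
            findings.append("entry point in last section")
        if flags & SCN_WRITE and flags & SCN_EXECUTE:
            findings.append(f"entry section {name} is writable+executable")
    if len(secs) > 1 and last[3] & SCN_EXECUTE:
        findings.append(f"last section {last[0]} marked executable")
    return findings

def build_pe(entry, sections):
    """Constructed minimal PE32 header with a section table and no code; test fixture only."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)                             # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)                          # e_lfanew -> NT headers at 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                           # AddressOfEntryPoint
    hdr += opt
    for name, vaddr, vsize, flags in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, flags)
    return bytes(hdr)

# Constructed fixtures: a normal layout and one mimicking code appended to a writable+executable last section.
CLEAN = build_pe(0x1100, [(b".text", 0x1000, 0x2000, SCN_EXECUTE | 0x20), (b".data", 0x3000, 0x1000, SCN_WRITE | 0x40)])
SUSPECT = build_pe(0x3F00, [(b".text", 0x1000, 0x2000, SCN_EXECUTE | 0x20), (b".data", 0x3000, 0x1000, SCN_WRITE | SCN_EXECUTE | 0x40)])
```

Legitimately packed or self-modifying executables trigger the same checks, so findings are a reason to compare the file against a known-good copy or scan it with current DATs, not a verdict on their own.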
Symptoms
1. Modified executable, HTML and ASP files (increase in file size)
2. IRC-related network traffic to the servers listed above
Method of Infection
W32/Virut.n.gen spreads through manual execution of an infected executable or through network shares.
Removal
Variants
N/A