Win32/Virut [Threat Name] go to Threat

Win32/Virut.NBP [Threat Variant Name]

Category virus
Detection created Apr 24, 2009
Signature database version 10143
Aliases Virus.Win32.Virut.ce (Kaspersky)
  W32/Virut.n.gen (McAfee)
  W32.Virut.CF (Symantec)
Short description

Win32/Virut.NBP is a polymorphic file infector. The virus connects to the IRC network. It can be controlled remotely.

Executable file infection

The virus searches for executables with one of the following extensions:

  • .exe
  • .scr

Executables are infected by appending the code of the virus to the last section.


The host file is modified in a way that causes the virus to be executed prior to running the original code.


The size of the inserted code is 19 KB .


It avoids those with any of the following strings in their names:

  • WINC
  • WCUN
  • WC32
  • OTSP

It infects the following files:

  • *.htm*
  • *.php*
  • *.asp*

The virus inserts a/an IFrame element with an URL link into the file.

Other information

The virus acquires data and commands from a remote computer or the Internet.


It communicates with the following servers using IRC protocol:

  • irc.zief.pl
  • proxim.ircgalaxy.pl

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files

The virus modifies the following file:

  • %system%\­drivers\­etc\­hosts

The virus writes the following entries to the file:

  • 127.0.0.1 jL.chura.pl

The virus creates and runs a new thread with its own program code in all running processes.


The virus may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "%filepath%" = "%filepath%:*:enabled:@shell32.dll,-1"

The performed data entry creates an exception in the Windows Firewall program.

Please enable Javascript to ensure correct displaying of this content and refresh this page.