Win32/Virut [Threat Name]
Win32/Virut.NBP [Threat Variant Name]
| Detection created | Apr 24, 2009 |
| Signature database version | 8164 |
Win32/Virut.NBP is a polymorphic file infector. The virus connects to the IRC network. It can be controlled remotely.
Executable file infection
The virus searches for executables with one of the following extensions:
Executables are infected by appending the code of the virus to the last section.
The host file is modified in a way that causes the virus to be executed prior to running the original code.
The size of the inserted code is 19 KB.
It avoids those with any of the following strings in their names:
It infects the following files:
The virus inserts an IFrame element with a URL link into the file.
The virus acquires data and commands from a remote computer or the Internet.
It communicates with the following servers using IRC protocol:
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
The virus modifies the following file:
The virus writes the following entries to the file:
- 127.0.0.1 jL.chura.pl
The virus creates and runs a new thread with its own program code in all running processes.
The virus may set the following Registry entries:
- "%filepath%" = "%filepath%:*:enabled:@shell32.dll,-1"
This Registry entry creates an exception in the Windows Firewall.
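
A defender-side check for the two host artifacts described above: the redirect entry for jL.chura.pl and Registry data of the form `%filepath%:*:enabled:@shell32.dll,-1`. This is an added example, not part of the original description; the function names and sample data are constructed, and the inputs are assumed to be the text of the modified file and exported (name, data) pairs of Registry entries.

```python
import re

# Indicators taken from the description above.
REDIRECTED_HOST = "jl.chura.pl"  # compared case-insensitively
FW_DATA_RE = re.compile(r"^(?P<path>.+):\*:enabled:@shell32\.dll,-1$", re.IGNORECASE)


def find_host_redirects(text):
    """Return (line_no, address) for every line that maps REDIRECTED_HOST."""
    hits = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        names = [n.lower().rstrip(".") for n in fields[1:]]
        if REDIRECTED_HOST in names:
            hits.append((line_no, fields[0]))
    return hits


def find_firewall_exceptions(entries):
    """Return entry names whose data is '<name>:*:enabled:@shell32.dll,-1'."""
    hits = []
    for name, data in entries:
        m = FW_DATA_RE.match(data.strip())
        # The described entry uses the same file path as name and data prefix.
        if m and m.group("path").lower() == name.strip().lower():
            hits.append(name)
    return hits


# Constructed sample input (not captured from a real system).
SAMPLE_FILE_TEXT = """\
# constructed sample
127.0.0.1 localhost
127.0.0.1 jL.chura.pl
10.0.0.5  intranet.example   # unrelated entry
"""
SAMPLE_ENTRIES = [
    (r"C:\Program Files\Example\app.exe",
     r"C:\Program Files\Example\app.exe:*:Enabled:Example App"),
    (r"C:\Example\host.exe",
     r"C:\Example\host.exe:*:enabled:@shell32.dll,-1"),
]

if __name__ == "__main__":
    print("redirect lines:", find_host_redirects(SAMPLE_FILE_TEXT))
    print("firewall exceptions:", find_firewall_exceptions(SAMPLE_ENTRIES))
```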