Win32/Virut [Threat Name]
Win32/Virut.NBK [Threat Variant Name]
Category | virus |
Aliases | Virus.Win32.Virut.ce (Kaspersky), W32.Virut.CF (Symantec), W32/Virut.n (McAfee) |
Short description
Win32/Virut.NBK is a polymorphic file infector. It connects to an IRC network and can be controlled remotely through it.
Installation
The virus creates and runs a new thread with its own program code within the following processes:
- winlogon.exe
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "\??\%system%\winlogon.exe" = "\??\%system%\winlogon.exe:*:enabled:@shell32.dll,-1"
This entry adds winlogon.exe to the Windows Firewall exception list, so the IRC traffic generated by the injected thread is not blocked.
Executable file infection
The virus searches for executables with one of the following extensions:
- .exe
- .scr
Executables are infected by appending the code of the virus to the last section.
The host file is modified in a way that causes the virus to be executed prior to running the original code.
It skips files whose names contain any of the following strings:
- WINC
- WCUN
- WC32
- OTSP
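The infection technique described above (virus body appended to the last section, entry point redirected to it) is the classic appending-infector layout, and it leaves a structural trace that can be checked without any signature: the entry point of the host lands inside the last section, which must then be executable. The following script is an added example written for this page, not ESET code and not a reproduction of the virus; it parses the PE headers by hand and reports that condition. The two in-memory PE images it builds are constructed samples, not real binaries, and their section layouts are assumptions made for the demonstration.

```python
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Parse a PE image in memory; return (AddressOfEntryPoint, [section dicts])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 60)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]  # same offset for PE32 and PE32+
    sec_off = opt_off + size_opt
    sections = []
    for i in range(num_sections):
        name, vsize, va, *_, chars = struct.unpack_from(SECTION_HDR, data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "chars": chars})
    if not sections:
        raise ValueError("no section headers")
    return entry, sections


def entry_point_check(data):
    """Heuristic for appending infectors: entry point inside the last section,
    and that section marked executable. Packers (e.g. UPX) trigger it too, so
    treat a hit as a reason to look closer, not as a verdict."""
    entry, sections = parse_sections(data)
    last = sections[-1]
    in_last = last["va"] <= entry < last["va"] + last["vsize"]
    executable = bool(last["chars"] & IMAGE_SCN_MEM_EXECUTE)
    writable = bool(last["chars"] & IMAGE_SCN_MEM_WRITE)
    return {"entry_point": entry, "last_section": last["name"],
            "entry_in_last_section": in_last,
            "last_section_executable": executable,
            "last_section_writable": writable,
            "suspect": in_last and executable}


def build_sample_pe(entry_rva, sections):
    """Construct a minimal PE32 image (headers only) for testing; not a real binary.
    sections: list of (name, virtual_address, virtual_size, characteristics)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: PE header right after the DOS header
    size_opt = 224  # PE32 optional header size
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    hdrs = b"".join(struct.pack(SECTION_HDR, n.encode().ljust(8, b"\0"), vs, va, vs, 0, 0, 0, 0, 0, ch)
                    for n, va, vs, ch in sections)
    return bytes(dos) + coff + bytes(opt) + hdrs


# Constructed samples: a normal layout, and one whose last section has grown and
# now holds the entry point with execute+write rights (assumed infected-style layout).
CLEAN_PE = build_sample_pe(0x1100, [
    (".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
    (".data", 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE)])
INFECTED_STYLE_PE = build_sample_pe(0x4F00, [
    (".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
    (".data", 0x2000, 0x3000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)])

if __name__ == "__main__":
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
              [("clean sample", CLEAN_PE), ("infected-style sample", INFECTED_STYLE_PE)]
    for label, blob in targets:
        print(label, entry_point_check(blob))
```

Run it with one or more .exe/.scr paths to scan real files; with no arguments it reports on the two constructed samples. A file whose entry point sits in a writable, executable last section is worth pulling for closer analysis, but packed or self-extracting executables produce the same layout, so corroborate with the other indicators on this page before calling it an infection.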
It also modifies web content files with the following extensions:
- *.htm
- *.php
- *.asp
- *.html
The virus inserts an IFRAME element pointing to a URL into each such file, so that visitors to pages served from the infected machine load content from that URL.
Other information
The virus acquires data and commands from a remote computer or the Internet.
It communicates with the following servers using IRC protocol:
- irc.zief.pl
- proxim.ircgalaxy.pl
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
The virus modifies the following file:
- %system%\drivers\etc\hosts
The virus writes the following entry to the file, which redirects the name ZieF.pl to the local machine:
- 127.0.0.1 ZieF.pl
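The firewall exception, the IFRAME injection into web files, and the hosts-file entry described on this page are all indicators that can be checked offline from collected artefacts. The following script is an added example written for this page, not ESET code: it parses Windows Firewall AuthorizedApplications\List values, scans a hosts file, and lists IFRAME targets in web content. The watch list of domains is seeded from the names this page gives; treating them as IFRAME targets, the set of processes that should never hold a firewall exception, the "hidden frame" heuristic, and all sample inputs (firewall values, hosts lines, HTML) are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Domains this page names (IRC servers and the hosts-file entry). Using them as an
# IFRAME watch list is an assumption of this example; extend it from your own intel.
WATCH_DOMAINS = {"zief.pl", "irc.zief.pl", "proxim.ircgalaxy.pl"}
# Processes that should never need a Windows Firewall exception (assumption).
NEVER_AUTHORIZED = {"winlogon.exe"}

# AuthorizedApplications\List values have the form <path>:<scope>:<state>:<display name>
AUTH_APP_RE = re.compile(
    r"^(?P<path>.*):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$", re.I)
IFRAME_RE = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*([\"']?)([^\"'\s>]+)\1[^>]*>", re.I | re.S)
# Heuristic for frames meant to be invisible to the visitor (assumption, not from the page).
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*[\"']?0\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def domain_watched(host, watch=WATCH_DOMAINS):
    """True if host equals or is a subdomain of a watched domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watch)


def parse_authorized_app(value):
    """Split one AuthorizedApplications\\List value into its fields; None if malformed."""
    m = AUTH_APP_RE.match(value)
    return m.groupdict() if m else None


def suspicious_firewall_entries(values):
    """Flag enabled exceptions for executables that should never be listed."""
    hits = []
    for value in values:
        parsed = parse_authorized_app(value)
        if parsed is None:
            continue
        exe = parsed["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in NEVER_AUTHORIZED and parsed["state"].lower() == "enabled":
            hits.append(parsed)
    return hits


def suspicious_hosts_entries(hosts_text, watch=WATCH_DOMAINS):
    """Return (line_no, ip, hostname) for hosts lines that pin a watched domain."""
    hits = []
    for no, line in enumerate(hosts_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop comments, tolerate any whitespace
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            if domain_watched(name, watch):
                hits.append((no, fields[0], name))
    return hits


def find_iframes(html, watch=WATCH_DOMAINS):
    """List every IFRAME with its target host, flagging watched hosts and hidden frames."""
    out = []
    for m in IFRAME_RE.finditer(html):
        src = m.group(2)
        host = urlparse(src if "//" in src else "//" + src).hostname or ""
        out.append({"src": src, "host": host,
                    "watched": domain_watched(host, watch),
                    "hidden": bool(HIDDEN_RE.search(m.group(0)))})
    return out


# Constructed samples for offline use. The winlogon.exe value is the one this page
# lists; the other firewall value, the hosts lines and the HTML are made up.
SAMPLE_FIREWALL_VALUES = [
    r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"\??\%system%\winlogon.exe:*:enabled:@shell32.dll,-1",
]
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 ZieF.pl
"""
SAMPLE_HTML = """<html><body><p>Welcome</p>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>
<iframe src="http://zief.pl/rc/" width=1 height=1 style="display:none"></iframe>"""

if __name__ == "__main__":
    print("firewall:", suspicious_firewall_entries(SAMPLE_FIREWALL_VALUES))
    print("hosts:", suspicious_hosts_entries(SAMPLE_HOSTS))
    for frame in find_iframes(SAMPLE_HTML):
        print("iframe:", frame)
```

On a live host the firewall values come from the registry key listed under Installation (export it with reg.exe or read it with winreg), the hosts file from %system%\drivers\etc\hosts, and the HTML from every .htm, .html, .php and .asp file under the web root. An IFRAME that is both hidden and points at a watched domain is the strongest of the three signals; an IFRAME appended after the closing </html> tag, as in the constructed sample, is also typical of file-level injection rather than of a page's own markup.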