| Property | Value |
|---|---|
| Detection files published | |
| Description created | 2009-06-04 |
| Description updated | 2009-09-03 |
| Alias | E_VIRUT, PE_VIRUX |
| Spreading mechanism | File Infection, Network, Other |
| Payload | Disables Windows file protection, attempts to download malware |

W32/Virut is a polymorphic virus that infects executables and screensaver files, and attempts to download additional malware. There are many variants.
The Virut.CM variant also injects an iframe object into HTML-based files and disables Windows file protection in order to infect essential protected Windows system files. A viral thread, running under winlogon.exe or services.exe, attempts to connect to an IRC backdoor through port 80 or 65520 in order to download additional malware components.
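One way to hunt for the network behaviour described above in per-process connection logs, as an added example that is not Norman's code: it flags outbound connections from winlogon.exe or services.exe to port 80 or 65520 and checks whether the first bytes sent look like an IRC handshake rather than HTTP. The log layout, field names, severity labels and sample records are assumptions constructed for illustration.

```python
import csv
import io
import ntpath

# Process names and ports come from the description above.
HOST_PROCESSES = {"winlogon.exe", "services.exe"}
BACKDOOR_PORTS = {80, 65520}
# IRC registration commands; an HTTP request never starts with these.
IRC_VERBS = ("NICK ", "USER ", "PASS ", "JOIN ")

# Constructed sample records (documentation IP ranges, made-up payloads).
SAMPLE_LOG = """\
image,dst_ip,dst_port,first_bytes
C:\\Windows\\System32\\winlogon.exe,203.0.113.10,80,NICK abcd1234
C:\\Windows\\System32\\services.exe,203.0.113.10,65520,
C:\\Program Files\\Browser\\browser.exe,198.51.100.7,80,GET / HTTP/1.1
C:\\Windows\\System32\\svchost.exe,198.51.100.9,80,GET /update HTTP/1.1
C:\\WINDOWS\\system32\\WINLOGON.EXE,198.51.100.20,443,
C:\\Users\\a\\chat.exe,198.51.100.30,80,USER guest 0 * :guest
"""


def classify(proc, port, first_bytes):
    """Return 'high', 'medium', 'low' or None for one outbound connection."""
    if port not in BACKDOOR_PORTS:
        return None
    irc = first_bytes.upper().startswith(IRC_VERBS)
    if proc in HOST_PROCESSES:
        # One of the named system processes on a described port is already
        # notable; IRC on the wire matches the description fully.
        return "high" if irc else "medium"
    # IRC on a described port from another process: worth a look.
    return "low" if irc else None


def scan(log_text):
    """Return (severity, process, dst_ip, dst_port) for every flagged row."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        proc = ntpath.basename(row["image"]).lower()
        port = int(row["dst_port"])
        severity = classify(proc, port, row["first_bytes"] or "")
        if severity:
            hits.append((severity, proc, row["dst_ip"], port))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```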
Virut infects executable files as they are accessed, by either subverting a call through the IAT (import address table) in the original host code to jump to itself, or completely replacing the entry point of the executable file to point to itself. Because executable files are infected in this way, files on network drives accessed from an infected computer may also be infected.
Virut will also infect removable media by dropping an infected file, together with an autorun.inf file, to the root of the attached drive. The infected file will run when the drive is attached to another computer.
Virut will also try to block access to websites containing the following strings;
Virut uses a number of methods in order to avoid detection and removal and thus can be very difficult to completely clean.
Because of the aggressive nature of this malware, some infected files may become corrupted, to the point where they are not possible to repair or clean. In such cases certain files might have to be restored from a backup.
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.
| Usage | Title | Comment |
|---|---|---|
| Prevent infection through network file sharing | | |
| Cleaning backup folders in Windows Me and XP | | |