
Virus:Win32/Virut.BN


First posted on 15 February 2019.
Source: Microsoft

Aliases :

Virus:Win32/Virut.BN is also known as Win32/Virut.F, W32/Virut.AI!Generic, W32/Virut.gen, Win32.Virtob.Gen.12, Win32/Virut.17408, Win32.Virut.56, Win32/Virut.NBP, Virus.Win32.Virut.ce, W32/Virut.n.gen, W32/Virut.CX, W32/Sality.AO, Win32.Virut.cl, W32.Virut.CF, PE_VIRUX.J-2.

Explanation :

Installation

Virus:Win32/Virut.BN might be downloaded and installed by other malware.

Spreads via…

File infection

The virus disables Windows System File Protection (SFP, officially Windows File Protection) by injecting code into the Windows process "winlogon.exe". The injected code patches the system file "sfc_os.dll" in memory, which in turn allows the virus to infect files that SFP would otherwise restore from its cache.

Virus:Win32/Virut.BN infects .EXE and .SCR files. Because it hooks the file-open and process-creation calls listed below in every process it has injected, ordinary actions such as copying files or browsing them in Explorer, including on network shares to which the user has write access, cause those files to be infected, and this is how the virus spreads from PC to PC.

The virus injects its own code into a system process such as "explorer.exe" or "winlogon.exe" and hooks low-level Windows API calls at the NTDLL layer in order to stay resident in memory. In each running process it hooks the following NTDLL.DLL functions:

NtCreateFile
NtOpenFile
NtCreateProcess
NtCreateProcessEx

Thus, every time an infected process runs, so does the virus.
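Inline hooks of the kind described above overwrite the first bytes of the exported NTDLL function with a control transfer to the injected code, so a hunt for this infection can compare each export's prologue against the untouched syscall stub. The following is an added example, not code from the original page or from Microsoft: it classifies a prologue as a clean 32-bit syscall stub or as one of the common inline-hook forms, and audits the four functions named above. The byte strings, the syscall numbers and the function address 0x7C90D0AE are constructed sample data; on a live system the bytes would be read from the target process (for example with ReadProcessMemory), which this example does not do.

```python
import struct

# Names of the NTDLL.DLL exports the page says Virut.BN hooks.
HOOKED_FUNCTIONS = ("NtCreateFile", "NtOpenFile", "NtCreateProcess", "NtCreateProcessEx")

# Constructed 32-bit syscall stub (Windows XP style):
#   mov eax, <syscall number> ; mov edx, 7FFE0300h ; call [edx] ; ret 2Ch
CLEAN_NTCREATEFILE = bytes.fromhex("B825000000" "BA0003FE7F" "FF12" "C22C00")

# Constructed hooked prologue: the first five bytes replaced with "jmp rel32"
# into a hypothetical injected region at 0x00A40000.
HOOKED_NTCREATEFILE = bytes.fromhex("E9" "4D2F1384") + CLEAN_NTCREATEFILE[5:]

# Constructed (hypothetical) virtual address of NtCreateFile, needed to resolve
# relative jumps.  Other functions are left at base 0 in this example.
NTDLL_BASES = {"NtCreateFile": 0x7C90D0AE}

# Constructed snapshot of the four prologues: only NtCreateFile is hooked here.
SAMPLE_PROLOGUES = {
    "NtCreateFile": HOOKED_NTCREATEFILE,
    "NtOpenFile": bytes.fromhex("B874000000" "BA0003FE7F" "FF12" "C21800"),
    "NtCreateProcess": bytes.fromhex("B82F000000" "BA0003FE7F" "FF12" "C22000"),
    "NtCreateProcessEx": bytes.fromhex("B830000000" "BA0003FE7F" "FF12" "C22400"),
}


def classify_prologue(code: bytes, base: int = 0) -> dict:
    """Classify the first bytes of an exported NTDLL function.

    A clean 32-bit stub begins with 'mov eax, imm32' (opcode B8).  An inline hook
    replaces those bytes with a control transfer; the usual encodings are decoded
    here and the hook target is resolved where the bytes allow it.  'hooked' is
    True, False, or None when the prologue matches neither shape and should be
    inspected by hand.
    """
    if len(code) < 5:
        raise ValueError("need at least 5 bytes of the function prologue")
    op = code[0]
    if op == 0xB8:                                   # mov eax, imm32 -> untouched stub
        return {"hooked": False, "kind": "syscall stub", "target": None,
                "syscall": struct.unpack_from("<I", code, 1)[0]}
    if op == 0xE9:                                   # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return {"hooked": True, "kind": "jmp rel32",
                "target": (base + 5 + rel) & 0xFFFFFFFF}
    if op == 0xEB:                                   # jmp rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        return {"hooked": True, "kind": "jmp rel8",
                "target": (base + 2 + rel) & 0xFFFFFFFF}
    if code[:2] == b"\xFF\x25":                      # jmp dword ptr [abs32]
        return {"hooked": True, "kind": "jmp [abs32]",
                "target": struct.unpack_from("<I", code, 2)[0]}
    if op == 0x68 and len(code) >= 6 and code[5] == 0xC3:   # push imm32 ; ret
        return {"hooked": True, "kind": "push/ret",
                "target": struct.unpack_from("<I", code, 1)[0]}
    return {"hooked": None, "kind": "unrecognised prologue", "target": None}


def audit(prologues: dict, bases: dict) -> list:
    """Return the names of the hooked exports whose prologue is no longer a clean stub."""
    return [name for name in HOOKED_FUNCTIONS
            if classify_prologue(prologues[name], bases.get(name, 0))["hooked"] is not False]


if __name__ == "__main__":
    for name in HOOKED_FUNCTIONS:
        info = classify_prologue(SAMPLE_PROLOGUES[name], NTDLL_BASES.get(name, 0))
        target = "" if info["target"] is None else " -> 0x%08X" % info["target"]
        print("%-18s %s%s" % (name, info["kind"], target))
    print("suspicious:", audit(SAMPLE_PROLOGUES, NTDLL_BASES))
```

A prologue that matches none of the shapes is reported rather than silently passed, since a hook writer can use less common encodings; treat "unrecognised" as a reason to dump the function, not as a clean result.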

It also modifies HTML files, adding a hidden IFrame that points to the domain "zief.pl". When an infected HTML file is opened, the browser connects to that server without the user's knowledge. The page hosted there attempts to exploit a number of different browser and application vulnerabilities in order to run a copy of the virus. These modified HTML files are detected as Virus:HTML/Virut.BH.

The virus also modifies the local machine's Hosts file, redirecting the domain "zief.pl" to the loopback address (127.0.0.1), so that PCs that are already infected do not re-run the remotely-hosted copy of the virus.
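Both of the artifacts described above, the injected IFrame and the Hosts-file redirect, are easy to check for on a suspect machine or a file share. The following is an added example, not code from the original page or from Microsoft: it finds IFrame tags whose src points at zief.pl and parses a Hosts file for loopback entries naming that domain. The page does not give the exact markup Virut writes, so the IFrame attributes in the sample are an assumption; the HTML and Hosts text are constructed sample data.

```python
import re

# Constructed sample of an HTML file carrying an injected, hidden IFrame.
# The attributes (width/height/visibility) are an assumption; the page only
# says the IFrame is hidden and points at zief.pl.
SAMPLE_HTML = """<html><body>
<h1>Quarterly report</h1>
<iframe src="http://zief.pl/rc/" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

# Constructed sample of a Hosts file with the redirect the virus adds.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 zief.pl   # added by the virus
"""

# Any <iframe ...> whose src is zief.pl or a subdomain of it, with or without a scheme.
IFRAME_RE = re.compile(
    r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//(?:[\w-]+\.)*zief\.pl(?=[/:'\"\s>])[^>]*>",
    re.IGNORECASE,
)


def find_virut_iframes(html: str) -> list:
    """Return every IFrame tag in `html` whose src points at zief.pl."""
    return [m.group(0) for m in IFRAME_RE.finditer(html)]


def hosts_redirects(hosts_text: str, domain: str = "zief.pl") -> list:
    """Return (ip, hostname) pairs that map `domain` to a loopback address.

    Hosts lines have the form 'IP host [host ...] [# comment]'; comments and
    blank lines are skipped, and hostnames are compared case-insensitively.
    """
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() == domain.lower() and ip.startswith("127."):
                hits.append((ip, name))
    return hits


def scan(html: str, hosts_text: str) -> dict:
    """Run both checks; an infected machine usually shows both indicators."""
    return {"iframes": find_virut_iframes(html),
            "hosts_redirects": hosts_redirects(hosts_text)}


if __name__ == "__main__":
    result = scan(SAMPLE_HTML, SAMPLE_HOSTS)
    for tag in result["iframes"]:
        print("injected IFrame:", tag)
    for ip, name in result["hosts_redirects"]:
        print("Hosts redirect:", ip, name)
```

To sweep a share, walk the tree and feed each .htm/.html file to find_virut_iframes; on a Windows host the Hosts file lives at %SystemRoot%\System32\drivers\etc\hosts. A Hosts entry for zief.pl is a strong indicator on its own, because nothing legitimate adds it.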

Payload

Allows backdoor access and control

Virut.BN tries to connect to the Internet Relay Chat (IRC) server "irc.zief.pl" over TCP port 80, a port normally used for HTTP rather than IRC, and joins a particular channel. Should this fail, it instead attempts to connect to "proxim.ircgalaxy.pl", also on port 80.

It contains functionality to download and run files on your PC, which may include additional malware. The backdoor can also be instructed to change the host that it connects to for control.
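Because the command-and-control traffic is IRC carried on port 80, it can be spotted from the network side either by the destination hostname or by the protocol/port mismatch: a client session on port 80 whose first bytes are IRC registration commands (NICK, USER, PASS, JOIN) instead of an HTTP request line. The following is an added example, not code from the original page or from Microsoft: it classifies the first client payload of a TCP session and raises an alert for the two hostnames named above or for IRC seen on port 80. The session records are constructed sample data and the IP address 203.0.113.7 is a documentation address used as a placeholder.

```python
# Hostnames the page gives for the primary and fallback IRC servers.
C2_HOSTS = {"irc.zief.pl", "proxim.ircgalaxy.pl"}

# Client-side IRC commands that open a session, and HTTP request methods.
IRC_COMMANDS = {"PASS", "NICK", "USER", "JOIN", "PRIVMSG", "PING", "PONG", "MODE"}
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "CONNECT"}

# Constructed sessions: (destination host, destination port, first client payload).
SAMPLE_SESSIONS = [
    ("irc.zief.pl", 80, b"NICK vbn1234\r\nUSER vbn1234 0 * :vbn\r\nJOIN #chan\r\n"),
    ("www.example.com", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("203.0.113.7", 80, b"PASS s3cret\r\nNICK abcd\r\nUSER abcd 0 * :abcd\r\n"),
    ("irc.example.net", 6667, b"NICK legit\r\nUSER legit 0 * :legit\r\n"),
    ("www.example.com", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
]


def classify_payload(payload: bytes) -> str:
    """Return 'http', 'irc' or 'unknown' for the first client bytes of a session."""
    text = payload[:512].decode("latin-1")
    lines = [ln for ln in text.split("\r\n") if ln]
    if not lines:
        return "unknown"
    first_word = lines[0].split(" ", 1)[0].upper()
    if first_word in HTTP_METHODS and " HTTP/" in lines[0]:
        return "http"
    # Require every observed leading line (up to three) to be an IRC command,
    # so a single stray word is not enough to call it IRC.
    if all(ln.split(" ", 1)[0].upper() in IRC_COMMANDS for ln in lines[:3]):
        return "irc"
    return "unknown"


def flag_sessions(sessions) -> list:
    """Return (host, port, reason) alerts for Virut-style C2 sessions."""
    alerts = []
    for host, port, payload in sessions:
        if host.lower() in C2_HOSTS:
            alerts.append((host, port, "known Virut C2 host"))
        elif port == 80 and classify_payload(payload) == "irc":
            alerts.append((host, port, "IRC on port 80"))
    return alerts


if __name__ == "__main__":
    for host, port, reason in flag_sessions(SAMPLE_SESSIONS):
        print("ALERT %s:%d %s" % (host, port, reason))
```

The hostname check catches the hosts the page names, while the protocol check still fires after the backdoor is told to move to a new controller, which the page says it can be. Since the hostnames are resolved on the client, the Hosts file and DNS logs are the place to look for the name when only IP addresses are available in flow data.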

Analysis by Dan Kurc

Last update 15 February 2019
