Virus:Win32/Virut.gen!O
First posted on 11 May 2009.
Source: SecurityHome
Aliases:
Virus:Win32/Virut.gen!O is also known as Win32/Virut.E (AhnLab), Virus.Win32.Virut.ce (Kaspersky), W32/Scribble-B (Sophos), Win32/Virut.NBP (ESET), W32/Virut.n.gen (McAfee), W32.Virut.CF (Symantec).
Explanation:
Virus:Win32/Virut.gen!O is a generic detection for members of Win32/Virut, a family of file-infecting viruses that infect .EXE and .SCR files as they are accessed on a compromised system. Win32/Virut also opens a backdoor by connecting to an IRC server, which lets a remote attacker download and run arbitrary files on the infected computer.
Symptoms
The following symptom may indicate a Virus:Win32/Virut infection:
Network traffic on TCP port 65520
Installation
Win32/Virut creates a mutex named L0ar or LaOS (or a similar name) so that only one copy of the virus runs on the host at a time. It disables Windows File Protection (WFP) by injecting code into WINLOGON.EXE; the injected code patches sfc_os.dll in memory, which allows the virus to infect files that WFP would otherwise protect or restore. Win32/Virut also injects code into other running processes, and that code infects .EXE and .SCR files accessed by those processes. Win32/Virut avoids infecting files whose names contain any of the following strings:
WINC
WCUN
WC32
PSTO
Payload
Backdoor Functionality
Win32/Virut connects to an Internet Relay Chat (IRC) server using the following details:
Server: irc.zief.pl (or, if that fails, proxim.ircgalaxy.pl)
Port: 65520 (TCP)
This IRC connection allows a remote attacker to control the infected machine and to download and execute arbitrary files on it. Because the server names and port are fixed, outbound connections to these hosts or to TCP port 65520 are a usable network indicator of infection.
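The indicators in the Installation and Payload sections above lend themselves to a simple triage script. The following Python is an added example and is not code from the original entry or from any antivirus vendor: it parses a constructed connection log and flags the network indicators the entry gives (destination TCP port 65520 and the IRC servers irc.zief.pl / proxim.ircgalaxy.pl), and on Windows it checks whether the mutex names from the entry (L0ar, LaOS) exist on the local host. The log format, the sample lines, and the function names are assumptions made for the demonstration; only the port, host names and mutex names come from the entry.

```python
"""Triage helpers for the Win32/Virut indicators in this entry (added example).

Not code from the original entry. The log format and SAMPLE_LOG are constructed.
"""
import ctypes
import re
import sys
from dataclasses import dataclass

C2_PORT = 65520                                    # from the entry
C2_HOSTS = {"irc.zief.pl", "proxim.ircgalaxy.pl"}  # from the entry
MUTEX_NAMES = ("L0ar", "LaOS")                     # from the entry ("or similar")

# Assumed log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto> [host=<name>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<proto>tcp|udp)(?:\s+host=(?P<host>\S+))?$"
)


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """List the Virut indicators a parsed record matches (empty list if none)."""
    reasons = []
    # The entry describes TCP traffic on 65520; UDP on the same port is not an indicator.
    if rec["proto"] == "tcp" and rec["dport"] == C2_PORT:
        reasons.append(f"tcp/{C2_PORT}")
    # Match the resolved name if the log has one, or the destination field itself.
    names = {(rec.get("host") or "").lower().rstrip("."), rec["dst"].lower().rstrip(".")}
    if names & C2_HOSTS:
        reasons.append("virut-irc-host")
    return reasons


def scan(lines):
    """Return a Hit for every log line that matches at least one indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as hits
        reasons = classify(rec)
        if reasons:
            hits.append(Hit(rec["ts"], rec["src"], rec["dst"], rec["dport"], ",".join(reasons)))
    return hits


def infected_hosts(lines):
    """Sorted list of source addresses that produced at least one hit."""
    return sorted({h.src for h in scan(lines)})


def check_virut_mutexes(names=MUTEX_NAMES):
    """On Windows, return the listed mutex names that currently exist; [] elsewhere.

    Uses kernel32!OpenMutexW with SYNCHRONIZE access; a non-NULL handle means a
    mutex with that name exists in the caller's session namespace.
    """
    if sys.platform != "win32":
        return []
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p)
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = (ctypes.c_void_p,)
    SYNCHRONIZE = 0x00100000
    present = []
    for name in names:
        handle = kernel32.OpenMutexW(SYNCHRONIZE, 0, name)
        if handle:
            kernel32.CloseHandle(handle)
            present.append(name)
    return present


# Constructed sample log (not captured traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    "2009-05-11T10:01:02Z 10.0.0.5:49152 -> 192.0.2.10:80 tcp host=www.example.com",
    "2009-05-11T10:01:09Z 10.0.0.5:49153 -> 198.51.100.7:65520 tcp host=irc.zief.pl",
    "2009-05-11T10:02:30Z 10.0.0.9:49200 -> 198.51.100.8:65520 tcp",
    "2009-05-11T10:03:00Z 10.0.0.12:49201 -> 203.0.113.4:6667 tcp host=proxim.ircgalaxy.pl",
    "2009-05-11T10:03:15Z 10.0.0.5:49154 -> 198.51.100.9:65520 udp",
    "not a log line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} -> {hit.dst}:{hit.dport} [{hit.reason}]")
    print("hosts to isolate:", infected_hosts(SAMPLE_LOG))
    print("virut mutexes present on this host:", check_virut_mutexes())
```

Run against the constructed log, the script flags three connections (two on TCP 65520, one to proxim.ircgalaxy.pl on a non-standard port) and ignores the UDP packet on 65520, since the entry only describes TCP. The host-name check matters because the fallback server in the entry need not sit behind port 65520 in every variant; the mutex check is a host-side confirmation that only works when run on the suspect Windows machine.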
Analysis by Dan Kurc
Last update 11 May 2009