
Virus:Win32/Virut.BM


First posted on 09 February 2009.
Source: SecurityHome

Aliases :

Virus:Win32/Virut.BM is also known as Win32/Virut.NBK (ESET) and W32/Scribble-A (Sophos).

Explanation :

Virus:Win32/Virut.BM is a polymorphic file infector that targets .EXE and .SCR files. This virus also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and execute arbitrary files on the infected computer.

Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.

The virus uses advanced techniques to hide the infection.

Spreads Via…

Executable File Infection
The virus infects .EXE and .SCR files on access; hence actions such as copying or viewing files with Explorer, including on shares (with write access), will result in files being infected and the virus spreading from machine to machine. The virus injects its own code into a system process such as explorer.exe or winlogon.exe, and hooks low-level (NTDLL layer) Windows API calls in order to stay in memory. It hooks the following functions in each running process (NTDLL.DLL):

NtCreateFile
NtOpenFile
NtCreateProcess
NtCreateProcessEx

Thus, every time an infected process calls one of these functions, execution control is passed to the virus.

HTML File Infection
It writes code to HTML files that adds a hidden IFrame pointing to the domain 'zief.pl'. When the HTML file is opened, the browser connects to this server without the user's knowledge. The HTML page hosted at this location attempts to exploit a number of different vulnerabilities (including those affecting the user's browser and other applications) in order to run a copy of the virus. These modified HTML files are detected as Virus:HTML/Virut.BH. The virus also modifies the local machine's hosts file, redirecting the domain 'zief.pl' to localhost (127.0.0.1) so that already-infected machines will not run the remotely-hosted copy of the virus.

Payload
Backdoor Functionality
Virut.BM connects to the Internet Relay Chat (IRC) server 'irc.zief.pl' via port 80 using a particular channel. Should this fail, it instead attempts to connect to 'proxim.ircgalaxy.pl', also using port 80. It contains functionality to download and execute arbitrary files on the affected system. This may include additional malware. The backdoor can also be used to change the host that it connects to for control.

Additional Information
Virut.BM creates the event 'Vx_5' to prevent multiple copies of itself from running simultaneously on the affected system.
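The hosts-file tampering and hidden-IFrame injection described under HTML File Infection, together with the IRC hosts named under Backdoor Functionality, give a defender three host-based indicators that can be checked without a scanner. The following Python script is an added example, not part of this write-up or of any vendor tool: it flags hosts-file entries that mention these domains and scans HTML for IFrames pointing at them. The three domain names are taken from the description above; the sample hosts lines, the sample HTML and the IFrame path 'CONSTRUCTED_PATH' are constructed for illustration, since the write-up does not give the injected URL's path.

```python
import re

# Indicators taken from the write-up above: the IFrame/exploit domain, the
# primary IRC host and the fallback IRC host. Everything else in this file
# (sample hosts lines, sample HTML, the IFrame path) is constructed.
VIRUT_BM_DOMAINS = {"zief.pl", "irc.zief.pl", "proxim.ircgalaxy.pl"}

IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
IFRAME_SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def is_indicator_host(host):
    """True if host is one of the Virut.BM domains or a subdomain of zief.pl."""
    host = host.strip().lower().rstrip(".")
    return host in VIRUT_BM_DOMAINS or host.endswith(".zief.pl")


def find_hosts_redirects(hosts_text):
    """Return (ip, hostname) pairs from a hosts file that pin a Virut.BM domain.

    The virus maps 'zief.pl' to 127.0.0.1 so an already-infected machine does
    not re-run the hosted copy; a clean hosts file has no reason to mention the
    domain at all, so any entry is worth flagging regardless of the address.
    """
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0]        # strip trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                       # blank or malformed line
        ip, names = fields[0], fields[1:]  # one IP may carry several names
        for name in names:
            if is_indicator_host(name):
                hits.append((ip, name.lower()))
    return hits


def host_of(url):
    """Return the host part of a URL (scheme, path and port removed)."""
    rest = SCHEME_RE.sub("", url)
    return rest.split("/", 1)[0].split(":", 1)[0]


def find_injected_iframes(html_text):
    """Return the src of every IFrame whose host is a Virut.BM domain."""
    hits = []
    for tag in IFRAME_TAG_RE.findall(html_text):
        m = IFRAME_SRC_RE.search(tag)
        if m and is_indicator_host(host_of(m.group(1))):
            hits.append(m.group(1))
    return hits


# Constructed sample inputs (not taken from a real infection).
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       zief.pl     # entry the virus adds
"""

SAMPLE_HTML = """<html><body><p>site content</p>
<iframe src="http://zief.pl/CONSTRUCTED_PATH" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://example.com/embed"></iframe>
</body></html>"""


if __name__ == "__main__":
    print("hosts redirects:", find_hosts_redirects(SAMPLE_HOSTS))
    print("injected iframes:", find_injected_iframes(SAMPLE_HTML))
```

On a live system the same two functions can be fed the contents of `%SystemRoot%\System32\drivers\etc\hosts` and of each HTML file on a share; a hit on either check is a cue to look for the remaining indicators from the write-up, the 'Vx_5' event and outbound connections to the two IRC hosts on port 80, rather than proof on its own.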

Analysis by Hamish O'Dea and Chun Feng

Last update 09 February 2009
