Nicolas Falliere's blog

(Note: This blog was written on September 2. We decided to postpone publishing it due to an ongoing joint effort to shut down servers and block domain names. The variant studied is not the latest but accurately reflects the functionalities of the threat.)

W32.Virut is a Windows file infector that’s been around since 2006. It usually makes the top 10 in threat charts and therefore deserves regular scrutiny.

We’ve published a detailed analysis of Sality in a whitepaper titled, “Sality: Story of a Peer-to-Peer Viral Network.”

A few months ago, at least prior to February 7th, Sality operators pushed a new malware onto their P2P network of infected bots.

Back in the spring of 2010, I blogged about W32.Sality and the decentralized P2P botnet made up by hosts infected by Sality.

In this blog, I’m going to provide extra details about the PLC infection process and how an operator can determine if their PLC is infected.   

Previous blog entries have covered several different Stuxnet propagation vectors, from autorun.inf tricks to

We first mentioned that W32.Stuxnet targets industrial control systems (ICSs) -- such as those used in pipelines or nuclear power plants -- 2 months ago in our blog here and gave some more technical details

A few months ago, I described the features of W32.Sality in these two blog entries. This well-known virus propagates by infecting Windows executable files.

As we’ve explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems.