
W32.Virut

Risk Level 2: Low

Discovered: April 11, 2007
Updated: August 27, 2012 1:56:19 PM
Type: Worm
Infection Length: Varies
Systems Affected: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
CVE References: CVE-2005-2127, CVE-2006-3730, CVE-2006-4690, CVE-2006-4777, CVE-2007-0018, CVE-2007-0071, CVE-2008-2463, CVE-2008-4844, CVE-2009-0658
W32.Virut is a virus that infects executable files. Some variants also infect ASP, HTML and PHP files. The virus has worm-like behavior and spreads by copying itself to fixed, removable and network drives. It also opens a back door on the compromised computer.

Infection
W32.Virut is an entry-point obscuring (EPO) polymorphic file-infecting virus. It infects executable files with .exe and .scr extensions by hooking system APIs, so any such file may be infected at the moment it is accessed. Executable files infected by W32.Virut may be damaged and therefore may not execute correctly.

Certain variants of W32.Virut can also infect ASP, HTML and PHP files. The virus inserts a malicious HTML IFRAME tag into these files, so that a copy of the virus is downloaded and executed when the pages are displayed in a vulnerable Web browser.

W32.Virut also has worm-like characteristics in that it attempts to spread by copying itself to fixed, removable and network drives. The virus also copies an autorun.inf file that causes the virus to be executed whenever the drives are accessed on computers that have AutoPlay enabled.

The virus may also spread when infected files are distributed via file-sharing networks.
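As an added defender-side example (not part of the Symantec writeup), the scanner below looks for the two file-system traces the Infection section describes: an IFRAME tag injected into ASP, HTML or PHP files, and an autorun.inf at a drive root that launches an executable. The sample page, the host dl.example.invalid and the file name setup.exe are constructed for the example and are not real W32.Virut indicators.

```python
import re
from pathlib import Path

# Constructed sample content (not real W32.Virut artifacts): a page with a
# zero-sized IFRAME appended after </html>, and an autorun.inf that launches
# an executable from the drive root when AutoPlay is enabled.
INJECTED_HTML = (
    "<html><body><h1>Welcome</h1></body></html>\n"
    '<iframe src="http://dl.example.invalid/load.php" width="0" height="0"></iframe>\n'
)
AUTORUN_INF = "[autorun]\nopen=setup.exe\nshellexecute=setup.exe\nicon=drive.ico\n"

WEB_EXTENSIONS = {".asp", ".htm", ".html", ".php"}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ZERO_DIM_RE = re.compile(r"""\b(?:width|height)\s*=\s*["']?0(?:px)?["']?(?=[\s>/])""", re.I)
AUTORUN_EXEC_RE = re.compile(r"^\s*(?:open|shellexecute)\s*=\s*(.+\.(?:exe|scr))\s*$", re.I | re.M)

def suspicious_iframes(html: str) -> list[str]:
    """Return IFRAME tags that are zero-sized or sit after </html>; an injected
    frame usually has one of these traits, a legitimate embed rarely does."""
    end = html.lower().rfind("</html>")
    hits = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        if (end != -1 and m.start() > end) or ZERO_DIM_RE.search(tag):
            hits.append(tag)
    return hits

def autorun_launch_targets(inf_text: str) -> list[str]:
    """Return executables an autorun.inf would launch via open= or shellexecute=."""
    return [m.group(1).strip() for m in AUTORUN_EXEC_RE.finditer(inf_text)]

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a web root or drive root; map relative path -> findings for that file."""
    findings = {}
    for path in (p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() in WEB_EXTENSIONS:
            hits = suspicious_iframes(path.read_text(errors="replace"))
        elif path.name.lower() == "autorun.inf":
            hits = autorun_launch_targets(path.read_text(errors="replace"))
        else:
            continue
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings

if __name__ == "__main__":
    print(suspicious_iframes(INJECTED_HTML))
    print(autorun_launch_targets(AUTORUN_INF))
```

Run scan_tree against a web root or the root of a removable drive to get a per-file list of findings; any hit is a cue to check the file against a known-good copy rather than proof of infection.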

Functionality
W32.Virut opens a back door that allows a remote attacker to perform operations on the compromised computer. The back door operates by way of Internet Relay Chat (IRC) with communication encrypted both ways. The back door allows the remote attacker to address compromised computers individually or as a group.

The back door functionality allows additional files to be downloaded and executed on the compromised computer, which makes the threat highly flexible and extensible; files observed to be downloaded include misleading applications and copies of other malware. It is likely that W32.Virut was written to provide a channel for the mass installation of pay-per-install software, with the author(s) profiting through affiliate programs.

GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.

PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.


SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.

Antivirus signatures


Antivirus (heuristic/generic)

Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version April 12, 2007
  • Latest Rapid Release version February 19, 2013 revision 016
  • Initial Daily Certified version April 12, 2007
  • Latest Daily Certified version March 2, 2011 revision 039
  • Initial Weekly Certified release date April 18, 2007

Threat Assessment

Wild

  • Wild Level: High
  • Number of Infections: 50 - 999
  • Number of Sites: 10+
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Medium
  • Payload: Opens a back door and downloads files
  • Modifies Files: Modifies the hosts file
  • Causes System Instability: Windows system executables may be damaged by infection
  • Compromises Security Settings: Bypasses the Windows firewall

Distribution

  • Distribution Level: Medium
  • Shared Drives: Copies itself to fixed, removable and network drives
  • Target of Infection: Executables with .exe and .scr extensions, and ASP, HTML and PHP files
Writeup By: Henry Bell and Eric Chien