W32.Virut is a virus that infects executable files. Some variants also infect ASP, HTML and PHP files. The virus has worm-like behavior and spreads by copying itself to fixed, removable and network drives. It also opens a back door on the compromised computer.
W32.Virut is an entry-point obscuring (EPO) polymorphic file-infecting virus. The virus infects executable files with .exe and .scr extensions by hooking system APIs, so any such file may be infected at the moment it is accessed. Executable files that have been infected by W32.Virut may be damaged and therefore may not execute correctly.
Certain variants of W32.Virut are in addition capable of infecting ASP, HTML and PHP files. The virus inserts a malicious HTML IFRAME tag into the files, which causes a copy of the virus to be downloaded and executed when the pages are displayed in a vulnerable Web browser.
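As an added detection example (not code from the Symantec writeup), the following Python heuristic scans a web file for an IFRAME tag that is hidden or appended after the page's closing tags, the kind of injected tag described above. The sample pages, the placeholder URL and the heuristic rules are constructed assumptions, not W32.Virut indicators.

```python
import re
from typing import Dict, List

# Opening <iframe ...> tag, case-insensitive, attributes in any order.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
# name=value pairs; value may be double-quoted, single-quoted or bare.
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)""")

def parse_attrs(tag: str) -> Dict[str, str]:
    """Return a tag's attributes as a lowercase-key dict with quotes stripped."""
    return {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(tag)}

def is_hidden(attrs: Dict[str, str]) -> bool:
    """Heuristic (assumption): zero/one-pixel frames or CSS-hidden frames."""
    for key in ("width", "height"):
        val = attrs.get(key, "").strip().rstrip("px").strip()
        if val.isdigit() and int(val) <= 1:
            return True
    style = attrs.get("style", "").lower().replace(" ", "")
    return "display:none" in style or "visibility:hidden" in style

def scan_web_file(text: str) -> List[Dict[str, object]]:
    """Flag iframes that are hidden or placed after the last </html> tag."""
    findings = []
    html_end = text.lower().rfind("</html>")
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(0))
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden-dimensions")
        if html_end != -1 and m.start() > html_end:
            reasons.append("after-closing-html")
        if reasons:
            findings.append({"offset": m.start(), "src": attrs.get("src", ""),
                             "reasons": reasons})
    return findings

# Constructed sample: a legitimate page with a visible embedded frame.
CLEAN_PAGE = ('<html><body><h1>Site</h1>'
              '<iframe src="https://video.example/embed/1" width="640" height="360">'
              '</iframe></body></html>\n')
# Constructed sample: the same page with a zero-size frame appended after </html>.
# The URL is a placeholder, not an indicator from the writeup.
INFECTED_PAGE = CLEAN_PAGE + ('<iframe src="http://malicious.example/placeholder" '
                              'width=0 height=0></iframe>\n')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_web_file(page))
```

Run it over each .html, .asp and .php file under a web root and review every finding by hand, since a legitimately hidden frame will also trip the heuristic.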
W32.Virut also has worm-like characteristics in that it attempts to spread by copying itself to fixed, removable and network drives. The virus also copies an autorun.inf file that causes the virus to be executed whenever the drives are accessed on computers that have AutoPlay enabled.
The virus may also spread when infected files are distributed via file-sharing networks.
W32.Virut opens a back door that allows a remote attacker to perform operations on the compromised computer. The back door operates by way of Internet Relay Chat (IRC) with communication encrypted both ways. The back door allows the remote attacker to address compromised computers individually or as a group.
The back door functionality allows additional files to be downloaded and executed on the compromised computer, which means that the threat is infinitely flexible and extensible; files that have been observed to be downloaded include misleading applications and copies of other malware. It is likely that W32.Virut has been written to provide a channel for the mass installation of pay-per-install software, with the author(s) profiting by way of affiliate programs.
Symantec has observed the following geographic distribution of this threat.
Symantec has observed the following infection levels of this threat worldwide.
SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.
Intrusion Prevention System