W32.Virut (Symantec Security Response)


Risk Level 2: Low

April 11, 2007
August 27, 2012 1:56:19 PM
Infection Length:
Systems Affected:
CVE References:
CVE-2005-2127, CVE-2006-3730, CVE-2006-4690, CVE-2006-4777, CVE-2007-0018, CVE-2007-0071, CVE-2008-2463, CVE-2008-4844, CVE-2009-0658
W32.Virut is a virus that infects executable files. Some variants also infect ASP, HTML and PHP files. The virus has worm-like behavior and spreads by copying itself to fixed, removable and network drives. It also opens a back door on the compromised computer.

W32.Virut is an entry-point obscuring (EPO) polymorphic file-infecting virus. It hooks file-access system APIs, so any executable with an .exe or .scr extension may be infected whenever a process opens it, not only when the file is run. Files infected by W32.Virut may be corrupted in the process and may no longer execute correctly.

Certain variants of W32.Virut can also infect ASP, HTML and PHP files. The virus inserts a malicious HTML IFRAME tag into each file, so that a copy of the virus is downloaded and executed when the page is rendered in a vulnerable Web browser; the CVE references listed at the top of this writeup are client-side vulnerabilities of this kind.
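A triage scanner for the web-file infection described above, added here as an example and not part of Symantec's writeup or tooling. It parses a page, collects every IFRAME, and flags frames whose src points off-site or that are sized or styled to be invisible, the two properties an injected drive-by frame almost always has. The hostnames, sample pages and the "one pixel or smaller" threshold are constructed for illustration.

```python
"""Triage scanner for HTML/ASP/PHP files carrying an injected IFRAME.

Added example for this writeup, not Symantec's own code. Sample pages
and hostnames below are constructed placeholders, not real indicators.
"""
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

WEB_EXTENSIONS = {".html", ".htm", ".asp", ".php"}


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the frame is sized or styled so the user never sees it."""
    def tiny(value):
        m = re.match(r"\s*(\d+)", value)
        return m is not None and int(m.group(1)) <= 1  # assumed threshold
    if tiny(attrs.get("width", "")) or tiny(attrs.get("height", "")):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html_text, own_hosts):
    """Return (src, reasons) for each iframe that looks injected.

    own_hosts: hostnames the site legitimately frames; any other host
    is reported as off-site.
    """
    parser = IframeCollector()
    parser.feed(html_text)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname
        if host and host.lower() not in own_hosts:
            reasons.append("off-site src")
        if _is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((src, reasons))
    return findings


def scan_tree(root, own_hosts):
    """Walk a web root and map each file to its suspicious iframes."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            hits = find_suspicious_iframes(path.read_text(errors="replace"), own_hosts)
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample pages; hostnames are placeholders, not real IOCs.
CLEAN_PAGE = ('<html><body><iframe src="https://www.example.com/widget" '
              'width="300" height="200"></iframe></body></html>')
INFECTED_PAGE = ('<html><body><p>hello</p>'
                 '<iframe src="http://payload.invalid/x" width="1" height="1" '
                 'style="display: none"></iframe></body></html>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, find_suspicious_iframes(page, {"www.example.com"}))
```

Run it against a web root with `scan_tree("/var/www", {"www.example.com"})`; a frame that is both off-site and hidden is the strongest signal, while a visible off-site frame is often a legitimate embed and needs a human look.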

W32.Virut also has worm-like characteristics: it attempts to spread by copying itself to fixed, removable and network drives, and writes an autorun.inf file to each drive so that the copy is executed whenever the drive is opened on a computer with AutoPlay enabled.
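A helper for the autorun.inf spreading mechanism above, added as an example and not taken from the writeup. It parses the [autorun] section of an autorun.inf file and reports every directive that would launch a program when the drive is opened, which is what an incident responder checks on a suspect removable or network drive. The parser is written by hand because infected autorun.inf files commonly carry junk lines, repeated keys and mixed case; the sample file and the file name in it are constructed.

```python
"""Report autorun.inf directives that execute a program on drive open.

Added example for this writeup, not Symantec's code. SAMPLE_AUTORUN is a
constructed file; "sample.exe" is a placeholder, not a real indicator.
"""
import re
from pathlib import Path

# [autorun] keys that cause code to run. "shell\<verb>\command" is the
# form Explorer executes for the verb (open, explore, ...) it shows in the
# drive's context menu, so it is abused even when AutoPlay itself is off.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Return the [autorun] section as lower-cased (key, value) pairs."""
    pairs = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def launch_directives(text):
    """Return the (key, value) pairs that would execute a program."""
    return [(k, v) for k, v in parse_autorun(text)
            if k in LAUNCH_KEYS or SHELL_COMMAND.match(k)]


def references_executable(command):
    """True if the command line names a file with an executable extension."""
    tokens = command.replace('"', " ").lower().split()
    return any(tok.endswith(EXEC_EXTENSIONS) for tok in tokens)


def assess_drive(root):
    """Check <root>/autorun.inf and return its launch directives (if any)."""
    path = Path(root) / "autorun.inf"
    if not path.is_file():
        return []
    return launch_directives(path.read_text(errors="replace"))


# Constructed sample: an open= directive plus two shell verbs all pointing
# at the same dropped executable, with a decoy icon and action label.
SAMPLE_AUTORUN = """[autorun]
;junk line of the kind a real sample carries
OPEN=sample.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\Command=sample.exe
shell\\explore\\command=sample.exe
action=Open folder to view files
"""

if __name__ == "__main__":
    for key, value in launch_directives(SAMPLE_AUTORUN):
        print(f"{key} -> {value}  executable={references_executable(value)}")
```

Point `assess_drive("E:\\")` (or a mounted network share) at the drive you are triaging; any non-empty result on removable media should be treated as a dropped worm until the referenced file has been examined. Disabling AutoPlay by policy blocks the AutoPlay path, but the shell\...\command verbs still fire when a user double-clicks the drive, which is why both are reported.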

The virus may also spread when infected files are distributed via file-sharing networks.

W32.Virut opens a back door that allows a remote attacker to perform operations on the compromised computer. The back door is controlled over Internet Relay Chat (IRC), with traffic encrypted in both directions, and lets the attacker address compromised computers individually or as a group.

The back door can download and execute additional files on the compromised computer, so the threat's capabilities are limited only by what the attacker chooses to deliver; files observed being downloaded include misleading applications and copies of other malware. It is likely that W32.Virut was written to provide a channel for the mass installation of pay-per-install software, with the author(s) profiting through affiliate programs.

Symantec has observed the geographic distribution and worldwide infection levels of this threat (figures not reproduced here).

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version April 12, 2007
  • Latest Rapid Release version August 8, 2016 revision 023
  • Initial Daily Certified version April 12, 2007
  • Latest Daily Certified version August 9, 2016 revision 001
  • Initial Weekly Certified release date April 18, 2007
Writeup By: Henry Bell and Eric Chien
