W32.Virut


Risk Level 2: Low

April 11, 2007
August 27, 2012 1:56:19 PM
Infection Length:
Systems Affected:
CVE References:
CVE-2005-2127, CVE-2006-3730, CVE-2006-4690, CVE-2006-4777, CVE-2007-0018, CVE-2007-0071, CVE-2008-2463, CVE-2008-4844, CVE-2009-0658
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Removable drives
1.3 Network drives
1.4 Operating system and software patches
1.5 Blocking network addresses
2. Infection method
2.1 Infection of .exe and .scr files
2.2 Infection of .asp, .htm and .php files
3. Functionality
3.1 System modifications
3.2 Network activity
3.3 Additional functionality
4. Additional information

The following actions can be taken to avoid or minimize the risk from this threat.

1.1 User behavior and precautions
Users are advised not to execute files from untrusted sources, such as those downloaded from file-sharing networks. Infected files may be shared without the sharer(s) being aware of their infection. Files that are known to be infected may also be shared by those wishing to increase the levels of infection of the threat, most likely for financial gain. Files such as these may deliberately be given enticing names – often of otherwise expensive or much sought after programs – or names with adult themes.

1.2 Removable drives
The virus copies itself to all fixed and removable drives. Users should disconnect removable drives when not required, and if write access is not needed, enable read-only mode if the option is available. As the virus uses autorun.inf files to execute automatically when drives are accessed, users should ensure that AutoPlay is disabled.

1.3 Network drives
W32.Virut is known to spread through network shares. To reduce the risk of infection, network shares should be opened only when necessary, and file sharing turned off altogether if it is not required. In circumstances where file sharing is essential, permissions should be set to ‘read-only’ where possible. Users should disable AutoPlay even if removable drives are not in use as autorun.inf files operate on network shares in an identical manner.

1.4 Operating system and software patches
ASP, HTML and PHP files that have been infected by capable variants of W32.Virut contain a malicious HTML IFRAME that causes the virus to be downloaded and executed when the pages are viewed on a vulnerable computer. The malicious URL attempts to exploit the following vulnerabilities:

Installation of software updates that address these vulnerabilities will reduce the risk of infection.

Users are also advised to ensure that their operating systems and installed software are fully patched and that antivirus and firewall software is up to date and operational. Users should turn on automatic updates so that their computers can receive the latest patches and updates when they are distributed by software vendors.

1.5 Blocking network addresses
W32.Virut is known to connect to the following network addresses and as such they should be blocked at the firewall or router:
  • core.ircgalaxy.pl (
  • irc.zief.pl
  • proxim.ircgalaxy.pl
  • ru.brans.pl (

Note that some variants attempt to bypass the Windows Firewall.

This threat is known to infect computers by way of a number of methods. Each of these methods is examined in more detail in the following sections.

2.1 Infection of .exe and .scr files
W32.Virut is an entry-point obscuring (EPO) polymorphic file-infecting virus. The virus infects executable files with .exe and .scr extensions by hooking the following NTDLL.DLL API functions:
  • ZwCreateFile
  • ZwDeviceIoControlFile
  • ZwOpenFile
  • ZwCreateProcess
  • ZwCreateProcessEx
  • ZwQueryInformationProcess

The hooks are used to infect files when they are accessed and to inject the virus into all newly created processes. Some variants also disable Windows System File Protection in order to infect system files.

The file infection subroutine checks for the following file extensions before attempting to infect a particular file:
  • .exe
  • .scr

W32.Virut uses an infection marker to prevent multiple infections of the same file. The location of the infection marker varies between variants, however, and for this reason a particular executable may be infected multiple times by different W32.Virut variants.

When infecting executables the virus encrypts itself in a polymorphic fashion, adds itself to the file and then either modifies the entry point of the program (to point to itself), or uses the EPO technique of patching the host executable to redirect execution to its own code.

Executable files that have been infected by W32.Virut may be damaged and therefore may not execute correctly.

2.2 Infection of .asp, .htm and .php files
Variants that are capable of injecting malicious HTML also check for the following extensions when files are accessed:
  • .asp
  • .htm
  • .html
  • .php

The virus injects an IFRAME into files with the above extensions. The IFRAME directs the browser to a malicious URL when the HTML page is viewed either on the compromised computer or after having been served via HTTP.

W32.Virut variants are known to insert the following malicious URLs into .asp, .htm, .html and .php files:
  • [http://]ntkrnlpa.info/r[REMOVED]
  • [http://]www.zief.pl/insta[REMOVED]
  • [http://]www.zief.pl/rc/ld.[REMOVED]
  • [http://]zief.pl/exploit/[EXPLO[REMOVED]
  • [http://]zief.pl/insta[REMOVED]
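A check for the injected IFRAME described above, as an added example that is not part of the original writeup or any Symantec tool. The function and class names are hypothetical; the domains and file extensions are the ones listed in this section, and the sample markup is constructed.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains come from the URL list above; extensions from section 2.2.
BAD_DOMAINS = {"ntkrnlpa.info", "zief.pl"}
WEB_EXTS = (".asp", ".htm", ".html", ".php")

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []  # src value of every <iframe> start tag seen
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "iframe" and src:
            self.sources.append(src)

def flagged_iframes(markup):
    """Return iframe src values whose host is a listed domain or a subdomain."""
    collector = IframeCollector()
    collector.feed(markup)
    hits = []
    for src in collector.sources:
        try:  # scheme-less values such as "zief.pl/x" need "//" to yield a host
            host = urlparse(src if "//" in src else "//" + src).hostname or ""
        except ValueError:  # malformed URL in hostile markup: skip, do not crash
            continue
        if any(host == d or host.endswith("." + d) for d in BAD_DOMAINS):
            hits.append(src)
    return hits

def scan_tree(root):
    """Map each .asp/.htm/.html/.php file under root to its flagged sources."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXTS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    hits = flagged_iframes(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample page; PLACEHOLDER stands in for the removed URL paths.
SAMPLE = ('<p>hello</p><iframe src="http://www.zief.pl/PLACEHOLDER" width=1>'
          '</iframe><iframe src="https://example.org/embed"></iframe>')

if __name__ == "__main__":
    print(flagged_iframes(SAMPLE))
```

Run `scan_tree` over a web root or a restored backup; any hit means the file was modified and the host that wrote it should be treated as infected.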

When accessed, the malicious URLs attempt to exploit one or more of the following vulnerabilities to download and execute W32.Virut and once more begin the infection cycle:

W32.Virut opens a back door that allows a remote attacker to download and execute files on the compromised computer. The back door operates over IRC, and non-standard IRC ports – most notably port 80 – are used to bypass firewalls and evade detection. The virus's communication with the IRC server component is encrypted using a relatively simple custom algorithm.

Being based on IRC, the back door functionality enables the remote attacker to address compromised computers either individually or as a group. This functionality allows an attacker to perform targeted attacks on individuals – for example, stealing specific account passwords or other sensitive information – as well as carry out distributed denial of service attacks or trigger mass downloads of a particular pay-per-install application, thus generating revenue for the virus authors and/or their customers.

3.1 System modifications
The following side effects may be observed on computers compromised by members of the W32.Virut threat family:

Files/folders created

Files/folders deleted

Files/folders modified
The virus infects files with the following extensions:
  • .exe
  • .scr

Some variants of the virus may infect files with the following extensions:
  • .asp
  • .htm
  • .html
  • .php

The virus may add the following entry to the hosts file: ZieF.pl

Registry subkeys/entries created
The virus creates the following registry entry to store the IRC server IP address and port number:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\"UpdateHost" = "[BINARY DATA]"

Certain variants create the following registry entry to bypass the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%SystemDrive%\[PATH TO VIRUS]\[VIRUS FILE NAME]" = "%SystemDrive%\[PATH TO VIRUS]\[VIRUS FILE NAME]:*:enabled:@shell32.dll,-1"

Registry subkeys/entries deleted

Registry subkeys/entries modified

3.2 Network activity
The virus checks for an Internet connection every five seconds until an active connection is found. It then attempts to resolve the domain used for the IRC command and control server using two DNS servers, the addresses of which are hard-coded in the virus. If neither of the two DNS servers can be found, the IRC server address cannot be resolved or connection to the IRC server fails, the virus attempts to connect to an alternative server using a backup 'last resort' IP address and port number pair that it has previously stored in the registry.

Communication with the IRC server is encrypted using a custom stream cipher. A random symmetric encryption key is generated and is used in an XOR operation with each byte, with the key occasionally being deliberately perturbed to reduce the predictability of the ciphertext.

The virus uses a typical IRC-based communications protocol. Upon connection to the server, the virus sends the following mandatory IRC commands:


  • [OS ID] is a six-byte ID to identify the operating system (OS), with two bytes each used to identify the OS platform, major version and minor version. For example, this field would be sent as 020501 by a copy of the virus running on 32-bit (02) Windows (05) XP (01).
  • [%|#] is a one-byte field to indicate the update status of the infection. When the virus first connects to the IRC server, i.e. before a registry host list update has taken place, '%' is used, whereas following any update '#' is used instead.
  • [VOL ID] is the eight-byte volume ID of the system disk of the compromised computer.
  • [VOL ID CRC] is a one-byte (hexadecimal) hash of the volume ID, (byte1 + byte2 + byte3 + byte4) & 0xF.
  • [OS SERVICE PACK] is a string identifying the OS service pack level, for example 'Service Pack 2'.
  • [CHANNEL ID] is the hard-coded name of the IRC channel to join.

An example of the above commands is as follows:

NICK tabrpfpu
USER g020501 . . :%acc55762b Service Pack 2
JOIN #.3159
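Detection logic for this registration sequence, as an added example that is not from the original writeup. The field layout is inferred from the example lines above; the single character before the OS ID ("g" in the example) is not described on this page, so any one character is accepted there as an assumption. Names are hypothetical and the second capture is constructed.

```python
import re

# Layout inferred from the example lines above (assumption, see lead-in).
NICK_RE = re.compile(r"^NICK (?P<nick>\S+)$")
USER_RE = re.compile(
    r"^USER \S(?P<os_id>[0-9A-Fa-f]{6}) \. \. :(?P<status>[%#])"
    r"(?P<vol_id>[0-9A-Fa-f]{8})(?P<vol_crc>[0-9A-Fa-f]) (?P<service_pack>.*)$")
JOIN_RE = re.compile(r"^JOIN (?P<channel>#\S+)$")

def parse_registration(lines):
    """Return the decoded fields if NICK, USER and JOIN appear in that order
    and the USER line has the layout described above; otherwise None."""
    remaining = (line.rstrip("\r\n") for line in lines)
    fields = {}
    for regex in (NICK_RE, USER_RE, JOIN_RE):
        for line in remaining:          # keep consuming until this stage matches
            match = regex.match(line)
            if match:
                fields.update(match.groupdict())
                break
        else:                           # stream ended before this stage matched
            return None
    os_id = fields["os_id"]
    # Two characters each: platform, major version, minor version.
    fields["platform"], fields["major"], fields["minor"] = (
        os_id[0:2], os_id[2:4], os_id[4:6])
    # '%' before any host list update, '#' after one.
    fields["updated"] = fields.pop("status") == "#"
    # vol_crc is kept as sent; it is not recomputed here.
    return fields

# The example from the text, followed by a constructed ordinary IRC client login.
VIRUT_CAPTURE = ["NICK tabrpfpu\r\n",
                 "USER g020501 . . :%acc55762b Service Pack 2\r\n",
                 "JOIN #.3159\r\n"]
BENIGN_CAPTURE = ["NICK alice\r\n", "USER alice 0 * :Alice Example\r\n",
                  "JOIN #chat\r\n"]

if __name__ == "__main__":
    print(parse_registration(VIRUT_CAPTURE))
    print(parse_registration(BENIGN_CAPTURE))
```

Because the back door uses ports such as 80, apply this to reassembled TCP payloads on any port rather than only to traffic already classified as IRC.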

The virus is able to accept two standard IRC commands from the server. The first command is:


Upon reception of a PING message, the virus saves the IP address and port number of the current server to the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\"UpdateHost" = "[BINARY DATA]"

The virus replies to this message with a PONG message.

The second standard IRC command that the virus accepts is:


This message is sent by the server to address one or more compromised computers. Two commands are supported in the [MESSAGE] field. The first command causes the virus to download and execute the file at the specified URL:


The second command will cause the virus to update its internal list of IRC server hostnames, overriding the hard-coded entries:


One special case is an empty host list, which causes the back door to close:



For more information relating to this threat family, please see the following resources:


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Henry Bell and Eric Chien