Virus.Win32.Virut.ce

by alexander.adamov on April 27th, 2012 in Malware Descriptions.

Detect: Virus.Win32.Virut.ce
Platform: Win32
Type:  Virus
Size: The virus is polymorphic, which accounts for the varying size.

Summary

It is a malicious program that infects executable files.

Technical Details

Spread

The virus injects its code into the address space of every process running on the system. The injected code installs hooks (interceptors) on the following functions of the ntdll.dll library:

NtCreateFile

NtCreateProcess

NtCreateProcessEx

NtOpenFile

NtQueryInformationProcess

The virus uses these hooks to monitor file and process activity. Whenever a process is started and/or an executable file is opened, the virus infects that file.

The virus infects Windows PE-EXE files with the following extensions:

*.EXE

*.SCR

The virus does not infect files containing the following strings in the name:

WINC

WCUN

WC32

PSTO

During infection, the virus expands the last PE-section of the file being infected and writes its polymorphic body there. It then redirects the program entry point to its body.
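The infection pattern described above (body appended to the last section, entry point redirected into it) can be triaged with a header check. The following is an added example written for this description, not code from the virus or from any vendor; it uses only the standard library, and the two-section PE images it builds are constructed test data, not real samples.

```python
import struct

# Triage heuristic for the infection pattern described above: the entry point
# redirected into the (expanded) last PE section. Own stdlib-only code.

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, va, vsize, rawsize, flags), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                      # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize = struct.unpack_from("<III", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, va, vsize, rawsize, flags))
    return entry_rva, sections


def check_entry_point(data):
    """Return (entry point lies in last section, last section is executable)."""
    entry_rva, sections = parse_pe(data)
    _, va, vsize, rawsize, flags = sections[-1]
    in_last = va <= entry_rva < va + max(vsize, rawsize)
    return in_last, bool(flags & IMAGE_SCN_MEM_EXECUTE)


def build_sample_pe(entry_rva):
    """Constructed minimal PE32 header set: a .text section, then an executable .rsrc."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 96, 0x102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    sec = "<IIIIIIHHI"                                     # VSize, VA, RawSize, RawPtr, ..., Flags
    text = b".text\0\0\0" + struct.pack(sec, 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    rsrc = b".rsrc\0\0\0" + struct.pack(sec, 0x4000, 0x3000, 0x4000, 0x600, 0, 0, 0, 0, 0xE0000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + rsrc
```

An entry point inside a non-code last section is only a triage signal (packers produce it too), so treat a hit as a reason to scan the file, not as a verdict.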

In addition, the virus starts scanning all logical drives for files with the following extensions:

*.HTM

*.HTML

*.ASP

*.PHP

and adds to them the following string:

<iframe src="<url, from which an updated antivirus version is downloaded >/" width=1 height=1 style="border:0"></iframe>

Payload

When activated, the virus adds the executable file of the process it is running in to the list of trusted Windows Firewall applications by creating the following registry value:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"<path_to_the_infected_file>"="<path_to_the_infected_file>*:enabled:@shell32.dll,-1"

To disable Windows File Protection, the virus calls an undocumented function of the "sfc_os.dll" library.

The virus tries to connect to the following attacker-controlled IRC servers:

ilo.brenz.pl

ant.trenz.pl

If it succeeds, it sends the following commands to the server:

NICK kzuksqii

USER o

JOIN #.<rnd1>, where rnd1 is a random number

The virus then waits for commands from the IRC server.

The virus supports the following commands:

!get

Downloads malicious files, stores them in the current user's temporary folder and launches them.

!hosukf

Opens, on the infected PC, a URL specified by the attacker.

The virus also attempts to connect to one of the attacker's servers, whose domain name is generated by a special algorithm.


These servers were not operational at the time this description was written.

The virus sets the following registry value:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

"ProxyEnable" = "0"

In addition, the virus blocks access to websites whose domain name contains any of the following strings:

eset

avg

microsoft

windowsupdate

wilderssecurity

threatexpert

castlecops

spamhaus

cpsecure

arcabit

emsisoft

sunbelt

securecomputing

rising

prevx

pctools

norman

k7computing

ikarus

hauri

hacksoft

gdata

fortinet

ewido

clamav

comodo

quickheal

avira

avast

esafe

ahnlab

centralcommand

drweb

grisoft

nod32

f-prot

jotti

kaspersky

f-secure

computerassociates

networkassociates

etrust

panda

sophos

trendmicro

mcafee

norton

symantec

defender

rootkit

malware

spyware

virus

Removal Recommendations

  1. Run a full scan of your computer using an antivirus program with an up-to-date definition database (Download Ad-Aware Free).