Click Here to Install Silverlight*
United StatesChange|All Microsoft Sites
Microsoft
Security 

Malicious Software Encyclopedia: Win32/Virut

Published: February 17, 2009

Win32/Virut is a family of file infecting viruses that target and infect .EXE and .SCR files accessed on infected systems. Win32/Virut also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and run files on the infected computer.

**

Related Links

Removal Tools - Microsoft

Glossary Terms

Click the term to get the definition from our Security Glossary.

Trojan horse

virus

worm

**
On This Page
Threat OverviewThreat Overview
Aliases (Also Known As)Aliases (Also Known As)
Technical AnalysisTechnical Analysis
How to Prevent InfectionHow to Prevent Infection
How to Tell If Your Computer Is InfectedHow to Tell If Your Computer Is Infected
How to Recover from InfectionHow to Recover from Infection

Threat Overview

Class/typeVirus - File
DiscoveredSeptember 29, 2006
CirculatingYes
Affected operating systems
Affected software Not specified
Infection ratingLow
Recovery difficultyEasy
Damage ratingLow
Transmission ratingLow

Aliases (Also Known As)

Different antivirus vendors may be using different names to refer to this malicious software. Here are some of the names currently in use by antivirus software vendors participating in the Microsoft Virus Information Alliance (VIA):

  • CA: Win32/Virut
  • Kaspersky: Virus.Win32.Virut
  • McAfee: W32/Virut
  • Norman: W32/Virut
  • Sophos: W32/Virut
  • Symantec: W32.Virut

    • Learn more about the Microsoft Virus Information Alliance.

    Technical Analysis

    Win32/Virut is a family of file infecting viruses that target and infect .EXE and .SCR files accessed on infected systems. Win32/Virut also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and run files on the infected computer.
     
    Installation
    Win32/Virut creates a mutex named VT_3 which it uses to prevent multiple copies of itself from running on the host system. Win32/Virut disables Windows System File Protection (SFP) by injecting code into WINLOGON.EXE. The injected code patches sfc_os.dll in memory which in turn allows the virus to infect files protected by SFP.
     
    Win32/Virut injects code into other processes and this code will infect files with extensions .EXE and .SCR accessed by those processes. Win32/Virut avoids infecting files whose names contain any of the following:
    • WINC
    • WCUN
    • WC32
    • PSTO
     
    Win32/Virut opens a connection with Internet Relay Channel (IRC) servers as follows:
    Server: proxima.ircgalaxy.pl
    Port: 65520
    Channel: &virtu

    This IRC connection allows a remote attacker to control the infected machine and force it to download and execute potentially unwanted software or malware.

    How to Prevent Infection

    Take the following steps to help prevent infection on your system:
    • Enable a firewall on your computer.
    • Get the latest computer updates for all your installed software.
    • Use up-to-date antivirus software.
    • Use caution when opening attachments and accepting file transfers.
    • Use caution when clicking on links to web pages.
    • Avoid downloading pirated software.
    • Protect yourself against social engineering attacks.
    Enable a firewall on your computer
    Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.
    To turn on the Windows Firewall in Windows Vista
    1. Click Start, and click Control Panel.
    2. Click Security.
    3. Click Turn Windows Firewall on or off.
    4. Select On.
    5. Click OK.
    To turn on the Internet Connection Firewall in Windows XP
    1. Click Start, and click Control Panel.
    2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
    3. Click Change Windows Firewall Settings.
    4. Select On.
    5. Click OK.
    Get the latest computer updates
    Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites.
     
    You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
    To turn on Automatic Updates in Windows Vista
    1. Click Start, and click Control Panel
    2. Click System and Maintainance.
    3. Click Windows Updates.
    4. Select a setting. Microsoft recommends selecting Install updates automatically and choose a time that is convenient for you. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
    To turn on Automatic Updates in Windows XP
    1. Click Start, and click Control Panel
    2. Click System.
    3. Click Automatic Updates.
    4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
    Use up-to-date antivirus software
    Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
    Use caution when opening attachments and accepting file transfers
    Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources.  Use extreme caution when accepting file transfers from known or unknown sources.
    Use caution when clicking on links to web pages
    Exercise caution with links to web pages that you receive from unknown sources, especially if the links are to a web page that you are not familiar with or are suspicious of. Malicious software may be installed in your system simply by visiting a web page with harmful content.
    Avoid downloading pirated software
    Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information. please see our article 'The risks of obtaining and using pirated software'.
    Protect yourself from social engineering attacks
    While attackers may attempt to exploit vulnerabilities in hardware or software in order to compromise a system, they also attempt to exploit vulnerabilities in human behavior in order to do the same. When an attacker attempts to take advantage of human behavior in order to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted system. For more information, please see our article 'What is social engineering?'. 

    How to Tell If Your Computer Is Infected

    The following symptoms may be indicative of a Virus:Win32/Virut infection:
    • Network traffic on TCP port 65520 with connection to IRC server proxima.ircgalaxy.pl, on channel &virtu
    • Increase in file size of infected files
    • Infected files fail during execution and have a recent modified date property

    How to Recover from Infection

    Automatic Recovery
    To attempt to automatically remove this threat, run one of the following removal tools:

    Manual Recovery

    To detect this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (http://safety.live.com). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
     
    Note: The method of infection used by Win32/Virut can damage some infected files beyond repair. In these cases, in order to return a machine to its pre-infected state, it may be necessary to install a clean backup of the operating system and associated applications. 
     
    Recovering from recurring infections on a network
    The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
     
    1. Ensure that an antivirus product is installed on ALL machines connected to the network that can access or host shares  (see above for further detail).
    2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
    3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: [url]http://technet.microsoft.com/en-us/library/bb456977.aspx.
    4. Remove any unnecessary network shares or mapped drives.
     
    Note: Additionally it may be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.

    © 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement