Alert level

Virus:Win32/Virut.BM


Encyclopedia entry
Updated: Aug 07, 2009  |  Published: Feb 06, 2009

Aliases
  • Virus:Win32/Sqraw.gen!A (Microsoft)
  • Win32/Virut.NBK (ESET)
  • W32/Scribble-A (Sophos)

Alert Level (?)
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.51.360.0
Released: Feb 06, 2009 		Detection initially created:
Definition: 1.51.303.0
Released: Feb 05, 2009

Summary

Virus:Win32/Virut.BM is a polymorphic file infector that targets .EXE and .SCR files. This virus also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and execute arbitrary files on the infected computer.

Top

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed Antivirus software may be the only symptom(s).

Top

Technical Information (Analysis)

Virus:Win32/Virut.BM is a polymorphic file infector that targets .EXE and .SCR files. This virus also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and execute arbitrary files on the infected computer. It uses advanced techniques to hide infection.
Spreads Via…
Executable File Infection
Win32/Virut.BM disables Windows System File Protection (SFP) by injecting code into WINLOGON.EXE. The injected code patches sfc_os.dll in memory which in turn allows the virus to infect files protected by SFP.
 
The virus infects .EXE and .SCR files on access, hence actions such as copying or viewing files with Explorer, including on shares (with write access) will result in files being infected, and the virus spreading from machine to machine.
 
The virus injects its own code into a system process such as explorer.exe or winlogon.exe, and hooks low-level (NTDLL layer) Windows API calls  in order to stay in memory. It hooks the following functions in each running process (NTDLL.DLL):
 
NtCreateFile
NtOpenFile
NtCreateProcess
NtCreateProcessEx
 
Thus, every time an infected process calls one of these functions, execution control is passed to the virus.
 
HTML File Infection
It writes code to HTML files that adds a hidden IFrame pointing to the domain 'zief.pl'. When the HTML file is opened, the browser connects to this server without the user's knowledge. The HTML page hosted at this location attempts to exploit a number of different vulnerabilities (including those affecting the user's browser and other applications) in order to run a copy of the virus. These modified HTML files are detected as Virus:HTML/Virut.BH.
 
The virus also modifies the local machine's hosts file, redirecting the domain 'zief.pl' to localhost (127.0.0.1) so that already-infected machines will not run the remotely-hosted copy of the virus. 
Payload
Backdoor Functionality
Virut.BM connects to Internet Relay Channel (IRC) server 'irc.zief.pl' via port 80 using a particular channel. Should this fail, it instead attempts to connect to 'proxim.ircgalaxy.pl' also using port 80.
 
It contains functionality to download and execute arbitrary files on the affected system. This may include additional malware. The backdoor can also be used to change the host that it connects to for control.
Additional Information
Virut.BM creates the event 'Vx_5' to prevent multiple copies of itself from running simultaneously on the affected system. A minor variant may create another mutex "l0r5".
 
Analysis by Hamish O'Dea and Chun Feng

Top

Prevention

Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software.
  • Use up-to-date antivirus software.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to web pages.
  • Avoid downloading pirated software.
  • Protect yourself against social engineering attacks.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.
To turn on the Windows Firewall in Windows Vista
  1. Click Start, and click Control Panel.
  2. Click Security.
  3. Click Turn Windows Firewall on or off.
  4. Select On.
  5. Click OK.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Click Change Windows Firewall Settings.
  4. Select On.
  5. Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites.
 
You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows Vista
  1. Click Start, and click Control Panel
  2. Click System and Maintainance.
  3. Click Windows Updates.
  4. Select a setting. Microsoft recommends selecting Install updates automatically and choose a time that is convenient for you. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
To turn on Automatic Updates in Windows XP
  1. Click Start, and click Control Panel
  2. Click System.
  3. Click Automatic Updates.
  4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution when opening attachments and accepting file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources.  Use extreme caution when accepting file transfers from known or unknown sources.
Use caution when clicking on links to web pages
Exercise caution with links to web pages that you receive from unknown sources, especially if the links are to a web page that you are not familiar with or are suspicious of. Malicious software may be installed in your system simply by visiting a web page with harmful content.
Avoid downloading pirated software
Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information. please see our article 'The risks of obtaining and using pirated software'.
Protect yourself from social engineering attacks
While attackers may attempt to exploit vulnerabilities in hardware or software in order to compromise a system, they also attempt to exploit vulnerabilities in human behavior in order to do the same. When an attacker attempts to take advantage of human behavior in order to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted system. For more information, please see our article 'What is social engineering?'. 

Top

Recovery

To detect this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (http://safety.live.com). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
 
Note: The method of infection used by Win32/Virut can damage some infected files beyond repair. In these cases, in order to return a machine to its pre-infected state, it may be necessary to install a clean backup of the operating system and associated applications. 
 
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
 
  1. Ensure that an antivirus product is installed on ALL machines connected to the network that can access or host shares  (see above for further detail).
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: [url]http://technet.microsoft.com/en-us/library/bb456977.aspx.
  4. Remove any unnecessary network shares or mapped drives.
 
Note: Additionally it may be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.

Top