Microsoft security software detects and removes this threat.

This virus family can give a malicious hacker access to your PC by opening a backdoor connection to an IRC server.

Find out ways that malware can get on your PC.  

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior


Win32/Virut creates a mutex named VT_3, which it uses to prevent multiple copies of itself from running on your PC. Win32/Virut disables Windows System File Protection (SFP) by injecting code into "WINLOGON.EXE". The injected code patches "sfc_os.dll" in memory, which in turn allows the virus to infect files protected by SFP.

Win32/Virut injects code into other processes and this code will infect files with extensions .EXE and .SCR accessed by those processes. Win32/Virut avoids infecting files whose names contain any of the following:

  • WINC
  • WCUN
  • WC32
  • PSTO

This IRC connection allows a hacker to access and control your PC, and to download and run other files on it.


Alerts from your security software may be the only symptom.


Alert level: Severe
This entry was first published on: Jul 30, 2007
This entry was updated on: Sep 16, 2014

This threat is also detected as:
  • Win32/Virut (CA)
  • Virus.Win32.Virut (Kaspersky)
  • W32/Virut (Norman)
  • W32/Virut (Sophos)
  • W32/Virut (McAfee)
  • W32.Virut (Symantec)