Threat behavior
Virus:Win32/Virut.BB is a polymorphic virus that infects files with the EXE or SCR file extension. It may open a backdoor connection, allowing a remote attacker to download and run files on the infected computer.
Spreads Via...
File infection
Win32/Virut.BB disables Windows System File Protection (SFP) by injecting code into 'winlogon.exe'. The injected code modifies 'sfc_os.dll' in memory, which in turn allows the virus to infect files protected by SFP.
Virus:Win32/Virut.BB is an appending virus that writes its code in the last sections of EXE and SCR files. Unlike some variants of Virut, which hide the virus entry point, Win32/Virut.BB modifies the entry point of the file to point to the virus code. The virus body is polymorphic and XOR-encrypted using a word key that changes at every iteration of its decryption loop.
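As an added example that is not part of the original analysis, the following Python parses the PE headers of a file and flags the infection pattern described above: an entry point that resolves into the last section of the image. It also reports whether that section is marked both writable and executable, which in-place XOR decryption commonly needs; that second check is a general heuristic, not something the analysis states about this variant. The minimal PE builder and its section values are constructed for the demonstration.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_sections(data):
    """Return (entry_rva, [(name, virtual_addr, virtual_size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]    # SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]  # AddressOfEntryPoint
    sec_off = pe_off + 24 + opt_size                              # start of section table
    sections = []
    for i in range(nsec):
        name, vsize, va, _rsize, _rptr, _rel, _lin, _nrel, _nlin, chars = \
            struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
    return entry_rva, sections

def appending_infector_indicators(data):
    """Locate the entry point's section and report appending-infector heuristics."""
    entry_rva, sections = parse_sections(data)
    hit = next((i for i, (_n, va, vs, _c) in enumerate(sections) if va <= entry_rva < va + vs), None)
    if hit is None:
        return {"entry_outside_sections": True}
    name, _va, _vs, chars = sections[hit]
    return {
        "entry_outside_sections": False,
        "entry_section": name,
        "entry_in_last_section": hit == len(sections) - 1,
        "section_is_writable_and_executable":
            bool(chars & IMAGE_SCN_MEM_WRITE) and bool(chars & IMAGE_SCN_MEM_EXECUTE),
    }

def build_pe(entry_rva, sections):
    """Constructed minimal PE32 (headers and section table only) for testing the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew -> right after stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
```

A hit on both indicators is a triage signal for closer inspection, not a verdict; packers and legitimate self-modifying loaders produce the same layout.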
Payload
Modifies script files
Virus:Win32/Virut.BB modifies script files with the following extensions:
It modifies these script files to add an IFrame tag pointing to the website 'NtKrnlpa.info'. These infected script files are detected as Exploit:HTML/IframeRef.gen.
Allows backdoor access and control
Virus:Win32/Virut.BB connects to the IRC channel 'virtu3' to get commands from a remote attacker, such as the following:
If the 'PRIV' command is selected, this virus may download and execute additional malware on the infected system in combination with the following command:
!get http://<URL that hosts malware to download>
Analysis by Francis Allan Tan Seng
Prevention