Virus:Win32/Virut.BF is a polymorphic, memory-resident file-infecting virus that infects .EXE and .SCR files. Win32/Virut.BF also opens a backdoor on the infected system by connecting to an IRC server, through which a remote attacker can send it commands.
Installation
Virus:Win32/Virut.BF injects its code into system processes and hooks the following low-level Windows kernel APIs to gain control:
- NtCreateFile
- NtOpenFile
- NtCreateProcess
- NtCreateProcessEx
Every time the infected system calls any of these APIs, execution control passes to the virus first. Virus:Win32/Virut.BF also creates the event 'VevTT' to ensure that only one instance of the virus runs at any time.
Spreads Via...
File infection
Virus:Win32/Virut.BF infects .EXE and .SCR files when they are opened, created, or executed, including files accessed remotely via network shares to which the infected system has write access. It appends its code to the end of the host program.
It does not infect files with file names that begin with any of the following strings:
Payload
Modifies Internet files
Virus:Win32/Virut.BF modifies .HTM, .PHP, and .ASP files, which are typically Web page files, to insert an IFrame that accesses the Web site 'Zief.pl'.
Allows backdoor access and control
Virus:Win32/Virut.BF connects to the Internet Relay Chat (IRC) server 'irc.zief.pl' via port 80. It may then receive commands from a remote attacker, such as downloading and executing arbitrary files. It may protect this server by modifying the HOSTS file of the infected system.
Modifies firewall policy
Virus:Win32/Virut.BF adds infected system processes, such as 'winlogon.exe', to the Windows Firewall authorized application list so that they can bypass the firewall when accessing the network:
Adds value: "<infected process>"
With data: "<infected process>:*:enabled:@shell32.dll,-1"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
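As an added example (not part of the original description), the following Python audits entries of that List subkey for the shape described above: a core OS process such as winlogon.exe granted an enabled firewall exception. The value format "<path>:<scope>:<state>:<display name>" follows the data shown above; the sample entries and the list of core processes beyond winlogon.exe are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Registry location named in the Virut.BF description (the pre-Vista Windows Firewall
# exception list). Each value holds "<path>:<scope>:<state>:<display name>".
AUTHORIZED_APPS_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                       r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
# The path contains ':' (drive letter), so anchor on the state keyword, not the first colon.
_ENTRY_RE = re.compile(r"^(?P<path>.+):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$",
                       re.IGNORECASE)
# Core OS processes that never need a firewall exception. winlogon.exe is the one the
# description names; the rest are an assumed extension of the same idea.
CORE_PROCESSES = {"winlogon.exe", "services.exe", "lsass.exe", "csrss.exe", "smss.exe", "svchost.exe"}

def parse_entry(data: str) -> Optional[Dict[str, str]]:
    """Split one List value into its four fields, or return None if it is malformed."""
    m = _ENTRY_RE.match(data)
    return m.groupdict() if m else None

def audit_list(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value name, reason) for each exception that looks like tampering."""
    findings = []
    for name, data in values.items():
        entry = parse_entry(data)
        if entry is None:
            findings.append((name, "malformed exception data"))
            continue
        exe = entry["path"].rsplit("\\", 1)[-1].lower()
        if exe in CORE_PROCESSES and entry["state"].lower() == "enabled":
            findings.append((name, f"core OS process {exe} granted a firewall exception"))
    return findings

# Constructed sample of the List subkey on an infected host: the first entry has the shape
# the description gives for Virut.BF, the other two are ordinary application entries.
SAMPLE_LIST = {
    r"C:\WINDOWS\system32\winlogon.exe": r"C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1",
    r"C:\Program Files\Example\app.exe": r"C:\Program Files\Example\app.exe:*:enabled:Example App",
    r"C:\Tools\sync.exe": r"C:\Tools\sync.exe:LocalSubNet:disabled:Sync Tool",
}

if __name__ == "__main__":
    for name, reason in audit_list(SAMPLE_LIST):
        print(f"{name}: {reason}")
```

On a live Windows host, the same dictionary can be filled from the real key by iterating winreg.EnumValue over AUTHORIZED_APPS_KEY (without the HKLM prefix) and passed to audit_list unchanged.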
Analysis by Rodel Finones