Threat behavior
Virus:Win32/Virut.X is generic detection for a polymorphic file infector that targets .EXE and .SCR files. This virus also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and execute arbitrary files on the infected computer. It uses advanced techniques to hide infection.
Spreads Via…
Executable File Infection
Win32/Virut.X disables Windows System File Protection (SFP) by injecting code into WINLOGON.EXE. The injected code patches sfc_os.dll in memory which in turn allows the virus to infect files protected by SFP.
The virus infects .EXE and .SCR files on access; hence actions such as copying or viewing files with Explorer, including on shares (with write access), will result in files being infected and the virus spreading from machine to machine.
The virus injects its own code into a system process such as explorer.exe or winlogon.exe, and hooks low-level (NTDLL layer) Windows API calls in order to stay in memory. It hooks the following NTDLL.DLL functions in each running process:
NtCreateFile
NtOpenFile
NtCreateProcess
NtCreateProcessEx
Thus, every time an infected process calls one of these functions, execution control is passed to the virus.
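Because the hooks sit on the NTDLL exports named above, a defender can find them by comparing each export's first bytes in a live process against the same bytes in the module on disk. The following is an added example (not code from the original page or from Microsoft); the module base, RVAs, image size and hook target are all constructed values, and the disk and memory images are built inline so the check runs offline. On a real system the two buffers would come from reading ntdll.dll from disk and from the process's memory.

```python
import struct

# Constructed layout: a 4 KiB stand-in for a 32-bit ntdll.dll image.  The base
# address, RVAs and the hook target are made-up values for the demo.
MODULE_BASE = 0x77E00000
MODULE_SIZE = 0x1000
EXPORTS = {  # the four NTDLL exports the page says Virut.X hooks
    "NtCreateFile": 0x100,
    "NtOpenFile": 0x120,
    "NtCreateProcess": 0x140,
    "NtCreateProcessEx": 0x160,
}
INJECTED_CODE_VA = 0x00C40000   # constructed: where injected virus code would live
PROLOGUE_LEN = 16               # bytes compared per export


def build_clean_image():
    """Return a constructed on-disk image: each export gets a classic 32-bit
    Nt* system-call stub (mov eax,<index> / mov edx,7FFE0300h / call [edx] / ret n)."""
    image = bytearray(MODULE_SIZE)
    for index, rva in enumerate(EXPORTS.values()):
        stub = (b"\xb8" + struct.pack("<I", 0x25 + index)
                + b"\xba\x00\x03\xfe\x7f" + b"\xff\x12" + b"\xc2\x2c\x00")
        image[rva:rva + len(stub)] = stub
    return bytes(image)


def install_jmp_hook(image, rva, target_va):
    """Overwrite the first five bytes at `rva` with 'jmp rel32' to `target_va`,
    the way an inline hook does; returns the patched copy (demo input only)."""
    patched = bytearray(image)
    rel = target_va - (MODULE_BASE + rva + 5)   # rel32 is relative to the next instruction
    patched[rva:rva + 5] = b"\xe9" + struct.pack("<i", rel)
    return bytes(patched)


def find_inline_hooks(disk_image, mem_image, base=MODULE_BASE, exports=EXPORTS):
    """Compare each export's prologue in memory against the on-disk copy.
    Any difference is reported; a leading 'jmp rel32' or 'push imm32; ret' is
    decoded so the analyst sees where control is being diverted to."""
    findings = []
    for name, rva in exports.items():
        clean = disk_image[rva:rva + PROLOGUE_LEN]
        live = mem_image[rva:rva + PROLOGUE_LEN]
        if clean == live:
            continue
        finding = {"name": name, "rva": rva, "kind": "modified",
                   "target": None, "outside_module": None}
        if live[0] == 0xE9:                              # jmp rel32
            rel = struct.unpack_from("<i", live, 1)[0]
            finding["kind"] = "jmp_rel32"
            finding["target"] = (base + rva + 5 + rel) & 0xFFFFFFFF
        elif live[0] == 0x68 and live[5] == 0xC3:        # push imm32 ; ret
            finding["kind"] = "push_ret"
            finding["target"] = struct.unpack_from("<I", live, 1)[0]
        if finding["target"] is not None:
            finding["outside_module"] = not (base <= finding["target"] < base + len(mem_image))
        findings.append(finding)
    return findings


def build_infected_image():
    """Constructed in-memory view in which two of the exports carry inline hooks."""
    mem = build_clean_image()
    for name in ("NtCreateFile", "NtCreateProcessEx"):
        mem = install_jmp_hook(mem, EXPORTS[name], INJECTED_CODE_VA)
    return mem


if __name__ == "__main__":
    for hit in find_inline_hooks(build_clean_image(), build_infected_image()):
        print(hit)
```

A jump whose target lies outside the module's own address range is the strongest signal, since legitimate hot-patching stays inside the image; a prologue that differs but does not start with a recognised trampoline is still reported as "modified" so nothing is silently skipped.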
Payload
Backdoor Functionality
Virut.X connects to the Internet Relay Chat (IRC) server 'proxim.ntkrnlpa.info' on port 20480 and joins a particular channel. Should this fail, it instead attempts to connect to 'proxim.ircgalaxy.pl'.
It contains functionality to download and execute arbitrary files on the affected system, which may include additional malware. The backdoor can also be used to change the host that it connects to for control.
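The two hostnames and the port above are the network indicators the page gives for this backdoor; since the controller can re-point the bot at another host, a detection that relies only on those names will miss updated samples. The following is an added example (not from the original page) of a small log scanner that combines the page's indicators with a protocol heuristic: an IRC handshake (NICK/USER/PASS/JOIN) on a port where IRC is not normally expected. The log format and every line in it are constructed for the demo; addresses are from documentation ranges.

```python
import re

# Indicators taken from the page: the two IRC hosts and the port Virut.X uses.
VIRUT_C2_HOSTS = {"proxim.ntkrnlpa.info", "proxim.ircgalaxy.pl"}
VIRUT_C2_PORT = 20480
STANDARD_IRC_PORTS = {194, 6665, 6666, 6667, 6668, 6669, 6697, 7000}
IRC_COMMANDS = ("NICK ", "USER ", "PASS ", "JOIN ")

# Constructed log excerpt: "<ts> <src> <dst> <dst_port> <proto> <detail>", where
# detail is the DNS question for udp/53 and the first bytes of the client
# payload otherwise.  Nothing here is real traffic.
SAMPLE_LOG = """\
2009-03-04T10:21:07 10.0.0.12 10.0.0.1 53 udp q=proxim.ntkrnlpa.info
2009-03-04T10:21:08 10.0.0.12 203.0.113.7 20480 tcp NICK xtcwqp
2009-03-04T10:22:41 10.0.0.15 203.0.113.9 6667 tcp NICK analyst_bot
2009-03-04T10:23:00 10.0.0.20 198.51.100.4 443 tcp GET /index.html HTTP/1.1
2009-03-04T10:25:12 10.0.0.33 192.0.2.8 31337 tcp NICK qwertyu
2009-03-04T10:26:30 10.0.0.33 10.0.0.1 53 udp q=proxim.ircgalaxy.pl
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<proto>\w+) (?P<detail>.*)$")


def classify(record):
    """Return the list of reasons a single parsed record is suspicious (empty if none)."""
    reasons = []
    port, detail = int(record["port"]), record["detail"]
    if port == 53 and detail.startswith("q="):
        if detail[2:].lower().rstrip(".") in VIRUT_C2_HOSTS:
            reasons.append("dns lookup of known Virut.X C2 host")
    else:
        if port == VIRUT_C2_PORT:
            reasons.append("connection to Virut.X C2 port 20480")
        # The backdoor can be re-pointed at a new host, so also catch IRC
        # handshakes on ports where IRC is not expected, regardless of host.
        if detail.startswith(IRC_COMMANDS) and port not in STANDARD_IRC_PORTS:
            reasons.append("IRC handshake on non-standard port %d" % port)
    return reasons


def scan_log(text):
    """Parse log lines and return one finding per suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        record = m.groupdict()
        reasons = classify(record)
        if reasons:
            findings.append({"ts": record["ts"], "src": record["src"],
                             "dst": record["dst"], "reasons": reasons})
    return findings


def infected_hosts(text):
    """Sorted list of source addresses with at least one finding."""
    return sorted({f["src"] for f in scan_log(text)})


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["src"], "->", f["dst"], "; ".join(f["reasons"]))
```

The legitimate IRC session on 6667 and the HTTPS request are left alone, while the host on 10.0.0.33 is flagged by the protocol heuristic before its DNS lookup ever names a known controller; in practice the same rules would be expressed in whatever IDS or SIEM sits in front of the traffic.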
Analysis by Dan Kurc
Prevention