Threat behavior
Virus:Win32/Murofet.A is a detection for a virus that infects Windows executable files and attempts to download arbitrary files from various domains.
Spread via…
Infects files
Virus:Win32/Murofet.A infects Windows Portable Executable (PE) files. The virus routine uses a cavity infection method to insert its code into free space between the first and second sections of the host file.
Payload
Downloads and executes arbitrary files
Virus:Win32/Murofet.A infected files attempt to download an arbitrary file from a URL generated by the virus. The URL has a domain name that is generated based on the current system time.
The URL has the following pattern:
http://<generated_domain_name>/forum/
It uses one of the following top level domains:
In the wild, we have observed Virus:Win32/Murofet.A generating the following domains:
- kzoildszuspuovoq.biz
- fxkuintqxykyoq.net
- shirquzmsjpdzmm.com
The virus generates 800 of these URLs, saving the downloaded file to the %TEMP% directory.
At the time of writing, if the virus contacts a domain that is active, the file it downloads is detected as PWS:Win32/Zbot.gen!Y.
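As an added illustration (not part of the original write-up), the following Python scanner shows how the URL shape and observed domains above can be turned into a defender-side check: it reads proxy log lines and flags clients making repeated requests to random-looking .biz/.net/.com domains with the /forum/ path. The log lines are constructed for the demo, and the label-length and consonant-run thresholds are assumed heuristics, not values from the analysis.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real traffic); format: client method url status
SAMPLE_LOG = [
    "10.0.0.5 GET http://kzoildszuspuovoq.biz/forum/ 0",
    "10.0.0.5 GET http://fxkuintqxykyoq.net/forum/ 0",
    "10.0.0.5 GET http://shirquzmsjpdzmm.com/forum/ 0",
    "10.0.0.5 GET http://www.microsoft.com/en-us/ 200",
    "10.0.0.7 GET http://securityresearch.com/forum/ 200",
    "10.0.0.7 GET http://news.example.net/forum/ 200",
]

# Domains the write-up reports seeing in the wild
KNOWN_DOMAINS = {"kzoildszuspuovoq.biz", "fxkuintqxykyoq.net", "shirquzmsjpdzmm.com"}

# URL shape from the write-up: http://<generated_domain_name>/forum/ on a .biz/.net/.com TLD
MUROFET_URL = re.compile(r"^http://([a-z]+)\.(biz|net|com)/forum/$", re.IGNORECASE)


def max_consonant_run(label: str) -> int:
    """Longest run of non-vowel letters; generated labels tend to have long runs."""
    longest = run = 0
    for ch in label.lower():
        run = 0 if ch in "aeiou" else run + 1
        longest = max(longest, run)
    return longest


def looks_generated(label: str) -> bool:
    """Assumed heuristic: letters-only label of 12+ chars with a consonant run of 4+."""
    return len(label) >= 12 and label.isalpha() and max_consonant_run(label) >= 4


def scan_proxy_log(lines, min_hits=2):
    """Return {client: [domains]} for clients with min_hits or more suspicious /forum/ requests."""
    hits = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        client, url = fields[0], fields[2]
        m = MUROFET_URL.match(url)
        if not m:
            continue
        label, tld = m.group(1), m.group(2)
        domain = f"{label}.{tld}".lower()
        if domain in KNOWN_DOMAINS or looks_generated(label):
            hits[client].append(domain)
    return {c: d for c, d in hits.items() if len(d) >= min_hits}


if __name__ == "__main__":
    for client, domains in scan_proxy_log(SAMPLE_LOG).items():
        print(client, "->", ", ".join(domains))
```

Pairing the count threshold with the high volume of lookups the virus makes (800 URLs per run) keeps a single legitimate /forum/ visit from raising an alert.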
Analysis by Amir Fouda
Prevention