Virus:Win32/Virut.E is a polymorphic and memory-resident file-infecting virus that infects .EXE and .SCR files on a computer. Win32/Virut.E also opens a backdoor by connecting to an IRC server, allowing an attacker to send commands remotely.
Installation
Virus:Win32/Virut.E injects its code into system processes and hooks low-level Windows kernel APIs to gain control.
It skips the first three system processes, which may be "system.exe", "smss.exe", and "csrss.exe", as well as any process that starts with "srsc".
It hooks the following kernel APIs:
- NtCreateFile
- NtOpenFile
- NtCreateProcess
- NtCreateProcessEx
Every time an infected system calls any of these APIs, execution control is passed to the virus.
Spreads Via...
File infection
Virus:Win32/Virut.E infects .EXE and .SCR files whenever any such file is opened, created, or executed. This includes files accessed remotely via network shares to which the infected host has write access. It appends its code to the end of the program.
It does not infect files with names that begin with any of the following strings:
Payload
Performs backdoor functionality
Virus:Win32/Virut.E connects to the Internet Relay Chat (IRC) server "proxim.ircgalaxy.pl" via port 655230. The connection can give a remote attacker backdoor access and control. The remote attacker may issue commands to download and execute unwanted programs and malware on the computer.
Disables system file protection
Virus:Win32/Virut.E disables the computer's system file protection by patching the in-memory copies of "SFC.DLL" and "SFC_OS.DLL", allowing the virus to modify system files protected by SFP.
Additional information
Virus:Win32/Virut.E creates an event named "VT_4" during execution so that it does not infect system memory more than once.
The following string can be found in the malware binary:
O noon of life! O time to celebrate!
O summer garden
Relentlessly happy and expectant, standing: -
Watching all day and night, for friends I wait:
Where are you, friends? Come! It is time! Its late!)
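The file-infection behaviour above (virus body appended to the end of an .EXE or .SCR host) and the strings named on this page suggest a simple triage check a responder can run offline: parse the PE section table, measure any data lying past the last section (the overlay), and look for the IRC server name or the quoted text inside it. This is an added example, not Microsoft's or the analyst's code; overlay data is a heuristic (installers and signed binaries also carry overlays), and since the virus is polymorphic, the marker strings are assumed to appear in clear only in some samples. The sample PE is constructed in the code.

```python
import struct
from typing import Optional

# Strings quoted on this page; a hit is only a supporting indicator.
MARKERS = (b"proxim.ircgalaxy.pl", b"O noon of life!")

def pe_overlay_offset(data: bytes) -> Optional[int]:
    """Offset where appended (overlay) data begins, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    sec_tab = e_lfanew + 24 + opt_size                            # first section header
    if sec_tab + 40 * nsec > len(data):
        return None
    end = sec_tab + 40 * nsec
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tab + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))

def triage(data: bytes) -> dict:
    """Appended-code heuristic: overlay size plus any page-named markers found in it."""
    start = pe_overlay_offset(data)
    if start is None:
        return {"pe": False, "overlay_bytes": 0, "markers": []}
    overlay = data[start:]
    return {"pe": True, "overlay_bytes": len(overlay),
            "markers": [m.decode() for m in MARKERS if m in overlay]}

def build_sample_pe(appended: bytes = b"") -> bytes:
    """Constructed minimal PE32 with one .text section; not a real program."""
    nsec, opt_size, raw_ptr, raw_size = 1, 224, 0x200, 0x200
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))     # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    hdr += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)            # optional header
    hdr += b".text\0\0\0" + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr) + b"\0" * 16
    hdr += b"\0" * (raw_ptr - len(hdr))                                  # pad to section data
    return bytes(hdr) + b"\xC3" * raw_size + appended

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(b"\x90" * 32)
    print(triage(data))
```

Run it against a suspect file path to get the overlay size and marker hits; a non-zero overlay on a plain .SCR or .EXE that should have none is the cue to pull the sample for analysis.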
Analysis by Rodel Finones