Description:
This file infector arrives on a system as a downloaded or dropped file of another malware. It may also arrive on a system as a file attached to spammed email messages.
It spreads by infecting running processes with EXE and SCR file name extensions. It first checks whether the target processes are in Portable Executable (PE) format, then infects the files using various infection techniques. Note that it avoids processes and files whose file names contain certain strings.
It also creates the event VT_3 to stay memory-resident and to ensure that only one instance of itself runs in the affected system's memory.
In addition, this file infector has backdoor capabilities. It listens on various ports and connects to an Internet Relay Chat (IRC) server, where it joins a certain channel. Once connected, it allows a remote user to download and execute files on the affected system, thus compromising system security.
Description created: Apr. 4, 2007 6:14:21 AM GMT -0800