PE_VIRUT.L
Overview

Malware type: File infector

Aliases: Virus.Win32.Virut.n (Kaspersky), W32/Virut.gen (McAfee), W32.Virut!gen (Symantec), W32/Virut.G (Avira), W32/Virut-L (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

Medium

Infection Channel 1: Infects files

Infection Channel 2: Spammed via email


Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

PE_VIRUT.L Behavior Diagram

Malware Overview

This file infector arrives on a system as a downloaded or dropped file of other malware. It may also arrive attached to spammed email messages.

It infects executed files that have .EXE and .SCR as file name extensions. It checks whether the target files are in PE format before infecting them. It uses several types of infection techniques. Execution of the infected files perpetuates this virus' infection cycle. All infected files are also detected by Trend Micro as PE_VIRUT.L.

It avoids files with certain strings in their file names. It also ensures that only one instance of itself is running in the affected system's memory. These actions help prevent its immediate detection and consequent removal from an infected system.

This file infector listens on various ports and connects to an Internet Relay Chat (IRC) server, where it joins a certain channel. Once connected, it allows a remote user to download and execute files on the affected system, effectively compromising the affected system's security, as the executed files may be malicious.


Description created: Apr. 9, 2007 5:22:45 AM GMT -0800
