Virus.win32.virut.ce removal tool
The current means by which most malicious files are actively spread is server-side polymorphism. Infecting files is not as popular as it was about five years ago, largely because the level of file emulation in antivirus products has improved greatly. As such, you have to hand it to the authors of Virut. The technology implemented in Virut. Anti-emulation and anti-debugging techniques are widely used, such as checking the tick count obtained from multiple rdtsc instructions, series of GetTickCount API calls, and calls to multiple fake API functions.

Virut is the fastest-mutating virus known, with a new variant appearing as often as once a week. This indicates that its creators are closely monitoring antivirus databases so that they can take prompt action when a new Virut signature is released. As soon as this happens, the creators modify the virus so that once again it is undetectable. Interestingly, the malicious program ensures that its latest version is downloaded to compromised computers by taking advantage of infected HTML files as described below.

This article reviews the methods used to infect files. Obfuscation will also be covered as it is applied each time an executable file is infected. The first Virut variant was called Virut. From that moment on, the strain has evolved steadily, reaching Virut. It would seem that the creators of the virus spent the interim period perfecting new infection techniques, encryption algorithms and anti-emulation methods.

At present, the Virut.

The Top 20 most frequently detected viruses, January — May

From the graph below it can clearly be seen that the propagation activity of Virut.

Number of computers infected with Virut.

The virus propagates through infected files, both executable and HTML, or through small programs designed to crack licensed software. Such programs generally include key generators (keygens) and direct file modification utilities (cracks). Such archives include a copy of Virut, either in its original form or in an infected file alongside the desired program.

It is common knowledge that most malware programs are designed exclusively for financial gain, and Virut is certainly no exception. The procedure looks quite conventional, as does the list of processes the virus attempts to terminate, shown in the screenshot below.

Screenshot showing part of the decrypted static body of Virut.

This downloads the latest version of Virut by exploiting a PDF-file vulnerability.

One or two polymorphic decryptors are used in conjunction with it too. Below is an example of how an instruction and the jump address can be substituted. Consequently, file execution will start directly with the virus component. The Main decryptor is located in every file touched by Virut. Let us take a closer look at the function and general appearance of this decryptor.

The Init decryptor is a small piece of code between 0x and 0x bytes long and contains many purposeless instructions that prevent static antivirus signatures from matching. The decryptor is placed at the end of a code section if there is a sufficient number of zero bytes there. To ensure that you are removing viruses from your equipment, it is recommended that you follow these steps. Thus, every time an infected process starts, hence the virus. Is Win32 a virus? Ultimately, the virus tries to download all files that it can recognize as other Trojans.

When someone opens an infected HTML file, the browser connects to that server without the user's knowledge. The HTML page hosted there attempts to exploit a number of different vulnerabilities, in browsers and in specific programs, in order to launch a copy of the virus.

How do I get rid of Win32 Virut? Download some of our free removal tools: rmvirut. The tool creates a simple log of infected files within the same folder the tool is run from. After FixVirut. Web to run a complete system scan.

Before you start the complete system scan, enter Dr. Web will take forever unpacking and scanning inside all the archive-type files on your computer. If you think you need it and have the extra time to burn, you can leave it checked.

Running the Dr. Web complete virus scan is very important. It will pick up any infected files the Symantec tool may have missed. Also, it picked up a couple of Trojan downloaders and suspicious files I believe were affiliated with this virus. In addition, any connected peripherals that may have been infected at some time will be scanned and cured during this complete scan. Be aware that the scan will pause and ask you what to do if it comes across a file it cannot cure.

This entire process will take several hours. When the scan finishes, go through the list of infected and suspicious files. Manually quarantine, move or delete any suspicious files Dr. Web may have left alone, just to be on the safe side, unless those files are VERY important on your particular computer. Be happy, because most of the hard work is done. When you are done with Dr. Web you can close it and open the ATF-Cleaner.

This step may not be necessary but I did it simply as a precaution. You can run another quick express scan in Dr. Web to double check if you want, but right now your computer should be clean. Restart your computer normally. The virus also modifies the local machine's Hosts file, redirecting the domain "zief. Allows backdoor access and control.

Should this fail, it instead attempts to connect to "proxim. It contains functionality to download and run files on your PC. This may include additional malware. The backdoor can also be used to change the host that it connects to for control. Analysis by Dan Kurc. Take these steps to help prevent infection on your PC. Alerts from your security software might be the only symptom you'll see.
