

VIRUS ALERTS

Virut

Original issue date: September 17, 2007

It has been observed that a polymorphic file infector virus named Virut is circulating widely. It infects files with .exe and .scr extensions. The virus is capable of creating an IRC backdoor on the infected system, through which it connects to an IRC server and listens for remote attacker commands. Virut uses this IRC backdoor functionality to download other malware onto the infected system. The downloaded malware has been found capable of launching malicious attacks.

Aliases: Virus.Win32.Virut.n [Kaspersky], W32/Virut.gen [McAfee], W32.Virut.U [Symantec], W32/Virut.U [Avira]


Upon execution, the virus

  • Creates a mutex named VT_3 to prevent multiple copies of itself from running on the infected system.
  • Infects the .exe and .scr files by appending itself at the end.
  • Avoids infecting files whose names contain any of the following:
    • WINC
    • WCUN
    • WC32
    • PSTO
  • Opens a backdoor on the infected system on TCP port 65520/80 and connects to
    the IRC server Proxima DOT ircgalaxy DOT pl on channel &virtu. It listens for remote attackers' commands to download and execute other malware.

In view of the high damage potential of this malware, users are advised to implement the following countermeasures:

  • Install and maintain updated anti-virus software at gateway and desktop level.
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Monitor outgoing traffic to the specified TCP port of the IRC command and control (C&C) server mentioned above.
  • Block TCP port 65520 at the firewall. Allow only required ports at the firewall.
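
The monitoring countermeasure above, as an added example that is not part of the CERT-In alert: a small Python checker that flags outbound flows to the C&C TCP port or IRC host named in this alert. The key=value flow-log format, the sample records and the 10.x internal address range are assumptions made for the example.

```python
# Flag outbound flows matching the Virut C&C indicators in the advisory.
# Added example, not part of the CERT-In alert; the flow log format is
# constructed, the indicators (TCP 65520, the IRC host) come from the text.
from dataclasses import dataclass

C2_PORT = 65520                      # TCP port named in the advisory
C2_HOST = "proxima.ircgalaxy.pl"     # IRC server named (de-fanged) in the advisory
INTERNAL_PREFIX = "10."              # assumed internal address range

# Constructed sample flow records, not real traffic.
SAMPLE_LOGS = """\
ts=2007-09-17T10:01:02 src=10.0.0.5 dst=203.0.113.10 dport=80 proto=tcp host=www.example.com
ts=2007-09-17T10:01:09 src=10.0.0.7 dst=198.51.100.23 dport=65520 proto=tcp host=-
ts=2007-09-17T10:01:15 src=10.0.0.7 dst=198.51.100.23 dport=80 proto=tcp host=proxima.ircgalaxy.pl
ts=2007-09-17T10:02:00 src=10.0.0.9 dst=192.0.2.44 dport=443 proto=tcp host=mail.example.net
ts=2007-09-17T10:02:30 src=198.51.100.23 dst=10.0.0.7 dport=65520 proto=tcp host=-
"""

@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str

def parse_record(line: str) -> dict:
    """Split one key=value flow record into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def check_record(rec: dict):
    """Return an Alert for an outbound TCP flow to port 65520 on any host, or
    to the IRC host on any port (the advisory lists 65520/80); otherwise None.
    Inbound records are skipped: the countermeasure watches traffic leaving."""
    if rec.get("proto") != "tcp" or not rec.get("src", "").startswith(INTERNAL_PREFIX):
        return None
    dport = int(rec.get("dport", 0))
    reasons = []
    if dport == C2_PORT:
        reasons.append(f"outbound TCP {C2_PORT}")
    if rec.get("host", "").lower() == C2_HOST:
        reasons.append(f"C&C host {C2_HOST} on port {dport}")
    if not reasons:
        return None
    return Alert(rec["ts"], rec["src"], rec["dst"], dport, "; ".join(reasons))

def scan(log_text: str) -> list:
    """Run check_record over every non-empty line of a flow log."""
    records = (parse_record(l) for l in log_text.splitlines() if l.strip())
    return [a for a in map(check_record, records) if a is not None]
```

Running `scan(SAMPLE_LOGS)` flags the two outbound records from 10.0.0.7 and ignores the inbound one, which is what a perimeter monitor for this alert should report.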


Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information
Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003