Internet threat level: 1
Home→Descriptions→Virus.Win32.Virut.ce
Virus.Win32.Virut.ce
| Detected | Oct 29 2009 14:07 GMT |
| Released | Jan 09 2013 12:15 GMT |
| Published | Oct 29 2009 14:07 GMT |
Payload
Removal instructions
Technical Details
This file virus infects Windows executable files. It is a malicious code contained in Windows PE EXE files. The virus body is about 17 Kb, though the use of polymorphic encryption means its size may vary.
Propagation
The virus injects its code into the address spaces of all the processes running in the system. The injected code intercepts the following system functions in the ntdll.dll library:
NtCreateFile NtCreateProcess NtCreateProcessEx NtOpenFile NtQueryInformationProcessUsing these system functions, the virus tracks files that are opened and any applications launched for execution. When the virus detects a new process being launched or an executable file being opened, it infects it. Files with .EXE and .SCR extensions are infected. These files are Windows (PE EXE) applications. The virus does not infect files with names containing any of the following strings: “WINC”, “WCUN”, “WC32”, “PSTO”. When infecting a file, the virus expands the PE section and writes its own polymorphic body into it. It then modifies the program’s entry point so that it leads to the virus code.
Payload
The virus adds the executable file of the host process to the Windows firewall list of trusted applications.
Then it disables the “Restore system files” function.
The virus attempts to contact the following IRC servers:
prox*****ircgalaxy.pl irc*****ef.plIf a connection is established, the virus sends the following commands to the server:
NICK dewxxpyi USER b JOIN #.<rnd1>, where rnd1 is a random number.Then the virus enters standby mode, ready to receive commands from the malicious IRC server and execute them.
The virus is capable of executing the following commands:
- !Get: download a malicious code from the Internet and inject it into processes running on the victim computer.
- !hosu: open specified URLs on the victim computer.
The virus also scans the victim computer’s hard drive for files with the following extensions:
HTM PHP ASPIf found, it adds the following string into them:
style="border:0"></iframe>
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program: Update your Kaspersky Anti-Virus databases and perform a full scan of the computer (download trial version).
Viruses replicate on the resources of the local machine.
Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example:
- when infecting accessible disks, a virus penetrates a file located on a network resource
- a virus copies itself to a removable storage device or infects a file on a removable device
- a user sends an email with an infected attachment.
Virus.
- Virus.
Win32. Sality. ae (Kaspersky Lab) - Virus.
Win32. Sality. ae (Kaspersky Lab) - Trojan.
Win32. Genome. aeywa (Kaspersky Lab) - Trojan.
Win32. Vilsel. bevv (Kaspersky Lab) - Email-Worm.
Win32. Brontok. se (Kaspersky Lab) - Email-Worm.
Win32. Brontok. sd (Kaspersky Lab) - Trojan.
Win32. Genome. sdlo (Kaspersky Lab) - Worm.
Win32. AutoRun. bzax (Kaspersky Lab) - Worm.
Win32. AutoRun. byqn (Kaspersky Lab) - Trojan.
Win32. Autoit. aji (Kaspersky Lab) - IM-Worm.
Win32. VB. akl (Kaspersky Lab) - Worm.
Win32. Zombaque. l (Kaspersky Lab) - Worm.
Win32. AutoRun. hmn (Kaspersky Lab) - Trojan.
Win32. Refroso. cbmr (Kaspersky Lab) - Trojan-PSW.
Win32. QQPass. xqo (Kaspersky Lab) - Worm.
Win32. VB. bbo (Kaspersky Lab) - Trojan.
Win32. Vilsel. cfb (Kaspersky Lab) - Virus.
Win32. Sality. ae (Kaspersky Lab) - Virus.
Win32. Sality. ae (Kaspersky Lab) - Hoax.
Win32. Sality. ae (Kaspersky Lab) - P2P-Worm.
Win32. Sality. ae (Kaspersky Lab) - Trojan-Downloader.
Win32. Virut. ce (Kaspersky Lab) - Trojan-SMS.
Win32. Virut. ce (Kaspersky Lab) - Trojan.
Win32. Virut. ce (Kaspersky Lab) - Hoax.
Win32. Virut. ce (Kaspersky Lab) - Backdoor.
Win32. Virut. ce (Kaspersky Lab) - Worm.
Win32. AutoRun. fya (Kaspersky Lab) - Virus.
Win32. Sality. ae (Kaspersky Lab) - Virus.
Win32. Sality. ae (Kaspersky Lab) - Backdoor.
Win32. IRCBot. ihd (Kaspersky Lab) - Virus:
W32/Virut. n. gen (McAfee) - W32.
Changeup. 8657 (Symantec) - W32.
Virut. CF. 37843 (Symantec) - W32/Scribble-B (Sophos)
- W32/Sality.
AO (Panda) - Virus:
Win32/Virut. BN (MS(OneCare)) - Win32.
Virut. 56 (DrWeb) - Win32.
Virtob. Gen. 12 (BitDef7) - Win32.
Virut. AB. Gen (VirusBuster) - Win32:
VB-YDQ [Trj] (AVAST) - File was not downloaded for scan (AVAST)
- Gen.
Trojan. Heur (Ikarus) - Trojan.
Win32. Spy (Ikarus) - Win32/DH.
FF81010B{40580000-00001000-00000000-00000000} (AVG) - Win32/Virut (AVG)
- W32/Virut.
gen (AVIRA) - W32/Virut.
HL (Norman) - W32/Virut.
EH (Norman) - Win32.
Virut. dy (Rising) - Win32.
Virtob. Gen. 12 [Aquarius] (FSecure) - PE_VIRUX.
R (TrendMicro) - Virus.
Win32. Virut. ce (v) (Sunbelt) - Virus.
Win32. Virut. ce. 5 (v) (Sunbelt) - Win32.
Virut. AB. Gen (VirusBusterBeta) - W32/Virut.
CE (Fortinet) - Win32.
Virtob. Gen. 12 (GData)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.