Recently a new virus variant surfaced which we at Norman call W32/Virut.CM, but what’s in a name? This Virut variant is a polymorphic file-infecting virus, approximately 20Kb long, that aggressively infects most executable and screen saver files on the system. In addition to infecting executables, W32/Virut.CM also infects most HTML-based files on the system by inserting IFrames.
A full technical observation from Norman’s Tom Bonner can be found here. This observation covers the complete behavior of W32/Virut.CM: infection vectors, connections to IRC servers, blocking of specific security websites including Norman’s (so if you read this online, it means your system is not infected by this Virut variant, congratulations!) and some anti-emulation tricks. It also lists all the additional components the virus will download and install, including a rootkit, complemented with the SandBox output and network traffic details. Well worth the time to read.
Norman has released a special cleaning utility (*) for W32/Virut.CM that can be downloaded and used by everyone. Instructions for usage can be found here (*).
(*) As of 2nd September 2009, the functionality of the special Virut cleaner has been incorporated into the free general tool, Norman Malware Cleaner. You will find this tool here.
