Store
|
Contact Norman
|
About Norman
|
Select location
Corporate
Norge
France
Deutschland
Sverige
Danmark
Suomi
Nederland
Schweiz
España
United States
United Kingdom
Italia
Proactive IT security
Home / Home office Small / Medium business Enterprise Our technology Security center Norman as a business partner Support   Partner web
Home
>
Security center
>
Virus descriptions
>
W32/Virut
Norman SandBox center
Submit file for SandBox analysis
Search malware analysis database
View latest SandBox analyses
Malware statistics
Virus descriptions
Security articles - archive
Malware types
Threat level
Current virus threats
Security blog
Email statistics
Books, general white papers etc.

W32/Virut

Threat risk

Threat risk medium
Detection files published:
Description created: 2009-06-04
Description updated: 2009-09-03
Malware type: Virus
Alias: E_VIRUT, PE_VIRUX
Spreading mechanism File Infection, Network, Other
Payload: Disables Windows file protection,attempts to download malware
Summary

W32/Virut is a polymorphic virus that infects executables and screensaver files, and attempts to downloads additional malware. There are many variants.

The Virut.CM variant also injects an iframe object into HTML based files, disables Windows file protection in order to infect essential protected Windows system files. A viral thread, running under winlogon.exe or services.exe, attempts to connect to an IRC backdoor through port 80 or 65520, in order to download additional malware components.

Spreading description

Virut infects executable files as they are accessed, by either subverting a call through the IAT (import address table) in the original host code to jump to itself, or completely replacing the entry point of the executable file to point to itself. Because executable files are infected in this way, files on network drives accessed from an infected computer may also be infected.

Virut will also infect removable media by dropping an infected file, together with an autorun.inf file, to the root of the attached drive, which will run when it is attached to another computer.
 

Threat description

W32/Virut is a polymorphic virus that infects executables and screensaver files, and attempts to downloads additional malware. There are many variants.

The Virut.CM variant also injects an iframe object into HTML based files, disables Windows file protection in order to infect essential protected Windows system files. A viral thread, running under winlogon.exe or services.exe, attempts to connect to an IRC backdoor through port 80 or 65520, in order to download additional malware components.

Virut will also try to block access to websites containing the following strings;

  • eset
  • avg
  • windowsupdate
  • wilderssecurity
  • threatexpert
  • castlecops
  • spamhaus
  • cpsecure
  • arcabit
  • emsisoft
  • sunbelt
  • securecomputing
  • rising
  • prevx
  • pctools
  • norman
  • k7computing
  • ikarus
  • hauri
  • hacksoft
  • gdata
  • fortinet
  • ewido
  • clamav
  • comodo
  • quickheal
  • avira
  • avast
  • esafe
  • ahnlab
  • centralcommand
  • drweb
  • grisoft
  • nod32
  • f-prot
  • jotti
  • kaspersky
  • f-secure
  • computerassociates
  • networkassociates
  • etrust
  • panda
  • sophos
  • trendmicro
  • mcafee
  • norton
  • symantec
  • defender
  • rootkit
  • malware
  • spyware
  • virus
Removal

Virut uses a number of methods in order to avoid detection and removal and thus can be very difficult to completely clean.

Because of the aggressive nature of this malware, some infected files may become corrupted, to the point where they are not possible to repair or clean. In such cases certain files might have to be restored from a backup.

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiantly. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below - if your Norman antivirus is unable to clean-up the infection.

Type Title Comment Usage
Norman Malware Cleaner    
Stopping network share infectors    
Cleaning of back-up folders on Windows Me and XP    
Print
Privacy policy
|
License agreement
|
Trademarks
|
Sitemap